[German]At the end of June 2025, there were reports (at least that's how I interpreted them) that virus scanners would "soon" no longer be allowed to use the Windows kernel mode. According to Microsoft, the CrowdStrike case, which paralyzed millions of Windows systems, was the final warning to take this step. The question now is whether we are experiencing a paradigm shift or whether it is a deceptive package and what is behind it all.
Review: The CrowdStrike disaster
On July 19, 2024, around 8.5 million Windows systems worldwide – on which the EDR software CrowdStrike Falcon was installed – experienced outages. CrowdsStrike Falcon is a widely used enterprise detection and response (EDR) protection software for end devices. The cause was an update rolled out by the manufacturer for the CrowdsStrike Falcon sensors. As a result, a blue screen of death (BSOD) (with the error message PAGE_FAULT_IN_NONEPAGED_AREA) was triggered on the affected systems. Responsible was the file csagent.sys and a faulty sys file distributed by update, which was loaded by this driver.
Windows systems that were configured for an automatic restart after a fatal error fell into a BSOD restart loop. Systems that remained in the BSOD showed the famous blue screen (BSOD). I had reported extensively on this event (see Windows systems throw BSOD due to faulty CrowdStrike update), that was the biggest computer glitch of all time.
Microsoft responds with plans …
Microsoft later announced that it was planning to make changes to its Windows kernel architecture to prevent such "collateral damage" (I hinted at this in the article Microsoft's analysis of the CrowdStrike incident and recommendations).
On September 12, 2024, David Weston, Vice President Enterprise and OS Security at Microsoft, presented plans in this direction in the article Taking steps that drive resiliency and security for Windows customers. The background was the Windows Endpoint Security Ecosystem Summit on September 10, 2024, a forum hosted by Microsoft that brought together a group of endpoint security vendors and government officials from the US and Europe to discuss strategies for improving resilience and protecting the critical infrastructure of shared customers. Microsoft has been asked by customers and security solution providers to do more for kernel security and to provide mechanisms to prevent a CrowdStrike case, it said.
Implementation is supposedly underway
On June 26, 2025, Microsoft published the article The Windows Resiliency Initiative: Building resilience for a future-ready enterprise by David Weston. He mentions the Windows Resiliency Initiative (WRI) and the Microsoft Virus Initiative (MVI).
In the MVI 3.0 program, Microsoft requires partners to commit to taking certain measures to improve the security and reliability of Windows. The requirements include testing incident response processes and adhering to SDP (Safe Deployment Practices) procedures for updates on Windows endpoints.
In July 2025, Microsoft will provide a non-public preview of the Windows Endpoint Security Platform to a number of MVI partners. This will allow MVI partners to develop solutions to run outside of the Windows kernel. According to Microsoft, this means that security products such as antivirus and endpoint protection solutions can run in user mode, just like applications.
The article The Windows Resiliency Initiative: Building resilience for a future-ready enterprise also contains statements from various manufacturers of antivirus solutions, who more or less welcome this (and provider Sophos is not even listed). Weston also provides an outlook on further "innovations" from Microsoft (simplified UI for Windows crashes, Microsoft Connected Cache, Universal Print, etc.).
In my impression, the media only reported "Microsoft bans virus scanners from the Windows kernel". A clear commitment to completely shift their security solutions out of the kernel space does not yet exist. I don't want to minimize anything, but it is important that all antivirus vendors and security providers follow this recommendation and keep their virus scanners and security solutions out of the kernel.
Security expert on the new initiative
A few days ago, I came across a tweet from security expert Florian Roth, in which he also took up the "promise to ban virus scanners from the Windows kernel".
Roth writes that at first glance, Microsoft's new "user mode security initiative" looks like a necessary response to a widespread architectural risk. But on closer inspection, it is mainly a cosmetic measure. The presentation implies that the ability to run security solutions outside of the Windows kernel is somehow new – or that most vendors have been working irresponsibly at the kernel level all along.
However, this is not true, as most modern security vendors already run the detection logic of virus scanners in user mode and only use a few kernel components for self-protection. This is common practice, says Florian Roth. So what is this initiative really about?
Roth then reveals in a tweet that it is about a provider – CrowdStrike – whose architecture ignores this standard. The company embedded the customization logic in a kernel-mode driver. One flawed update, rolled out without proper internal review or testing, crashed millions of computers worldwide.
This one decision by CrowdStrike caused the worldwide outage. Microsoft did not cause the incident – but it is now using it to emphasize its message: "Third-party access to the kernel is risky. If they had stayed in user mode or used our Defender, none of this would have happened."
The result? A new initiative that feels more like strategic positioning than a response to a broad technical need, Roth writes. It addresses a problem that doesn't exist for most vendors (who uses CrowdStrike anyway). But now it is being presented by Microsoft as if the problem exists and threatens the security of Windows. CrowdStrike was not the norm, Roth said, the product was the outlier. And Microsoft has just built an entire strategy change on this failure of a vendor.
This leads me to two conclusions: Microsoft is under a lot of pressure because of the many security incidents and other problems. And the other view could conclude that the EU requirement to open up the kernel to security vendors has now been sent to its grave in the most elegant way. This leads me to the conclusion that a nice magic show has been put on, but the bottom line is that something like a sham is being passed around on stage.
Comment from a security provider
Philip Lieberman, CEO and founder of security vendor Analog Informatics, sent me the following comment on the above topic.
The protection of the Kernel Ring 0 change to the Windows operating system comes more than 30 years too late. All of us who worked with Windows NT on Intel processors in the 1990s were stunned that Microsoft did not isolate device drivers above Ring 0 (most privileged).
The design was a compromise to support early attempts to make Windows cross-platform and support non-Intel processors. Anyone who develops device drivers knows that the slightest error will crash the operating system, making debugging these drivers a nightmare to this day.
There are similar compromises from that time, such as the fact that the C2 security architecture was never finalized to allow for better control of classified information.
Completing the mandatory access control portions of the operating system would allow commercial organizations to properly control access to sensitive information instead of having to rely on silly hacks and add-on software that barely work.
Cutler and his team developed a fantastic operating system for the time. But they were never allowed to see the vision through to completion.
Microsoft has wasted untold amounts of its own company's and its customers' time introducing silly user interfaces and abandoning industry standard technologies for platform development (i.e. destroying the Windows Phone and embedded operating system business with their .NET and Metro interfaces).
By making these bad decisions and failing to listen to its developers and customers, Microsoft has allowed Google and Apple to figuratively eat its lunch.
Their recent move to abandon Windows 10 users on the altar of "security" is tragically comical considering they are finally moving to protect the core of the operating system.
Microsoft has made so many dumb stupid mistakes, had so many botched Patch Tuesdays, and lied about so many security breaches, I have to wonder if they are even a viable company anymore.
Debby H.
Bradenton, Florida, USA