Microsoft beefs up Windows security with new recovery and patching features
In the aftermath of the devastating CrowdStrike outage this July, Microsoft vowed to do better even though it insisted that the event was an aberration.

Evidently unwilling to take chances (or risk further hits to its credibility), the company on Tuesday, during Microsoft Ignite 2024, shared how it’s making changes to Windows to prevent similar incidents.

Many of those changes won’t come into force for some time.

A new capability launching in early 2025, Quick Machine Recovery, will allow IT admins to remotely make certain software fixes even when Windows machines aren’t able to boot. Microsoft says it’s also testing a way to let security products like antivirus software run outside of “kernel mode,” which means they’ll be able to run similar to most Windows applications.

The kernel mode change, scheduled to launch in private preview in July 2025, addresses the root cause of the CrowdStrike outage. A faulty update to CrowdStrike’s Falcon software caused an issue with the Windows kernel, the core of the Windows operating system — causing affected machines to crash.

“This change will help security developers provide a high level of security [and] easier recovery, and there will be less impact to Windows in the event of a crash or mistake,” David Weston, Microsoft VP of enterprise and OS security, wrote in a blog post shared with TechCrunch.

Microsoft is also previewing Administrator Protection, a feature that will let Windows users without administrator permissions make system changes on their PCs when needed. Administrator Protection creates a temporary, isolated token that grants users administrator privileges, and once the user completes their task, immediately destroys the token, Microsoft said.

[Image: the prompt users see for Administrator Protection. Image credit: Microsoft]

“With Administrator Protection, if a system change requires administrator rights, like some app installations, the user is prompted to securely authorize the change using Windows Hello,” Weston explained in the post. (Windows Hello is Windows’ biometric authentication system.)

“It will also be disruptive to attackers as they no longer have automatic, direct access to the kernel or other critical system security without specific authorization,” he wrote.

At the IT management level, Microsoft is introducing hot-patching in preview for Windows 11 Enterprise 24H2 and Windows 365. Hot-patching involves downloading updates in the background and applying them immediately, eliminating the need for a device restart (and making users less likely to postpone them).

Microsoft is under intense scrutiny not only over its handling of the CrowdStrike incident; it is also under pressure for failing to stop hackers linked to China and Russia from breaching its internal systems. U.S. government agencies have described Microsoft’s corporate culture as one that deprioritized security investments and risk management.

Microsoft CEO Satya Nadella has claimed that security is now Microsoft’s top priority. The equivalent of 34,000 full-time engineers are revamping the company’s cybersecurity practices, the company said, and every employee is now being judged on their security contributions after Microsoft tied security efforts to regular performance reviews. It has also named more than a dozen deputy chief information security officers to serve in its product groups.