Microsoft used the spotlight of its Ignite conference this week to introduce a new Quick Machine Recovery tool to help organizations remotely rebuild computer systems after major crises like the CrowdStrike outage earlier this year.

The software maker said the feature will enable IT administrators to execute “targeted fixes” from Windows Update, even when machines are unable to boot, without needing physical access to the PC. 

It is a direct response to the CrowdStrike Falcon sensor crash that blue-screened millions of Windows machines around the world and caused major delays as IT staff struggled to manually fix broken computer systems.

“This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past,” Microsoft said of the Quick Machine Recovery planned for release into the Windows Insider Program community in early 2025.

Redmond’s Windows OS engineers are already redesigning the way anti-malware products interact with the Windows kernel and plans to fit “new platform capabilities” into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability.  

Following a one-day summit in Redmond with EDR vendors earlier this year, Microsoft vice president David Weston said the plan is to provide more security capabilities to solution providers outside of kernel mode.

At Ignite this week, Microsoft said anti-malware vendors is being asked to adopt Safe Deployment Practices, which means that all security product updates must be gradual, leverage deployment rings, as well as monitoring to ensure any negative impact from updates is kept to a minimum. 

“This means security products, like anti-virus solutions, can run in user mode just as apps do. This change will help security developers provide a high level of security, easier recovery, and there will be less impact to Windows in the event of a crash or mistake. A private preview will be made available for our security product ecosystem in July 2025,” Microsoft said.

The company also touted security goodies built into the new Windows 11 PCs, including Copilot+ PCs, that are now enabled by default with additional protections added to significantly reduce the potential for attacks. 

These security features include Credential Guard, vulnerable driver block list, Local Security Authority (LSA) protection now enabled by default for new consumer devices, and BitLocker enabled by default on most modern systems. 

In addition, Microsoft announced insecure code and crypto algorithms have been removed, and kernel attack surfaces, like Tool Tips, have been moved to user mode.

Related: CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash

Related: Microsoft Redesigning EDR Vendor Access to Windows Kernel

Related: CrowdStrike Overhauls Testing and Rollout to Avoid System Crashes

Related: CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash