Microsoft is making sweeping changes to its Windows operating system in the wake of this summer's incident, when a flawed CrowdStrike update caused millions of commercial devices to crash and cost customers billions of dollars in downtime.
The incident was a major impetus for the new Windows Resiliency Initiative, introduced and outlined during a session at last week's Microsoft Ignite conference. Microsoft officials said the changes are being made based on what they learned from the July 19 incident, which they promised will result in a more reliable and secure release of the operating system in 2025.
Microsoft vice-president of enterprise and OS security David Weston identified three objectives that promise to make Windows more secure: faster and simpler recovery, more resilient drivers and tools, and changes to how the OS kernel is secured to make it "more effective and self-defending."
The changes will also affect software developers and third-party security tool providers. "We're working together across the industry and will improve reliability, based on lessons from July, with new changes and standards in the OS," said Microsoft corporate VP for Windows and devices Pavan Davuluri.
The new Windows release is being designed to resist malware and script attacks with stronger controls over which applications and drivers may run, and improved identity protection is meant to blunt phishing attacks. Davuluri also said Microsoft is establishing a new approach to privileged access management.
Microsoft will ship a preview of the release to Windows Insiders in July 2025. It will include tighter controls over which applications and drivers are permitted to run, stronger identity management, quick machine recovery, personal data encryption for folders, and improved OS management and configuration capabilities.
The release is poised to arrive just as Microsoft ends support for Windows 10 on October 14, 2025. Although Microsoft has for years been encouraging customers to upgrade to Windows 11, which was released in 2021, nearly 61 percent of all PCs worldwide still have Windows 10, according to Statcounter.
Enabling Security Partners to Build Outside the Kernel
Further, under the long-term Secure Future Initiative announced a year ago, Microsoft is moving to memory-safe programming languages by incrementally shifting from C++ to Rust. Weston explained that a new Windows Resilient Security Platform will let third-party security product developers build their products outside the kernel.
"We're ensuring this platform will enable security solution providers to have the access they need to detect and respond to threats without introducing complexity into the kernel," he said. "This change will help end-user protection and antivirus products provide a high level of security and easier recovery."
While the moves should make Windows more resilient to attacks, Forrester analyst Paddy Paddington would like to see Microsoft tighten access even further. "I would much prefer it if Microsoft bit the bullet and put the walls back up," he says. "That would mean recoding for everyone who messes in the kernel driver world, including Microsoft, but it's a safer method of operation." Paddington first opined on that point in a July blog post.
Post-Incident Security Summit in Redmond
Two months after the CrowdStrike incident, Microsoft hosted its Windows Endpoint Security Ecosystem Summit in Redmond with security vendors and representatives of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to discuss how to make the OS more resilient.
Leading into the meeting, Weston indicated that an examination of Windows crash reports signaled the need to change how kernel drivers are deployed. "Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote in the July 27 post.
Following the September Microsoft summit, CISA last month published its Safe Software Deployment whitepaper, co-authored by the FBI, the Australian Signals Directorate's Australian Cyber Security Centre and the Joint Cyber Defense Collaborative.
Omdia principal analyst Andrew Braunberg says that Microsoft is one of numerous vendors that have issued statements of support for CISA's Secure by Design Pledge. However, it remains to be seen if they will follow through.
"It will be interesting to see if there is any change in behavior from Microsoft and other large software companies because of [Donald] Trump's win [of the U.S. presidential election]," Braunberg says. "These companies may reassess the external benefits of this support given a reduced, or eliminated, CISA under the new administration. There are international drivers for embracing secure-by-design principles, such as the EU Cyber Resiliency Act, but CISA has been the primary advocate in the US."
Nevertheless, Weston described CISA as playing an essential role in determining Microsoft's revamped security and resiliency standards for Windows endpoints. "They are providing a framework for the whole IT industry to ensure that all partners, customers and organizations are able to stay ahead of evolving security threats," he said.
Among the vendors at Microsoft’s summit was CrowdStrike, which signaled it is endorsing Microsoft's Windows Resiliency Initiative. "Microsoft's initiatives build on the discussions CrowdStrike participated in at the Windows Endpoint Security Summit in September, and we welcome innovations that enhance resiliency for our shared customers," a CrowdStrike spokesperson said. "The entire industry benefits when we collaborate to create a more resilient and open ecosystem that strengthens security for all."
Endpoint protection provider ESET is offering conditional support for Microsoft’s initiative. "In general, we support this evolution if it demonstrates measurable improvements to stability, and strongly stress this must be on condition that any change must not weaken security, affect performance, or limit the choice and differentiation between cybersecurity solutions for customers,” says ESET CTO Juraj Malcho.
Shifting to Trusted Apps and Drivers
Because many attacks begin with users who download malicious or unsafe apps and drivers, Microsoft is adding Smart App Control and App Control for Business (the policy engine formerly known as Windows Defender Application Control) to Windows. Weston says the feature uses AI to let administrators apply policies that require verified applications. While Weston noted that Microsoft already offers this through AppLocker, he said it is complicated to manage.
A feature called "robust app control" will ensure that only verified apps can run, eliminating attacks from malicious attachments and socially engineered malware, he added.
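The allow-listing Weston describes is driven by a policy file, and the usual way to roll one out is in audit mode first so that nothing legitimate is blocked before the policy is enforced. The following PowerShell is an added example, not Microsoft's sample code or anything from the Ignite session; it assumes Windows 11 with the built-in ConfigCI module, an elevated session, and a reference machine whose installed software is trusted. The file paths are assumptions for illustration.

```powershell
# Added example: build and deploy an App Control for Business policy in audit mode.
# Assumptions: Windows 11, elevated PowerShell, ConfigCI module present, and a
# reference machine whose installed software represents what should be allowed.
# The paths below are illustrative, not Microsoft's defaults.

$PolicyXml = "$env:USERPROFILE\Desktop\AppControl-Audit.xml"
$PolicyBin = "$env:USERPROFILE\Desktop\AppControl-Audit.cip"

# 1. Scan the reference machine (by default the system drive) and generate rules
#    keyed on the code-signing publisher. Unsigned binaries get a per-file hash rule
#    via -Fallback instead of being silently left out of the policy. -UserPEs
#    includes user-mode executables as well as drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# 2. Turn on rule option 3 (Enabled:Audit Mode). Violations are written to the
#    Code Integrity event log but nothing is blocked yet.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form the kernel's code-integrity engine reads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Load the policy on this machine without a reboot (CiTool ships with Windows 11 22H2+).
CiTool.exe --update-policy $PolicyBin -json

# 5. Run the fleet's normal workload for a while, then review what WOULD have been
#    blocked. Event ID 3076 is an audit-mode violation; 3077 is an enforced block.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message |
    Format-List

# 6. Once the audit log is clean (or its findings are folded into the policy),
#    remove the audit option, recompile, and redeploy to switch to enforcement:
#    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
#    CiTool.exe --update-policy $PolicyBin -json
```

The check a practitioner wants before enforcing is step 5: an empty 3076 list after representative use is the signal that flipping to enforcement will not reproduce, on a smaller scale, the kind of mass outage the initiative is meant to prevent. Publisher-level rules also survive routine vendor updates, which per-file hash rules do not.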
Thwarting Identity-Based Attacks and Overprivileged Accounts
According to Microsoft's Entra ID data, more than 600 million identity attacks occur every day, and 99% of them are password-based. In response, Microsoft has hardened Windows Hello, its multifactor authentication capability that relies on biometrics or a device-bound PIN, and has extended Windows Hello support for passkeys.
Last week, as part of its latest Windows Insider build, Microsoft released a preview of updates to its implementation of the WebAuthn APIs that enable plug-in support for passkeys. In the coming months, Microsoft said, third-party password managers will work with the native Windows passkey provider through Windows Hello.
The new Windows release will also aim to reduce attacks that exploit users with too many privileges and organizations with insufficient privilege controls, a weakness Microsoft's Digital Defense Report found in 93% of the ransomware incidents it examined.
A new feature called Administrator protection gives employees standard user permissions by default "so they can still make Windows systems changes, including app installation, but only when necessary and only after authorizing the change using Windows Hello," Weston said. "Admin protection will be incredibly disruptive to attackers, as they no longer have elevated privileges by default, and it will help ensure that employees do not use malware and remain in control of Windows."
According to Paddington, the new app control approach should help organizations lock down their endpoint. "I think there will be plenty of businesses who still go to third parties because of the flexibility those solutions bring," he says. "But this is a good move by Microsoft to breathe life back into the app control solution."
"For all those functions, I would have liked to see these moves earlier in the Windows 11 releases, but with Windows 10 going end of service next year, the timing works to give more enterprises reasons to move to Windows 11."