Microsoft mulls restricting third-party access to Windows kernel after CrowdStrike outage

A faulty update sent 8.5 million Windows PCs to BSOD




Key notes

  • A faulty CrowdStrike driver caused a major Windows Blue Screen of Death (BSOD) issue.
  • Microsoft confirmed the problem was due to a memory error in the driver.
  • Most affected PCs are now fixed.

Following the “worst IT outage in history” caused by a faulty CrowdStrike update that affected 8.5 million PCs, Microsoft is advocating for changes to enhance Windows’ resilience and is considering restricting security vendors’ access to the Windows kernel.

In a new incident response post, the Redmond tech giant says that two ways to prevent similar outages in the future are for vendors to minimize their use of kernel mode and for customers to make full use of the security features built into Windows.

The outage was triggered by a faulty update to CrowdStrike’s CSagent.sys driver, which led to memory access violations and system boot loops. Microsoft’s analysis confirms CrowdStrike’s findings, noting that kernel-mode drivers, while providing crucial system visibility and tamper resistance, can cause significant issues if errors occur, because a crash in kernel mode takes down the whole system rather than a single process.

The company is also considering restricting third-party access to the Windows kernel, which is the core of the operating system, to prevent similar issues in the future. A similar attempt was made during Windows Vista days back in 2006, but it fell through due to criticism from cybersecurity vendors and EU regulators.

In another blog post, Microsoft also urges resiliency in the Windows ecosystem.

Microsoft has mobilized over 5,000 support engineers and is sharing updates on its Windows release health dashboard. It advises businesses to have solid business continuity and incident response plans, back up data regularly, be able to restore devices quickly, follow safe update practices, and consider cloud management solutions.

The company also says that it plans to implement advanced security measures like Virtualization-Based Security (VBS) and zero-trust approaches. Most affected PCs are now operational, and Microsoft aims to improve system resilience going forward.