Microsoft Moves to Take Antivirus Software Out of the Windows Kernel

Fri 27th Jun, 2025

In a significant development, Microsoft has announced a platform that will let antivirus and endpoint-protection software run outside the Windows kernel. The move follows the July 2024 CrowdStrike incident, in which a faulty update to the kernel-mode Falcon sensor crashed millions of Windows systems, many of them into boot loops that could only be fixed by hand. The security-relevant lesson is that a driver running in the kernel shares the kernel's fate: a bug in it takes down the whole operating system, not just the product.

Microsoft's announcement was made in a blog post detailing the progress of the 'Windows Resiliency Initiative' (WRI), which was launched at the Ignite 2024 conference. One key feature of this initiative is the Quick Machine Recovery (QMR) mechanism: when a device repeatedly fails to boot, it drops into the Windows Recovery Environment, connects to the network and retrieves a remediation that Microsoft can deliver through Windows Update, instead of waiting for an administrator with physical access. QMR has been testing in Windows Insider preview builds since April and is expected to be available to all Windows 11 devices on the 24H2 update by the summer.

Moving antivirus software out of the kernel represents a major shift in how security software operates within Windows. Microsoft is also working with partners through the 'Microsoft Virus Initiative' (MVI) on ways to make the platform more resilient without weakening security. This work has evolved into the 'MVI 3.0 Program', which sets out specific obligations for partner companies.

Among the new requirements, partners must establish and test incident response processes and adhere to Safe Deployment Practices (SDP) for updates to their Windows products. Microsoft stresses that security updates should be rolled out in stages and monitored closely so that a bad release reaches as few machines as possible before it is stopped. This mirrors how Microsoft already stages its own updates, for example through Windows Autopatch, and is intended to improve stability and recovery times for enterprises that depend on Windows. A staged rollout only helps if each stage is gated on the right signal: for a kernel-mode component the failure mode is a crash or boot loop, so the gate has to watch crash and boot telemetry from the hosts that already received the update, not just the count of successful installs.
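To make the staging idea concrete, here is an added illustration of a ring-based rollout gate of the kind SDP calls for. It is not Microsoft's, CrowdStrike's or any vendor's code; the ring names, ring sizes, thresholds and the per-host telemetry records are all constructed assumptions for the example. The gate halts the rollout as soon as the failure rate in the current ring exceeds a budget, waits until enough hosts have reported and the update has soaked for a minimum time, and only then advances to the next ring, so a bad update is stopped after a handful of hosts rather than after the whole fleet.

```python
"""Ring-based rollout gate in the spirit of Safe Deployment Practices.

Added illustration, not code from Microsoft or any security vendor. Ring names,
sizes, thresholds and the telemetry events below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed policy values; in practice these are a release-engineering decision.
RINGS = ["canary", "early", "broad", "all"]
MAX_FAILURE_RATE = 0.005    # halt if more than 0.5 % of reporting hosts in a ring failed
MIN_REPORT_FRACTION = 0.9   # do not clear a ring until 90 % of its hosts have reported
MIN_SOAK_HOURS = 24         # and until the update has been live for at least a day
BAD_STATUSES = {"crash", "boot_failure"}   # the signals that matter for a kernel component


@dataclass
class RingReport:
    name: str
    hosts: int          # hosts assigned to the ring
    reported: int       # hosts that sent telemetry after the update
    failed: int         # hosts that reported a crash or boot failure
    soak_hours: float   # longest time any host in the ring has run the update

    @property
    def failure_rate(self) -> float:
        return self.failed / self.reported if self.reported else 0.0


@dataclass
class Decision:
    ring: str
    action: str         # "advance", "wait" or "halt"
    reason: str


def summarize_ring(name: str, hosts: int, events: Iterable[dict]) -> RingReport:
    """Reduce per-host telemetry events (constructed dicts here) for one ring."""
    reported = failed = 0
    soak = 0.0
    for ev in events:
        if ev["ring"] != name:
            continue
        reported += 1
        if ev["status"] in BAD_STATUSES:
            failed += 1
        soak = max(soak, ev["hours_since_update"])
    return RingReport(name, hosts, reported, failed, soak)


def gate(report: RingReport) -> Decision:
    """Decide whether the rollout may move past this ring."""
    # A halt takes precedence: even a partial sample with too many failures stops the rollout.
    if report.reported and report.failure_rate > MAX_FAILURE_RATE:
        return Decision(report.name, "halt",
                        f"{report.failed}/{report.reported} hosts failed "
                        f"({report.failure_rate:.2%} > {MAX_FAILURE_RATE:.2%})")
    if report.reported < MIN_REPORT_FRACTION * report.hosts:
        return Decision(report.name, "wait",
                        f"only {report.reported}/{report.hosts} hosts reported")
    if report.soak_hours < MIN_SOAK_HOURS:
        return Decision(report.name, "wait",
                        f"soak {report.soak_hours:.0f}h < {MIN_SOAK_HOURS}h")
    return Decision(report.name, "advance",
                    f"failure rate {report.failure_rate:.2%} within budget")


def run_rollout(ring_sizes: dict, events: list) -> list:
    """Walk the rings in order and stop at the first ring that is not cleared."""
    decisions = []
    for name in RINGS:
        decision = gate(summarize_ring(name, ring_sizes[name], events))
        decisions.append(decision)
        if decision.action != "advance":
            break
    return decisions


def hosts_exposed(decisions: list, ring_sizes: dict) -> int:
    """Hosts that received the update before the rollout stopped (or all, if it completed)."""
    return sum(ring_sizes[d.ring] for d in decisions)


# Constructed sample data: ring sizes and synthetic telemetry for two scenarios.
RING_SIZES = {"canary": 50, "early": 1_000, "broad": 50_000, "all": 1_000_000}


def make_events(ring: str, hosts: int, failures: int, hours: float) -> list:
    return [{"ring": ring, "status": "crash" if i < failures else "ok",
             "hours_since_update": hours} for i in range(hosts)]


# Scenario A: healthy canary that soaked for 30 h; the early ring is still filling in.
HEALTHY = make_events("canary", 50, 0, 30) + make_events("early", 400, 1, 3)
# Scenario B: a bad update that crashes half the canary hosts within the first hour.
BAD_UPDATE = make_events("canary", 50, 25, 1)

if __name__ == "__main__":
    for label, events in (("healthy", HEALTHY), ("bad update", BAD_UPDATE)):
        decisions = run_rollout(RING_SIZES, events)
        print(f"{label}: exposed {hosts_exposed(decisions, RING_SIZES)} of "
              f"{sum(RING_SIZES.values())} hosts")
        for d in decisions:
            print(f"  {d.ring:6} {d.action:8} {d.reason}")
```

In the bad-update scenario the gate halts at the canary ring, so 50 hosts are affected instead of the whole fleet of just over a million; in the healthy scenario the canary is cleared and the rollout waits on the early ring until enough hosts have reported. The same structure applies to content and signature updates, which is where the CrowdStrike failure originated.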

Next month, Microsoft plans to give a private preview of the Windows Endpoint Security Platform to selected MVI partners. The platform is meant to let security products run outside the Windows kernel, in user mode like ordinary applications, while Microsoft supplies the visibility and controls they need from the kernel. Microsoft's argument is that a crash in a user-mode security product takes down that product rather than the operating system, and that it can be restarted, rolled back or updated without a reboot, which gives vendors more reliable releases and simpler recovery when something goes wrong.

The history matters here. Nearly two decades ago, 64-bit Windows Vista introduced Kernel Patch Protection (PatchGuard), which blocks third-party code from patching the kernel; after protests from security vendors, Microsoft added supported kernel APIs that give security drivers the access they need, and antivirus products have relied on that kernel-mode footprint ever since. The new platform is intended to make that footprint unnecessary. The announcement describes a user-mode alternative; it does not set a date for withdrawing kernel access from existing security drivers.

Additionally, as part of the WRI, Microsoft is changing the appearance of the infamous 'Blue Screen of Death' (BSOD): the crash screen will be black instead of blue, with a shorter message that keeps the stop code and the name of the faulting driver, the two details an administrator needs to start triage.

