Microsoft to Restrict Antivirus Access to Windows Kernel After Major Outage

Microsoft is changing how the Windows operating system hosts antivirus and endpoint detection and response (EDR) products: instead of loading them as kernel-mode drivers, it is building a platform that lets them do their work outside the kernel. The shift is a direct response to the large-scale outage of July 2024, caused by a faulty content update from cybersecurity provider CrowdStrike.

The incident, which affected approximately 8.5 million Windows machines worldwide, stemmed from the kernel-mode component of CrowdStrike's Falcon sensor: the bad update made that driver read memory it should not have, and because a fault in kernel mode cannot be contained by a process boundary, the result was a system crash (bugcheck) rather than a single crashed program, with many machines then crashing again on every reboot. To reduce the blast radius of such defects, Microsoft announced a new endpoint security platform on which security products run in user mode, like ordinary applications, where a bug crashes the product itself rather than the whole machine. The trade-off practitioners should keep in mind is that a user-mode agent depends on the operating system to supply the telemetry and enforcement hooks it previously obtained from inside the kernel, and it is more exposed to tampering by an attacker who already has administrative rights; how well the platform provides those hooks and protects the agent will determine whether detection quality holds up.

Rather than unilaterally enforcing this transition, Microsoft is designing the platform together with security vendors in its Microsoft Virus Initiative (MVI) partner program, including Bitdefender, ESET, Trend Micro, and CrowdStrike itself. A private preview of the new platform is expected to launch next month.

If the approach proves successful, Microsoft plans to extend it beyond antivirus and EDR products. The company says it is evaluating similar treatment for other categories of third-party kernel-mode code, such as device drivers and the anti-cheat systems used by games, since any of these can crash the system in the same way.

This move marks a major change in how Windows manages low-level third-party software, with the aim of keeping a defect in a single vendor's product from becoming a global outage.