The CrowdStrike catastrophe that took down 8.5 million Windows PCs and servers in July has left many of Microsoft’s biggest customers looking for answers to make sure that such an event never happens again. Now, Microsoft has some answers in the form of a new Windows Resiliency Initiative that’s designed to improve Windows security and reliability.
The Windows Resiliency Initiative includes core changes to Windows that will make it easier for Microsoft’s customers to recover Windows-based machines if there’s ever another CrowdStrike-like incident. There are also some new Windows platform improvements to provider stronger controls over what apps and drivers are allowed to run, and to help allow anti-virus processing outside of kernel mode.
Microsoft has developed a new Quick Machine Recovery feature in light of the CrowdStrike incident that will enable IT admins to target fixes at machines remotely even when they’re unable to boot properly. Quick Machine Recovery leverages improvements to the Windows Recovery Environment (Windows RE).
“In a future event, hopefully that never happens, we could push out [an update] from Windows Update to this Recovery Environment that says delete this file for everyone,” explains David Weston, vice president of enterprise and OS security at Microsoft, in an interview with The Verge. “If there’s one central problem that we need to push to a lot of customers, this gives us the ability to do that from Windows RE.”
Weston has talked to hundreds of customers since the Crowdstrike debacle, and they’re all asking for better recovery tools, improved deployment practices from security vendors, and improved resiliency from Windows itself to ensure the events that transpired in July never repeat themselves.
“Every one of them is saying I owe my board a response on how this doesn’t happen again,” says Weston. Microsoft is now requiring that security vendors that are part of the Microsoft Virus Initiative (MVI) take specific steps to improve security and reliability. These steps include better testing and response processes, alongside safe deployment practices for updates to Windows PCs and servers — including gradual rollouts and monitoring and recovery procedures.
Microsoft has also been working with its MVI partners to enable anti-virus processing outside of the kernel. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system that has unrestricted access to system memory and hardware. This deep kernel access allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.
“We’re developing a framework that [security vendors] want to use and they’re incentivized to use, now it has to be good enough to fill their use case,” explains Weston. Microsoft is now developing this new framework, and a preview of it will be available in private to Windows security partners in July 2025.
“It’s a significant technical challenge to centralize this and meet everyone’s requirements, but we have really experienced people across endpoint detection and the kernel space,” says Weston. At Microsoft’s Windows Endpoint Security Ecosystem Summit in September the company had kernel architects from the Windows team in attendance to talk directly to security vendors like CrowdStrike about moving scanning outside of the kernel.
Ultimately it’s up to Microsoft to secure Windows down further, and to provide a framework that works well for security vendors, too. “We sort of control physics here. We can change the memory manager or the driver framework, and we don’t have to abide by the rules that a third-party developer would,” says Weston. “That’s why I’m bullish on our ability to execute here.”
Image: Microsoft
Alongside the resiliency improvements, Windows 11 is also getting administrator protection soon. It’s a new feature that lets users have the security of a standard user, but with the ability to make system changes and even install apps when needed. Administrator protection temporarily grants admin rights for a specific task once a user has authenticated using Windows Hello and then removes them straight after a system change is made or an app is installed. “Windows creates a temporary isolated admin token to get the job done. This temporary token is immediately destroyed once the task is complete, ensuring that admin privileges do not persist,” says Weston.