Microsoft And Security Vendors Redesign Windows Architecture After CrowdStrike Outage To Improve Software Resilience

Microsoft and a group of cybersecurity vendors are working on a large-scale redesign of how security software operates within Windows, aiming to significantly improve system resilience and reduce the risk of widespread outages caused by third-party applications. The initiative, known as the Windows Resiliency Initiative, represents one of the most extensive architectural changes to the operating system in years and is expected to take several years before delivering full results to customers. The effort was launched following a major global disruption in 2024, when a faulty update from CrowdStrike caused millions of Windows machines to crash, affecting airlines, hospitals, financial institutions, and government services.

The 2024 incident exposed the critical risks of allowing third-party security software to operate inside the Windows kernel, the most privileged and sensitive part of the operating system. The kernel manages system-level functions such as memory allocation, hardware communication, and process control, which is why performance-sensitive and security applications that need deep system access have depended on it. Security vendors have traditionally used kernel-level access to gain full visibility into system activity, enabling tools such as endpoint detection and response (EDR) systems and antivirus platforms to detect and block threats in real time. However, the same level of access also means that any faulty update or error can cause system-wide failures, as seen during the CrowdStrike outage, which triggered widespread crashes and operational disruptions globally.

Following the incident, Microsoft began working more closely with security vendors to rethink how such software should interact with Windows. The company has stated its intention to move many security functions out of kernel mode and into user mode, a less privileged environment that limits system-wide risk. Microsoft also introduced gradual update deployment requirements for security software to minimize the impact of faulty updates. In addition, it has been developing new system capabilities designed to let security developers maintain strong protection features without relying on kernel-level access, while also improving system recovery options in the event of failures.
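The gradual update deployment requirement mentioned above is a resilience control rather than a detection feature: an update reaches a small population first and is only promoted further while crash telemetry stays healthy, so a faulty build is stopped before it reaches the whole fleet. The following is an added illustration of that idea, not Microsoft's or any vendor's code. The ring names, ring sizes, crash-rate gate and telemetry callbacks are all constructed for the example.

```python
"""Ring-based (staged) rollout with a crash-rate gate.

Added example of the principle behind gradual update deployment. Nothing here
is Microsoft's or a vendor's implementation; rings, thresholds and telemetry
values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class Ring:
    """A deployment ring: a named slice of the fleet that receives the update together."""
    name: str
    hosts: int


@dataclass
class RolloutResult:
    completed: List[str] = field(default_factory=list)  # rings fully updated
    halted_at: Optional[str] = None                     # ring where the gate tripped
    reason: Optional[str] = None
    exposed_hosts: int = 0                              # hosts that ever received the update


# Telemetry callback: given a ring, report how many of its hosts crashed after the update.
Telemetry = Callable[[Ring], int]


def crash_rate(crashes: int, hosts: int) -> float:
    """Fraction of hosts in a ring that crashed; an empty ring contributes no signal."""
    if hosts <= 0:
        return 0.0
    return crashes / hosts


def staged_rollout(rings: Sequence[Ring], telemetry: Telemetry,
                   max_crash_rate: float = 0.001) -> RolloutResult:
    """Push the update ring by ring, promoting only while the crash rate stays under the gate.

    Each ring is exposed before its telemetry is known, so the blast radius of a bad
    update is bounded by the size of the first ring that trips the gate, not the fleet.
    """
    result = RolloutResult()
    for ring in rings:
        result.exposed_hosts += ring.hosts
        rate = crash_rate(telemetry(ring), ring.hosts)
        if rate > max_crash_rate:
            result.halted_at = ring.name
            result.reason = (f"crash rate {rate:.4%} in ring '{ring.name}' "
                             f"exceeds gate {max_crash_rate:.4%}")
            return result  # stop promotion; later rings never receive the update
        result.completed.append(ring.name)
    return result


# Constructed fleet: a tiny canary ring, an early-adopter ring, then everyone else.
RINGS = [Ring("canary", 100), Ring("early", 10_000), Ring("broad", 1_000_000)]
FLEET_SIZE = sum(r.hosts for r in RINGS)


def healthy_telemetry(ring: Ring) -> int:
    """Constructed: background crash rate of about 1 in 100,000 hosts."""
    return ring.hosts // 100_000


def faulty_telemetry(ring: Ring) -> int:
    """Constructed: the update crashes every host it reaches (the 2024 failure mode)."""
    return ring.hosts


if __name__ == "__main__":
    ok = staged_rollout(RINGS, healthy_telemetry)
    print("healthy build:", ok)
    bad = staged_rollout(RINGS, faulty_telemetry)
    print("faulty build:", bad)
    print(f"blast radius limited to {bad.exposed_hosts} of {FLEET_SIZE} hosts")
```

The gate is evaluated after each ring rather than once at the end, which is what turns a fleet-wide failure into a canary-sized one; in practice the telemetry source would be boot-health or crash reports collected with a soak period between rings.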

The project is being coordinated through Microsoft’s existing Microsoft Virus Initiative, which has been updated to MVI 3.0 as part of the broader Windows Resiliency Initiative. Around 100 security companies are part of the program, although only a smaller group of roughly a dozen major vendors is directly collaborating with Microsoft on kernel-related changes. These include Bitdefender, CrowdStrike, ESET, SentinelOne, Sophos, Trellix, Trend Micro, and WithSecure. The collaboration involves reviewing decades of code, mapping product functionality, and redesigning how security tools interact with Windows through new application programming interfaces (APIs). Microsoft is developing these APIs in parallel with vendor input, creating a highly iterative engineering process that requires continuous coordination between multiple security providers and the operating system team.

Experts involved in the initiative have described the project as highly complex because of the technical differences between kernel-mode and user-mode operation. Security tools running in user mode have less control over the system and may experience delays when accessing system functions, which could impair their ability to respond quickly to threats such as ransomware or fast-acting malware. Kernel-level tools, by contrast, offer greater speed and control but pose a higher risk if they fail. Industry specialists have noted that completely removing security software from the kernel may not be feasible without significant redesign or reduced protection capabilities, so a hybrid model is widely expected to emerge.

Microsoft and its partners are still evaluating how to balance system performance, security effectiveness, and resilience. While timelines for the new APIs and full deployment remain unclear, early discussions indicate that the transition will be gradual and ongoing. Industry observers expect that kernel-based and user-mode security solutions may coexist, with vendors potentially adopting phased migration strategies depending on product complexity and risk requirements.
