Microsoft isn’t going to evict security vendors from the Windows core anytime soon

While Microsoft is taking steps to provide an alternative way for endpoint security vendors to work in Windows after the massive outage in July, there are no signs that this new option will become mandatory in the near future.
This week, Microsoft confirmed that it is doing the reasonable thing after the massive outage in July that crippled millions of its Windows devices worldwide: it is making some changes.

Notably, however, these changes do not include kicking vendors out of the Windows core. Access to the kernel – the core of the Windows operating system – is what allowed a faulty CrowdStrike Falcon update to send 8.5 million Windows devices into a “blue screen of death” state, leading to major societal disruption that lasted for several days.


So what is Microsoft doing, exactly? For starters, the tech giant is providing a way for IT administrators to deploy patches to Windows devices even when those devices can’t boot. The impact of the July outage would likely have been greatly reduced if this sort of capability had been available at the time, as the need to manually patch every affected Windows system was the reason the recovery took days instead of hours.

For the cybersecurity industry, however, there are greater implications in the second message from Microsoft this week. In response to calls for Microsoft to offer an alternative to kernel access for security vendors, Windows security chief David Weston confirmed that such an option is indeed in the works.

“We are developing new Windows features that enable security product developers to build their products outside of the core mode,” Weston wrote in his post Tuesday.

As a result, security tools will be able to run in the same part of the operating system that applications do, known as “user mode”.

Two things struck me about the announcement, though.

One is that there was no indication that Microsoft is considering making this user-mode option the only option, effectively excluding security vendors from the kernel. At least not soon.

In the wake of the outage, several security vendors (not just CrowdStrike) have argued that core access is critical to what they do and therefore a non-negotiable component of cybersecurity.

For example, Sophos CEO Joe Levy told me that core access is critical because all endpoint security vendors battle cyber adversaries who want to disable their tools.

“They want to shut us down, or uninstall us, or defeat our ability to do the monitoring and process control that we need to do to stop malware from running, to stop ransomware from executing,” Levy said. “So we have to operate at the core level to defend against evasion or eviction.”

Microsoft has yet to provide details on its plans for the “user mode” alternative to kernel access. So at this point, it’s not clear whether new features that let security tools work entirely outside of the kernel can solve the problem Levy describes here.

(I’ve contacted Microsoft and will update this post if I hear back.)

The other thing that struck me is that Microsoft isn’t exactly in a rush to provide these new features.

Security vendors will have to wait until next July to test them, when Microsoft plans to launch the features as a private preview. And there’s no word yet on when this new option might be ready for prime time.

Perhaps none of this should be surprising.

I recently spoke with Eric Grenier, director analyst at Gartner focused on endpoint security, who in his former life was director of endpoint engineering at Yale University.

In other words, Grenier knows from personal experience how the Windows world works. And most of its big moves are gradual.

“Major changes take years in the Windows world,” he said during our interview (which in its entirety predates Microsoft’s announcement this week but still seems applicable).

“Part of it has to be recoding Windows to some degree. Part of it has to be the vendors recoding their platforms,” Grenier told me. “And all of that takes time.”