Microsoft summit plots end of kernel access for EDR security clients
Microsoft has dropped heavy hints that the way security products interact with the Windows kernel, the critical core of the platform, is about to change, spurred into action by the July IT outage in which a faulty CrowdStrike update crashed millions of Windows machines.
For security vendors, the ability to load kernel-mode (ring 0) drivers matters: that is where EDR sensors hook file, process and network activity today, and it is also why a bug in such a driver can take the whole machine down, as happened in July. If Microsoft removes that access, as Apple did for macOS when it deprecated third-party kernel extensions in favour of user-space system extensions in 2019, their products will need substantial redesign to deliver the same protection from a lower privilege level.
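As an added practitioner check (not code from the article, Microsoft or any vendor it mentions), the script below inventories which security components on a Windows host currently depend on kernel-mode code: the file-system minifilters registered in the altitude range Microsoft assigns to anti-virus and EDR products (320000 to 329999), and the signer of every running kernel driver. It assumes an elevated PowerShell session, since fltmc requires administrator rights; the function names and the output format are this example's own.

```powershell
# Added example: list kernel-mode security components on this host.
# Assumes an elevated PowerShell session (fltmc needs administrator rights).

function Get-SecurityMinifilter {
    # Parse 'fltmc filters'. Each data row is: Name  NumInstances  Altitude  Frame.
    # Header, separator and blank lines do not match the pattern and are skipped.
    fltmc filters | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
            }
        }
    } | Where-Object {
        # FSFilter Anti-Virus altitude range documented by Microsoft.
        $_.Altitude -ge 320000 -and $_.Altitude -lt 330000
    } | Sort-Object Altitude -Descending
}

function Get-RunningDriverSigner {
    # Enumerate running kernel drivers and report who signed each binary.
    Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object {
        # Normalise the NT-style paths that some services store.
        $path = $_.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot', $env:SystemRoot `
                            -replace '^System32', "$env:SystemRoot\System32"
        $signer = 'unknown'
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') { $signer = "$signer [$($sig.Status)]" }
        }
        [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer }
    }
}

'== Anti-virus / EDR minifilters (kernel mode) =='
Get-SecurityMinifilter | Format-Table -AutoSize

'== Running kernel drivers not signed by Microsoft =='
Get-RunningDriverSigner |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize
```

The second table is the one to read after any kernel-access change ships: a third-party EDR that has moved to user mode should disappear from it, while anything that remains is still a ring 0 dependency whose faults can crash the host.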
What is not yet clear is what form any change will take, or on what timescale. Hanging over this is whether Microsoft's own Defender will be affected or spared. Although it is not as fully featured as independent endpoint detection and response (EDR) clients, it would presumably continue to operate at kernel level.