Microsoft wants to make Windows drivers more secure

Microsoft plans to improve the security of Windows drivers. Windows interfaces are intended to reduce the number of kernel drivers.


Microsoft considers Windows drivers a security problem and now wants to make them more secure. At the Ignite event, the company gave an outlook on how it envisions this.

Microsoft writes in a corresponding blog post that drivers are to become more resilient in order to avoid IT incidents. The company cites the approach with antivirus software as a successful example: in addition to extensive testing and the preventive setup of "incident response" processes, one very important point is "Out of the kernel!" In this context, Microsoft wanted to provide interfaces that enable antivirus manufacturers to operate outside the Windows kernel, that is, in user space and without kernel drivers. This is a reaction to the CrowdStrike debacle, which last year led to the failure of millions of Windows systems worldwide.

In the blog post, Microsoft discusses that shifting AV software to user mode means that errors will not drag the entire Windows system down with them. They will then only affect the antivirus software. Microsoft wants to expand the "Driver Resilience Playbook" on this basis to the entire Windows ecosystem, beyond the AV scenario. Microsoft summarizes that the company is raising the bar for driver signing and at the same time making it easier to build reliable Windows drivers.

Microsoft provides an overview of the changes. Details will certainly follow, as developers need significantly more precise information. Microsoft explains somewhat vaguely that it is raising the bar for driver signing with new certification tests for security and resilience. Microsoft also wants to expand the range of drivers and APIs that it provides and includes, so that partners can replace self-written, customized kernel drivers with standardized Windows drivers or even move program logic to user mode. The manufacturer expects a significant reduction in kernel-mode code across several driver classes in the coming years, for example in the device classes network, cameras, USB, printers, batteries, storage, and audio.


Support for third-party kernel drivers will continue to be available, especially where there are no Windows-native drivers. Microsoft cites graphics drivers, for example, which must use kernel mode for performance reasons. However, Microsoft wants to set a practical course for improving quality and containing errors before they lead to failures. The measures include mandatory compiler security measures to restrict driver behavior, driver isolation to limit the scope of impact, and DMA remapping to prevent unintentional driver access to kernel memory.

At the sales event Ignite 2025, Microsoft also made further announcements on how the manufacturer intends to make Windows more secure. For example, the forensic and monitoring tool Sysmon from the Sysinternals tool collection will become part of Windows next year.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.