
Microsoft OS Security CVP Weston Is Working With Competitors To Improve Deployment Practices. Here’s Why.

By CRN
June 27, 2025


‘Windows isn’t just a product. It is an ecosystem. And that’s the secret to our success. And we look at ourselves as the caretakers of that ecosystem,’ says Dave Weston, Microsoft’s corporate vice president of enterprise and OS security.

Microsoft security competitors enrolled in the latest version of the Microsoft Virus Initiative are improving their safe deployment practices.

And that’s by design for David Weston, Microsoft’s corporate vice president of enterprise and OS security. The executive told CRN in an interview that Microsoft Virus Initiative membership comes with a commitment to testing incident response processes and following software-defined perimeters, whether in user mode or kernel mode, to prevent a widespread incident such as last year’s faulty CrowdStrike update that downed millions of Windows machines.

“Yes, we compete with the vendors,” Weston said. “But in the context of Windows, it is really a community. And it’s in our best interest overall to make them successful.”


Microsoft Windows Security

Bobby Guerra, CEO of Jacksonville, Fla.-based Microsoft solution provider Axiom, told CRN in an interview that Microsoft still has investments it should make in its first-party tools to help partners better secure and manage clients.

Microsoft should invest in more partner control over endpoints through its Intune offer, for example, Guerra said. The vendor should also make Intune more responsive with insight into what is happening behind the scenes.

“You should be able to fully manage servers and workstations with Intune,” Guerra said. “You should have total control of [multifactor authentication].”

A simpler way to monitor tenant baselines and receive drift alerts plus moving all Purview options into Business Premium plans instead of locking them behind E5 licenses are other areas where Guerra could see Microsoft improving how partners administer security to clients.

After the Windows outage incident, Microsoft wanted to assure customers that it and its ecosystem are working to prevent a future incident of that magnitude.

Part of the safe deployment practices the Redmond, Wash.-based company requires is gradual security product updates and leveraging deployment rings to prevent “false assumptions” about geolocation, hardware and other factors, Weston said. Microsoft Virus Initiative members must also show incident plans, better monitoring to minimize negative effects, and more transparency with customers.

“Windows isn’t just a product,” Weston said. “It is an ecosystem. And that’s the secret to our success. And we look at ourselves as the caretakers of that ecosystem.”

Here’s more of what Weston had to say to CRN about changes made since 2024’s mass Windows outage.

What do you want partners and end users to know about the work Microsoft is doing after the CrowdStrike update incident?

It’s been about a year since CrowdStrike. And obviously that was a transformative event in a lot of ways.

While customers may not blame Microsoft, they are looking for Microsoft to make changes to help make sure it doesn’t happen again.

We’ve heard the feedback loud and clear. And we want to show people what we’re doing about it.

In September of last year, shortly after the incident, we got the community of endpoint security vendors that work in the Windows ecosystem together to say we have got to make sure this doesn’t happen again.

Windows isn’t just a product. It is an ecosystem. And that’s the secret to our success. And we look at ourselves as the caretakers of that ecosystem.

Yes, we compete with the vendors, etc. But in the context of Windows, it is really a community. And it’s in our best interest overall to make them successful.

We defined a new set of requirements around what we call safe deployment practices. Which, frankly, is the most important thing you can do—whether you’re using user mode, kernel mode.

Safely updating software is critical. Safe deployment means doing it in rings, a little bit at a time, making sure you have the right distribution so you’re not making false assumptions about geolocation, hardware, etc. And we also had people focus on developing incident plans and ultimately creating more transparency with customers.

We’ve successfully pushed dozens of our vendors to meet those requirements. Some others have that ongoing. But we have really made good on that.

What should partners know about the Microsoft Virus Initiative?

To be a member in good standing, you’ve got to comply with [the new security requirements]. For some folks, that’s taking longer. It might be code changes, architectural changes. But we have had dozens of folks who have now met that. And we’re looking forward to getting to completion there in the near future.

Let’s increase resiliency. Let’s increase transparency. And that’s what our customers asked us for. They’re like, ‘I want to know what my vendor is doing. I want to know that I feel safe with this vendor. I want to know that Microsoft feels good about the requirements.’ And so we did that.

We did hear loud and clear that our customers, governments, other folks felt like, ‘We want an alternative to kernel mode. The stakes are high from a crash or software flaw in kernel mode. We understand why you’re there from a security perspective, but we want alternatives.’

We have worked on that. We announced that at Ignite [Microsoft’s annual conference], that we would have this Windows endpoint security platform available.

We’ve spent the last months collaborating closely with folks. … We literally had dozens of vendors send us specifications on what they wanted to see to move out of kernel mode, some of them hundreds of pages long.

We’ve actually built this with the community. When they sent us stuff, we said, ‘That’s a great idea. We should implement it that way.’ With the idea that even if it takes us a little longer to build with this collaborative approach, it’s going to save time in the long run because we’re not going to build the wrong thing.

What stage is Microsoft at in unveiling this Windows endpoint security platform?

We’re going to get this private preview out. It’s not enough to build a whole platform on. But what we do want to do is make sure that what we built, based on those pages, is meeting expectations, that the vendors can kick the tires and say, ‘We’re ready for more. You’re in the right direction. Now, we just need more capabilities.’

This first drop has the MVP [minimum viable product]. And we’ll spend several months allowing people to give us feedback while in parallel building additional functionality.

But we want to make sure we’re … not tone deaf. We’re not sitting in an ivory tower.

This is a level playing field. [Microsoft] Defender is just another vendor there. Windows is about much more than just any one product.

If we want to get full participation of the community, it has to be equal and transparent. And we’ve operated that way.

We operate with Defender just like we would CrowdStrike or ESET or any of the other partners. And so we feel pretty good about that.

How should Microsoft partners think about resiliency along with security?

We kicked off this resiliency initiative to basically create intensity in the product group around rethinking resiliency.

We want to make resiliency a first-class value proposition in Windows.

Clear communication in our crashing system … we’ve revamped the UI. That’s not just to make things pretty aesthetically. In the aftermath and the fog of war of CrowdStrike, there was a lot of confusion about what was going wrong. And that’s not uncommon. There have been other incidents like that.

So just creating clarity for the IT managers, for the users, so everyone can say, ‘This is what seems to be going on.’ And communicate that in clear, human terms for the layperson is actually a net benefit.

It helps us respond faster, get to the root cause faster and get a shared understanding. So we actually spent a lot of time thinking through how to communicate that, what information needs to be there.

It seems small on the surface, but I actually think this could save us in future incidents.

What should partners know about the quick machine recovery capability becoming generally available this summer?

I love QMR. I actually led the CrowdStrike incident response for the company. That was a long couple days without sleep and a lot of stress. If I had QMR during that time, boy, I would have loved things.

It gives us a safe space, figuratively and literally. In the event of multiple crashes, the machine now reboots into this recovery environment. [It] connects to Windows Update—arguably one of the most [mission]-critical systems on the planet—and says, ‘Is there anything you want to send to me so I can get this machine back up and running?’

If we were to take this back in time to CrowdStrike, we could have deleted the channel file and done an update all from Windows Update.

One of the pain points that we heard from our customers is, ‘Microsoft, it was cool that you gave us a way to fix this. But we had to fly out on helicopters to oil rigs. … We need a better way to do this in a geo-distributed world.’

[The CrowdStrike incident], not our fault, but certainly we are looking at this opportunity to learn and make our platform and our product better. QMR is evidence of that. … It’s based on our experience and our scars there.

A couple other things that are just really cool: hot patching … the less reboots, the more frequently people can apply updates, the more streamlined the process is.

Connected cache, very similar. We live in a world where not everybody has Gigabit download. … Upgraded systems are easier to stay resilient and recover.

We’re bit by bit looking at what are the highest ROI areas for us in terms of your resiliency and working against that road map.

[We are] not spiking the football [yet], especially on the Windows endpoint security platform. We’ve still got a ways to go. But most importantly, I feel like we have a good, sustainable, collaborative way of working. And I’m excited about that.

A lot of people wouldn’t think you could get Defender, SentinelOne, CrowdStrike, all these people engaging. And we proved that that’s totally possible and that this ecosystem is mature, professional enough to let you put the customer first.

What’s been the hardest part of getting to this point with the Windows endpoint security platform?

There’s a reason things were in kernel. And that is honestly for performance and systemwide views and security.

We want people to be resilient. But we can’t do that at the cost of security.

There have been a lot of armchair quarterbacks out there [saying], ‘Why are things in the kernel?’ Frankly, you can just as easily tank a machine from user mode as you can from kernel. Think about deleting a file or locking an operation. How many times has your machine [frozen] and now you’ve got to go and reboot it? And if that’s out on an oil rig, you’re right back in the same situation.

We have to think through things like, what happens when a kernel process now falls back to user mode and the user mode [process] gets caught thinking, ‘How do we recover the system?’

Listening to people’s ideas and then saying, ‘Here’s the problem we see with that.’ And then having that dialogue back and forth and now multiplying that times all the 80 vendors we want to hear from, that gives you a flavor for the complexity of the project.

It’s all valid ideas. But we’ve got to make sure everybody is synchronized on what the pros and cons of every approach are, make people feel heard and then pick a consensus direction.

Is it too bold to say with this platform a CrowdStrike-like event won’t ever happen again?

The goal is increased resiliency. Yeah, we don’t want incidents like this in the future. [But it] is only one tool in the overall toolbox.

If you think about security, we say ‘defense in depth.’ I would argue that we need a resiliency in depth approach. Faster recovery, prevention. Think of it like a funnel. Every piece that funnel takes off, yet another risk.

That’s a little more the way we’re looking at it from an engineering perspective. It’s such a complex system, you should not bet on one layer. That’s why we’ve got so many.

The safe deployment practices are cross-cutting. If you ship out a bad AV [antivirus] signature, delete a system file from user mode, you’re going to be right back in one of those situations.

But if you have safe deployment practices, regardless of what the issue is, you’re only going to impact a small part of your population. And if you have things like AI-driven automatic rollback … that becomes almost a nonissue. And that is completely independent of what’s happening in the operating system.

We want all these things working together. That’s what’s going to give us that resilience.

Is the goal no kernel access?

For the short term, and even medium term, you’ll still need kernel access. Our goal right now with the endpoint security platform is to give an alternative to endpoint vendors in the AV and EDR [endpoint detection and response] space. There’s still DLP [data loss prevention], network stuff.

We’re focusing on what we think is the broadest problem right now. And we’re going to push there.

Right now, this is totally optional. … Customers want it. There are many CISOs and C-level people are like, ‘Hey, Dave. Tell me when this is available because I’m going to put it in my RFP.’

And so great customer demand triggers market response. As a result, most of the vendors are like, ‘Our customers are asking for this. How do we get this thing good enough that we can move to it?’

That’s the good part. This is really coming now from customer demand. People have their boards come to them and say, ‘How are you going to make sure this doesn’t have this again?’

And their response is, ‘I’m going to move to this version of Windows or this vendor that’s got these security and resiliency features.’

We basically want to fulfill that market demand at this point. And so as fast as we can put it [out], people will transition to it.

They should view Defender just like they should any other product—how are we going to increase resiliency and make sure that is a selling point of value proposition to Defender?

That’s where I would push the partners, is to make sure they’re educated on what’s possible and what the road map is in Defender.

If we’re hearing we want more and more resilience or want more understanding of transparency, and that’s going to translate to happier customers, that’s a good thing for us to have a bidirectional conversation about.

At the end of the day, they’re all Windows customers.

I am obviously from Microsoft, but I feel very agnostic. The success of the platform is actually a very vibrant ecosystem of lots of choices. That’s what is the secret to Windows’ success.

Monoculture is not what we’re after. We’re after a level playing field and letting the best parts win.

Will this help solution providers with upgrading customers to Windows 11 and maybe even selling new PCs?

Most of this recovery and resiliency initiative is pertaining to Windows 11 because that is the supported operating system for the future.

We’ve been pretty vocal about end of life [for Windows 10 in October]. We’ve also been really vocal, in my opinion, around the innovations that come from Copilot+ PCs with AI support and the benefits to security and resiliency.

We’re doing our best not only to get the ecosystem moved but to give them compelling reasons to do it. The WRI [Windows Resiliency Initiative] is just one more compelling reason.

The differentiator for Windows has always been customer choice and configuration management, etc. Which has also made opportunities and value propositions for MSSPs and partner providers—systems integrators, who really know how to tailor that operating system to be a full solution for customers.

The partners can rest assured when it comes to WRI or these security things, not only are we building it with a full feature set of options that allow these solution vendors to make the best product for the customers. But we’re always listening for what we missed.

[With Windows 11], we’re able to do quicker releases multiple times a year. We can deliver features as updates.

We are deeply invested in our partners’ success. And we’re open for business in terms of how to continue that.

Will more security vendors join the Microsoft Virus Initiative over time?

The program is binary in the sense of, when we have a requirement, you either meet it or you don’t.

This is ultimately about customer trust requirements, transparency. If you can’t meet the resiliency requirements, you can’t be a partner, which means you don’t get access to these systems.

It’s a great thing for the ecosystem to see people compete on more than just security and detection but the overall solution. Let’s be realistic. Most of our customers would say, ‘Even if you’re 100 percent security and you’re 20 percent in availability or reliability, we don’t want that.’

It’s like saying the fastest car is better than the most reliable. That’s not the case.

It’s great to see the maturity of the ecosystem. And I’ve loved, actually, that part of the post-[CrowdStrike] incident era has been–we’ve seen companies come out and say, ‘This is what we’ve invested in, in availability, etc.’ And we’ve seen customers respond.

There is a maturity of that competitive ecosystem, which is they’re now starting to fill out the capabilities and realize it’s more than just what you can detect. It’s the overall solution. That’s a good thing. It also potentially creates opportunities for newcomers, which is always a healthy thing.


