Microsoft removes antivirus from Windows kernel – Here’s why it matters

• Microsoft is relocating antivirus and endpoint detection tools out of the Windows kernel to enhance system stability and minimize crash risks.
• This shift will isolate security software in user mode, preventing issues like the 2024 CrowdStrike incident that triggered mass Blue Screen of Death errors.
• Microsoft Defender and third-party AV tools will continue to work normally but in a safer, more controlled environment.

Microsoft is restructuring how antivirus (AV) and endpoint detection and response (EDR) software work by removing it from the Windows kernel. The change is nearing private preview and forms part of the larger Windows Resilience Initiative, a long-term strategy to minimize critical system failures, such as the one we saw with CrowdStrike in 2024, which rendered millions of systems unusable after a faulty kernel-level update.

Why Microsoft is making this change

Traditionally, AV and EDR tools have operated deep within the kernel (the privileged core of Windows 11, 10, and older versions) to gain full access to processes, memory, and drivers. On the one hand, that’s what made them effective at catching advanced threats, but on the other hand, it’s also what made them scary, as a bug or bad update in the kernel can bring the entire system crashing down, as seen in the CrowdStrike incident.

By isolating AV/EDR tools in user mode, Microsoft is reducing its access to critical system components, which means if an antivirus engine doesn’t work correctly, it’ll be much less likely to crash the computer.

What it means for regular consumers

For everyday Windows 11 users, this transition will be largely invisible, which is a good thing. The Microsoft Defender Antivirus (or any other third-party antivirus) will continue to run, and your laptop, tablet, or desktop computer will remain protected. However, it’ll work in a safer and more controlled environment in the background.

Will you be able to uninstall Microsoft Defender now? The short answer is no, not yet. Microsoft Defender will remain a default security component in the operating system, especially for users who don’t install third-party AV software. However, relocating Defender out of the kernel may open the door for greater modularity. In the future, it may become easier to disable or replace the default antivirus without compromising system integrity.

Another point to make is that if an antivirus update fails, the rest of your system will be protected, resulting in fewer Blue Screen of Death errors.

In addition, the software giant is working on a new feature called “Quick Machine Recovery,” which allows network administrators to restore devices that can’t boot more quickly, a direct response to the havoc caused by CrowdStrike’s kernel crash. This feature will also be available for consumers, not just organizations.

What it means for businesses

For enterprises and professionals, this is also a welcome change. Kernel-level AV systems have always posed risks, such as a failed update, driver conflict, or missed compatibility check, which can take down thousands of machines in an instant. This architecture change isolates third-party security tools from the critical layers of the operating system, making organizations less fragile to crashes and easier to recover.

Microsoft is already working with partners, including CrowdStrike, Bitdefender, Sophos, Trend Micro, and ESET, to ensure their tools can work outside the kernel. The company also emphasizes that this isn’t a unilateral decision. Instead, it’s a collaborative redesign of how antivirus integrates into the operating system.

Furthermore, the new platform also allows for more controlled deployment of security updates. Technology departments will benefit from phased rollouts, better telemetry, and improved rollback options.

Microsoft also wants to fix the anti-cheat system

Although removing the antivirus from the kernel is a positive step forward, it’s not the only problem. A lot of anti-cheat solutions in games use kernel-level drivers to detect cheating tools and memory tampering. However, that comes with the same risks that AV software has, such as poor coding or outdated updates, which can compromise system stability.

Microsoft is now collaborating with game developers to design non-kernel anti-cheat mechanisms, which could result in more stable gameplay and fewer false-positive bans.

The new architecture for antivirus and EDR tools is currently being developed with Windows 11 and future versions in mind. There’s no indication that this change will be backported to Windows 10. However, since the company plans to make it easier for users to continue using Windows 10 after support ends on October 14, 2025, there’s still a chance that the change will also come to the previous version of the operating system.