No more blue screens: How Microsoft is making Windows more resilient
The CrowdStrike disaster in July 2024 gave Microsoft a black eye. How could third-party security software fail so spectacularly — to the point that millions of Windows PCs became unbootable unless system administrators physically fixed them in person?
That’s the question Microsoft has been trying to answer with the Windows Resiliency Initiative, which is now bearing fruit. Beyond that, Microsoft has been implementing changes to make Windows more resilient in general, ensuring Windows PCs can fix themselves and that another outage can’t wreak the same havoc CrowdStrike did.
With that in mind, let’s look at what Microsoft has in store for Windows 11 PCs. And, yes, this includes the end of the famous blue screen of death.
The advent of hotpatching
Hotpatching, which is usually buried in talk about enterprise reliability, is one of the most interesting changes Microsoft has been working on — and while this change is currently aimed at enterprise users, it isn’t hard to imagine a version of it extending to regular PC users down the road. And it has the potential to affect how everyone uses Windows.
Despite the technical name, hotpatching is simple: When Windows downloads and installs the monthly security update, it can immediately apply the update without a reboot.
The difference may seem subtle, since Windows 11 PCs could already install an update without a reboot. But previously the security fix wouldn’t take effect until after rebooting — something that many people delayed until it was more convenient for them, leaving their PC unprotected in the meantime.
With hotpatching, it all happens automatically, eliminating the need to reboot for Windows updates. Perhaps you’ll still have to reboot once a year for the biggest update, but overall, your PC is going to be better protected than before.
A recent Microsoft blog post buries talk of hotpatching and instead discusses how only organizations running Windows 11 Enterprise can use hotpatching with the “Windows Autopatch” cloud service.
That’s true — this is first and foremost for IT departments with Windows 11 PCs. But as Microsoft continues working on the technology, it’s worth considering how easily this could expand beyond Enterprise versions of Windows at some point down the line. Imagine a future version of Windows — perhaps Windows 12? — where a headline feature was “no more rebooting for Windows Updates.” We might be closer to that than you think!
The self-healing PC
Quick Machine Recovery may be the best new Windows feature most people will never think about — even if they use it!
Windows has something called the Windows Recovery Environment, and Windows boots right to it if your PC can’t start properly — often fixing common problems your PC faces. However, when CrowdStrike dragged down PCs across the world, the recovery environment couldn’t automatically fix it, forcing system administrators to manually fix each affected PC in person.
Quick Machine Recovery is designed to avoid situations like that by acting as a “self-healing” system of sorts for Windows computers. In short, it ensures that the recovery environment can get solutions to problems from the internet. Let’s say another antivirus program, a bad driver, or even a buggy Windows Update takes down PCs and the recovery environment can’t fix them. With this update, when in the recovery environment, your PC can connect to Microsoft’s servers (over Wi-Fi or wired Ethernet) and download fixes directly from Microsoft. And if Microsoft spots a problem affecting a large number of PCs, it can address it preemptively, without all the manual fixes that were needed during the CrowdStrike outage.
The Windows Recovery Environment has been able to access the network for years — dating back to Windows 10 — but now Microsoft is putting that network access to better use.
The Windows Recovery Environment is getting a huge upgrade. (Image: Chris Hoffman, Foundry)
Microsoft says this will be available later this summer. While enterprises can activate it on Windows 11 Professional and Enterprise, it’s also available on Windows 11 Home, where it’s turned on by default. It should help Windows silently recover from the worst errors without all the manual work.
The…black screen of death?!
Microsoft is about to end blue screen of death errors forever — by getting rid of the traditional blue screen. Instead, if your system encounters an unexpected failure and needs to restart, you’ll see a black screen of death instead. (Luckily, we’ll still be able to call them “BSODs.”)
The new black screen of death won’t show you a frowny face anymore. (Image: Chris Hoffman, IDG)
Surprisingly, this color swap isn’t just an aesthetic choice — it’s part of a “simplified user interface.” Instead of the large frowny face and scannable QR code that were ushered in with the Windows 8 BSOD (and that, by most counts, few people actually used), almost all that appears on the new black screen of death is the stop code and the explanation of what caused the problem — in short, the technical information that actually matters. This should make it easier for people to remotely troubleshoot systems without the clutter.
More importantly, Microsoft already did a lot of work with Windows 11’s 24H2 update on speeding up this reboot. According to the company, the crash dump collection process, which is how Microsoft captures pertinent crash information when your system blue-screens or black-screens, now takes about two seconds. With the reboot process faster than ever, the idea of whipping out your phone to scan a QR code seems quaint.
User-mode antivirus
The biggest architectural change for Windows, though, is getting antivirus and other security software out of the Windows kernel. This is why CrowdStrike’s disastrous update was so difficult to fix: Because the security software runs at such a low level in Windows, Windows couldn’t say “Oops, this didn’t work, let’s fix it” — instead, the whole system crashed.
When Microsoft was designing Windows Vista nearly 20 years ago, the company wanted to get security software out of the Windows kernel. But, with Microsoft starting to offer its own antivirus at the time, security companies argued it was being anti-competitive and would hurt their business. Stung by the US government going after it for allegedly monopolizing the web browser market on Windows, Microsoft backed off and let security companies continue to integrate at a low level with Windows, despite tightening down other parts of the operating system.
With CrowdStrike’s explosion, though, Microsoft decided to take another crack at this. The result is the “Windows endpoint security platform,” which will arrive in private preview form for Microsoft’s antivirus partners this month. They’ll be able to create antivirus and endpoint security software that runs outside the Windows kernel, ensuring they won’t cause the operating system to fail if they encounter a problem.
In other words, this is user-mode antivirus — antivirus software that runs as a normal process without getting its hooks into the Windows kernel in a way that can cause serious problems.
This isn’t ready to go for regular PC users yet, but antivirus companies will be starting to work on software that takes advantage of it soon. And in a Microsoft blog post, the company provides quotes from a variety of companies like Bitdefender, Sophos, Trend Micro, and CrowdStrike itself about how excited they are to be partnering with Microsoft on this. Microsoft appears to be trying to move carefully so that it’s not seen as a monopolist — especially in case a security company comes after them, like back in 2006.
Overall, this is good news and should make Windows more reliable. It’s possible the reduced access to deep parts of Windows could make some security software less powerful. But, after the CrowdStrike disaster, it’s clear changes to Windows were needed — and should have been made long ago.
Protected print mode and driver cleanup
Speaking of the Windows kernel, many hardware drivers run in there, too. It was major news when USB showed up all those years ago and you could plug in a USB drive, keyboard, mouse, or another standard device and it would just work without needing to hunt down a hardware driver for each device. We take it for granted now, but imagine having to install SanDisk’s driver suite to copy files off a USB flash drive!
Printers never quite caught up, though. (That was a bigger problem than you might realize, since printer drivers have historically been a frequent source of security problems.)
That’s all starting to change. We’re in the middle of a big migration to a standard printer driver system, though it’s easy to miss it. Windows is currently in a hybrid mode where it accepts both traditional legacy printer drivers and modern printer drivers for Mopria-certified printers. You can activate Windows Protected Print mode under Settings > Bluetooth & devices > Printers & scanners on Windows 11. When you do, Windows will block the installation of older third-party drivers and force the usage of the “Windows modern print stack.”
Windows protected print mode isn’t on by default yet, but it’s the future. (Image: Chris Hoffman, Foundry)
Microsoft is also starting to delete old legacy drivers from Windows Update — you can still install them if you want, but Windows Update won’t automatically download them to your PC when you plug in an old device. It looks like Microsoft is slowly cleaning up the hardware driver ecosystem, which can only be good news for security and reliability. (Microsoft doesn’t mention this work as part of the Windows Resiliency Initiative, but it’s closely related.)
Encryption by default
Last but not least, disk encryption has always been a little confusing on Windows. Professional editions of Windows got access to full BitLocker drive encryption, while Home editions of Windows got access to the simplified BitLocker device encryption feature — but only if their hardware supported it.
Encryption is critical for data security, though — it’s the only thing that stops a thief, or anyone else who gets ahold of your laptop, from digging through all your personal documents.
With Windows 11’s 24H2 update, released near the end of 2024, Microsoft lowered the hardware requirements and started activating BitLocker device encryption by default on new Windows 11 installations in more scenarios. It still requires that you sign in with a Microsoft account — Microsoft will back up your BitLocker recovery key to your Microsoft account, ensuring Home users have a backup method if they lose their password.
While this also isn’t part of the resiliency initiative — at least, not officially — with more Windows 11 PCs using secure encryption for their storage, this definitely falls into the same general bucket. It’s important to note, though, that while you can poke around in Settings or Control Panel to see whether Windows is using encryption, Windows doesn’t normally call this out or warn you if your PC’s storage isn’t encrypted for some reason.
Windows often automatically encrypts the storage on new PCs. (Image: Chris Hoffman, Foundry)
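Since Windows won’t warn you when a volume is left unencrypted, the check has to be done by hand. The script below is an added example (not from the article or from Microsoft) that uses the built-in `Get-BitLockerVolume` cmdlet to audit every volume and flag an operating system drive that is not fully protected; it assumes an elevated PowerShell session on a Windows 11 machine where the BitLocker module is present.

```powershell
# Added example: audit BitLocker status on the local machine so an
# unencrypted or suspended volume is surfaced instead of silently ignored.
# Assumes an elevated PowerShell session with the BitLocker module available.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume is the cmdlet equivalent of "manage-bde -status".
    $volumes = Get-BitLockerVolume -ErrorAction Stop

    foreach ($v in $volumes) {
        # Key protector types present on the volume (Tpm, RecoveryPassword, ...).
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # A volume only counts as protected when encryption is complete AND
        # protection is on. "FullyEncrypted" with ProtectionStatus "Off" is the
        # suspended state, where the key is exposed and the data is readable.
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')

        # Device encryption relies on a recovery password (backed up to the
        # Microsoft account); without one, a TPM change locks you out for good.
        $hasRecovery = $protectors -match 'RecoveryPassword'

        [PSCustomObject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            KeyProtectors    = $protectors
            Protected        = $ok
            HasRecoveryKey   = $hasRecovery
        }
    }
}

# Report every volume, then flag the OS volume, which is the one that device
# encryption is supposed to turn on automatically.
$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize
$os = $audit | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not ($os -and $os.Protected)) {
    Write-Warning "OS volume is not fully protected (status: $($os.VolumeStatus), protection: $($os.ProtectionStatus))"
}
if ($os -and -not $os.HasRecoveryKey) {
    Write-Warning "OS volume $($os.MountPoint) has no recovery password protector"
}
```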
AI features on Copilot+ PCs get a lot of hype, and it’s easy to drum up interest by showing off screenshots of new Start menu and taskbar designs. But these rarely discussed, under-the-hood features that increase security and resiliency are what will ultimately make Windows better for everyone — both enterprises with fleets of PCs and the average user with a Windows 11 PC at home. It’s great to see Microsoft focusing on improvements like these.
No more blue screens: How Microsoft is making Windows more resilient – Computerworld