Windows 11 25H2: Enhanced Security Without Kernel Access

Windows 11 25H2 is bringing real, foundational improvements to how security tools integrate with the OS.

1725496356 Security Hero

One of the most interesting and important things coming in Windows 11 25H2 is the way Microsoft is rethinking how security tools interact with the operating system—especially antivirus and Endpoint Detection and Response (EDR) software.

The current problem: Security tools get deep Windows kernel access

Right now, most security tools—think CrowdStrike, Bitdefender, and others—need to hook into the Windows kernel to function properly. That’s how they detect and block threats, monitor system behavior, and respond to suspicious activity. But that deep kernel access is a double-edged sword. If something goes wrong, like a buggy update, it can destabilize the entire OS.

We saw exactly that happen last year with CrowdStrike. A faulty sensor update caused widespread blue screens and left many systems stuck in recovery mode. It wasn’t just embarrassing—it was a wake-up call for the entire industry.

Microsoft’s new approach: A safer API

To solve this, Microsoft is working on a new model. Instead of giving third-party security tools direct kernel access, they’re developing an API that allows these tools to monitor the system from user mode.

If you’re not familiar, Windows applications and drivers can run in either user mode or kernel mode. Kernel mode has the most privileges, and while that’s powerful, it also means mistakes can have major consequences. Running more tools in user mode reduces the risk of catastrophic system failures.

Microsoft is actively collaborating with security vendors to gather feedback on this API. And so far, there’s been strong support. These companies want to fix this too. No one benefits from another incident like CrowdStrike’s.

Timeline: Previewing in July, targeting 25H2 release

This new security model is entering private preview in July. Over the next few months, Microsoft will collect feedback from vendors and iterate on the design. The goal is to have it production-ready in time for the full Windows 11 25H2 release later this year.

Once it’s ready, security products will be able to shift more functionality into user mode. That means better stability, less risk of kernel-level issues, and ultimately, a safer Windows environment for everyone.

Why this matters

This is critical work. And I’m glad to see it finally happening—even if it took a high-profile failure to push it forward.

And it’s not just about improving the core Windows experience. It also has implications for Windows on Arm. Many security vendors now support Windows on Arm, but not always with full feature parity. If Microsoft can give them a single, robust API that works across all versions of Windows—including Windows on Arm—it lowers the barrier for those vendors to offer complete support.

That, in turn, helps drive broader adoption of Windows Arm-based devices. And long term, it means Microsoft doesn’t have to maintain separate Intel versions of Windows forever, if they were ever to make a bold move like Apple did a few years ago when it introduced its Arm-based M-series CPUs.

Final thoughts

We could have a whole other discussion about the Arm vs Intel debate (and we will—another time), but the key takeaway here is this: Windows 11 25H2 is bringing real, foundational improvements to how security tools integrate with the OS. It’s a smart move and it’s long overdue.