Microsoft looking to remove security vendor access to its Windows Kernel following CrowdStrike incident.

Microsoft is building new Windows security features to prevent another CrowdStrike-style incident, and is in talks to be allowed to do more to protect the core of its OS, to prevent outages and widespread impact like the CrowdStrike incident, which affected more than 8.5 million devices and is estimated to have caused more than $10b in financial impact.

Fighting against the anti-monopoly commissions.

In an ideal world, Microsoft would have the right to protect its core kernel code and prevent any third parties interfering with or accessing it.

Today, however, the law prevents them from doing this, to ensure they adhere to the anti-monopoly and anti-competition laws in many parts of the globe. Instead, Microsoft is doing all it can to further harden security around the kernel and Windows security in general.

Their goal is, of course, to find a compromise that protects Windows from software issues caused by security vendors and ensures OS integrity, without killing third-party security vendors, by removing their need for kernel-level access in the first place.

Enhancing Security without Kernel Access

Since July, Microsoft has been in talks with leading security vendors, including CrowdStrike, Broadcom and Sophos, to develop a new security platform in Windows that still allows security vendors to do their job, but without Microsoft having to expose full kernel access.

Then last week (September 10th, 2024), Microsoft, CrowdStrike, and many other security partners who provide endpoint security technologies got together to discuss ways to boost resiliency and protect our mutual customers’ critical infrastructure. Aidan Marcuss, Corporate VP of Microsoft Windows and Devices, said: “Our objective is to discuss concrete steps we will all take to improve security and resiliency for our joint customers.”

The goal is to prevent incidents similar to the CrowdStrike outage and enhance the overall security framework of Windows without monopolising the endpoint and XDR markets.

Benefits to Consumers

For everyday users, this promises a more secure and stable computing experience in a world where attacks on identity and data theft are increasing at pace. By further reducing the risk of security breaches and system outages, whilst reducing the risk of third-party apps and services causing system failures, Microsoft is ensuring that consumers continue to trust it to protect their personal data and maintain smooth operation. Enhanced security measures mean fewer disruptions and a safer online environment, which is crucial in an era where cyber threats are increasingly sophisticated.

Benefits to Business Users

Commercial/business users would, of course, gain significantly from these new security measures. With sensitive corporate data and identity consistency at risk from attack or breach, Microsoft’s enhanced security framework will provide businesses with greater peace of mind and further increase the trust they already place in Microsoft to protect their data, applications and email.

Of course, reduced risk of breaches and downtime caused by third-party apps and services also translates to increased choice (without fear), and lower costs associated with security incidents and system outages.

Whilst this should enable businesses to focus more on their core operations, knowing that their IT infrastructure is robust and secure, it doesn’t remove the need for full business continuity planning.

Microsoft’s Perspective and Benefit

For Microsoft, this move is a strategic step to reinforce its commitment to security and reliability. Arguably, Microsoft is the biggest security company in the world and, with over a billion devices running the Windows operating system, it has a duty to continue to protect its products from outages caused by, well, things out of its control, such as the CrowdStrike update failure!

By working closely with security vendors and regulatory bodies, Microsoft is positioning itself not only as a leader in the cybersecurity space, but also as a partner that works with its software houses (ISVs) and customers to ensure they still have choice over the aspects of Windows they use (or subscribe to) and the third-party vendors they choose to work with.

So what about the third-party security vendors then?

Security vendors like CrowdStrike, Broadcom, Sophos, Cisco, and Trend Micro also benefit from this collaboration by being part of a more secure and standardised platform. This partnership allows them to continue to innovate and develop advanced security solutions without the complexities and risks associated with kernel access. It also means they will continue to get support and help from Microsoft (as an ISV partner) in developing and supporting their products.

Potential Concerns and Regulatory Involvement

Naturally, there are concerns about potential monopolistic practices. Vendors (and those less involved in the initiative) may fear that Microsoft might restrict kernel access for third-party products while retaining it for its own, which could limit their ability to compete effectively, pushing customers to jump ship and just adopt Microsoft security products and services.

To address such concerns and ensure transparency, Microsoft has involved US and European government officials in discussions. This move is aimed at addressing regulatory concerns and demonstrating Microsoft’s commitment to a fair and secure computing environment. While the initiative is largely seen as positive, it is crucial for Microsoft to maintain an open and competitive landscape for all security vendors.

Conclusion

Microsoft’s new security measures would represent a significant step towards a safer Windows environment. By working closely with security vendors and involving regulatory bodies, Microsoft is striving to create a secure and fair platform for all users, making kernel access more controlled than it is today. This promises numerous benefits for consumers, business users, and security vendors alike, while also addressing potential concerns about competition and transparency.

Read more: The Register has also covered this story in depth if you want to read more here.

Navigating the Aftermath of the CrowdStrike Cybersecurity Outage: Insights and Strategies

I run a monthly fireside chat panel discussion with IT and business leaders from a handful of our Cisilion customers. Today, we talked about the outage and reflected on whether, and how, we, the industry and our vendors can minimise or prevent this vast impact happening again.

If you missed the "show", you can watch it below.
September 2024 – Cisilion Fireside Chat

In our September 2024 fireside chat, our panel and I delved into the significant impact and lessons that can be learned from the CrowdStrike outage in July, which is estimated to have cost more than $10B US and affected more than 8.5 million Windows devices when CrowdStrike distributed a faulty configuration update for its Falcon sensor software running on Windows PCs and servers.

This update featured a “modification” to a configuration file responsible for screening named pipes [Channel File 291]. The faulty update caused an out-of-bounds memory read in the Windows sensor client that resulted in an invalid page fault. The update caused machines to either enter a boot loop or boot into recovery mode.

Today’s fireside chat conversation covered a range of topics, from the immediate effects of the outage to long-term strategies for enhancing cybersecurity resilience.

The Immediate Impact of the CrowdStrike Outage

The panel began by addressing the widespread disruption caused by the CrowdStrike outage. We discussed the outage’s extensive reach, affecting millions of devices and various sectors, including healthcare, finance, and transportation. In my intro to the episode, I mentioned that “It was really hard to believe… such a relatively trivial and small update could impact so many people, devices and organisations“. This set the stage for a deeper exploration of the outage’s implications for cybersecurity practices.

As we kicked off, I praised the collaboration between Microsoft and CrowdStrike in addressing the outage. I mentioned that despite initial blame-shifting in the media, there was a concerted effort to resolve the issue, showcasing the importance of vendor cooperation in crisis management. The panel, in short, didn’t think there was much more Microsoft could have done. The key was updates and openness, which are so critical in a global issue like this, as people and businesses need updates and answers as well as help in restoring systems, which both Microsoft and CrowdStrike delivered in droves.

Vendor Reliance and Preparedness

Ken Dickie (Chief Information and Transformation Officer at Leathwaite) emphasised the importance of incident management and the world’s reliance on third-party and cloud providers. He shared his insights into the challenges of controlling the fix, and into the revelation of technology’s utility nature to leadership teams, stating that it can be hard to explain to “IT” “how little control we had over the actual fix“. Matthew Wallbridge (Chief Digital and Information Officer at Hillingdon Council) echoed the sentiment, stressing the need for preparedness and the role of people in cybersecurity, stating, “It’s less about the technology, it’s more about people.”

Supply Chain Risks

Matthew raised concerns about supply chain risks, highlighting recent attacks on media and the need for better understanding and mitigation strategies. This part of the discussion underscored the interconnected nature of cybersecurity and the potential vulnerabilities within the supply chain.

Goher Mohammed (Group Head of InfoSec at L&Q Group) mentioned the impact on their ITSM due to vendor reliance in the supply chain, which degraded their service, emphasising the need for resilience and contingency plans. This led to further discussion about how important supply chain validation is in our security and disaster recovery planning and co-ordination. Matt talked frequently about “control the controllable”, but ask the right questions of the ones (vendors) you can’t control. Goher said that whilst L&Q were not directly affected, they did experience “degraded service due to supply chain impacts“, emphasising the need for resilience and contingency plans and a review of those of their supply chain(s).

Resilience and Disaster Recovery Planning

The conversation then shifted to strategies for enhancing resilience. Here I discussed how we at Cisilion are revisiting our own disaster recovery plans to include scenarios like the CrowdStrike outage.

We discussed a lot about the cost of resilience and that there is a “limit” to what you can mitigate against before the cost skyrockets out of control with very little reduction in risk. It was agreed there are many things that can’t “easily” be mitigated in this particular scenario, but that we can be better prepared.

The panel talked about various strategies that “could be considered”, including recovering to “on-prem”, revisiting the considerations around multi-cloud strategies, and the potential benefits of edge computing in mitigating risks associated with device reliance.

We also discussed whether leveraging technologies such as Cloud PCs and Virtual Desktops has a part to play in recovery and preparation, as well as whether Bring Your Own Device (BYOD) would/could/should be a bigger part of our IT and desktop strategy, along with, of course, SASE technology to secure access.

Goher advised: “do a real audit, understand the most critical assets, the impact they have further down the line and whether there is more that can be done to mitigate against outage/failure/issue“. This led us into an interesting side discussion around Secure Access Service Edge (SASE), emphasising the “importance of not relying on trusted devices alone”.

The Human Aspect of IT Incidents

David Maskell (Head of IT and Information Security at Thatcham Research) brought a crucial perspective to the discussion, focusing on the human aspect of IT incidents. He reminded the audience of the importance of supporting IT teams during crises, highlighting the stress and pressure they face. The panel agreed with David, all emphasising the importance of ensuring teams are looked after, highlighting the human aspect of managing IT incidents, especially when things are not directly controllable (such as with cloud outages), and the need for good, solid communications to the business.

Ken also reflected on leadership’s reaction to the outage, emphasising the “gap in understanding the reliance on technology” that many business leaders (especially those not from a techy background) have. The days of “it’s with IT to fix” are clearly not as simple as they once were!

Conclusion: The Path Forward

As we concluded the discussion, the panel dwelt on the lessons and tips to offer viewers, each other and the industry.

In general, the guidance across the panel was around:

  1. The importance of regular security reviews, external audits, and business continuity testing.
  2. The need to adopt a proactive stance around cyber security and technology outages, ensuring that their teams are prepared (they run testing and attack/outage simulations).
  3. Ask more questions of your supply chains – they may be your weakest link. Are they secure, and are their recovery plans robust?
  4. Map your critical systems and know the impact of an outage. What is the continuity plan? If devices are affected, how can people access your technology? Look at Cloud PCs (such as Windows 365), and whether you can support the use of personal devices (look at SASE technologies such as Cisco Secure Connect).
  5. Review your technology dependencies. It’s not necessarily about multi-vendor, but this might be a consideration, even for backup.

In summary, the CrowdStrike outage serves as a stark reminder of the vulnerabilities inherent in our reliance on technology and the critical need for comprehensive cybersecurity strategies.

Microsoft wants to lock down the kernel after CrowdStrike hiccup knocks out millions of Windows devices.

Windows Kernel Security - Image by Designer (AI)

Microsoft is reviewing its options and looking to push for significant changes to its Windows security architecture in the aftermath of the major outage caused by a “faulty” CrowdStrike update a couple of weeks back. The impact of the faulty update is thought to have affected around 8.5 million Windows devices and services, when the faulty update caused Windows devices to reboot and enter their protected recovery mode.

Microsoft acknowledges the inherent ‘tradeoff’ kernel-level cybersecurity solutions pose and confirms the root cause of the global outage.

This has prompted Microsoft to reassess the level of control that third-party security vendors have over the deepest parts of its operating system, and it is considering limiting kernel-level access for these vendors.

“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience.” | John Cable | Microsoft (see blog post)


Time to bring control back?

John Cable, Microsoft’s VP of program management for Windows servicing and delivery, passionately set out their viewpoint in a blog post named “Windows resiliency: Best practices and the path forward.” In this post, he emphasised the need for “end-to-end resilience” and discussed potential changes Microsoft is reviewing that could mean restricting kernel access for third-party security vendors such as CrowdStrike.

Snippet from John Cable’s blog post | July 2024


The CrowdStrike update bug, which resulted in widespread system crashes, has clearly highlighted the risks associated with allowing third-party security apps and services to operate at the kernel level. A new approach is needed.

Privileged access, though advantageous for detecting threats, can result in disastrous failures if mishandled. Microsoft is investigating alternatives that circumvent future kernel access issues, including VBS enclaves and the Azure Attestation service. Employing Zero Trust methodologies, these solutions aim to bolster security without incurring the dangers inherent in kernel-level operations.

Why does Microsoft let third parties access the kernel?

In short, they don’t have much choice (see below).

While Microsoft may be looking to further restrict access to its Windows kernel going forward, it has used this event to explain why third-party antivirus and security vendors need to access the “core of Windows” in the first place.

The Windows kernel is a deep layer of its operating system. Kernel-level cybersecurity lets developers do more to protect machines, can perform better, and can be harder for threat actors to alter or disable.

When a kernel-level cybersecurity solution loads at the earliest possible time, it gives users (and companies) the most data and context possible when threats arise, and also ensures protection can kick in at the earliest stage of the operating system’s boot sequence, rather than waiting for the OS to load and then running as a normal system process.

The EU may prevent changes over anti-trust claims

Whilst this makes common sense to most (after all, why shouldn’t Microsoft be able to restrict access to ensure the stability of an operating system used by more than a billion users?), their push for change is likely to face resistance from both cybersecurity vendors and regulators.

Back in 2006, Microsoft tried to restrict kernel access around the release of Windows Vista, but was met with opposition and a ruling that prevented them doing this, citing anti-competition concerns. In contrast, however, Apple successfully managed to lock down kernel-level access in macOS in 2020. The market for Windows software is of course far larger than Apple’s macOS, and Windows is an open platform for developers to build upon, so any changes will need to be made in a way that makes this possible without preventing developers’ software doing what it is supposed to do!

Microsoft has attributed part of the CrowdStrike outage to the 2009 European Union antitrust agreement, which mandates that Microsoft must provide kernel-level access to third-party software vendors. Conversely, Apple started to phase out kernel extensions in macOS in 2020, encouraging software vendors to adopt the “system extension framework” due to its reliability and security advantages.

It is not the first, and won’t be the last, time that the EU has played the anti-trust card. Microsoft has recently had to decouple Teams from Microsoft 365 in response to competitors such as Zoom claiming Microsoft had an unfair advantage. It has also faced recent claims over Internet Explorer and Edge.

Zero Trust Kernel Protection may be the way forward

The blog post indicates that Microsoft is not proposing a complete shutdown of access to the Windows kernel. Rather, it highlights alternatives like the newly introduced VBS enclaves, which offer an isolated computing environment that doesn’t necessitate kernel mode drivers for tamper resistance.

“These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access…We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community vendors”.
John Cable | Microsoft Windows VP

Trade off between “anti-compete” and stability.

Microsoft acknowledges that the tradeoff of kernel-level cybersecurity products is that if one glitches out, it can’t be easily fixed, saying in their blog that “all code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application.”

As such, companies have to demonstrate strict quality and testing controls over their software. The CrowdStrike issue occurred even though this wasn’t a new product but “simply” a software patch by CrowdStrike that… well, went wrong.

Microsoft can’t vet every patch and every update released by its “trusted” ISVs/third parties, especially when it comes to security updates, which these security vendors need to roll out frequently.
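The kind of defensive check the points above call for, as an added example that is not CrowdStrike’s or Microsoft’s code: the record layout, the function names and the EXPECTED_ENTRIES constant are assumptions made for illustration. It ties together the out-of-bounds read described earlier in the fireside-chat post (a content update indexed without a bounds check) and Microsoft’s point that kernel code cannot fail and restart: every offset is proven to lie inside the buffer before anything is read, and a rejected update leaves the last known-good configuration in place instead of taking the machine down.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not CrowdStrike's or Microsoft's code. The record layout
 * below is an assumption made for illustration:
 *   byte 0      : count  = number of 4-byte little-endian entries that follow
 *   bytes 1..   : count * 4 bytes of entry data
 * The consumer in this build expects exactly EXPECTED_ENTRIES entries. */
#define ENTRY_SIZE       4u
#define EXPECTED_ENTRIES 5u

enum update_status {
    UPDATE_OK = 0,
    UPDATE_EMPTY,          /* no header at all */
    UPDATE_TOO_SHORT,      /* header claims more entries than the buffer holds */
    UPDATE_COUNT_MISMATCH  /* self-consistent file, but not what this build expects */
};

struct config {
    uint32_t entries[EXPECTED_ENTRIES];
    int loaded;            /* 1 once a validated update has been applied */
};

/* Prove every offset the consumer will read lies inside [buf, buf + len)
 * before any entry is touched. A consumer that trusts the header and reads
 * entries[EXPECTED_ENTRIES - 1] from a truncated file reads past the
 * buffer; in a kernel driver that is a fatal page fault, not a catchable
 * error, which is why the check has to happen here and not after the fact. */
enum update_status validate_update(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 1)
        return UPDATE_EMPTY;
    size_t count = buf[0];
    if (len - 1 < count * ENTRY_SIZE)
        return UPDATE_TOO_SHORT;
    if (count != EXPECTED_ENTRIES)
        return UPDATE_COUNT_MISMATCH;
    return UPDATE_OK;
}

/* Fail closed: a rejected update leaves the last known-good config untouched. */
enum update_status apply_update(struct config *cfg, const uint8_t *buf, size_t len)
{
    enum update_status st = validate_update(buf, len);
    if (st != UPDATE_OK)
        return st;
    for (size_t i = 0; i < EXPECTED_ENTRIES; i++) {
        const uint8_t *p = buf + 1 + i * ENTRY_SIZE;
        cfg->entries[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                        | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    cfg->loaded = 1;
    return UPDATE_OK;
}

/* Constructed sample updates (not real channel files). */
static const uint8_t good_update[1 + EXPECTED_ENTRIES * ENTRY_SIZE] = {
    5, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0, 5,0,0,0
};
/* Header says 5 entries, payload carries only 4: the truncated case. */
static const uint8_t truncated_update[1 + 4 * ENTRY_SIZE] = {
    5, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0
};
/* Well-formed 4-entry file handed to a consumer built for 5. */
static const uint8_t mismatched_update[1 + 4 * ENTRY_SIZE] = {
    4, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0
};

int main(void)
{
    struct config cfg = { {0}, 0 };
    printf("good:       %d\n", apply_update(&cfg, good_update, sizeof good_update));
    printf("truncated:  %d\n", apply_update(&cfg, truncated_update, sizeof truncated_update));
    printf("mismatched: %d\n", apply_update(&cfg, mismatched_update, sizeof mismatched_update));
    printf("entries[4] still %u after the rejected updates\n", (unsigned)cfg.entries[4]);
    return 0;
}
```

The split between validate_update and apply_update is the design point: validation is pure and can run (and be unit-tested) in user mode before the data is ever handed to the component that cannot recover from a fault, and the loader keeps serving the previous configuration when a new one is rejected.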

“There is a tradeoff that security vendors must rationalise when it comes to kernel drivers. Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode.” | Microsoft

Whatever happens, businesses still need to have backup and remediation processes in place.

In response to the CrowdStrike incident, Microsoft deployed over 5,000 support engineers to aid affected organizations and provided continuous updates via the Windows release health dashboard. They rapidly developed recovery tools to assist companies in their recovery efforts, while emphasising the significance of business continuity planning, secure data backups, and the adoption of cloud-native strategies for managing Windows devices to bolster resilience against future incidents.

Further whitepapers and guidance will be released in the coming months and I expect this will lead to Microsoft, and their third party vendors releasing more recovery tools and guidance.


Summary

Microsoft “confirmed CrowdStrike’s analysis that this was a read-out-of-bounds memory safety error in the CrowdStrike-developed CSagent.sys driver,” as explained in the technical analysis of the crash, and of why the impact was so huge, that Microsoft published last week.

Reviewing the security architecture and access to the kernel is definitely needed, but Microsoft’s approach and desire to prevent future issues with third-party glitches will likely bear the brunt of complaints from third-party security vendors and the EU anti-competition regulators.

Apple “seem” to have a much easier ride when it comes to doing what they want: they say “jump” and developers say “how high”. Microsoft repeatedly has to “please” regulators far more. This recent huge global impact may work in Microsoft’s favour, however, in bringing some control and governance in the name of system and business stability, which I am sure will get the backing of everyone and every organisation impacted.

One thing is for certain: Microsoft won’t take this sitting down. They will work hard to continue to protect their OS, which runs on billions of devices and is used by almost all corporations, education and critical infrastructure. Change will happen!

“Windows Recall” feature postponed days ahead of launch

Windows Recall is (was) a new AI-powered feature, exclusive to Copilot+ PCs, that captures snapshots of your screen every few seconds, allowing the user to essentially rewind to a point in time to backtrack on work, application state and documents being worked on.

Recall overview (Microsoft)

Announced as the headline feature for the new generation of Copilot+ PCs, this new flagship feature, Windows Recall, will now arrive at a later date, with a wider public preview coming soon for Windows Insiders.

There have been many questions and concerns, and clarity demanded, from the public and tech pros about this new feature since it was announced in May, with concerns over whether Microsoft had “gone too far” in finding a use for AI and the new NPU-powered Copilot+ PCs. The fact that this had not been through the usual process of testing by Microsoft’s loyal Windows Insider testing community was also surprising for such a huge new feature.

The first of the new Copilot+ PCs launch next week (June 18th), and in an expected update Microsoft has said that its headlining “Windows Recall” feature will not ship at launch and will now arrive a few weeks later in an update.

Is Windows Recall too much?

Recall was heavily criticised after sources said that it stored its Recall data in an unencrypted state, raising huge concerns among IT experts, users and anti-Windows fans!

Last week, Microsoft released a blog and announcement to try to alleviate these concerns by reassuring people that Windows Recall would encrypt data and require the user to be physically present at the device (via multi-factor authentication) to access Recall. They were clear, however, not only that Recall was safe but that it would ship next week with the arrival of the Copilot+ PCs.

The Cisilion Fireside Chat suspected so much.

Just this week, I hosted a fireside chat, and we discussed the view of Recall from a security and privacy perspective.

There’s a link to the episode here if you’d like to hear the views of a number of IT leaders, but the views of my customer panel ahead of the (now postponed) launch include:

“We’ve gone to extraordinary lengths to protect our data and here we are Tada you can now just have a look at what Kim was sharing three minutes ago.” [link]

“It undermines years and years and years of work and unless they can work out a way there’s no way I’m letting this anywhere near my en.” [00:08:25][Link]

“You are the attack surface… we have to remind the owners of the business that ultimately it’s their heads on the Block if things go wrong.” [00:45:32]

In short, our panel believed that Recall might face significant challenges before its implementation, possibly leading to its postponement or modification, especially in enterprise environments. They highlighted the need for clear communication, education, and possibly policy changes to address the concerns raised. Looks like this is exactly what happened.

Microsoft committed to trust and privacy but is it enough?

Just earlier this week, Microsoft had said that all images are encrypted, stored and analysed locally, using on-device AI capabilities to understand their context. When logged into your Copilot+ PC, you can easily retrace your steps visually using Recall to find things from apps, websites, images, and documents that you’ve seen, operating like your own virtual and completely private “photographic memory.” You are always in control of what’s saved. You can disable saving snapshots, pause temporarily, filter applications and delete your snapshots at any time.

The question still on people’s minds is whether this is enough, how this works when viewing content other people are sharing on screen while Recall is being used, and what happens if a device is compromised, or a user is subject to a ransomware or phishing attack, and an attacker gets access to this device…

Postponed not cancelled?

Perhaps to ensure the backlash over Recall doesn’t impact Copilot+ PC sales, these new devices will not ship with Recall initially. Microsoft has said that Windows Recall will be added in a future Windows update, but has not given a timeframe for when this will be. This will give its huge Windows Insider community time to test this with Microsoft and provide the much-needed feedback, tuning controls and more.

The updated Microsoft blog post states the following:

Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon

Copilot+PCs still get loads of new AI Goodness.

Of course, Recall wasn’t the only AI-infused feature that Copilot+ PCs will include, and the rest of the AI features that Microsoft showcased will still be available to use. These include live captions and translations across all apps, new Windows Studio Effects for meetings and video, and new image creation and generation tools across the stock Windows apps, including Paint and Photos.

Time will tell

Time and testing will tell whether this feature gets simply delayed, hugely altered or scrapped altogether. What do you think?


Microsoft June 13 2024 Blog Post: https://blogs.windows.com/windowsexperience/2024/06/07/update-on-the-recall-preview-feature-for-copilot-pcs/

Copilot+PC – Fastest, most AI-ready Windows PCs ever built.

Today (20th May 2024), Microsoft CEO Satya Nadella unveiled a new category of PC that features the latest generative AI tools built directly into Windows and powered by the latest generation of AI computing hardware. Microsoft say this is “the most significant change to the Window platform in decades“.

Microsoft said this entirely new class of Windows PC is engineered to unleash the power of distributed AI in conjunction with the latest generation of AI-powered chipsets from Qualcomm, which bring new AI hardware to power these new AI features that will be “part of” the Windows OS.

Microsoft calls this new category ‘Copilot Plus’… which will see the creation of the latest, fastest, most AI-ready Windows PCs ever built. Copilot+ PCs represent a significant advancement in computing, offering powerful performance and pioneering AI capabilities. Equipped with Snapdragon® X Elite and Snapdragon X Plus processors, these PCs are engineered to provide peak processing efficiency and swift response times.

Copilot+ PCs can run AI workloads up to 20x faster and 100x more efficiently than traditional PCs.

Microsoft has also announced today its first Copilot+ PCs, the new Surface Pro 11 and Surface Laptop 7, both powered by these new AI chipsets. It is also working with Acer, ASUS, Dell, HP, Lenovo and Samsung, who will also be bringing their Copilot+ PCs to market.

Here’s the Sizzle Video.

Copilot+PC – Microsoft (c)

As Microsoft took to the stage in front of the world’s tech press, they said that they estimate more than fifty million “AI PCs” will be sold over the next 12 months, given the appetite for devices powered by ChatGPT-style technology.

“…more than 50 million AI PCs will be sold over the next 12 months”

Satya Nadella | Microsoft.

The Copilot+ PC is here

The concept of Copilot+ PC is not merely to offer a handful of AI features. Instead, it is about having a dedicated Neural Processing Unit (NPU) on a Copilot+ PC that continuously runs multiple language models in the background of Windows 11. These models will monitor all your activities on your PC to provide contextual information whenever you need to prompt Copilot effectively. Microsoft refers to this functionality as Recall, describing it as a “sensor for AI.”

Satya Nadella announcing the Copilot+PC

As suggested in the sizzle video above, this implies that a Copilot+ PC can retrieve a line from a document you wrote or reviewed days earlier, remind you of a commitment or action you made in an email last week, or monitor your web browsing to suggest frequently visited websites and services based on your current activity or “intent”. Whilst there are clear privacy concerns, Microsoft claims that Copilot+ becomes an AI superpower when fully operational and respects your privacy at all times, helping you to do more.

Constant monitoring will be at the heart of a Copilot+ PC, but Microsoft says that its substantial AI computing power can do much, much more. For example, there will be many creative tools that leverage AI, ranging from Photoshop’s generative AI fill to Microsoft’s AI image generation, to AI video and voice effects in meetings. With a Copilot+ PC, these functions are executed locally on the device, saving time, reducing the need to rely on cloud services, and reducing CPU workload and power consumption.

Microsoft has said that users will always be in control and will have the option to disable the always-on AI tracking and to review and delete these AI snapshots individually.

To be classed as Copilot+ status, PCs must be able to deliver at least 40 Tera Operations Per Second (TOPS) of AI processing power from the Neural Processing Unit (NPU). This represents a significant increase from previous offerings, such as Intel’s Meteor Lake, which provided only 10 TOPS from the NPU.

Under the Hood of a Copilot + PC

So, what is powering these new Copilot+ PCs? Despite Microsoft announcing the Surface Pro 10 and Surface Laptop 6 for Business earlier this year, the new Copilot+ PCs are not powered by Intel or AMD chips.

“Over the past year, we have seen an incredible pace of innovation of AI in the cloud with Copilot allowing us to do things that we never dreamed possible…

Now, we begin a new chapter with AI innovation on the device…

We have completely reimagined the entirety of the PC, from silicon to the operating system, the application layer to the cloud, with AI at the center, marking the most significant change to the Windows platform in decades”

Microsoft (May 2024)

Instead, the initial series exclusively features the Snapdragon X Elite or Snapdragon X Plus chips, each boasting more than 40 TOPS of AI power. According to Qualcomm, these chips provide over four times the AI power of their competitors’ chips and have more than enough power to run the latest AI-infused games.

Copilot+ PCs also include a dedicated button to prompt the Copilot AI assistant at any time.

Security is also AI Powered

Microsoft focused heavily on security. As with the current ARM-powered devices such as the Surface Pro X and Surface Pro 9 5G, every Copilot+ PC comes secured out of the box.

The Microsoft Pluton security processor (which goes way beyond TPM) is activated by default on all Copilot+ PCs, and Microsoft are introducing several new features, updates and defaults in Windows 11 24H2 that will simplify, yet enhance, user security. Additionally, Microsoft are integrating additional personalised privacy controls to safeguard personal and sensitive data.


Microsoft’s vision is to ensure these new AI standards for PCs will enable the next generation of AI development, which is timely given that their annual Build conference runs this week, where they will be driving new development capability for developers eager to ride the AI gravy train for Windows system and application development.

As the primary investor in OpenAI, the creators of ChatGPT, Microsoft also confirmed that the newly announced GPT-4o model, which powers the chatbot, will also be integrated into Copilot+ PCs “soon”. GPT-4o is currently available in preview in Azure AI.

Microsoft Surface – Are you ready for what m”ai” be next?

Next week is Microsoft Build, and the day before (that’s Monday 20th May), Microsoft is set to host a significant in-person event in Seattle about the future of Windows, Surface and Copilot.

The event (which is not being live streamed, unfortunately) takes place at 17:00 UK time (10:00am Pacific Time) and will showcase (I hope filled with the famous Microsoft sizzle videos) the next wave of innovation for Surface, Windows and Copilot powered by new AI-powered chipsets…

As usual, Microsoft has not disclosed specific details about what is being announced, but there have been many “suggestive” leaks, predictions and teases about what is coming. What we do know is that this will be a big and “special” announcement.

This year, Microsoft have already launched the first generation of new AI PCs with the release of the Surface Pro 10 and the Surface Laptop 6, which were built on the new Intel AI Boost technology – which you can read more about here.

So what is being announced?

We know this is a pretty big announcement and we do know that this is the year of AI and the year of the AI PC, so we can expect some pretty exciting announcements. Despite the various leaks, we won’t know until Monday what is actually coming, but we do know that Microsoft’s previous product updates were only around the Intel-based devices and their ARM-powered devices haven’t yet received an update.

Windows Insiders will be well aware of all the AI innovation coming to the next generation of Windows 11, so we can expect some new AI wow to be announced for Windows 11 as Microsoft gear up for the 24H2 update coming later this year.

Next Generation of Windows and Surface (and Copilot)

Given the new Qualcomm chipsets such as the Snapdragon Elite X, it would make sense for this to feature in the announcements. These new chipsets (which I discussed here) provide huge NPU capabilities which are needed to process AI workloads efficiently without sloooooooowing down the device so it will be exciting to see if these feature in the future of Surface and Windows!

Will Copilot work “locally/offline”?

What? Well today, all the AI and Copilot experiences we have seen with Windows 11 (and Microsoft 365 Copilot) take place in the cloud, but I also wonder if Microsoft will discuss their plans and advancements around local/on-device Generative AI experiences. With the newer AI Boost PCs from Intel, what is now available with Qualcomm and what Microsoft have in their arsenal with Copilot and OpenAI, it will be interesting to see what Microsoft can tell us about how they could de-couple the AI experiences, providing the ability to run local LLMs “on chip”. This of course is as much about the software (Windows OS) as it is the hardware that powers it.

What about Windows 365?

I hope so – since Windows 365 is very much part of the Windows story and I’m hoping we will hear some updates about what is coming to Windows 365. We have seen huge performance and boot time increases this year, new innovation with Windows 365 Boot and Windows 365 Switch (I have covered this in another blog), so it would be great to see what is next for Windows 365. There were also many things announced over the past 12 months, such as offline mode, that haven’t yet made it to market – could this be finally coming?

Will 2024 be the year of Windows 11 on ARM?

We are not even six months into 2024, yet we have already seen some of the most exciting innovation to hit the PC in a decade.

Earlier this year we saw the birth of the “AI-PC” which saw Intel ship their new Core Ultra chipset which includes their AI Boost technology (essentially an NPU) along with the much improved Intel Arc graphics chips which brought performance increases far beyond the i5 and i7 chipsets we have been using for years.


Why do we need NPUs again?

As we use increasingly more AI services, whether that is image blurring, sound enhancement or running local LLMs on your device, Neural Processing Units (NPUs) are much faster at processing these workloads locally. Because they do all the hard work, the CPU doesn’t need to, which frees up CPU time and increases overall performance. This therefore also leads to more efficient processing and less battery use.


I remember back (too many) years ago, when the chipset battle was between Intel and AMD. This has moved on significantly of late though, with Qualcomm now a real contender in the realm of AI workloads, portability and battery/eco performance. Qualcomm’s new Snapdragon chipsets are built on what was previously called “Oryon”, which was designed by NUVIA (which Qualcomm bought for $1.4 billion in 2021).

Interesting fact: Nuvia was founded by a group of ex-Apple engineers who were responsible for the original Apple M1 chipset architecture.

This Oryon chipset (known now as the Snapdragon X series) is the result of that acquisition and ongoing investment. These ARM chips bring lower power usage and energy consumption, mobile connectivity, longer battery life and impressive performance (especially with AI workloads), and will soon be running the current and next generation of Windows 11 on ARM technology.

Is Surface RT – Back from the Dead?

Well, yes and no – more sort of.

If you have been using Microsoft hardware (and Surface in particular) for a while, you may remember the infamous Surface RT device that Microsoft launched in 2012 alongside the Intel-powered Surface Pro (v1). Whilst not a success at the time (and laughed at by many), this was the real exploration of using ARM architecture in mainstream computing running a desktop operating system (Windows 8.1 back then). Windows 8.1 RT was based on Windows 8 at the time but compiled specifically for the ARM chipset that drove the Surface RT.

Surface RT was a hybrid tablet developed by Microsoft. It was the first personal computer designed in-house by Microsoft and was released in October 2012. It ran on Windows RT, a version of Windows 8 optimised for ARM processors. It has a quad-core Nvidia Tegra processor, 2GB of memory, a 10.6-inch display, a USB 2.0 port, HDMI-out, and a magnesium chassis.

But it failed, right? It did – but the failing (in part) was not really down to the ARM technology itself; it was more because the mainstream computing world only really knew the world of Win32 or x64 applications, which were built on a totally different architecture and could not run on ARM. There were a number of Win32 applications that were recompiled for ARM and made available via the (then limited) App Store, but these were few and far between (a bit like Windows Phone), which meant that Surface RT was a good fit for web browsing and web apps, plus the stock apps and recompiled Office applications, which worked quite well.

ARM – “I’ll be back”

With the “fail” of Windows RT, ARM was pretty much a thing of the past until 2019, when Microsoft released the Surface Pro X, which I still love and use today. This was the start of a new era for Windows on ARM (some seven years later), which saw Windows 10 on ARM (WoA) running on a Microsoft-customised Qualcomm chip which Microsoft called the SQ1.

The SQ1 was based on Qualcomm’s Snapdragon 8cx laptop chip but with some customisation. It combined Snapdragon hardware with AI capabilities, resulting in a powerful chipset which gave impressive battery life (well above the Intel version) and quick charging (to 80% in just an hour). It also featured 4G connectivity in addition to Wi-Fi. Graphics are powered by the Adreno 685 GPU.

Microsoft did a brilliant job of this. They produced a super sleek and super thin, fanless Surface Pro device which ran full Windows 10 on ARM. Unlike the Surface RT, whilst it could of course run native ARM apps, it was also able to run x64 apps through x64 emulation. These apps did run slower than they would on their Intel counterparts, but the ability to run these apps without recompiling the code removed (mostly) the “app gap”. With devices now going to market (other vendors followed), it also saw software giants like Adobe beginning to develop their own apps compiled for ARM to run natively. Looking ahead to today, there’s a good, steady (and growing) number of apps that are natively compiled for ARM.

As Windows 11 was released in October 2021, we saw a new and refreshed experience for fans of ARM devices with the support to run Win32 and x64 apps through emulation, as well as native ARM apps of course. Microsoft have recently released updates to their ARM-powered Surface Pro devices (only Surface Pro devices currently ship with an ARM option), the latest being the Surface Pro 9 5G, which features the Microsoft SQ3 processor.

The SQ3 was built on Qualcomm's Snapdragon 8cx Gen 3. This is an 8-core processor with 8 threads and is based on the second generation of Qualcomm Snapdragon chips. Graphics are powered by the Adreno 690 GPU. This also features 5G connectivity.

The Future of AI Powered PCs

There is no doubt we are witnessing a seismic shift in the market as next-generation devices are being primed for AI capabilities, and it’s nothing short of revolutionary. With Intel shipping their new AI-powered chipsets in the first part of 2024 and with what is coming from Qualcomm in the second half, 2024 looks to be the year for Windows 11 on ARM, with new devices coming soon from leading PC/laptop manufacturers, including new Microsoft Surface devices based on the rumours! Apple of course have also announced the M4 for their newest devices.

Intel Ultra with AI Boost

Earlier this year, Microsoft led the charge with the Surface Pro 10 for Business, armed with the Intel Core Ultra processor. What makes this processor different to the previous Intel generations is what they call their integrated AI Boost! This cutting-edge feature turbocharges performance by processing AI tasks locally. This results in a significant reduction in reliance on the CPU and, in some fortunate cases, even the GPU. This means faster, more efficient processing that’s sure to supercharge your productivity, powered by the Intel NPU.

Qualcomm Snapdragon Elite

But that’s not all! Qualcomm has also thrown its hat into the ring with the Snapdragon X1E Elite and Plus chipsets. This comes hot on the heels of their acquisition of Nuvia, marking a bold new chapter in their AI journey which we are about to start seeing hit the market.

With the Qualcomm AI Engine, Snapdragon X Elite can run generative AI models with over 13 billion parameters on-device. Qualcomm claims it has 4.5 times faster AI processing than its competitors. Qualcomm has called Snapdragon X Elite the “most powerful, intelligent, and efficient processor in its class for Windows”.

Apple M4

Apple have recently announced their new M4 processor, which will power the new iPad Pro. Apple say that the M4 promises 50% faster CPU performance than Apple’s M2 and is four times faster than the M2 in GPU performance.

Intel vs Qualcomm vs Apple

While benchmarking processor performance can sometimes be influenced by the manufacturer or even be misleading to the end user, the numbers below are really interesting to see.

The new Intel Core Ultra 5 chipset has also shown significant improvement, boasting a score of 2,150 and 10,450 for single core and multicore respectively. These numbers highlight the rapid advancements in AI capabilities and the potential they hold for our work.

The Qualcomm Snapdragon X Elite made a grand entrance with a single core score of 2,574 and a multicore score of 12,562. This immediately positions it as a formidable contender, outperforming the Ryzen 9 7940HS.

Qualcomm has added an AI engine to the X Elite too, which they say is capable of 75 TOPS (trillion operations per second) — that’s a huge increase over the roughly 34 TOPS the Intel Core 7 165H chip is capable of.

There are not yet scores for the Apple M4 to compare against the Snapdragon X Elite since the benchmarks for the M4 are not out yet.

Conclusion

With the latest iterations of Windows 11, we have a mature and stable build of ARM on Windows, that can run Intel apps in both Win32 and x64 mode, as well as native ARM applications. There are more apps than ever that run native ARM in Windows – and even Google have now launched an ARM version of their Chrome Browser.

The marked performance of the Snapdragon shows that it will accelerate both the performance and advancements of AI edge compute in Windows 11, along with the efficiency and battery life expected. With this, the next generation of Qualcomm AI PCs on Windows 11 looks extremely exciting.

As we move into the second half of 2024, I think business, consumers, education and more are going to be super excited about the ability to get a new range of super quiet, super fast, super efficient devices with a real stonker of battery life that are able to run AI and traditional workloads with ease. All powered by Windows 11 on ARM and Snapdragon X Elite at the core.

So is 2024 the year for Windows 11 on ARM?

Pavan Davuluri now in charge of Windows and Surface.

Surface Under One Roof

Following Panos Panay’s move to competitor Amazon last year, Microsoft split up the Windows and Surface management structure, with Pavan Davuluri looking after the Surface division and Mikhail Parakhin leading a new team that looked after Windows and web experiences.

As of this week, these divisions have again been consolidated, like they were under Panos, with both Windows and Surface being run by Pavan Davuluri. Pavan has been with Microsoft for more than twenty-three years and was a huge driver behind the recent custom-designed Surface processors (SQ) developed in collaboration with Qualcomm.

According to a memo obtained by The Verge, Microsoft says merging the two teams will “enable us to take a holistic approach to building silicon, systems, experiences, and devices that span Windows client and cloud for this AI era.”

Pavan Davuluri – Microsoft Surface and Windows Chief 2024

Personally, I think it’s great to see the reunion of the Windows and Surface teams under Pavan, which sits within Microsoft’s Engineering and Devices organisation, headed by Rajesh Jha.

This move also comes after Microsoft’s appointment of DeepMind co-founder Mustafa Suleyman as CEO of a new dedicated AI division within Microsoft which has presumably prompted a re-evaluation of their team structures as Microsoft look forward to an FY25 fueled by new advances in Copilot, big updates in Windows and Microsoft’s new AI-PCs.

Reflection

This move is welcomed by Windows enthusiasts, as it promises increased collaboration and cohesion between Microsoft’s hardware and software endeavours and just makes sense to see development of the OS that powers Surface (and of course the other OEMs) being overseen by the same person.

Windows 11 PCs to get Copilot key as Microsoft embeds AI in Windows.

Windows Keyboard with Copilot Button

Microsoft today, 4th Jan 2024, announced that Copilot in Windows is coming out of preview. They also announced the next significant step forward for Copilot in Windows and the future of the AI-powered PC. Microsoft say that the future of Windows, silicon and Copilot is the next stage of enabling the significant shift towards “a more personal and intelligent computing future where AI will be seamlessly woven into Windows from the system to the silicon, to the hardware”.

The next technology shift, driven by AI innovation, is continuing to grow exponentially and is poised to fundamentally change the way we use and access technology forever.

“From reinventing the way people search with Copilot in Bing, and unlocking productivity with Copilot for Microsoft 365, to reimagining how people get things done on the PC with Copilot in Windows”.

Yusuf Mehdi | Chief Marketing Officer | Microsoft


Microsoft, in their blog, talk about 2023 being the year of the birth of Generative AI, with 2024 being the year of the AI Powered PC.

The AI Powered PC

As significant as the introduction of the Windows Key was in the 1990s, the introduction of a new Copilot key will be the first significant change (in over 30 years) that is coming to the Windows PC keyboard starting with new devices shipping this year.

The Copilot key, which will sit near the space bar and replace the right ALT-GR key on most keyboards, will invoke the Copilot in Windows experience to make it seamless for people to engage Copilot in their day-to-day work or lives, and is designed to make it easier for everyone to be part of the AI transformation.

AI – from Chip to the Cloud

In the same way Microsoft approaches security – chip, OS and cloud – they are taking the same approach with AI. Starting with their own NPUs in Surface and now across their ecosystem of OEM partners, Microsoft say that there is huge momentum from AMD, Intel and Qualcomm, all of whom have launched dedicated NPUs to unlock the power of edge AI processing in their latest chipsets. With the Consumer Electronics Show (CES) just round the corner, we expect to see many new innovations and advances coming from Microsoft and the rest of the Windows OEMs this year. With this powerful combination of advances coming to the Windows OS, their Copilot cloud system and NPUs, the next twelve months look very exciting.

Microsoft say they are committed to the pace of development in Copilot and Windows and are positioning Windows to be “the destination for the best AI experiences”. This combined with the development of their AI Cloud Services and the new local processing made possible by new hardware and silicon, will allow Windows to be an “operating system that blurs the lines between local and cloud processing“. The year ahead promises to be nothing short of extraordinary!

Note: Copilot in Windows is being rolled out gradually to Windows Insiders in select global markets. The initial markets for the Copilot in Windows preview include North America, the United Kingdom and parts of Asia and South America. It will come to additional markets over time.

Microsoft Surface first?

It’s unknown at the moment which OEMs will start to ship devices with the new Copilot key, but according to leaks and social media, Microsoft is rumoured to be launching updates to the Surface Pro and Surface Laptop families this year, and these will ship with the new Copilot key.


If you want to learn more

Read the full article from the Windows Blog.

Read more about Copilot in Windows on my blog here.

Microsoft re-innovates the Windows Insider program

The Windows Insider program, which launched 9 years ago in 2014 and was first used to gain early public feedback on the final stages of the development of Windows 10, is currently undergoing a huge restructure in terms of how testing will be carried out with Windows Insiders, including a new “Canary Channel” for testers who want to be at the very forefront of trying the newest Windows features.

New Windows Insider Builds | Image (c) Microsoft

Why the changes? Well, Microsoft now update Windows 11 a little at a time (through “moment” updates). These will consist of collections of quality and feature updates that will be bundled together and released a few times a year. More extensive changes (those which update the kernel and core underlying OS) will be confined to annual “feature updates”. This is expected to now be the foundation for future changes to Windows.

This blog summarises the key changes. For the verbose version, check out the official Windows Insider Blog.

The “new” Insider Rings

Canary Channel

The existing “Dev” channel will soon (this month) be renamed to the “Canary” channel, in which the newest and more experimental changes and features will be showcased for feedback.

The Canary channel will enable Windows Insiders to gain the earliest access to new builds with minimal validation and little. These builds are not recommended for daily drivers, as users are likely to be testing builds that could be unstable, not working correctly and less tested than those in the current Dev Channel.

These will be builds in the 25000 series.

The Dev Channel

The new “Dev Channel” will now be a halfway house between the existing Dev and Beta channels. Insiders in this channel will continue to be able to test early features that may never make it to the stable (release) version of the Windows operating system. They will be better tested, will have the level of documentation and build notes that Insiders have become accustomed to, and will be more stable.

These will be builds in the 23000 series.

Beta and Release Channels

The Beta and Release Preview channels are not currently being changed. The Beta channel will remain more stable than the Dev channel, and Microsoft say that features in this build are likely to make it into future final release builds of Windows.

Beta builds will be in the 22000 series.

Getting on the right Channel

The restructuring of the Windows Insider Channels will require some choices to be made.

Anyone / any device currently on the Dev channel will be automatically moved to the Canary channel, where they will continue to receive Windows updates with build numbers in the 25000s range. These will be less stable than the current Dev channel.

Windows Insider Channel Selector (in Settings -> Windows Update)



Anyone wanting to move to the new Dev channel (to obtain the 23000 series builds) will need to initiate a clean install (rebuild) of their device and then re-enrol the device in the new Dev Channel.

Users on the Beta and Release Preview channels will not need to do anything, though they will be able to move to the new Dev channel without needing to reinstall the OS.

Microsoft is showcasing the ‘Future of Hybrid Work’ Powered by Windows

Microsoft has announced a Windows-centred event on April 5 which will be led by Windows Chief Product Officer Panos Panay and is focused on how “Windows Powers the Future of Hybrid Work”.

Registration is open now

The official web registration page for the event is already live with the virtual event scheduled for 4PM UK time (8:00 AM US Pacific Time).

Whilst not much is known about the content of the event, it will likely be aimed at commercial customers and will highlight many of the new and upcoming features (currently being tested and developed with Windows Insiders) designed to improve and enhance the Windows 11 experience and tablet experience.

It won’t just be about Windows 11

The event will likely not only be about Windows 11. Since this is about the future of work, expect Microsoft to use this event to talk about further hybrid work enhancements across other aspects of Microsoft 365 and (as in previous events) there may be some surprise new product announcements. There will also likely be updates to device management tools and further enhancements to Windows 365 Cloud PC and Azure Virtual Desktop services.

Microsoft’s webpage for the event also states that there will be break-out sessions which will deep dive into demos around upcoming enhancements to Windows tools for productivity and collaboration, management, and security.

Watch it live on April 5th

I will be watching live (hopefully), and will share any key news and updates after the event. Leading Windows sites and of course the Windows blog will also be updated as the event unfolds.

This link will download a calendar file so you can quickly add it to your calendar.