New Windows 11 recovery tool to let admins remotely fix unbootable devices

Microsoft is working on a new Windows “Quick Machine Recovery” feature that will allow IT administrators to use Windows Update “targeted fixes” to remotely fix systems rendered unbootable.

This new feature is part of a new Windows Resiliency Initiative launched in response to a widespread July 2024 outage caused by a buggy CrowdStrike Falcon update that rendered hundreds of thousands of Windows devices unbootable, impacting airlines, hospitals, and emergency services worldwide.

Those affected said their Windows hosts got stuck in a boot loop or showed the Blue Screen of Death (BSOD) after installing the latest CrowdStrike Falcon Sensor update.

To ensure that its customers are ready in the event of a similar incident, Microsoft has developed a new Quick Machine Recovery feature that doesn’t require hands-on access to fix Windows boot issues.

“This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC,” said David Weston, the company’s Vice President for Enterprise and OS Security, today.

“This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past.”

Microsoft says it will roll out the Quick Machine Recovery feature to the Windows 11 Insider Program community in early 2025.

Security outside of kernel mode

The company is also working with security vendors as part of the Microsoft Virus Initiative (MVI) to add new Windows features and tools that will allow security software to run outside the Windows kernel to avoid incidents like the July outage in the future.

Windows security software commonly uses Kernel drivers that allow low-level access to the operating system to detect unusual behavior, monitor network traffic, and terminate malicious processes. However, this kernel-level access increases the risk that a buggy driver or update could cause a device to crash and no longer boot properly.

As part of this new initiative, security vendors and Microsoft will adopt Safe Deployment Practices that will require all security product updates to be gradual, leverage deployment rings, and be monitored to ensure minimal negative impact.

“To help our customers and partners increase resilience, we are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode,” Weston added today.

“This means security products, like anti-virus solutions, can run in user mode just as apps do. This change will help security developers provide a high level of security, easier recovery, and there will be less impact to Windows in the event of a crash or mistake. A private preview will be made available for our security product ecosystem in July 2025.”

Today, part of its Secure Future Initiative (SFI) cybersecurity engineering effort launched in November 2023, the company also launched a new Zero Day Quest hacking event with $4 million in rewards.

Microsoft also shared more details on the new Windows 11 administrator protection security feature, now available in preview and designed to block access to critical system resources using Windows Hello authentication prompts.

“Since launching SFI, we’ve focused the equivalent of 34,000 full-time engineers on the highest-priority security challenges,” Weston said.