by Macha 692 days ago
They probably had to, in the same way that banks had to use crowdstrike. Much as it's easy for banks to say "we use crowdstrike, like everyone else" rather than implement a bespoke and accountable framework for risk assessment and mitigation for every type of endpoint use case (and argue that case to both the auditor and regulator). In this case it's easier for Microsoft to say "see, they can run in kernel space" rather than provide a bunch of API functions that achieve what's needed, convince all third-party vendors to use them, and put in place a process to convince an auditor that Microsoft security software will never use any knowledge or functionality from the OS outside this.

Exactly this. Microsoft did this poorly, so they were forced to allow others to do things poorly too.
I guess I don't think that's the sole reason, as I think the incentives would still be in place even if Microsoft authored security software did not run anything in kernel space.
You mean in terms of third-parties wanting that level of access regardless? I agree, but it would be an easy "no" then.
In terms of Microsoft convincing regulators that they aren't and won't use any OS knowledge or private APIs ever.