Microsoft is blocking legacy Windows drivers

Microsoft is implementing a major change to how Windows handles kernel drivers. The company is discontinuing its default trust of drivers signed via the outdated cross-signed root program.

Instead, only drivers approved through the Windows Hardware Compatibility Program (WHCP) will be allowed to load. With this step, Microsoft aims to further strengthen the operating system’s security without completely sacrificing compatibility.

According to The Register, this change means that some older drivers and hardware may no longer function, especially when vendors stop releasing updates. As a result, the measure affects not only security but also the use of legacy systems.

The change will be rolled out with the April 2026 Windows update and applies to Windows 11 24H2, 25H2, and 26H1, as well as Windows Server 2025. In future versions of Windows, this model will be enforced by default.

Kernel drivers play a crucial role in Windows because they run with direct access to the system’s core. That is why Microsoft now wants to allow only verified and trustworthy drivers. The WHCP program forms the foundation of this model: it checks submitted drivers for malware and compatibility, and only approved drivers receive an official signature from Microsoft.

Older driver program poses security risk

The cross-signed root program offered developers a way to sign drivers without direct intervention from Microsoft. Security was less stringent, and developers had to manage certificates themselves, which led to abuse and certificate theft. Although the program was discontinued in 2021, these drivers remained trusted in certain situations.

Microsoft is trying to strike a balance between stricter security and compatibility. Many systems still use drivers without WHCP certification. That is why the company is introducing an evaluation phase in which Windows checks whether the new policy can be enabled without issues.

If it becomes apparent during this phase that drivers do not comply, the system remains in evaluation mode. Once these drivers are phased out, the policy can still be activated. The Register adds that workarounds do exist to continue using certain drivers, but that these are limited and not suitable for all scenarios.
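The inventory an administrator would want before the April 2026 update, as an added PowerShell example that is not from the article or from Microsoft: list the kernel drivers present on a machine and flag those whose Authenticode signer is not a Microsoft publisher, since those are the ones most likely to be cross-signed and to stop loading once the policy is enforced. It assumes that WHCP-approved drivers carry the signer subject "CN=Microsoft Windows Hardware Compatibility Publisher" and inbox drivers "CN=Microsoft Windows"; check those strings against a known-good driver in your own environment.

```powershell
# Added example, not Microsoft's code. Enumerates kernel drivers registered on
# this machine and reports the ones not signed by a Microsoft publisher.
# Assumption: Microsoft-issued driver signatures (WHCP and inbox) have a signer
# subject beginning with "CN=Microsoft Windows". Run from an elevated session.

$microsoftPrefix = 'CN=Microsoft Windows'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted, prefixed with \??\ or \SystemRoot\, or be
        # relative to the Windows directory; normalise it to an absolute path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Get-AuthenticodeSignature also resolves catalog-signed files, so
        # inbox drivers without an embedded signature still report a signer.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '<unsigned>'
        }

        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            Path        = $path
            SigStatus   = $sig.Status
            Signer      = $subject
            IsMicrosoft = $subject.StartsWith($microsoftPrefix)
        }
    }

# Drivers that are loaded right now and not Microsoft-signed deserve review:
# either a WHCP-signed replacement from the vendor or an explicit allow rule.
$drivers |
    Where-Object { $_.State -eq 'Running' -and -not $_.IsMicrosoft } |
    Sort-Object Name |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Drivers reported as `NotSigned` or with a vendor subject are the candidates to raise with the hardware supplier before the evaluation phase decides whether the policy can be enabled.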

For organizations that rely on specific or internal drivers, Microsoft offers an alternative via Application Control for Business. This allows the default policy to be customized, though this primarily applies to internal or confidential applications and is not a broad solution for outdated drivers.

With this change, Microsoft makes it clear that the future of Windows revolves around strictly controlled drivers. Ultimately, the direction seems to be that only WHCP-certified drivers will still have access to the kernel, which strengthens security but puts pressure on older hardware.