Microsoft is taking significant steps to enhance the security of the Windows kernel by eliminating trust for kernel drivers that have not undergone the Windows Hardware Compatibility Program (WHCP). This initiative specifically targets kernel drivers that are still signed by the now-obsolete cross-signed root program. Although the certificates associated with this program have long since expired, these drivers have remained widely trusted within the Windows kernel. However, this practice will come to an end with the upcoming April 2026 Windows Update.
Transitioning Towards Enhanced Security
While Microsoft has built its reputation on maintaining backward compatibility, the decision to block cross-signed drivers will inevitably impact certain legacy applications and use cases. In light of this, the new policy will be introduced in an “evaluation mode.” During this phase, the Windows kernel will monitor and audit driver loads to assess whether the activation of the policy could lead to compatibility issues.
The cross-signed root program was initially launched in the early 2000s to facilitate code integrity for third-party drivers. However, the program’s administration was left to third parties, which required them to safeguard the private keys linked to those certificates. Microsoft has indicated that this arrangement resulted in instances of abuse and credential theft, thereby jeopardizing customer security and platform integrity.
The debate over whether the Windows architecture should have permitted such vulnerabilities is now secondary to the pressing challenge of balancing security with compatibility. Microsoft acknowledges the necessity of driver and application security for its customers but emphasizes that this cannot come at the cost of compatibility and productivity. This understanding has led to the implementation of the evaluation mode, which will allow “essential and reputable cross-signed drivers” to remain trusted within the Windows ecosystem.
For those administrators who require custom kernel drivers, Microsoft offers the Application Control for Business policy, which allows them to override the default kernel policy. This option is primarily intended for confidential or internal-only driver scenarios, rather than for supporting legacy devices or applications. Microsoft has stipulated that any such policy must be signed by an authority within the device’s Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables, ensuring that it is applicable solely to their specific environment. In contrast, drivers intended for the broader Windows ecosystem must be WHCP certified and signed through the Microsoft Hardware Dev Center (HDC) portal.
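For an administrator who wants to know, before the policy leaves evaluation mode, which running kernel drivers are not WHCP-signed, the following PowerShell script is an added example (it is not code from the article or from Microsoft). It inventories running kernel-mode drivers through `Win32_SystemDriver`, reads each binary's Authenticode signature, and classifies drivers by the signer's subject name. The classification strings, the assumption that WHCP-signed drivers carry the signer subject "Microsoft Windows Hardware Compatibility Publisher", and the heuristic that Microsoft's own inbox drivers are signed with a "CN=Microsoft Windows" subject are this example's own assumptions, not terms the article defines.

```powershell
# Added example (not from the article or Microsoft): report running kernel-mode drivers
# whose Authenticode signer is not the WHCP publisher, so they can be reviewed before the
# cross-signed driver policy is enforced.
# Assumptions (labelled): WHCP-signed drivers carry the signer subject
# 'Microsoft Windows Hardware Compatibility Publisher'; Microsoft inbox drivers carry
# 'CN=Microsoft Windows'. Run from an elevated PowerShell session so driver files are readable.

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName appears in several shapes: "\??\C:\...", "\SystemRoot\...",
    # "system32\drivers\x.sys" (relative to the Windows directory), or a plain absolute path.
    $p = $PathName -replace '"', ''
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverSigningReport {
    [CmdletBinding()]
    param(
        # Assumed signer subject of WHCP-signed drivers
        [string]$WhcpSubjectPattern = 'Microsoft Windows Hardware Compatibility Publisher',
        # Assumed signer subject of Microsoft inbox drivers
        [string]$InboxSubjectPattern = 'CN=Microsoft Windows,'
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        $path = Resolve-DriverImagePath -PathName $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Classification used by this script only:
        #  WHCP             - leaf certificate is the WHCP publisher
        #  MicrosoftInbox   - Microsoft-signed driver shipped with Windows
        #  Review           - validly signed by some other publisher (candidate cross-signed driver)
        #  Unsigned/Invalid - no valid Authenticode signature on the file
        $class = if ($sig.Status -ne 'Valid')                       { 'Unsigned/Invalid' }
                 elseif ($subject -like "*$WhcpSubjectPattern*")    { 'WHCP' }
                 elseif ($subject -like "*$InboxSubjectPattern*")   { 'MicrosoftInbox' }
                 else                                               { 'Review' }

        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status
            Signer = $subject
            Class  = $class
        }
    }
}

# Usage: show only the drivers that merit review before the policy is enforced.
Get-KernelDriverSigningReport |
    Where-Object { $_.Class -in @('Review', 'Unsigned/Invalid') } |
    Sort-Object Class, Name |
    Format-Table -AutoSize
```

The "Review" bucket is deliberately broad: it catches drivers signed through the old cross-signed root program, but also any other non-WHCP signer, so each entry still needs a human look at its certificate chain. Drivers that matter in an environment and land in this bucket are the ones to raise with the vendor, or to cover with a signed Application Control for Business policy as the article describes, before the evaluation mode ends.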
This decision by Microsoft has been anticipated for some time, particularly since the cross-signed root program was deprecated years ago. However, this knowledge does little to alleviate the challenges faced by users with drivers that may soon be rendered obsolete, especially when vendors are either unwilling or unable to update them. While workarounds may exist, Microsoft’s recent announcement clearly delineates the company’s strategic direction. Ultimately, it signals a future where any code that has not successfully navigated the WHCP certification process will be barred from engaging in kernel-level operations.
The forthcoming changes will affect Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025.