Microsoft is closing a trust gap in Windows kernel code signing that has stood for nearly two decades. Starting with the April 2026 Windows update, Windows will no longer trust by default kernel drivers signed through the retired cross-signed root program; new kernel drivers must instead be certified through the Windows Hardware Compatibility Program (WHCP). The change applies to Windows 11 builds 24H2, 25H2 and 26H1 and to Windows Server 2025, and later releases will carry the same policy.
Transitioning to Enhanced Security Measures
The cross-signed root program dates from the early 2000s. It let third-party certificate authorities issue code-signing certificates for kernel drivers, with Microsoft cross-signing those authorities so that their chains terminated in a Microsoft-trusted root. Even though the cross-certificates themselves have since expired, Windows has kept honoring driver signatures that chain to them. That lingering trust is what Bring Your Own Vulnerable Driver (BYOVD) attacks rely on: the attacker does not forge anything, but instead drops an old, legitimately signed driver that contains an exploitable bug, loads it with the signature checks passing, and then uses the bug to execute at kernel level, typically to disable security tooling before doing anything else.
To limit breakage, the April update starts in evaluation mode. In this phase the kernel logs every driver load without blocking any, collecting data over 100 hours of uptime and two to three restart cycles. If every driver loaded during that window complies with the new policy, the system switches to enforcement mode on its own. If any cross-signed driver is seen, the system stays in evaluation mode until those drivers are no longer loaded.
Microsoft will also keep an allow list of reputable, widely used drivers that were vetted under the old program, as a transitional safety net for legitimate legacy hardware. Enterprises that depend on custom or internally built drivers can authorize those specific drivers with Application Control for Business (formerly WDAC) policies, so the exception is scoped to the drivers they need rather than reopening cross-signed trust in general.
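Before enforcement lands, a practitioner will want to know which loaded drivers would keep a host stuck in evaluation mode, and how to authorize an internal driver through App Control for Business. The PowerShell below is an added example written for this page; it is not code from the article or from Microsoft. It inventories the running kernel drivers, classifies each by its signer, and then builds an audit-mode App Control for Business policy that allows the flagged non-Microsoft-signed drivers by publisher. The classification is a heuristic assumed here: WHCP-certified and inbox drivers are signed by a Microsoft certificate, while any other validly signed driver is put in a "Review" bucket, because from user mode a cross-signed driver's chain ends at a public CA root and only the kernel evaluates the cross-certificate path to the retired Microsoft Code Verification Root. The output paths and the function names are also assumptions.

```powershell
# Added example (not from the article or from Microsoft). Run from an elevated
# PowerShell 5.1+ session on Windows 10/11; needs the ConfigCI module for the policy part.
#
# Assumptions (heuristics, not Microsoft's own definition of the new policy):
#   * WHCP-certified and inbox drivers are signed by a Microsoft certificate, e.g.
#     "Microsoft Windows Hardware Compatibility Publisher" or "Microsoft Windows".
#   * Any other driver with a Valid signature is "Review": cross-signed drivers look
#     exactly like this from user mode. Attestation-signed drivers share the Hardware
#     Compatibility Publisher signer, so this script cannot tell them from WHCP ones.

function Get-LoadedDriverSignatureReport {
    foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
        # PathName is typically \??\C:\Windows\system32\drivers\foo.sys; strip the NT prefix.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'NoFile'
                               Type = $null; Signer = $null; Class = 'Review' }
            continue
        }
        # Get-AuthenticodeSignature also consults the OS catalogs, so inbox drivers
        # that carry no embedded signature still report Status=Valid, Type=Catalog.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $class  = if ($sig.Status -ne 'Valid')                 { 'Review' }
                  elseif ($signer -like '*CN=Microsoft Windows*') { 'Microsoft' }
                  else                                            { 'Review' }
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Type   = $sig.SignatureType # Authenticode, Catalog or None
            Signer = $signer
            Class  = $class
        }
    }
}

function New-ReviewDriverAuditPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $DriverPaths,
        [string] $XmlPath = "$env:TEMP\ReviewDrivers.xml",   # assumed output locations
        [string] $BinPath = "$env:TEMP\ReviewDrivers.cip"
    )
    # Publisher-level rules trust the signing certificate rather than one file hash, so a
    # vendor's rebuilt driver stays allowed. Unsigned internal builds fall back to a hash
    # rule, which breaks on every rebuild; the real fix is to sign them.
    $rules = foreach ($p in $DriverPaths) {
        New-CIPolicyRule -DriverFilePath $p -Level Publisher -Fallback Hash
    }
    New-CIPolicy -FilePath $XmlPath -Rules $rules -MultiplePolicyFormat
    # Option 3 = Enabled:Audit Mode: violations are logged, nothing is blocked.
    Set-RuleOption -FilePath $XmlPath -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath | Out-Null
    $BinPath
}

# Usage: show the inventory, then build an audit policy for the validly signed
# non-Microsoft drivers (unsigned or tampered files are left for manual investigation).
$report = Get-LoadedDriverSignatureReport
$report | Sort-Object Class, Name | Format-Table Name, Class, Status, Type, Signer -AutoSize
$review = $report | Where-Object { $_.Class -eq 'Review' -and $_.Status -eq 'Valid' }
if ($review) { New-ReviewDriverAuditPolicy -DriverPaths $review.Path }
```

The generated policy is a standalone base policy that only lists the reviewed drivers, so it is kept in audit mode here; before enforcing it, merge it into the organisation's existing base policy (Merge-CIPolicy) rather than deploying it on its own, or every driver outside the list would be blocked. Treat anything in the Review bucket as a prompt to ask the vendor for a WHCP-signed build first, and reserve the policy exception for drivers that genuinely have no such build.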
For most enthusiasts utilizing modern hardware with up-to-date drivers, this transition is expected to be seamless. However, users with older specialty peripherals, unique audio interfaces, legacy gaming devices, or niche add-in cards may face challenges if their vendors have not kept their drivers WHCP-certified. Those operating older hardware with outdated drivers should take this opportunity to verify the availability of current WHCP-signed versions. If a device lacks such support and the manufacturer is no longer active, users may encounter compatibility issues once the enforcement phase is implemented.