Microsoft is removing trust for kernel drivers that haven't been through the Windows Hardware Compatibility Program (WHCP) in a bid to further secure the Windows kernel. The company targets an old wound: the long-deprecated cross-signed root program, a trust path Microsoft created in the early 2000s and has spent the last two decades regretting.
On the surface, this looks like routine technical housekeeping. Behind it lies something more revealing: a company confronting the costs of historical decisions, the difficulty of unwinding legacy systems at scale, and the genuine tension between security and compatibility that no amount of engineering can fully resolve.
The cross-signed root program was meant to enable third-party developers to sign kernel drivers without sending them through Microsoft. The signing program, administered by third-party certificate authorities, required driver authors to store and protect the private keys of the certificate, which led to abuse and credential theft that put customers and their platforms at risk. The program was deprecated in 2021, and all certificates have since expired. Yet the drivers are still broadly trusted in the Windows kernel.
That changes in April 2026. The removal ships with the April 2026 Windows Update and applies to Windows 11 24H2, 25H2 and 26H1, and to Windows Server 2025.
The risk is real. Security researchers have documented multiple cases where attackers abused this trust path to load malicious kernel drivers that appeared properly signed. By eliminating cross-signed certificate validation, Microsoft closes a pathway that sophisticated attackers have used to deploy rootkits and other kernel-level malware. Drivers certified through WHCP are checked by Microsoft for malware and compatibility, with the aim of making it significantly harder for malicious code to be injected into the kernel, the most sensitive part of the operating system.
But Microsoft's approach reveals institutional learning. Rather than simply flipping a switch, the company is staging the transition. The policy will roll out in "evaluation mode," where the Windows kernel will monitor and audit driver loads to determine whether activating the policy will cause compatibility issues. Windows 11 systems will undergo a 100-hour evaluation period with at least 3 restarts to test driver compatibility before activating the stricter security measures.
For organisations with legacy drivers, exceptions exist. Microsoft will maintain an explicit allow list of reputable drivers signed under the cross-signed program; the list is meant to keep a limited number of widely used, reputable cross-signed drivers working without weakening the policy for everything else. Businesses that control their own UEFI Secure Boot authorities can also use Application Control for Business to allow custom signers that the Windows kernel does not trust by default, letting them run privately signed drivers on enrolled systems without degrading security.
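The inventory an administrator would want before the April 2026 change, as an added PowerShell example that is not from the article or from Microsoft: it records each kernel driver's signer and certificate expiry so that drivers not signed by a Microsoft WHCP or inbox publisher can be checked against the allow list, updated by the vendor, or covered by an Application Control for Business signer rule. It assumes the Microsoft signer subject names matched in `$msSigner` and that Get-AuthenticodeSignature resolves catalog signatures on the host.

```powershell
# Added example (not from the article or from Microsoft): inventory kernel drivers on a
# Windows 11 / Server 2025 host and flag those whose signer is not a Microsoft publisher,
# i.e. the drivers most likely to depend on an expired cross-signed chain.
# Assumption: WHCP-signed and inbox drivers carry one of these subject names.
$msSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher|CN=Microsoft Windows,'

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the forms the service database uses: \??\C:\..., \SystemRoot\..., relative
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Assumption: on current Windows this also checks catalog (.cat) signatures,
        # so an embedded-signature-only driver and a catalog-signed driver both resolve
        $sig = Get-AuthenticodeSignature -LiteralPath $path

        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Path     = $path
            Status   = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
            NotAfter = $sig.SignerCertificate.NotAfter
            # Not Microsoft-signed: candidate for the allow list, a WDAC signer rule,
            # or a vendor update before the policy leaves evaluation mode
            Review   = -not ($sig.SignerCertificate.Subject -match $msSigner)
        }
    }

# Loaded drivers that are not Microsoft-signed deserve attention first
$report | Where-Object { $_.Review -and $_.State -eq 'Running' } |
    Sort-Object Name | Format-Table Name, Status, Signer, NotAfter -AutoSize

# Keep the full inventory for the change record
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'driver-signer-inventory.csv')
```

Entries reported as NotSigned or NotTrusted are worth confirming with `signtool verify /kp /v <driver.sys>`, which applies the kernel-mode driver signing policy rather than the general Authenticode check.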
The challenge lands hardest on vendors of older or specialised hardware. Those who cannot or will not update their drivers to meet current WHCP standards face a hard choice: invest in modernisation or accept incompatibility with new Windows systems. Hardware vendors that are still shipping or supporting old driver trees will now need to invest in WHCP workflows, or risk becoming second-class citizens on the newest Windows platforms. That is good for the health of the ecosystem overall, but it also raises the bar for smaller vendors that lack the resources to redo signing and certification pipelines quickly.
The new trust policy is carefully curated based on billions of driver load signals and real-world usage data across Windows 11 and Windows Server 2025 from the past two years. The driver load signals and input from the developer community have helped shape this policy to ensure a smooth transition for customers. That telemetry-first approach marks a shift: Microsoft is using observed ecosystem behaviour, not principle alone, to decide what dies.
Closing an old trust path while maintaining a complex ecosystem is rarely clean. Microsoft knows this. The evaluation mode, the allow list, and the staged rollout all acknowledge that security cannot be imposed without friction. What the company is gambling on is that the friction of managing legacy drivers is now smaller than the security risk of keeping them trusted by default.
Whether that gamble pays off depends partly on vendors, partly on enterprises, and partly on how many obscure devices out there depend on drivers nobody has touched in a decade. The April 2026 deadline is firm. So is the calculation: a few years of disruption against 20 years of vulnerability.