3175x175(CURRENT).thumb.jpg.b05acc060982b36f5891ba728e6d953c.jpg)
Microsoft to tighten Windows 11 security by blocking legacy cross-signed drivers, with new kernel trust rules rolling out from April 2026.
Microsoft has committed to addressing top user complaints regarding Windows 11 and improving the operating system's performance this year. This isn't surprising, especially considering the findings from a recent report which indicated that Windows isn't doing particularly well in the enterprise space in terms of stability and reliability. Now, Microsoft has decided to take another step in advancing the security and overall robustness of Windows 11.
The company has announced that it will soon remove the ability for kernel drivers signed by the legacy cross-signed root program to be loaded by default. This is a deprecated program that was introduced in the early 2000s that allowed the provisioning of Windows-trusted code signing certificates after vetting from third-party partners. Microsoft retired this program in 2021, and all certificates issued through this process have since expired, but are still trusted by the kernel and persist in some scenarios.
However, this is changing soon. Starting from April 2026, the Windows kernel will only accept drivers that have been signed through its Windows Hardware Compatibility Program (WHCP). However, for compatibility reasons, Microsoft will still maintain an explicit allow list that will allow the kernel to load old, but reputable, drivers vetted through the cross-signed root program. This new implementation will apply to Windows 11 24H2, 25H2, 26H1, Windows Server 2025, and all future client and server versions of Windows.
However, Microsoft understands that some environments may rely on legacy drivers for compatibility reasons. This is why the new kernel trust policy will initially launch in evaluation mode, which will monitor and audit your system hours and boots over a period of time. In the same vein, the Redmond tech firm will also allow you to configure the Application Control for Business (formerly WDAC) policy to override the default kernel policy. This is particularly useful in scenarios where an organization wants to load custom drivers built for internal use.
Microsoft has noted that it will continue rolling out this new kernel policy from April 2026, but it has emphasized that it will continue monitoring feedback from customers to refine the experience. For now, its latest kernel trust policy has been curated based on billions of telemetry signals procured from Windows 11 and Windows Server 2025 devices over the past couple of years.
Hope you enjoyed this news post. Feedback welcome.
Posted Friday 27 March 2026 at 12:26 pm AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.