Microsoft cracks down on old Windows kernel drivers
Microsoft is removing trust for kernel drivers that haven't been through the Windows Hardware Compatibility Program (WHCP) in a bid to further secure the Windows kernel.
The company is targeting kernel drivers signed by the long-deprecated cross-signed root program. Although all the certificates associated with the program have expired, the drivers are "still broadly trusted in the Windows kernel." That will end with the April 2026 Windows Update.
While Microsoft prides itself on backward compatibility, blocking cross-signed drivers will affect some legacy use cases and applications. To that end, the policy will roll out in "evaluation mode," where the Windows kernel will monitor and audit driver loads to determine whether activating the policy will cause compatibility issues.
Microsoft introduced the cross-signed root program in the early 2000s to enable code integrity for third-party drivers. However, third parties administered the signing program, requiring authors to store and protect the private keys associated with those certificates. According to Microsoft, this "led to abuse and credential theft that put our customers and their platforms at risk."
Whether the Windows architecture should have allowed this is moot. The problem now is balancing security with compatibility.
"We know driver and application security are required by our customers but cannot come at the expense of compatibility and productivity," said Microsoft. Hence the evaluation mode, and keeping "essential and reputable cross-signed drivers" still trusted in Windows.
That said, administrators can still allow custom kernel drivers via the Application Control for Business policy to override the default kernel policy. Microsoft foresees this being used for confidential or internal-only driver scenarios, rather than to support a legacy device or application.
"The policy must be signed by an authority in the device's Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables to ensure the policy is applicable to only their environment," Microsoft stated. "Otherwise, drivers targeted for the Windows ecosystem must be WHCP certified and signed through the Microsoft HDC portal."
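For administrators who want a local view ahead of the evaluation-mode audit the article describes, the following PowerShell script is an added example (not from the article or from Microsoft). It inventories running kernel drivers, reads each file's Authenticode signer, and flags drivers whose subject is neither the Windows inbox publisher nor the WHCP publisher as candidates for review. The two subject strings are assumptions based on common Windows driver signing practice and should be confirmed against a known-good machine; the categorisation is a triage heuristic, not a verdict on whether a driver is cross-signed.

```powershell
# Triage heuristic: list running kernel drivers whose Authenticode signer is neither
# the Windows inbox publisher nor the WHCP publisher, i.e. candidates for the
# cross-signed driver population that loses kernel trust in the April 2026 update.
# Added example, not from the article or from Microsoft. The subject strings below
# are assumptions based on common Windows driver signing practice; verify them locally.
$inboxSubject = 'CN=Microsoft Windows'                                   # assumed: OS-shipped drivers
$whcpSubject  = 'CN=Microsoft Windows Hardware Compatibility Publisher'  # assumed: WHCP-signed drivers

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several forms; normalise to a filesystem path
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        # Get-AuthenticodeSignature also resolves catalog-signed files on Windows
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Driver   = $_.Name
            Path     = $path
            Status   = $sig.Status
            Subject  = $subject
            Category = if (-not $subject)                        { 'Unsigned' }
                       elseif ($subject -like "*$whcpSubject*")  { 'WHCP' }
                       elseif ($subject -like "*$inboxSubject*") { 'Inbox' }
                       else                                      { 'ReviewNeeded' }
        }
    }

# Summary by category, then the drivers worth checking against the vendor for a WHCP-signed build
$report | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Category -eq 'ReviewNeeded' |
    Sort-Object Driver | Format-Table Driver, Subject, Status -AutoSize
```

Run it in an elevated session so every driver path is readable. A driver in the ReviewNeeded bucket is not necessarily cross-signed (the leaf subject alone does not reveal which root anchored the chain), but it is the set to reconcile with the evaluation-mode audit results and with vendors before the policy is enforced.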
Microsoft's decision has been a while coming, certainly since it deprecated the cross-signed root program years ago. That knowledge will not, however, make things any easier for users with drivers that are now on the naughty step and with vendors unlikely or unable to refresh them. Workarounds exist, but Microsoft's decision clearly signals the company's direction of travel. Eventually, Microsoft will bar any code that hasn't passed the WHCP certification process from kernel-based shenanigans.
The change will apply to Windows 11 24H2, 25H2, and 26H1 and Windows Server 2025. ®