Microsoft Blocks Untrusted Kernel Drivers in Windows 11, Server 2025
Key Takeaways
- Microsoft is enhancing Windows security by discontinuing support for drivers signed via its legacy cross-signed root program.
- Starting with the April 2026 updates, Windows 11 and Windows Server 2025 will automatically block these older, less secure drivers.
- This change aims to significantly reduce the risk of kernel-level attacks, such as rootkits, by ensuring only Windows Hardware Compatibility Program-certified drivers can load.
- An explicit allow list and a phased enforcement mechanism are in place to prevent system disruptions, and enterprises have options for custom driver support.
Microsoft Bolsters Windows Kernel Security by Blocking Legacy Drivers
Microsoft is rolling out a significant security change to Windows that targets the kernel, the layer where a compromised driver gives an attacker the highest privilege. The company announced that Windows will no longer trust drivers signed through its outdated cross-signed root program, a move designed to harden Windows against sophisticated threats.
Beginning with the April 2026 update cycle, both Windows 11 and Windows Server 2025 will automatically prevent these legacy-signed drivers from loading. Only drivers certified through the Windows Hardware Compatibility Program (WHCP) will be permitted to operate, substantially narrowing the kernel attack surface available to malicious actors.
Addressing a Persistent Security Weakness
The cross-signed root program, established in the early 2000s, permitted third-party certificate authorities to issue code-signing certificates trusted by Windows. However, this system lacked robust mechanisms to verify the security or compatibility of the kernel code. A major flaw was that developers managed their own private keys, making the program a prime target for credential theft, which subsequently facilitated the deployment of malicious rootkits.
Microsoft officially phased out this signing program in 2021, and all associated certificates have since expired. Despite this deprecation, Windows continued to trust these legacy certificates to maintain compatibility with older hardware and software configurations.
The upcoming update finally eliminates this residual trust. Moving forward, the driver certification process mandates that vendors undergo stringent identity verification, submit comprehensive test results, and pass malware scans before being issued a secure, Microsoft-owned certificate.
To mitigate potential system stability issues, Microsoft has created an explicit allow list of highly reputable and widely used cross-signed drivers, ensuring their continued functionality. In addition, the kernel update ships with an evaluation phase before enforcement. The Windows kernel monitors driver load signals to confirm that the new policy does not interfere with critical system operations, and enforcement proceeds only once specific runtime and restart thresholds are met without incident. If an unsupported driver is detected during this audit period, the system resets the evaluation timer, delaying full enforcement until compatibility is assured.
For enterprise environments that rely on internally developed custom kernel drivers, an alternative is available. Organizations can retain their drivers without weakening the default block by deploying an Application Control for Business policy that explicitly trusts their private signer. Because the policy must be signed with an authority rooted in the device’s UEFI Secure Boot variables, only administrators who hold that signing key can extend kernel trust, so legitimate internal drivers keep loading while threat actors cannot arbitrarily load malicious ones.
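As an added illustration (not code from the article or from Microsoft's own guidance), the following PowerShell builds the kind of signed kernel-mode policy described above using the ConfigCI module and signtool from the Windows SDK. The certificate files, output paths and the signer subject name are placeholders; the policy-signing certificate is assumed to chain to a root enrolled in the device's UEFI Secure Boot db.

```powershell
# Added example: build and sign an Application Control for Business (WDAC) policy that
# trusts an in-house kernel driver signer. Paths and names below are placeholders.
Import-Module ConfigCI

$policyXml = 'C:\CI\KernelDriverPolicy.xml'
$policyBin = 'C:\CI\KernelDriverPolicy.bin'

# Start from the Microsoft-supplied base template, which already allows Microsoft-signed
# and WHCP-certified components; we only add what the default block would reject.
Copy-Item "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $policyXml

# Trust the internal driver-signing certificate for kernel-mode code only (-Kernel),
# not for user-mode binaries, so the added trust is as narrow as the need.
Add-SignerRule -FilePath $policyXml -CertificatePath 'C:\CI\InternalDriverSigner.cer' -Kernel

# Only this certificate may update or supplement the policy later (-Update). Its root is
# assumed to be present in the device's UEFI Secure Boot db.
Add-SignerRule -FilePath $policyXml -CertificatePath 'C:\CI\PolicySigner.cer' -Update

# Option 3 = Enabled:Audit Mode. Keep it during validation; run with -Delete to enforce.
Set-RuleOption -FilePath $policyXml -Option 3
# Option 6 = Enabled:Unsigned System Integrity Policy. Remove it so an unsigned copy of
# this policy is rejected and only the signer above can change it.
Set-RuleOption -FilePath $policyXml -Option 6 -Delete

# Compile the XML to the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryPath $policyBin

# Sign the binary policy as PKCS#7 with the code-integrity policy OID. signtool writes
# KernelDriverPolicy.bin.p7 into the /p7 directory; that file is what gets deployed.
& signtool.exe sign /v /n 'Contoso WDAC Policy Signer' /p7 'C:\CI' `
    /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $policyBin
```

Validate in audit mode first: Code Integrity events in the Microsoft-Windows-CodeIntegrity/Operational log show which drivers would have been blocked before you remove option 3.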
What You Should Do
- For End-Users: Ensure your Windows 11 system is regularly updated. If you encounter issues with specific hardware drivers after April 2026, check with the hardware manufacturer for updated, WHCP-certified drivers.
- For IT Administrators: Begin auditing your environment for reliance on cross-signed drivers. Plan for driver updates for all hardware and software components. For custom, in-house kernel drivers, prepare to implement Application Control for Business policies signed with a UEFI Secure Boot-rooted authority to maintain functionality.
- For Driver Developers: Ensure all new and updated drivers are submitted through the Windows Hardware Compatibility Program for certification to guarantee compatibility and security with future Windows versions.
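To support the administrator audit step above, here is an added PowerShell example (not from the article) that inventories running kernel drivers and flags those whose signer chain does not end at a Microsoft root. WHCP-certified drivers chain to a Microsoft-owned root, so a driver chaining to a third-party CA root is a candidate legacy cross-signed driver; the `Candidate` heuristic and the helper names are this example's own, not the kernel's policy decision.

```powershell
# Added example: first-pass audit of running kernel drivers by signer chain root.
function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalise to a Win32 path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # e.g. System32\drivers\x.sys
    return $p
}

function Get-KernelDriverSignerReport {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline audit: skip revocation lookups so the report works without network access.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $root = $null
            if ($sig.SignerCertificate) {
                $chain.Reset()
                [void]$chain.Build($sig.SignerCertificate)
                # Last chain element is the root the local machine resolved for this signer.
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }
            [pscustomobject]@{
                Driver    = $_.Name
                Path      = $path
                Status    = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                Root      = $root
                # Heuristic: validly signed, but not by a Microsoft-rooted chain.
                Candidate = ($sig.Status -eq 'Valid' -and $root -and $root -notmatch 'Microsoft')
            }
        }
}

# Candidates first, so each can be checked with its vendor for a WHCP-certified build.
Get-KernelDriverSignerReport | Sort-Object Candidate -Descending | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the primary signature, so a driver carrying both a legacy cross-signature and a WHCP signature may or may not be flagged depending on signature order; treat the output as a starting list to verify, not a verdict.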
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.