Microsoft Blocks Untrusted Kernel Drivers in Windows 11, Server 2025

Marcus Rodriguez
March 28, 2026

Key Takeaways

  • Microsoft is enhancing Windows security by discontinuing support for drivers signed via its legacy cross-signed root program.
  • Starting with the April 2026 updates, Windows 11 and Windows Server 2025 will automatically block these older, less secure drivers.
  • This change aims to significantly reduce the risk of kernel-level attacks, such as rootkits, by ensuring only Windows Hardware Compatibility Program-certified drivers can load.
  • An explicit allow list and a phased enforcement mechanism are in place to prevent system disruptions, and enterprises have options for custom driver support.

Microsoft Bolsters Windows Kernel Security by Blocking Legacy Drivers

Microsoft is rolling out a critical security upgrade for its Windows operating system, specifically targeting kernel-level vulnerabilities. The tech giant announced it would no longer trust drivers signed through its outdated cross-signed root program, a move designed to fortify Windows against sophisticated threats.

Beginning with the April 2026 update cycle, both Windows 11 and Windows Server 2025 will automatically prevent these cross-signed drivers from loading. This proactive measure ensures that only drivers certified through the Windows Hardware Compatibility Program (WHCP) can load, thereby substantially narrowing the attack surface available to malicious actors.

Addressing a Persistent Security Weakness

The cross-signed root program, established in the early 2000s, permitted third-party certificate authorities to issue code-signing certificates trusted by Windows. However, this system lacked robust mechanisms to verify the security or compatibility of the kernel code. A major flaw was that developers managed their own private keys, making the program a prime target for credential theft, which subsequently facilitated the deployment of malicious rootkits.

Microsoft officially phased out this signing program in 2021, and all associated certificates have since expired. Despite this deprecation, Windows continued to trust these legacy certificates to maintain compatibility with older hardware and software configurations.

The upcoming update finally eliminates this residual trust. Moving forward, the driver certification process mandates that vendors undergo stringent identity verification, submit comprehensive test results, and pass malware scans before being issued a secure, Microsoft-owned certificate.

To mitigate potential system stability issues, Microsoft has created an explicit allow list for highly reputable and widely used cross-signed drivers, ensuring their continued functionality. Additionally, the kernel update will be deployed with a careful evaluation phase. The Windows kernel will monitor driver load signals to confirm that the new policy does not interfere with critical system operations. Enforcement will only proceed once specific runtime and restart thresholds are met without incident. If an unsupported driver is detected during this audit, the system will reset the evaluation timer, delaying full enforcement until compatibility is assured.

For enterprise environments that rely on internally developed custom kernel drivers, alternative solutions are available. Organizations can securely bypass the default blocking mechanism by implementing an Application Control for Business policy. By signing this policy with an authority rooted in the device’s UEFI Secure Boot variables, administrators can explicitly trust private signers. This method ensures that legitimate internal operations continue uninterrupted while preventing threat actors from arbitrarily loading malicious drivers.

What You Should Do

  • For End-Users: Ensure your Windows 11 system is regularly updated. If you encounter issues with specific hardware drivers after April 2026, check with the hardware manufacturer for updated, WHCP-certified drivers.
  • For IT Administrators: Begin auditing your environment for reliance on cross-signed drivers. Plan for driver updates for all hardware and software components. For custom, in-house kernel drivers, prepare to implement Application Control for Business policies signed with a UEFI Secure Boot-rooted authority to maintain functionality.
  • For Driver Developers: Ensure all new and updated drivers are submitted through the Windows Hardware Compatibility Program for certification to guarantee compatibility and security with future Windows versions.
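
A starting point for the audit recommended to IT administrators above, as an added example that is not from the article or from Microsoft: it lists installed kernel drivers whose leaf signing certificate is not one of the Microsoft publisher names in `$microsoftSigners`. That list and the `NeedsReview` column are assumptions of this example; a flagged driver is a candidate for vendor follow-up, not proof that it is cross-signed or will be blocked.

```powershell
# Added example: inventory kernel drivers whose leaf signer is not a Microsoft certificate.
# Heuristic only. Get-AuthenticodeSignature reports the leaf signer; it does not say
# whether the chain relies on the legacy cross-signed root program.

# Leaf signer names treated as Microsoft-issued (assumption: extend for your fleet).
$microsoftSigners = @(
    'Microsoft Windows Hardware Compatibility Publisher',    # WHCP-certified drivers
    'Microsoft Windows',                                      # in-box OS drivers
    'Microsoft Windows Early Launch Anti-malware Publisher'   # ELAM drivers
)

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ prefix or quotes; normalise to a plain file path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '"', ''
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip unresolved paths

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate
            $cn   = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }

            [pscustomobject]@{
                Driver      = $_.Name
                State       = $_.State          # Running / Stopped
                Path        = $path
                SigStatus   = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Signer      = $cn
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                NeedsReview = ($cn -notin $microsoftSigners)   # unsigned drivers are flagged too
            }
        }
}

# Drivers to raise with the vendor or to cover with an Application Control policy.
Get-DriverSignerReport |
    Where-Object NeedsReview |
    Sort-Object Signer, Driver |
    Format-Table Driver, State, SigStatus, Signer, NotAfter, Path -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable, and export the objects with `Export-Csv` to compare results across machines.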
