Microsoft plans to tighten Windows 11 kernel security. Starting in April 2026, the company will gradually end support for kernel drivers signed under an obsolete scheme, closing a long-standing weakness in how the OS decides which drivers to trust.

In a recent post on the Windows IT Pro blog, Microsoft announced that it will stop trusting drivers signed through the now-retired cross-signed root program. That mechanism, dating from the early 2000s, was once the primary route for loading third-party code into the Windows kernel.

The core problem lay in the signing certificates involved: they were issued by third-party certificate authorities with minimal vetting. That lax oversight made it possible to abuse the process and to steal signing credentials, producing tampered drivers. Even after the program ended in 2021, Windows kept loading many of these legacy drivers, and will continue to do so until this change takes effect.

Going forward, Windows will primarily accept kernel drivers validated through the formal Windows Hardware Compatibility Program (WHCP). Microsoft performs these checks itself, screening submissions for malware and verifying compatibility.

The primary goal is to substantially reduce opportunities for harmful software to infiltrate the kernel, the operating system's most critical component.

Microsoft says the updated approach is informed by extensive telemetry, including analysis of billions of driver-load events over the past two years. Developer feedback has also shaped the rollout plan.

Although it was announced only a day earlier, the change will not take effect immediately. Microsoft is first putting devices through a preliminary evaluation phase, which works as follows:

During this phase, the Windows kernel tracks and logs every driver load to determine whether the revised trust rules could be enforced without breaking essential functionality by rejecting legacy cross-signed components.

Devices will stay in this evaluation state until specific benchmarks are achieved. For Windows 11 machines, this requires 100 hours of runtime and a minimum of three reboots.

If every driver seen during the evaluation window meets the kernel's trust requirements, the system enables and enforces the new policy. Once enforced, the device blocks drivers from the old cross-signed scheme that do not meet the current criteria.

Conversely, if the evaluation turns up any cross-signed drivers that would fail the new standards, policy activation is halted, the evaluation resets, and the device stays in monitoring mode until those drivers stop appearing.

In practice, a device that keeps encountering incompatible drivers remains in this diagnostic state indefinitely and never completes the switch to the enforced policy.

To balance the security gains against compatibility, Microsoft is maintaining an exception list for selected legacy drivers it deems trustworthy, allowing them to keep loading.

Enterprises can tailor the policy. Administrators can use dedicated controls to keep in-house or custom drivers running, but only under strict governance.

Microsoft provides Application Control for Windows for this purpose, letting organizations authorize proprietary or uncertified drivers, such as those for internal tools or specialized equipment, on a case-by-case basis.
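The evaluation phase described above only tells you about incompatible drivers after the fact, and the Application Control allowances only help if you know which drivers need them. The script below is an added example, not code from Microsoft or from the blog post, for taking that inventory yourself ahead of the rollout: it lists the kernel drivers currently running, checks how each one is signed, and flags those whose signing chain ends at the legacy cross-signing root. It assumes that cross-signed third-party drivers chain to a root named "Microsoft Code Verification Root" (the anchor the retired program used), and that WHCP-signed drivers chain to a Microsoft root instead; the function names and the `Legacy` heuristic are this example's own, not Microsoft's enforcement logic.

```powershell
# Added example (not Microsoft's code): inventory running kernel drivers and
# report how each is signed, so an administrator can see before enforcement
# which drivers depend on the legacy cross-signing chain and need either a
# WHCP-signed replacement or an explicit App Control allow rule.
#
# Assumption: legacy cross-signed drivers chain up to a root whose subject
# contains "Microsoft Code Verification Root". Run from an elevated PowerShell.

function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    # Service image paths come in several kernel-style spellings; normalise them.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }
    if (-not (Test-Path -LiteralPath $p)) { return $null }
    return $p
}

function Get-RootSubject {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The signing certificate may be long expired; build the chain anyway so the
    # root can still be identified. Revocation is irrelevant for this report.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
    return $last.Certificate.Subject
}

$legacyRoot = 'Microsoft Code Verification Root'   # assumed cross-signing anchor

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path) { return }          # skip entries whose image cannot be located
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $root = if ($sig.SignerCertificate) { Get-RootSubject $sig.SignerCertificate } else { '' }
        [pscustomobject]@{
            Driver  = $_.Name
            File    = $path
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SigType = $sig.SignatureType   # Authenticode, Catalog or None
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Root    = $root
            Legacy  = ($root -like "*$legacyRoot*")
        }
    }

$report | Sort-Object Legacy -Descending |
    Format-Table Driver, Status, SigType, Legacy, Root -AutoSize
"Drivers that appear to rely on the legacy cross-signing root: $(@($report | Where-Object Legacy).Count)"
```

Two caveats when reading the output. `Get-AuthenticodeSignature` exposes only the primary signature on a file, so a driver that carries both a WHQL signature and an older cross-signature will be reported by whichever one comes first; treat a `Legacy` hit as a prompt to look at the file's full signature list in Explorer or `signtool`, not as a verdict. And a `Catalog` signature type with a Microsoft signer generally means the driver is inbox or WHCP-signed, which is the state the new policy expects. Drivers that do show up as legacy are the ones to replace with a WHCP-signed build or to cover deliberately with an Application Control rule, rather than leaving the device stuck in the evaluation phase.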

The implementation kicks off with the April 2026 software update and will integrate as a standard element in subsequent Windows releases.

For everyday users, the change means stronger protection in Windows 11: it makes it harder for attackers to abuse modified or vulnerable drivers.

That said, some users may run into unexpected problems, particularly with aging peripherals that depend on unsupported drivers. Microsoft mitigates this through the gradual rollout and the built-in exceptions.