This change is potentially catastrophic for our customers and for us.
We've spent a few days now trying to understand how this works in detail. It would be great to get some clarifications:
- From this blog post we assumed that the change would roll out with the April security update (KB5083769). Did it?
- We have reports from customers using Windows Insider Preview where our driver has been blocked. We have not heard from customers on regular Windows that our driver has been blocked, but I would expect that this should be the case by now.
- We have at least one system that should be in enforcement mode by now (as explained at https://support.microsoft.com/en-us/windows/the-windows-driver-policy-ecd2a78c-750c-415d-93f2-e37302ce0443), but this is not the case. It is still in evaluation mode, which makes me wonder if we misunderstand the mechanism described above (100 hours, 3 reboots), or if it works differently, or if it has not yet rolled out at all. It would be great to get better insight into how this works.
To me it seems quite irresponsible how Microsoft is rolling out this change:
- Our team is reasonably well informed, following announcements, blogs, etc. Still, we were not aware that our driver was deprecated and will now stop working.
- The two-phased approach with evaluation and enforcement mode seems reasonable at first glance, but in practice it is anything but. In practice, for end customers (and for us) there is no way to know if and when our drivers (and thus our hardware) will stop working. For end customers, critical hardware will simply stop working one day. You find out on that day, with no pre-warning. What a situation to be in! (Our hardware is often used every few weeks to every few months by our customers.)
- The way to disable or work around this security feature is not suitable for end customers.
Just to be clear: I totally understand why Microsoft is taking this step (better security), but I disagree with how the change is being rolled out. Why not show a user visible warning for a year or so, if deprecated drivers are being used?
Lastly, why do we not simply ship an updated, properly signed driver? Our enrollment for the hardware partner program got somehow stuck; I've been in contact with Microsoft Support for over six weeks to resolve the situation and with no clear expectation that this will be resolved at all within a reasonable amount of time. I started the enrollment process originally in early February. To say that this is frustrating is an understatement.
I would appreciate clarification about how exactly this feature works. I would truly appreciate finally getting enrolled in the hardware partner program.