Blog Post

Windows IT Pro Blog

Advancing Windows driver security: Removing trust for the cross-signed driver program

Peter_Waxman (Microsoft)
Mar 26, 2026

How our new approach strengthens customer protection while preserving app compatibility

Today, we’re excited to announce a significant step forward in our ongoing commitment to Windows security and system reliability: the removal of trust for all kernel drivers signed under the deprecated cross-signed root program. This update helps protect our customers by ensuring that, by default, only kernel drivers that have passed the Windows Hardware Compatibility Program (WHCP) and been signed by Microsoft can be loaded. To preserve compatibility while raising the bar for platform security, Microsoft will maintain an explicit allow list of reputable drivers signed under the cross-signed program; the allow list covers a limited number of widely used, reputable cross-signed drivers so that they continue to load.

This new kernel trust policy applies to systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025, beginning with the April 2026 Windows update. All future versions of Windows 11 and Windows Server will enforce the new kernel trust policy. This update continues a long sequence of changes Microsoft has made over the years to reduce the attack surface of Windows and reinforces our commitment to safeguarding customers. Drivers are a critical part of the Windows ecosystem, and ensuring their integrity is essential to providing a secure and trustworthy environment.

The Microsoft WHCP certification program is a rigorous driver signing process that helps ensure our driver vendor partners are continuously vetted and comply with the latest security and compliance requirements. WHCP scans all driver submissions for malware and requires Hardware Lab Kit (HLK) test results to verify that drivers are compatible with the Windows OS and Windows hardware. Driver submissions that pass partner identity vetting and security and compatibility scanning are signed with Microsoft-owned and protected code signing certificates, which establish trust for those drivers across the Windows ecosystem.

Despite the high security and compliance bar imposed by WHCP, third-party drivers signed under the cross-signed root program have until now remained broadly trusted by the Windows kernel. The cross-signed root program was introduced in the early 2000s to enable code integrity for third-party drivers on the Windows platform. It provided driver publishers with Windows-trusted code signing certificates, with varying degrees of partner vetting and no assurance around the security or compatibility of the kernel code being signed. Because the program was administered by third-party certificate authorities, driver authors had to store and protect the certificates’ private keys themselves, which led to abuse and theft of those signing credentials and put our customers and their platforms at risk. The program was deprecated in 2021, and all of its certificates have since expired. However, trust for these certificates has persisted in specific use cases and scenarios. That changes starting now.

Balancing security with compatibility

We know our customers depend on a diverse set of applications and hardware, many of which today rely on third-party cross-signed drivers. Our customers require driver and application security, but it cannot come at the expense of compatibility and productivity. As a result, our new kernel trust policy responsibly raises the security bar while ensuring that essential and reputable cross-signed drivers remain trusted in Windows. This minimizes disruption and preserves the rich compatibility for which Windows is known. The new trust policy is carefully curated from billions of driver load signals and real-world usage data across Windows 11 and Windows Server 2025 from the past two years. Those driver load signals, together with input from our developer community, have shaped this policy and feature to help ensure a smooth transition for our customers.

How the secure enablement works

To make this transition as seamless as possible, the new kernel trust policy will roll out in evaluation mode starting with the April 2026 Windows update servicing release to Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. During evaluation mode, the Windows kernel monitors and audits all driver loads to determine whether the new trust policy can be safely activated without blocking critical cross-signed drivers. A system remains in evaluation mode until all of the following evaluation criteria are met:

Evaluation criteria and metrics:

  • Number of system hours: Windows 11 – 100 hours; Windows Server 2025 – 100 hours
  • Number of boot sessions: Windows 11 – 3 restarts; Windows Server 2025 – 2 restarts

By requiring two distinct evaluation criteria, we ensure that a diverse set of drivers across boot-start and runtime scenarios is observed before the feature is activated. Once all evaluation criteria are met, the feature decides whether to activate the policy by assessing the drivers that were loaded during evaluation mode:

  • If all drivers loaded during the evaluation period are trusted by the kernel policy, the system activates and enforces the new kernel trust policy. Enforced systems are then protected against untrusted cross-signed drivers, that is, drivers from the cross-signed program that are not on the kernel trust policy allow list. These drivers are blocked from running on enforced systems, and Windows displays a notification to the user.
  • If any cross-signed driver audited during the evaluation period is determined not to pass the new kernel trust policy, the policy is not activated, the system remains in evaluation mode, and the evaluation period is reset. The system stays in evaluation mode until the drivers blocking enablement are no longer observed loading.

Evaluation mode ensures that systems that use untrusted cross-signed drivers for legitimate, less frequent scenarios are not impacted by an ecosystem-wide enforced policy. At the same time, systems whose driver compatibility is not affected by the policy safely move to enforcement, reducing the kernel attack surface and improving security. Application Control for Business always provides the ability to configure a more restrictive policy, if desired, further restricting the drivers and applications that can run on your systems.
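Before the April 2026 update lands, a practitioner will want to know which loaded kernel drivers on a given machine are not Microsoft-signed and could therefore be affected by the new policy, and then compare that list with what the kernel actually audits. The following PowerShell script is an added example, not code from the original post or from Microsoft, and it makes two labelled assumptions: the signer subjects used to classify drivers ("Microsoft Windows Hardware Compatibility Publisher" for WHCP-signed, "Microsoft Windows" for inbox) are the conventional ones, and the Code Integrity event IDs queried at the end (3076 audit, 3077 block) are the existing Application Control events; the post does not name the events that the new evaluation mode emits, and the allow list itself is not published, so the script only flags candidates for review rather than deciding what will be blocked.

```powershell
# Added example (not from the original post): inventory the kernel drivers
# currently loaded on this machine, classify each by its Authenticode signer,
# and then pull recent Code Integrity audit/block events for cross-checking.
# Run from an elevated PowerShell prompt on Windows 11 / Windows Server 2025.

# Drivers that are actually loaded in the kernel right now.
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($drv in $loaded) {
    # PathName can be "\??\C:\...", "\SystemRoot\system32\..." or "system32\...";
    # normalise it to an absolute Win32 path before touching the file.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature resolves catalog signatures (SignatureType = Catalog),
    # which is how most inbox and WHCP drivers are signed; the .sys itself often
    # carries no embedded signature.
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no signer found>' }

    # Assumption: WHCP-signed drivers chain to the "Microsoft Windows Hardware
    # Compatibility Publisher" signer and inbox drivers to "Microsoft Windows".
    # Anything else is third-party and worth checking against the new policy.
    $class = switch -Regex ($subject) {
        'Microsoft Windows Hardware Compatibility Publisher' { 'WHCP'; break }
        'CN=Microsoft Windows(,|$)'                           { 'Inbox'; break }
        default                                               { 'ThirdParty' }
    }

    [pscustomobject]@{
        Driver        = $drv.Name
        Path          = $path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = $subject
        Class         = $class
    }
}

# Third-party and unsigned drivers first, since those are the review candidates.
$report | Sort-Object @{ Expression = { $_.Class -eq 'ThirdParty' }; Descending = $true }, Driver |
    Format-Table Driver, Class, Status, SignatureType, Signer -AutoSize

# Cross-check against the kernel's own view. Assumption: the Application Control
# audit (3076) and block (3077) events are the ones to watch; the post does not
# state which events the new evaluation mode writes.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Anything reported as ThirdParty with Status Valid is a driver that loads today on the strength of a non-Microsoft signer; whether it stays loadable after enforcement depends on the allow list, which is why the Code Integrity log, rather than this inventory, is the authoritative signal once a machine is in evaluation mode.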

For more information on the driver policy, please visit https://go.microsoft.com/fwlink/?linkid=2352532 

Allowing custom kernel drivers via App Control policy

To run certain drivers that the new kernel policy does not trust in your environment, Windows now supports a method to securely override the default kernel policy using an Application Control for Business (formerly WDAC) policy. This policy is intended for confidential drivers that cannot be signed through the Microsoft Windows Hardware Compatibility Program (WHCP) via the Hardware Dev Center (HDC), and for drivers developed for internal-only scenarios. Otherwise, drivers targeted at the Windows ecosystem must be WHCP certified and signed through the Microsoft HDC portal.

Customers with confidential or internal-only driver scenarios who control the UEFI Secure Boot authorities on their devices can use this new feature to allow custom signers that the Windows kernel does not trust by default. The App Control policy lets customers run privately signed drivers on enrolled systems without degrading security. The policy must be signed by an authority present in the device’s Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables, which ties the policy to that customer’s environment: on devices whose PK and KEK do not include the signing authority, the policy does not apply. By default, Application Control policies can only further restrict the default kernel policy; only when a policy is PK- or KEK-signed can kernel trust be expanded to components and certificates that Windows does not otherwise trust.

The April 2026 Windows update servicing release will support this new policy type in Application Control for Business on systems running Windows 11 24H2, 25H2, 26H1 and Windows Server 2025. For more information on allowing custom kernel drivers and building a custom policy, visit https://go.microsoft.com/fwlink/?linkid=2348122.

We are committed to delivering the best possible Windows experience - one that is secure, reliable, and fully compatible with your workflows. As we roll out the kernel trust policy, we’ll continue to listen to customer feedback, work closely with hardware and software partners, and refine our processes to ensure both security and compatibility remain top priorities. Thank you for joining us on this journey toward a safer, more resilient Windows ecosystem.

Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience.

The updated Windows Security book and Windows Server Security book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.


Updated Mar 25, 2026
Version 1.0

4 Comments

  • amsel (Occasional Reader)

    How about simply recreating the old drivers so that they keep running under Windows 11? For my sound card (Sound Blaster X-Fi Titanium Fatal1ty Champion Series) there is unfortunately no new driver from the manufacturer anymore.

    Why should we now produce junk when the hardware still works very well?

    Better to redo the old drivers so that Windows stops complaining.

    Regards, amsel

    • rpodric (Bronze Contributor)

      Did you check that driver to prove that it actually meets the above criteria?  Just being older isn't enough. Even if it fails (see below), Creative Labs Sound Blaster is very likely on the exception list owing to it being a major OEM.

      Once in audit mode, I think you'll be able to tell by looking here in Event Viewer: Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.

      In advance of that, this is the best (unofficial) information that I have:

      Since the standard Windows properties menu often hides legacy certificates, the most accurate way to check a specific driver is to use signtool (in the Windows SDK or in Delphier/SignTool on GitHub) to check how Windows actually validates its trust.

      Open Command Prompt and run this exact command:
      signtool verify /v /a C:\Windows\System32\drivers\YOUR_DRIVER.sys

      (Note: The /a flag is critical because it forces Windows to check its hidden modern catalog databases, rather than just looking at the .sys file itself).

      How to read the results:

      • It's Safe: If the output says "Successfully verified" and mentions it is signed by the Microsoft Windows Hardware Compatibility Publisher (WHCP) or "signed in catalog". This means Microsoft fully vetted the driver.
      • It's At Risk: If the output says "Unable to verify this file using a catalog" and ends with a SignTool Error (such as an untrusted root).
        • The Exception (The Allowlist): If the driver belongs to a major, essential hardware manufacturer (like Intel, AMD, or NVIDIA), it is likely safe because Microsoft hardcoded them into an "allowlist" so PCs won't crash.
        • The Rule: If the failing driver belongs to a smaller third-party utility company (like a disk partitioner, VPN, or virtual drive), it is not on the allowlist and will almost certainly be blocked when the audit mode ends.
      • amsel (Occasional Reader)

        Thanks a lot. Apart from one driver, I get all of them newly signed.

        Verifying: C:\Windows\System32\drivers\kinectcamera.sys

        File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem70.CAT
        Hash of file (sha1): 27F3B32714C0E56020B135FE11B840EC43ABC5BD

        Signing Certificate Chain:
            Issued to: Microsoft Root Certificate Authority
            Issued by: Microsoft Root Certificate Authority
            Expires:   Mon May 10 00:28:13 2021
            SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

            Issued to: Microsoft Windows Hardware Compatibility PCA
            Issued by: Microsoft Root Certificate Authority
            Expires:   Thu Jun 04 22:15:46 2020
            SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Thu Sep 19 00:20:55 2013
            SHA1 hash: D94345C032D23404231DD3902F22AB1C2100341E

        The signature is timestamped: Fri Aug 31 00:09:23 2012
        Timestamp Verified by:
            Issued to: Microsoft Root Authority
            Issued by: Microsoft Root Authority
            Expires:   Thu Dec 31 08:00:00 2020
            SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

            Issued to: Microsoft Timestamping PCA
            Issued by: Microsoft Root Authority
            Expires:   Sun Sep 15 08:00:00 2019
            SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Tue Apr 09 22:53:57 2013
            SHA1 hash: F8EDFD8E91AB10DF648C67847D5676F28A922A5A

        SignTool Error: This catalog is not valid for the current OS version. You may
        use the /o option to verify against a different OS version.

        File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem76.CAT
        Hash of file (sha1): 27F3B32714C0E56020B135FE11B840EC43ABC5BD
        [Signing certificate chain and timestamp chain identical to the oem70.CAT entry above]
        SignTool Error: This catalog is not valid for the current OS version. You may
        use the /o option to verify against a different OS version.

        File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem77.CAT
        Hash of file (sha1): 27F3B32714C0E56020B135FE11B840EC43ABC5BD
        [Signing certificate chain and timestamp chain identical to the oem70.CAT entry above]
        SignTool Error: This catalog is not valid for the current OS version. You may
        use the /o option to verify against a different OS version.

        File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem78.CAT
        Hash of file (sha1): 27F3B32714C0E56020B135FE11B840EC43ABC5BD
        [Signing certificate chain and timestamp chain identical to the oem70.CAT entry above]
        SignTool Error: This catalog is not valid for the current OS version. You may
        use the /o option to verify against a different OS version.

        File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem43.CAT
        Hash of file (sha1): 27F3B32714C0E56020B135FE11B840EC43ABC5BD
        [Signing certificate chain and timestamp chain identical to the oem70.CAT entry above]
        SignTool Error: This catalog is not valid for the current OS version. You may
        use the /o option to verify against a different OS version.

        SignTool Error: File not valid: C:\Windows\System32\drivers\kinectcamera.sys

        Number of files successfully Verified: 0
        Number of warnings: 0
        Number of errors: 1

        Unfortunately this driver cannot be re-signed, whatever the reason. Maybe you still have a newer version of it available.

        Regards, amsel