Microsoft is making a significant change to how Windows handles kernel drivers, and if you’re running Windows 11 or Windows Server 2025, this one affects you directly.

Windows 11 will no longer trust old drivers by default under new Kernel Trust Policy.
Starting with the April 2026 Windows Update, Microsoft will stop trusting kernel drivers signed under its old cross-signed root program. Going forward, only drivers that have cleared Microsoft’s Windows Hardware Compatibility Program (WHCP) will be allowed to load by default. The company says the move is aimed squarely at reducing attack surfaces that bad actors have exploited for years.
The cross-signed program dates back to the early 2000s and was essentially a workaround to get third-party drivers working on Windows before stricter certification processes existed. The problem? It gave driver publishers signing certificates with minimal vetting and no real security guarantees. Worse, developers had to store private keys themselves, which led to credential theft and outright abuse. Microsoft officially deprecated the program in 2021, but remnants of that trust have lingered until now.
To avoid breaking things for everyday users, Microsoft is being cautious about the rollout. The new policy starts in evaluation mode, quietly watching which drivers load on a given machine. A system needs at least 100 hours of runtime and three restarts before Windows decides whether to enforce the new rules. If any flagged driver shows up during that window, enforcement gets postponed, and the clock resets.
For businesses running proprietary or internal-only drivers that can’t go through WHCP certification, Microsoft is offering an escape hatch through Application Control for Business policies — though it requires control over UEFI Secure Boot authorities, so it’s not a casual workaround.
The change affects Windows 11 versions 24H2, 25H2, and 26H1, along with Windows Server 2025, with all future Windows releases expected to follow the same policy.
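To see which drivers on a machine might fall outside the new default, the following added example (not from Microsoft or the original article) buckets running kernel drivers by their Authenticode signer. It assumes that the signer name "Microsoft Windows Hardware Compatibility Publisher" marks WHCP-issued signatures; the buckets are a triage heuristic, not the logic Windows itself uses during evaluation mode.

```powershell
# Added example: inventory running kernel drivers by Authenticode signer.
# Assumption: signer-name buckets are a triage heuristic only; kernel code
# integrity makes the real load decision.
$whcpSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths may carry quotes or NT-style prefixes.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        # Get-AuthenticodeSignature also resolves catalog-signed files.
        $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        $subject = ''
        if ($sig -and $sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

        if (-not $sig -or $sig.Status -ne 'Valid') {
            $bucket = 'Unsigned or invalid'
        } elseif ($subject -like "*$whcpSigner*") {
            $bucket = 'WHCP publisher'
        } elseif ($subject -like '*O=Microsoft Corporation*') {
            $bucket = 'Microsoft'
        } else {
            $bucket = 'Other signer (review)'   # candidates for legacy cross-signing
        }

        [pscustomobject]@{
            Name = $_.Name; Bucket = $bucket; Signer = $subject; Path = $path
        }
    }

# Summary per bucket, then the drivers that need a closer look.
$report | Group-Object Bucket | Select-Object Count, Name
$report | Where-Object { $_.Bucket -in 'Other signer (review)', 'Unsigned or invalid' } |
    Format-Table Name, Signer, Path -AutoSize
```

Run it from an elevated PowerShell session; drivers in the "Other signer (review)" bucket are the ones to check with the vendor for a WHCP-certified replacement.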