Microsoft has announced a significant change to Windows kernel policy that will phase out default trust for drivers signed under the legacy cross-signed root program. This decades-old program, which allowed third-party partners to provision Windows-trusted code signing certificates, was retired in 2021, but its expired certificates remain trusted by the kernel in certain scenarios. Beginning April 2026, the Windows kernel will accept only drivers signed through the Windows Hardware Compatibility Program, though an explicit allow list will maintain compatibility for reputable legacy drivers.
The new policy will apply to Windows 11 versions 24H2, 25H2, and 26H1, Windows Server 2025, and all future releases. To prevent disruption, Microsoft will initially launch the policy in evaluation mode, monitoring systems over time to audit driver compatibility before enforcement. Organizations that need custom internal drivers can override the default kernel policy using Application Control for Business configurations. The company based this decision on billions of telemetry signals collected from Windows devices over the past two years.
