Microsoft to Block Untrusted Cross-Signed Kernel Drivers in 2026 Windows Update

Microsoft is set to enhance the security of its Windows operating systems by blocking untrusted cross-signed kernel drivers by default. This change, effective with the April 2026 update, will apply to Windows 11 and Windows Server 2025, aiming to mitigate potential security risks associated with legacy drivers.

Understanding Cross-Signed Kernel Drivers

Introduced in the early 2000s, the cross-signed root program allowed third-party certificate authorities to issue code-signing certificates trusted by Windows. This let developers sign their own kernel-mode drivers so that they could be loaded on Windows systems. However, the program lacked stringent security controls: developers managed their own private keys without comprehensive oversight. That gap made the system susceptible to credential theft, allowing malicious actors to deploy rootkits and other malware signed with stolen, but still trusted, certificates.

Deprecation and Continued Trust

Recognizing the security vulnerabilities inherent in the cross-signed root program, Microsoft deprecated it in 2021. Despite the deprecation and the expiration of related certificates, Windows continued to trust these legacy certificates to maintain compatibility with older hardware and software. This continued trust posed ongoing security risks, as it provided a potential avenue for attackers to exploit outdated drivers.

Implementation of the New Policy

With the upcoming April 2026 update, Microsoft will remove trust for drivers signed by the deprecated cross-signed root program. This policy change means that only drivers certified through the Windows Hardware Compatibility Program (WHCP) will load automatically. The WHCP requires vendors to undergo rigorous identity verification, submit comprehensive test results, and pass malware scanning before receiving a Microsoft-owned certificate. This process ensures that only secure and compatible drivers are permitted to operate within the Windows kernel.

Mitigating Potential Disruptions

To prevent system crashes and maintain stability, Microsoft is introducing an explicit allow list for highly reputable and widely used cross-signed drivers. This measure ensures that essential drivers continue to function while the new policy is enforced. Additionally, the kernel update will deploy in an evaluation mode, where the Windows kernel will audit driver load signals to assess the impact of the new policy. Enforcement will only occur after specific runtime and restart thresholds are met, allowing for a gradual transition and minimizing potential disruptions.

Options for Enterprise Environments

Organizations that rely on internally developed custom kernel drivers have alternative options to ensure continued functionality. Enterprise environments can securely bypass the default block by implementing an Application Control for Business policy. By signing this policy with an authority rooted in the device’s UEFI Secure Boot variables, administrators can explicitly trust private signers. This approach ensures that legitimate internal operations continue uninterrupted while preventing unauthorized drivers from loading.

Implications for Security

This policy change represents a significant step in enhancing the security posture of Windows operating systems. By blocking untrusted cross-signed kernel drivers, Microsoft aims to reduce the attack surface available to malicious actors. Kernel-mode drivers operate at a high privilege level within the operating system, and compromising them can lead to severe security breaches. Ensuring that only trusted and verified drivers are allowed to load helps protect the integrity of the system and the data it processes.

Recommendations for Users and Administrators

Users and system administrators should prepare for this change by reviewing the drivers currently in use in their environments: identify any drivers signed with the deprecated cross-signed certificates and update them to versions certified through the WHCP. Organizations with custom drivers should put the necessary Application Control policies in place so that those drivers keep working without weakening security.
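As an added example (not from the article, and not Microsoft's own tooling), the following PowerShell inventory lists the kernel-mode drivers installed on a host and flags those whose signer is neither the WHCP publisher nor Microsoft's own inbox signer. The signer names it matches on and the "third-party signer means review" heuristic are assumptions to verify against Microsoft's guidance for your environment.

```powershell
# Added example: inventory kernel-mode drivers and flag those to review before
# the April 2026 update. Assumptions (verify for your environment): WHCP-attested
# drivers carry the "Microsoft Windows Hardware Compatibility Publisher" signer,
# Microsoft's inbox drivers carry a "CN=Microsoft Windows" signer, and any other
# signer may depend on a legacy cross-signed certificate.
function Resolve-DriverPath {
    param([string]$RawPath)
    $p = $RawPath -replace '^\\\?\?\\', ''                 # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... form
    if (-not [System.IO.Path]::IsPathRooted($p)) {          # "system32\drivers\x.sys" form
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSigningReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path $path)) { return }
            # Get-AuthenticodeSignature also consults the system catalogs, so
            # catalog-signed drivers report the catalog's signer here.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $class = if ($signer -match 'CN=Microsoft Windows Hardware Compatibility Publisher') { 'WHCP' }
                     elseif ($signer -match 'CN=Microsoft Windows') { 'Microsoft inbox' }
                     elseif ($signer -eq '') { 'unsigned/unknown' }
                     else { 'third-party: review' }
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
                Class  = $class
            }
        }
}

# Usage: show only the drivers that need attention, most urgent classes first.
Get-DriverSigningReport |
    Where-Object { $_.Class -notin @('WHCP', 'Microsoft inbox') } |
    Sort-Object Class, Name |
    Format-Table Name, State, Class, Status, Signer -AutoSize
```

Run it in an elevated session so every driver path is readable; drivers in the "third-party: review" class are the ones to check against the vendor for a WHCP-certified release or to cover with an Application Control policy.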

Conclusion

Microsoft’s decision to block untrusted cross-signed kernel drivers by default in Windows 11 and Windows Server 2025 underscores the company’s commitment to enhancing security. By enforcing stricter driver certification requirements, Microsoft aims to protect users from potential threats associated with legacy drivers. Users and administrators are encouraged to take proactive steps to ensure compatibility and maintain the security of their systems in light of this upcoming change.