Microsoft Enhances Windows Security by Blocking Untrusted Kernel Drivers
In a significant move to bolster the security of its operating systems, Microsoft has announced that starting with the April 2026 update, Windows 11 and Windows Server 2025 will block untrusted cross-signed kernel drivers by default. This policy change aims to mitigate potential security vulnerabilities associated with legacy drivers and enhance overall system integrity.
Understanding the Change
Kernel drivers are essential components that allow the operating system to interact with hardware devices. Historically, Microsoft permitted third-party certificate authorities to issue code-signing certificates under the cross-signed root program, introduced in the early 2000s. This program enabled developers to sign their kernel drivers, allowing them to load on Windows systems without undergoing Microsoft’s rigorous certification process.
However, this approach had significant security implications. The cross-signed root program offered no assurance about the security or compatibility of the kernel code it admitted. Because developers held their own private signing keys, those keys became a frequent target of theft, and attackers used stolen or abused certificates to load rootkits and other malicious code at the kernel level, compromising system security.
Deprecation and Transition
Recognizing these risks, Microsoft officially deprecated the cross-signed root program in 2021. All related certificates have since expired. Despite this deprecation, Windows continued to trust these legacy certificates to maintain compatibility with older hardware and software.
The upcoming April 2026 update marks a decisive step in severing this lingering trust. By blocking untrusted cross-signed kernel drivers by default, Microsoft aims to close a longstanding security gap and reduce the attack surface for potential threats.
Implementation Details
To ensure a smooth transition and prevent system crashes, Microsoft is introducing an explicit allow list for highly reputable and widely used cross-signed drivers. This approach balances security enhancements with the need for compatibility, allowing essential drivers to function while blocking potentially harmful ones.
The kernel update will also deploy in a careful evaluation mode. During this phase, the Windows kernel will audit driver load signals to ensure the new policy does not disrupt critical functions. The system will only enforce the block after meeting specific runtime and restart thresholds. If an unsupported driver is detected during this audit phase, the system resets the evaluation timer and holds off on enforcement, providing administrators with time to address potential issues.
Implications for Enterprises
Enterprise environments that rely on internally developed custom kernel drivers have alternative options to ensure continuity. Organizations can securely bypass the default block using an Application Control for Business policy. By signing this policy with an authority rooted in the device’s UEFI Secure Boot variables, administrators can explicitly trust private signers. This method ensures that threat actors cannot arbitrarily load malicious drivers while legitimate internal operations continue uninterrupted.
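To prepare for the audit and enforcement phases described above, an administrator first needs a list of loaded drivers that do not chain to a Microsoft root; the following PowerShell inventory script is an added example, not from the article or from Microsoft, and assumes an elevated session on Windows 11 or Windows Server 2025 with the root-name match used as a heuristic rather than Microsoft's actual allow-list logic.

```powershell
# Added example, not from the article: inventory running kernel drivers and flag
# those whose signature chain does not end at a Microsoft root. Drivers signed
# under the retired cross-signed program chain to third-party roots, so this
# gives administrators a starting list to review before the April 2026 block.
# Assumptions: run elevated on Windows 11 / Windows Server 2025; the root-name
# match is a heuristic, not Microsoft's allow-list logic.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName arrives in several kernel path forms
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSigningReport {
    $drivers = Get-CimInstance Win32_SystemDriver -Filter "State='Running'"
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Root = $null; Flag = 'Review' }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $rootName = $null
        if ($sig.SignerCertificate) {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            # Offline inventory only; this is not a trust decision
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $null = $chain.Build($sig.SignerCertificate)
            $last = $chain.ChainElements.Count - 1
            $rootName = $chain.ChainElements[$last].Certificate.Subject
            $chain.Dispose()
        }
        # Anything unsigned, invalid, or rooted outside Microsoft gets a closer look
        $flag = 'OK'
        if ($sig.Status -ne 'Valid' -or $rootName -notmatch 'Microsoft') { $flag = 'Review' }
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status; Root = $rootName; Flag = $flag }
    }
}

Get-DriverSigningReport | Where-Object Flag -eq 'Review' | Format-Table -AutoSize
```

Drivers listed as Review are candidates for re-signing through the Microsoft process or for explicit trust via a signed Application Control for Business policy, as the paragraph above describes.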
Broader Security Context
This policy change is part of Microsoft’s broader strategy to enhance the security of its operating systems. By enforcing stricter controls over kernel drivers, Microsoft aims to mitigate risks associated with unauthorized code execution at the kernel level. This move aligns with other recent security enhancements, such as the introduction of Secure Boot and the deprecation of older, less secure protocols.
Conclusion
Microsoft’s decision to block untrusted cross-signed kernel drivers by default in Windows 11 and Windows Server 2025 represents a significant advancement in operating system security. By eliminating trust in deprecated signing methods and enforcing stricter controls, Microsoft aims to provide users with a more secure computing environment. Administrators and developers should prepare for this change by ensuring that all necessary drivers are properly signed and compliant with the new security standards.