Microsoft is removing trust for kernel drivers signed by the deprecated cross-signed root program, requiring all drivers to pass the Windows Hardware Compatibility Program certification starting April 2026.
Microsoft is removing trust for kernel drivers that haven't been through the Windows Hardware Compatibility Program (WHCP) in a bid to further secure the Windows kernel. The company is targeting kernel drivers signed by the long-deprecated cross-signed root program. Although all the certificates associated with the program have expired, the drivers are "still broadly trusted in the Windows kernel." That will end with the April 2026 Windows Update.
While Microsoft prides itself on backward compatibility, blocking cross-signed drivers will affect some legacy use cases and applications. To that end, the policy will roll out in "evaluation mode," where the Windows kernel will monitor and audit driver loads to determine whether activating the policy will cause compatibility issues.
Microsoft introduced the cross-signed root program in the early 2000s to enable code integrity for third-party drivers. However, third parties administered the signing program, requiring authors to store and protect the private keys associated with those certificates. According to Microsoft, this "led to abuse and credential theft that put our customers and their platforms at risk."
Whether the Windows architecture should have allowed this is moot. The problem now is balancing security with compatibility. "We know driver and application security are required by our customers but cannot come at the expense of compatibility and productivity," said Microsoft. Hence the evaluation mode, and keeping "essential and reputable cross-signed drivers" still trusted in Windows.
That said, administrators can still allow custom kernel drivers via the Application Control for Business policy to override the default kernel policy. Microsoft foresees this being used for confidential or internal-only driver scenarios, rather than to support a legacy device or application. "The policy must be signed by an authority in the device's Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables to ensure the policy is applicable to only their environment," Microsoft stated. "Otherwise, drivers targeted for the Windows ecosystem must be WHCP certified and signed through the Microsoft HDC portal."
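To see which of a machine's loaded kernel drivers would fall outside the WHCP default before enforcement begins, an administrator can inventory each running driver's Authenticode signer. The script below is an added example, not code from The Register or Microsoft; it assumes that WHCP-signed drivers carry a signer certificate whose subject contains "Microsoft Windows Hardware Compatibility Publisher", and it must run from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): classify running kernel
# drivers by their Authenticode signer so the admin can review anything that is
# not WHCP-signed ahead of the April 2026 policy change.
# Assumption: WHCP-certified drivers are signed with a certificate whose subject
# contains the string below; other Microsoft signers (inbox drivers) are reported
# separately, and everything else is flagged for review.
$whcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-KernelDriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use the \??\ or \SystemRoot\ forms; normalise to a file path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            if ($subject -like "*$whcpSubject*")   { $category = 'WHCP' }
            elseif ($subject -like '*Microsoft*')  { $category = 'Microsoft (other)' }
            elseif ($sig.Status -eq 'Valid')       { $category = 'Third-party / review' }
            else                                   { $category = 'Unsigned or invalid' }

            [pscustomobject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status
                Signer   = $subject
                Category = $category
            }
        }
}

# Summary per category, then the drivers that need attention first.
$report = Get-KernelDriverSignerReport
$report | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Category -ne 'WHCP' |
    Sort-Object Category, Name |
    Format-Table Name, Category, Status, Signer -AutoSize
```

Drivers in the "Third-party / review" and "Unsigned or invalid" groups are the ones to check against vendor WHCP availability or, for internal-only drivers, against a signed Application Control for Business policy as the article describes.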
Microsoft's decision has been a while coming, certainly since it deprecated the cross-signed root program years ago. That knowledge will not, however, make things any easier for users with drivers that are now on the naughty step and with vendors unlikely or unable to refresh them. Workarounds exist, but Microsoft's decision clearly signals the company's direction of travel. Eventually, Microsoft will bar any code that hasn't passed the WHCP certification process from kernel-based shenanigans.
The change will apply to Windows 11 24H2, 25H2, and 26H1 and Windows Server 2025. ®