Advancing Windows driver security: Removing trust for the…

[Microsoft removes kernel trust for deprecated cross-signed drivers, enforcing WHCP-signed drivers by default in Windows 11/Server April 2026 update. An allow list preserves select drivers; evaluation mode and App Control policies enable compatibility and controlled overrides.]

Today Microsoft removed trust for kernel drivers signed by the deprecated cross-signed root program. This change restricts kernel driver loading to WHCP-signed drivers, with a curated allow list for legacy compatibility.

Main feature/change and impact

Microsoft now enforces a new kernel trust policy that removes default trust for cross-signed drivers. The policy requires drivers to be signed through the Windows Hardware Compatibility Program (WHCP) to load by default. A limited allow list preserves essential, widely used cross-signed drivers. This reduces kernel attack surface and prevents drivers signed with weaker vetting from running on updated systems.

Practical implications

The April 2026 update places systems into evaluation mode before enforcement. Evaluation audits driver loads for specified hours and restarts to avoid unintended breaks. Admins can use Application Control for Business policies to allow private or internal drivers. WHCP-signed drivers remain the supported path for broad Windows ecosystem compatibility and security.

“This update will help protect our customers by ensuring that only kernel drivers that the Windows Hardware Compatibility Program (WHCP) have passed and been signed can be loaded by default.”

Microsoft will roll the policy out to Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. Systems remain in evaluation mode until two criteria are met. If any disallowed cross-signed driver is observed, the evaluation resets and enforcement is delayed. Administrators must plan testing and WHCP submission for third-party drivers used in production.

Closing

Organizations should inventory kernel drivers and prioritize WHCP certification for critical components. Use App Control for Business to permit confidential or internal drivers while retaining Secure Boot protections. Monitor audit logs during the evaluation period and prepare to remediate non-compliant drivers before enforcement.
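The inventory step above can be started with a short PowerShell script. This is an added example, not code from the Microsoft post: it lists the kernel drivers registered on a host, reads each file's Authenticode signer, and flags anything that is not WHCP-signed for review. It assumes that WHCP-signed drivers carry the signer CN "Microsoft Windows Hardware Compatibility Publisher" and inbox drivers the CN "Microsoft Windows"; it does not replace the evaluation-mode audit that the update itself performs.

```powershell
# Added example: classify registered kernel drivers by Authenticode signer so
# non-WHCP drivers can be reviewed before the policy moves to enforcement.
# Assumption: WHCP-signed drivers are signed by the publisher CN below;
# anything else is flagged rather than treated as trusted.
$whcpSigner  = 'CN=Microsoft Windows Hardware Compatibility Publisher'
$inboxSigner = 'CN=Microsoft Windows,'

function Get-KernelDriverTrustReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or use the \??\ or \SystemRoot\ prefixes.
            $path = $_.PathName.Trim('"') `
                -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Catalog-only signatures may report as NotSigned on older hosts;
            # those entries still land in the review bucket, which is intended.
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $class = if ($sig.Status -ne 'Valid') {
                'Unsigned or invalid signature - review'
            } elseif ($subject -like "$whcpSigner*") {
                'WHCP-signed'
            } elseif ($subject -like "$inboxSigner*") {
                'Inbox (Microsoft Windows)'
            } else {
                'Third-party signer - review (possibly cross-signed)'
            }

            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Status = $sig.Status
                Signer = $subject
                Class  = $class
                Path   = $path
            }
        }
}

# Usage: show everything that is not already WHCP-signed, running drivers first.
Get-KernelDriverTrustReport |
    Where-Object Class -ne 'WHCP-signed' |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Class, Path -AutoSize
```

Drivers in the "review" buckets are the candidates for the allow list check, a WHCP submission, or an App Control for Business policy.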

Key points from the article:

  • Cross-signed kernel drivers lose default trust in Windows April 2026 update.
  • WHCP-signed drivers become the default trusted kernel drivers.
  • Allow list preserves widely used reputable cross-signed drivers.
  • Evaluation mode audits driver loads before enforcing the policy.
  • App Control enables secure overrides for internal or confidential drivers.