
Microsoft is closing a security gap that has been open for roughly twenty years. Starting with the April 2026 Windows update, the company will remove default trust for kernel drivers signed through the old cross-signed root program, requiring instead that all new kernel drivers be certified through the Windows Hardware Compatibility Program (WHCP). The change affects Windows 11 builds 24H2, 25H2, and 26H1, along with Windows Server 2025, and all future versions will enforce the policy.
The cross-signed root program was introduced in the early 2000s to enable code integrity for third-party drivers: a vendor's driver could be authenticated through a third-party certificate authority whose certificate was countersigned by Microsoft. Those certificates have since expired, but Windows has continued trusting drivers signed under that program. That lingering trust has been exploited through what security researchers call Bring Your Own Vulnerable Driver (BYOVD) attacks, where attackers load an old, legitimately signed but exploitable driver to gain kernel-level access and then disable security tools for fun and profit.
The April update will initially deploy in evaluation mode: the Windows kernel will monitor and audit driver loads without actually blocking anything, accumulating data across 100 hours of runtime and two or three restart cycles. If during that evaluation window all drivers that load are already trusted under the new policy, the system moves to enforcement automatically. If any cross-signed driver is detected, the system stays in evaluation mode until those drivers are no longer loading.
Microsoft is also maintaining an explicit allow list of reputable, widely-used drivers that were previously vetted through the old program, covering a transitional window for legitimate legacy hardware. Enterprises with unavoidable custom or internal drivers can also use Application Control for Business (formerly WDAC) policies to authorize those specific drivers without degrading the overall security model.
For most enthusiast builders running modern hardware with recent drivers, this will be entirely transparent. Where it could bite is with older specialty peripherals, unusual audio interfaces, legacy game peripherals, or niche add-in cards where the vendor has not maintained WHCP-certified drivers. If you run older hardware with drivers that have not been updated in years, now is a good time to check whether current WHCP-signed versions exist. If a device lacks them and the manufacturer is no longer active, you may eventually be looking at a compatibility break once enforcement kicks in.
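One practical way to do that check is to inventory the kernel drivers currently loaded and see who signed each one. The script below is an added example, not code from the article or from Microsoft. It assumes that WHCP-signed drivers carry the Microsoft signer "Microsoft Windows Hardware Compatibility Publisher" and that Microsoft's own inbox drivers are signed "Microsoft Windows"; everything else is flagged for review rather than judged, since the cmdlet reads only the embedded signature and cannot tell a vendor's cross-signed certificate from any other third-party one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): list running kernel drivers
# and report the signer of each, so non-WHCP drivers can be checked against the
# vendor's current downloads before enforcement arrives.
# Assumed signer names: "Microsoft Windows Hardware Compatibility Publisher" for
# WHCP-signed drivers and "Microsoft Windows" for inbox drivers.

function Get-KernelDriverSignerReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use NT-style prefixes (\??\ or \SystemRoot\); normalise to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

            $signer = '(unsigned or embedded signature not found)'
            $issuer = ''
            if ($sig -and $sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $issuer = $sig.SignerCertificate.Issuer
            }

            # Classify by signer subject; anything not obviously Microsoft/WHCP needs a human look.
            $category = switch -Regex ($signer) {
                'CN=Microsoft Windows Hardware Compatibility Publisher' { 'WHCP-signed'; break }
                '^CN=Microsoft Windows,'                                 { 'Microsoft inbox'; break }
                default                                                  { 'Other (review)' }
            }

            [pscustomobject]@{
                Driver   = $_.Name
                Path     = $path
                Status   = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer   = $signer
                Issuer   = $issuer
                Category = $category
            }
        }
}

# Usage: show the drivers worth checking first, then a per-category count.
$report = Get-KernelDriverSignerReport
$report | Where-Object Category -eq 'Other (review)' |
    Format-Table Driver, Status, Signer, Issuer -AutoSize
$report | Group-Object Category | Select-Object Name, Count
```

Treat the "Other (review)" list as a starting point, not a verdict. A driver whose signature lives only in the package's catalog (.cat) file rather than embedded in the .sys can show up as NotSigned here even though it is legitimately signed, so confirm against the driver package in the driver store before concluding a device is affected. The allow list and Application Control for Business policies the article mentions are the escape hatches if a needed driver really does turn out to be cross-signed only.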
