Windows is finally fixing a years-old security hole in April


Microsoft is strengthening security in Windows 11. Starting in April 2026, outdated kernel drivers will be phased out – the company’s response to a well-known security issue that has plagued Windows for years.
In a Windows IT Pro blog post, Microsoft announced that it would stop trusting drivers signed through the deprecated “cross-signed root program.” This procedure dates back to the early 2000s and has long been considered the standard for allowing third-party drivers into the Windows kernel.
The problem? Certification was carried out by external certificate authorities and involved only limited security checks. That led to abuse and theft of signing keys, opening the door to tampered drivers. Although the program was discontinued in 2021, Windows has continued to accept many of these older drivers, until now.
Only verified drivers are allowed now
Going forward, Windows will by default only load kernel drivers certified through the official Windows Hardware Compatibility Program (WHCP). Microsoft checks these drivers for malware and compatibility, among other things.
The goal is to make it significantly more difficult to inject malicious code into the kernel, the most sensitive part of the operating system.
Microsoft also points out that the new policy is based on extensive telemetry data, particularly data extracted from billions of driver loading operations over the past two years. Developer feedback was also incorporated into the implementation.
The deployment will be gradual
Even though the announcement was made yesterday, the change will not be immediate. Microsoft is launching what it calls an “evaluation mode” for PCs, which works as follows:
- The Windows kernel monitors and audits every driver load to determine whether the new trust policy can be enabled safely, without causing compatibility problems by blocking a critical cross-signed driver.
- A system stays in evaluation mode until all evaluation criteria are met. For Windows 11, that means 100 hours of system operation and at least 3 reboots.
- If every driver loaded during the evaluation period is trusted by the new kernel policy, the system enables and enforces it. From then on, the kernel trust policy protects the system against untrusted drivers from the cross-signed program.
- If the audit records a cross-signed driver that the new kernel trust policy would block, the policy is not enabled, the system stays in evaluation mode, and the evaluation period is reset. The system remains in evaluation mode until those blocking drivers are no longer observed loading.
Important: Systems on which incompatible drivers are detected remain in evaluation mode for the time being and are not affected by the full transition.
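Because a single cross-signed driver resets the 100-hour clock, a practitioner will want to know which of a machine's running kernel drivers are not Microsoft- or WHCP-signed before the April 2026 update arrives. The following PowerShell script is an added example, not code from the article or from Microsoft: it lists running kernel drivers from WMI, reads each file's Authenticode signer, and classifies it by the signer's certificate. It is a heuristic: it only looks at the leaf signer (Get-AuthenticodeSignature returns one signature, so a dual-signed driver shows only its primary signature), it does not walk the chain to the retired cross-signing root, and it cannot tell whether a third-party driver is on Microsoft's exceptions list. Run it in an elevated session on Windows 11 24H2 or Server 2025.

```powershell
# Added example (not from the article or from Microsoft): inventory running kernel
# drivers and bucket them by signer, to estimate whether a system will leave
# evaluation mode. Heuristic only; the kernel's decision uses the full certificate chain.
# Requires an elevated PowerShell 5.1+ session.

function Get-DriverSignerClass {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature also consults the system catalog store, so
    # catalog-signed inbox drivers report as signed rather than NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "Invalid:$($sig.Status)" }

    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer

    # WHCP-signed drivers carry a Microsoft-issued leaf certificate.
    if ($subject -match 'Microsoft Windows Hardware Compatibility Publisher' -or
        $issuer  -match 'Microsoft Windows Third Party Component CA') {
        return 'WHCP'
    }
    # Inbox drivers shipped with Windows itself.
    if ($subject -match 'CN=Microsoft Windows') { return 'Microsoft' }

    # Anything else has a third-party leaf; drivers signed before 2021 in this
    # category were typically cross-signed through the retired root program.
    return 'ThirdParty'
}

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI sometimes returns (\??\C:\... or \SystemRoot\...).
        $file = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $file
            Signer = Get-DriverSignerClass -Path $file
        }
    }

# Overview: how many running drivers fall into each bucket.
$drivers | Group-Object Signer | Select-Object Name, Count | Format-Table -AutoSize

# Candidates to investigate (vendor update or App Control allow rule) before the update lands.
$drivers | Where-Object Signer -eq 'ThirdParty' | Format-Table Name, Path -AutoSize
```

A non-empty ThirdParty list is not proof that the system will stall in evaluation mode; it is the shortlist to check against the vendor's current driver package and, for in-house drivers, the place to decide whether an App Control policy is needed.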
Exceptions and special rules
It’s not entirely without compromise: Microsoft is introducing an exceptions list, which includes older drivers classified as trustworthy and intended to continue working.
Companies can also set their own rules. Special policies allow in-house or custom-developed drivers to continue to be used, but only under strictly controlled conditions.
To this end, Microsoft offers App Control for Business (formerly Windows Defender Application Control, WDAC), a feature that lets organizations selectively approve their own drivers or drivers that are not officially certified (for example, for internal applications or specialized hardware).
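What such an organizational rule looks like in practice, as an added example that is not from the article or from Microsoft's announcement: the PowerShell below uses the built-in ConfigCI cmdlets to build an App Control for Business policy that keeps trusting Windows components and WHQL/WHCP-signed drivers (from Microsoft's shipped template) and adds allow rules for one folder of in-house drivers. The folder path C:\InHouseDrivers and the working directory are assumptions; the policy is deliberately left in audit mode so it can be tested before enforcement.

```powershell
# Added example (not from the article or from Microsoft): build an App Control for
# Business (WDAC) policy that allows Windows and WHCP-signed drivers plus one in-house
# driver set. Folder paths are assumed. Requires an elevated session with the ConfigCI
# module (Windows 11 Pro/Enterprise or Windows Server).

$inHouse = 'C:\InHouseDrivers'      # assumed: folder holding the signed in-house .sys files
$work    = "$env:TEMP\ci-policy"
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. Start from the template Microsoft ships with Windows. It already allows Windows
#    components and WHQL/WHCP-signed kernel drivers, so nothing else needs an exception.
$base = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"

# 2. Scan the in-house folder. FilePublisher pins each file to its signer, file name and
#    minimum version; Hash is the fallback for any file that is not signed at all.
New-CIPolicy -FilePath "$work\inhouse.xml" -ScanPath $inHouse `
    -Level FilePublisher -Fallback Hash -MultiplePolicyFormat

# 3. Merge template and in-house rules into a single base policy.
Merge-CIPolicy -PolicyPaths $base, "$work\inhouse.xml" -OutputFilePath "$work\merged.xml" | Out-Null

# 4. Audit first. Option 3 = Enabled:Audit Mode, option 10 = Enabled:Boot Audit On Failure.
#    Remove option 3 only once the Code Integrity operational log shows no unexpected
#    audit events (Event ID 3076 in audit mode, 3077 once enforced).
Set-RuleOption -FilePath "$work\merged.xml" -Option 3
Set-RuleOption -FilePath "$work\merged.xml" -Option 10

# 5. Compile to the binary the kernel loads. In multiple-policy format the file name
#    must be the policy's own GUID, which the XML carries in <PolicyID>.
$policyId = ([xml](Get-Content "$work\merged.xml")).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath "$work\merged.xml" -BinaryFilePath "$work\$policyId.cip"

# Deploy by copying the .cip to $env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\
# (or through Intune / Group Policy) and rebooting; re-run steps 2-5 when drivers change.
"$work\$policyId.cip"
```

The FilePublisher level is the usual compromise for in-house drivers: it survives version bumps of the same signed binary without re-running the scan, but a new driver from the same signer still needs an explicit rule, which is the "strictly controlled conditions" the article refers to.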
Which versions of Windows are affected?
The new security policy applies to:
- Windows 11 version 24H2 and later
- Windows Server 2025
The rollout begins with the April 2026 Update and will subsequently become a permanent feature in new versions of Windows.
More security, potential side effects
For you as a user, this change means one thing above all: greater security when using Windows 11. Attacks that rely on tampered or insecure drivers become much harder under this policy.
But some users may run into unforeseen problems, for example if very old hardware depends on drivers that are no longer maintained. Microsoft limits this risk through the gradual rollout and its exceptions list.
This article was originally published on our sister publication PC-WELT and has been translated and localized from German.



