Today, we’re excited to announce a significant step forward in our ongoing commitment to Windows security and system reliability: the removal of trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help protect our customers by ensuring that only kernel drivers that the Windows Hardware Compatibility Program (WHCP) have passed and been signed can be loaded by default. To raise the bar for platform security, Microsoft will maintain an explicit allow list of reputable drivers signed by the cross-signed program. The allow list ensures a secure and compatible experience for a limited number of widely used, and reputable cross-signed drivers. This new kernel trust policy applies to systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025 in the April 2026 Windows update. All future versions of Windows 11 and Windows Server will enforce the new kernel trust policy.
↫ Peter Waxman at the Windows IT Pro Blog
The cross-signed root program was discontinued in 2021, and ran since the early 2000s, so I think it’s fair to no longer automatically assume such possibly old and outdated drivers are still to be trusted.
This might become a double-edged sword for those dependent on outdated and unmaintained drivers for old or esoteric hardware, and I doubt Microsoft knows about every single piece of tech that still needs the cross-signed drivers. Granted, there was already a risk involved in using that kind of hardware on a networked computer; hopefully anyone in such a position is smart enough to do so on an air-gapped machine.
Still, the move makes sense.
Morgan,
I’ve lost many devices due to windows upgrades/updates. I have a feeling this is going to be another round of forced deprecation by microsoft.
At least I’ve managed to ditch windows for daily driving, but unfortunately I own some specialty devices like an oscilliscope that are stuck on windows and I fear could be one of the casualties from this. Ugh, microsoft makes it so hard to like windows, but manufacturers make it so difficult to leave. It just leaves me frustrated.
Thom Holwerda,
It will mean some drivers as recent as 2021 that work, were signed, and installed by users could stop working after a windows update. I don’t know if the “evaluation time bomb” accounts for devices that the user still uses but aren’t currently connected? From the impression given by the article it’s going to be impractically difficult for normal users to bypass this once activated. I wonder how many tons of ewaste this will create across the world. Sometimes there are genuine incompatibilities that are unfortunate, but unavoidable. However in cases like this when companies do it as a matter of policy, I feel they should shoulder some of the responsibility for the harms their actions impose on society.