Today, we’re excited to announce a significant step forward in our ongoing commitment to Windows security and system reliability: the removal of trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help protect our customers by ensuring that only kernel drivers that the Windows Hardware Compatibility Program (WHCP) have passed and been signed can be loaded by default. To raise the bar for platform security, Microsoft will maintain an explicit allow list of reputable drivers signed by the cross-signed program. The allow list ensures a secure and compatible experience for a limited number of widely used, and reputable cross-signed drivers. This new kernel trust policy applies to systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025 in the April 2026 Windows update. All future versions of Windows 11 and Windows Server will enforce the new kernel trust policy.
↫ Peter Waxman at the Windows IT Pro Blog
The cross-signed root program was discontinued in 2021, and had run since the early 2000s, so I think it’s fair to no longer automatically assume such possibly old and outdated drivers are still to be trusted.

This might become a double-edged sword for those dependent on outdated and unmaintained drivers for old or esoteric hardware, and I doubt Microsoft knows about every single piece of tech that still needs the cross-signed drivers. Granted, there was already a risk involved in using that kind of hardware on a networked computer; hopefully anyone in such a position is smart enough to do so on an air-gapped machine.
Still, the move makes sense.
Morgan,
I’ve lost many devices due to Windows upgrades/updates. I have a feeling this is going to be another round of forced deprecation by Microsoft.
At least I’ve managed to ditch Windows for daily driving, but unfortunately I own some specialty devices like an oscilloscope that are stuck on Windows and I fear could be one of the casualties from this. Ugh, Microsoft makes it so hard to like Windows, but manufacturers make it so difficult to leave. It just leaves me frustrated.
I’ll be honest, I was thinking of you when I wrote that, I know we’ve discussed such devices in the past. I have a couple of musical instrument interfaces that require older Macs and/or older Windows versions, neither of which I have ready access to anymore.
I feel like the ultimate irony is that Windows was at its best (2000, XP, 7) when Microsoft was hell bent on destroying open source and Linux in particular. Now that they have “embraced” open source and Linux, they are hell bent on destroying Windows instead, at least for regular users.
I am one of them. And no one is going to force me to buy new multiple multichannel audio interfaces because someone decided FireWire is not worth the single C file required to keep it working in modern Macs – so now I use it under Windows.
Or the irreplaceable, such as my film scanner that was last manufactured in 2005-2006.
I hope I will retire someday (sweet dream) and replacing multiple thousands of euros of perfectly functional equipment every couple of years because the manufacturer decides not to release new drivers (heck, I’d pay for new drivers!) and the ecological disaster that comes with for the sake of the line going up (and not my line), no, thanks.
Apple lost me, Adobe lost me, Microsoft has mostly lost me already. I’ve been hosting my own email for 5 years already. My phone is a Librem 5 and, in case things get really hard, I will buy a cheapo smartphone to be able to log into web banking and no one will ever get a cent out of me anymore.
It’s just sickening to pay for the privilege of being disrespected and for being a beta tester.
Thom Holwerda,
It will mean some drivers as recent as 2021 that work, were signed, and installed by users could stop working after a Windows update. I don’t know if the “evaluation time bomb” accounts for devices that the user still uses but aren’t currently connected? From the impression given by the article it’s going to be impractically difficult for normal users to bypass this once activated. I wonder how many tons of e-waste this will create across the world. Sometimes there are genuine incompatibilities that are unfortunate, but unavoidable. However, in cases like this when companies do it as a matter of policy, I feel they should shoulder some of the responsibility for the harms their actions impose on society.