Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program
- Reference: 1774623829
- News link: https://www.theregister.co.uk/2026/03/27/microsoft_kernel_trust/
The company is [1]targeting kernel drivers signed by the long-deprecated cross-signed root program. Although all the certificates associated with the program have expired, the drivers are "still broadly trusted in the Windows kernel." That will end with the April 2026 Windows Update.
While Microsoft prides itself on backward compatibility, blocking cross-signed drivers will affect some legacy use cases and applications. To that end, the policy will roll out in "evaluation mode," where the Windows kernel will monitor and audit driver loads to determine whether activating the policy will cause compatibility issues.
Microsoft introduced the cross-signed root program in the early 2000s to enable code integrity for third-party drivers. However, third parties administered the signing program, requiring authors to store and protect the private keys associated with those certificates. According to Microsoft, this "led to abuse and credential theft that put our customers and their platforms at risk."
Whether the Windows architecture should have allowed this is moot. The problem now is balancing security with compatibility.
"We know driver and application security are required by our customers but cannot come at the expense of compatibility and productivity," said Microsoft. Hence the evaluation mode, and keeping "essential and reputable cross-signed drivers" still trusted in Windows.
[5]Windows boss promises to heal the operating system's self-inflicted wounds
[6]Microsoft fixes broken Windows update days after vowing fewer broken updates
[7]Microsoft: Removing some Copilots will improve Windows 11
[8]Microsoft breaks Microsoft account sign-ins in Windows 11 with latest update
That said, administrators can still allow custom kernel drivers via the Application Control for Business policy to override the default kernel policy. Microsoft foresees this being used for confidential or internal-only driver scenarios, rather than to support a legacy device or application.
"The policy must be signed by an authority in the device's Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables to ensure the policy is applicable to only their environment," Microsoft stated. "Otherwise, drivers targeted for the Windows ecosystem must be WHCP certified and signed through the Microsoft HDC portal."
Microsoft's decision has been a while coming, certainly since it deprecated the cross-signed root program years ago. That knowledge will not, however, make things any easier for users with drivers that are now on the naughty step and with vendors unlikely or unable to refresh them. Workarounds exist, but Microsoft's decision clearly signals the company's direction of travel. Eventually, Microsoft will bar any code that hasn't passed the WHCP certification process from kernel-based shenanigans.
The change will apply to Windows 11 24H2, 25H2, and 26H1 and Windows Server 2025. ®
[1] https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-driver-security-removing-trust-for-the-cross-signed-driver-pro/4504818
[5] https://www.theregister.com/2026/03/24/windows_boss_promises/
[6] https://www.theregister.com/2026/03/23/emergency_fix_windows_11/
[7] https://www.theregister.com/2026/03/23/windows_quality_commitment/
[8] https://www.theregister.com/2026/03/20/microsoft_account_not_working_have/
Still?
I see this so many times from companies like Microsoft (actually, very few seem to be immune) where they have the testing models reversed. Once the code is written it is reasonable to assume it does what you intended, and at that point you should be testing to ensure it doesn't do what you do not want it doing. This is the one time you want ill-informed users testing it out so they can try to break it or get to places they are not meant to be.
Whether or not the cross-signed certificates should have been considered, proper testing should have shown it created a scenario where security was now reliant on the weakest link and even created the way for a 3rd/4th party to create malicious code which Microsoft would accept as good.
Detection tools?
Is there any easy way [for users and/or admins] to detect and identify such drivers today? Or do we have to wait for this policy to generate some sort of log/alert?
Re: Detection tools?
If the driver is not signed by a Microsoft cert, it is cross-signed.
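The article says the April 2026 update will stop trusting drivers that chain to the expired cross-signed roots, and the question above asks how an admin can find such drivers before then. The script below is an added example, not from The Register, Microsoft, or the commenter: it enumerates the running kernel drivers, reads each file's Authenticode signature, walks the certificate chain to its root, and flags drivers whose root is not a Microsoft CA. The "root subject contains Microsoft" test is a heuristic assumed here for triage (WHCP-signed drivers chain to a Microsoft root; cross-signed ones chain to a third-party commercial root); it is not Microsoft's enforcement logic. It assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example: triage loaded kernel drivers by the root of their code-signing chain.
# Heuristic only; the April 2026 policy's own audit log is the authoritative source.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may be in \??\ or \SystemRoot\ form; normalise to a plain filesystem path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature also resolves catalog-signed files on supported Windows versions.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $rootSubject = $null
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline audit: we only need the chain's shape, not a live revocation verdict.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        # Build() returns $false for expired chains (as all cross-signed ones now are),
        # but ChainElements is still populated, so we can read the root regardless.
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $rootSubject = $chain.ChainElements[$last].Certificate.Subject
    }

    [pscustomobject]@{
        Name          = $d.Name
        Path          = $path
        SignerStatus  = $sig.Status              # Valid, NotSigned, UnknownError, ...
        Signer        = $sig.SignerCertificate.Subject
        Root          = $rootSubject
        MicrosoftRoot = [bool]($rootSubject -like '*Microsoft*')   # assumed heuristic
    }
}

# Everything that is loaded but does not chain to a Microsoft root is a candidate for
# losing trust; check with the vendor whether a WHCP-signed replacement exists.
$results | Where-Object { -not $_.MicrosoftRoot } | Sort-Object Name |
    Format-Table Name, SignerStatus, Signer, Root -AutoSize
```

Unsigned drivers (SignerStatus of NotSigned) and signed-but-unchained ones both land in the flagged list, which is what you want for an inventory. Running the same enumeration on a test machine once the update is installed in "evaluation mode" lets you compare the heuristic against the kernel's own audit results before the policy goes to enforcement.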
I can't see how this will go wrong /s
I can think of quite a few bits of hardware I've used over the years that relied on ancient drivers, in some cases board programmers that had the latest drivers dating from 20 odd years ago.
But I'm sure it'll all be fine and not lead to daft workarounds to get things working. Again.
More landfill
As part of my work I have a number of items of legacy equipment including an ancient scanner that was designed for a specific size of photographic plate. There is no modern equivalent that works with these plates.
The last time the equipment and driver were updated were for Windows XP. Believe it or not the scanner still works with W10!
Time to find an old XP machine and air gap it from the internet.
I can, however, see lots of perfectly useful older gear being junked as a result of this.
Re: I can, however, see lots of perfectly useful older gear being junked as a result of this
doh.... That is the aim. Just look at the silly H/W requirements for W11.
Excellent
Now quit monkeying around with Windows APIs so the old drivers break. And users are left with giant paperweight printer-like objects sitting on their desks. Or accept the fact that only the largest manufacturers can afford to keep up with your revisions. And they'll all move over to platforms that don't try to do everything in kernel space. Requiring that obsession with security.