Microsoft is introducing a major security improvement in Windows 11 and Windows Server 2025 by changing how kernel drivers are trusted and loaded. Starting with the April 2026 update, the operating system will block untrusted cross-signed kernel drivers by default.
This update ensures that only drivers verified through Microsoft’s Windows Hardware Compatibility Program (WHCP) are allowed to run automatically. By enforcing stricter validation, Microsoft is reducing the risk of attackers using malicious drivers to gain deep, kernel-level access to systems.
This enhancement is crucial for maintaining high standards of Windows kernel driver security across all devices.
Kernel drivers operate at the core of the operating system, so any weakness in how they are signed or validated can be exploited. By removing support for legacy signing methods, Microsoft is closing a long-standing security gap.
Removal of Cross-Signed Drivers and Security Impact
The older cross-signing model allowed third-party certificate authorities to approve drivers without strict validation from Microsoft. While this approach helped with compatibility in the past, it also introduced security risks.
Attackers have historically abused this model by stealing signing keys and using them to install rootkits and other advanced malware. Even though Microsoft deprecated cross-signing in 2021, older certificates were still trusted by Windows systems until now.
With this update, that trust is fully removed. Drivers must now go through a stricter approval process that includes:
- Identity verification of the vendor
- Security and compatibility testing
- Malware scanning before certification
This significantly reduces the chances of malicious drivers being loaded into the Windows kernel.
Deployment Approach and Enterprise Considerations
To avoid disruptions, Microsoft is rolling out this change in stages. Initially, the system will monitor and evaluate driver activity before enforcing the block. This allows organizations to identify compatibility issues early.
Additionally, Microsoft will maintain an allow list for widely used legacy drivers to prevent system failures. If unsupported drivers are detected, enforcement may be delayed until the system is stable.
For enterprise environments, there is still controlled flexibility. Organizations that rely on custom kernel drivers can allow them using Application Control for Business policies. These policies must be securely signed and tied to UEFI Secure Boot, ensuring only trusted internal drivers are permitted.
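The staged rollout above gives administrators time to find drivers that still rely on third-party signing. The following script is an added example, not code from Microsoft or from this article: it inventories the kernel drivers registered on a Windows host and flags those whose signer is neither Microsoft nor the WHCP publisher. It assumes an elevated Windows PowerShell 5.1 or later session, and the signer-name matching is a heuristic for triage, not the exact rule Windows applies when enforcing the block.

```powershell
# Added example (not from the article): list kernel drivers whose signature does not
# chain to a Microsoft or WHCP signer, so they can be reviewed before enforcement.
# Assumptions: elevated session; signer-name patterns below are triage heuristics.

function Get-DriverTrustClass {
    param([Parameter(Mandatory)] [System.Management.Automation.Signature] $Sig)
    if ($Sig.Status -ne 'Valid') { return 'Invalid/Unsigned' }
    $subject = $Sig.SignerCertificate.Subject
    if ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*') { return 'WHCP' }
    if ($subject -like '*Microsoft Windows*' -or $subject -like '*Microsoft Corporation*') { return 'Microsoft' }
    return 'ThirdPartySigned'   # candidate for review: may depend on legacy cross-signing
}

function Resolve-DriverPath {
    param([string] $PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver reports paths as \??\C:\..., \SystemRoot\..., or relative to the Windows dir
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverInventory {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath -PathName $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        # Get-AuthenticodeSignature checks embedded signatures and, on Windows 10+, catalog signatures
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name    = $drv.Name
            State   = $drv.State
            Path    = $path
            SigType = $sig.SignatureType          # Authenticode (embedded), Catalog, or None
            Signer  = $sig.SignerCertificate.Subject
            Class   = Get-DriverTrustClass -Sig $sig
        }
    }
}

# Report the drivers worth reviewing first: third-party signers and anything unsigned/invalid
$inventory = Get-KernelDriverInventory
$inventory |
    Where-Object { $_.Class -in @('ThirdPartySigned', 'Invalid/Unsigned') } |
    Sort-Object Class, Name |
    Format-Table Name, State, Class, SigType, Signer -AutoSize
```

Drivers that land in the ThirdPartySigned bucket are the ones to check against the vendor for a WHCP-signed build, or to cover explicitly in an Application Control for Business policy before enforcement reaches the device.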
Overall, this update marks a significant step toward strengthening Windows security by limiting kernel-level attack vectors and enforcing modern driver validation standards.