Microsoft is set to enhance the security of its Windows operating systems by blocking untrusted kernel drivers. This initiative, starting with the April 2026 update, will apply to Windows 11 and Windows Server 2025, effectively preventing these drivers from loading unless they are certified through the Windows Hardware Compatibility Program. This move is designed to minimize security risks by reducing the potential attack surface for malicious entities.
Addressing Legacy Security Vulnerabilities
The cross-signed root program, introduced in the early 2000s, allowed third-party certificate authorities to issue code-signing certificates that Windows trusted. However, this system lacked the assurances needed for kernel code security and compatibility. Because developers held their own private keys, those keys became a target for credential theft, which enabled attackers to deploy rootkits signed with stolen credentials.
In 2021, Microsoft deprecated this signing program, and its associated certificates have since expired. Despite this, Windows continued to trust these outdated certificates to ensure legacy hardware compatibility, presenting a security risk that the new update aims to eliminate.
Implementation of New Security Measures
Under the new policy, cross-signed drivers will be blocked by default, with notifications displayed to users. Microsoft aims to sever the remaining trust in the old program by requiring vendors to pass stringent identity verification, submit comprehensive test results, and undergo malware scanning in order to obtain a Microsoft-owned certificate.
To avoid system disruptions, Microsoft is implementing an explicit allow list for widely used, highly reputable cross-signed drivers. The update will also introduce an evaluation mode, where the Windows kernel will audit driver load signals to prevent interruptions to critical functions. Enforcement will only occur after meeting specific runtime and restart thresholds.
Options for Enterprise Environments
For organizations using internally developed custom kernel drivers, Microsoft offers alternative solutions. Enterprises can bypass the default block by utilizing an Application Control for Business policy. This approach involves signing the policy with an authority rooted in the device’s UEFI Secure Boot variables, allowing administrators to explicitly trust private signers.
This method ensures that threat actors cannot load malicious drivers arbitrarily, while legitimate internal operations remain unaffected. As a result, enterprises can maintain their security posture without compromising operational efficiency.
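The enterprise route above, as an added example that is not part of the article or Microsoft's documentation: a PowerShell session that builds an Application Control for Business policy trusting an internal kernel-driver signer and prepares it for signing. The certificate files, file paths, signer name and the template policy location are assumptions; enrolling the signing authority in the device's UEFI Secure Boot variables is done separately.

```powershell
# Added example (not from the article). Assumptions: the ConfigCI cmdlets are present,
# .\InternalDriverSigner.cer is the certificate the internal drivers are signed with,
# .\PolicySigner.cer is the certificate used to sign the policy itself, signtool is on
# PATH, and the DefaultWindows_Enforced.xml template exists at the path below.

$Template  = "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
$PolicyXml = ".\InternalDrivers.xml"
$PolicyBin = ".\SIPolicy.p7b"

# 1. Start from Microsoft's enforced base template so Windows itself stays allowed.
Copy-Item -Path $Template -Destination $PolicyXml

# 2. Explicitly trust kernel-mode code signed by the internal driver signer.
#    Only the -Kernel scope is granted; user-mode code is not affected by this rule.
Add-SignerRule -FilePath $PolicyXml -CertificatePath ".\InternalDriverSigner.cer" -Kernel

# 3. Register the policy signer so that only updates signed under it are accepted.
Add-SignerRule -FilePath $PolicyXml -CertificatePath ".\PolicySigner.cer" -Update

# 4. Audit first (option 3 = Enabled:Audit Mode) so blocked loads are logged, not
#    enforced, and drop option 6 (Enabled:Unsigned System Integrity Policy) so the
#    kernel will only accept the policy once it carries a valid signature.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 5. Compile the XML into the binary form that is signed and deployed.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 6. Detach-sign the binary policy with the policy signer (name assumed).
#    The signer must chain to an authority trusted via the Secure Boot variables.
signtool sign /v /n "PolicySigner" /p7 . /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin
```

Deploy the signed policy in audit mode first and review the Code Integrity event log for unexpected blocks; remove option 3 and re-sign only once no legitimate internal driver is flagged.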
