
Windows 11 - Update Blocks Untrusted Kernel Drivers by Default

Cyber Security News · Reporting by Abinaya
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, Microsoft is stopping old, untrusted drivers from running on Windows to keep your computer safer.

Quick Summary

Microsoft is enhancing security by blocking untrusted kernel drivers in Windows 11 and Server 2025. This update protects against legacy vulnerabilities and malicious attacks. Users should ensure their drivers are compliant with the new standards.

The Flaw

Microsoft has announced a significant update for Windows 11 and Windows Server 2025 aimed at enhancing system security. Starting with the April 2026 update, the operating system will block untrusted cross-signed kernel drivers by default. This change addresses vulnerabilities associated with the deprecated cross-signed root program, which allowed third-party certificate authorities to issue code-signing certificates that Windows trusted for kernel code. While this was intended to simplify driver installation, it also meant that a stolen or leaked cross-signing certificate let an attacker sign a driver that the kernel would load.

The cross-signed root program, introduced in the early 2000s, has long been a target for credential theft, leading to the deployment of rootkits. Despite Microsoft deprecating this program in 2021, legacy certificates continued to be trusted to maintain compatibility with older hardware. This update finally severs that trust, ensuring that only drivers certified through the Windows Hardware Compatibility Program can load automatically.

What's at Risk

By blocking these untrusted drivers, Microsoft significantly reduces the attack surface for potential threats. Malicious actors often exploit kernel-level vulnerabilities to gain unauthorized access to systems, making this update crucial for enhancing overall security. The new policy mandates that vendors undergo rigorous testing and malware scanning before receiving a protected Microsoft-owned certificate. This ensures a higher level of trust in the drivers that are allowed to run on the system.

However, the update also introduces an explicit allow list for reputable cross-signed drivers to prevent disruptions. This careful approach helps maintain system stability while enhancing security. The Windows kernel will audit driver load signals, ensuring that critical functions are not interrupted during the transition to this new policy.

Patch Status

As of the April 2026 update, the new policy will be enforced on systems, with notifications displayed when drivers are blocked. Microsoft is implementing this change in phases, starting with an evaluation mode. During this phase, the system will monitor driver loads and only enforce the block after certain runtime and restart thresholds are met. If an unsupported driver is detected, the evaluation timer resets, allowing for a smoother transition.

For enterprise environments that rely on custom kernel drivers, Microsoft offers alternative options. Organizations can bypass the default block using an Application Control for Business policy, allowing them to explicitly trust private signers. This ensures that legitimate internal operations can continue without interruption while still protecting against malicious drivers.

Immediate Actions

For users and organizations, this update emphasizes the importance of keeping systems current and compliant with the latest security standards. Administrators should review their driver installations and ensure that they are using certified drivers from reputable sources. Additionally, organizations should prepare for the transition by familiarizing themselves with the new Application Control for Business policy if they rely on custom drivers.
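Two of the steps above, reviewing which loaded kernel drivers are not signed through the Microsoft WHCP chain (Immediate Actions) and explicitly trusting a private signer through an Application Control for Business policy (Patch Status), as an added PowerShell example that is not part of the original article. The Microsoft signer subject names, the internal certificate path and the policy paths are assumptions to adapt to your environment.

```powershell
# Added example, not from the article: report loaded kernel drivers whose signer
# is not the Microsoft WHCP/inbox chain, then build a WDAC policy that explicitly
# trusts an internal driver-signing certificate for kernel-mode code.
# Assumptions: the trusted CN strings are typical Microsoft signer subjects
# (verify against a known WHCP-signed driver on your own system); paths are placeholders.

$trustedSubjects = @(
    'CN=Microsoft Windows Hardware Compatibility Publisher',
    'CN=Microsoft Windows'
)

function Get-DriverSignerReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths that Win32_SystemDriver reports
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            # Get-AuthenticodeSignature also resolves catalog-signed drivers
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $trusted = [bool]($trustedSubjects | Where-Object { $subject -like "$_,*" })
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = $subject
                NeedsReview = -not $trusted   # candidate for the new default block
            }
        }
}

# Drivers to review before enforcement: anything not WHCP- or inbox-signed
Get-DriverSignerReport | Where-Object NeedsReview | Sort-Object Name |
    Format-Table Name, State, SigStatus, Signer -AutoSize

# --- App Control for Business: explicitly trust a private signer for kernel code ---
$policy = 'C:\Policy\InternalDrivers.xml'          # placeholder
$cert   = 'C:\Policy\internal-driver-signer.cer'   # placeholder: your internal signing certificate
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $policy
Add-SignerRule -FilePath $policy -CertificatePath $cert -Kernel   # allow kernel-mode code from this signer
Set-RuleOption -FilePath $policy -Option 3                        # Option 3 = Enabled:Audit Mode; remove once validated
ConvertFrom-CIPolicy -XmlFilePath $policy -BinaryFilePath 'C:\Policy\InternalDrivers.cip'
```

Deploy the resulting .cip through your usual management channel and watch the Code Integrity event log in audit mode before switching the policy to enforcement.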

This proactive approach not only strengthens system integrity but also helps mitigate the risks associated with legacy drivers that have been exploited in the past. As Microsoft continues to enhance its security protocols, staying informed and prepared will be key to maintaining a secure computing environment.

🔒 Pro insight: This update reflects a significant shift in driver security policy, targeting long-standing vulnerabilities in the Windows kernel ecosystem.

