Microsoft is taking a major step to harden the Windows operating system against kernel-level threats by removing trust for drivers signed by the deprecated cross-signed root program<\/a>.<\/p>\n Starting with the April 2026 update, Windows 11 and Windows Server 2025 will block these untrusted drivers by default.<\/p>\n This policy ensures that only drivers certified through the Windows Hardware Compatibility Program can load automatically, significantly reducing the attack surface for malicious actors.\u200b<\/p>\n The cross-signed root program was introduced in the early 2000s to allow third-party certificate authorities to issue Windows-trusted code-signing certificates.<\/p>\n However, this system provided no assurances regarding the security or compatibility of the kernel code. Because developers managed their own private keys, the program became a frequent target for credential theft<\/a>, allowing threat actors to deploy rootkits.\u200b<\/p>\n Microsoft officially deprecated this signing program in 2021, and all related certificates have since expired. Despite this, Windows continued to trust these legacy certificates to maintain compatibility with legacy hardware.<\/p>\n This new update finally severs that lingering trust. Moving forward, the certification pipeline requires vendors to pass strict identity vetting, submit rigorous test results, and undergo malware scanning before receiving a protected Microsoft-owned certificate.<\/p>\n To prevent system crashes, Microsoft is introducing an explicit allow list <\/a>for highly reputable, widely used cross-signed drivers.<\/p>\n The kernel update will also deploy in a careful evaluation mode. The Windows kernel will audit driver load signals<\/a> to ensure the new policy will not disrupt critical functions.<\/p>\n The system will only enforce the block after meeting specific runtime and restart thresholds.\u200b If an unsupported driver is detected during this audit phase, the system resets the evaluation timer and holds off on enforcement.\u200b<\/p>\n Enterprise environments relying on<\/span>\u00a0internally developed custom kernel drivers<\/a> have alternative options. Organizations can securely bypass the default block using an Application Control for Business policy.<\/p>\n By signing this policy with an authority rooted in the device\u2019s UEFI Secure Boot variables<\/a>, administrators can explicitly trust private signers.<\/p>\n This ensures threat actors cannot arbitrarily load malicious drivers while legitimate internal operations continue uninterrupted.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Windows 11 and Server 2025 Update to Block Untrusted Cross-Signed Kernel Drivers by Default<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nClosing a legacy Security Gap<\/strong><\/h2>\n
![\"Drivers](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEinWAlInjWHf2GM65LtCVYzvGiTX7pW2PFVGHKivwTfXzN6oOpbOpbgalRaNZa4A1L3v_gDp197nlCfSRDuU6tCGbDCUOUyOldQVCDx_s-SO5lPYJcWalK6428OJ2odYuRHGAG4EUdeIng8M6rD1ExBO3tbELl5z9lgDhhy9unNyhV4RpAs72ukAXK9kkE\/s1600\/Screenshot%25202026-03-27%2520200901%2520%25281%2529.webp?ssl=1\")