HeadlinesBriefing.com

Windows 11 Security Overhaul: Microsoft Halts Legacy Driver Trust by Default

TechPowerUp News

Microsoft announced a major shift in Windows 11's driver security policy, ending support for outdated cross-signed drivers by default. Starting with the April 2026 update (Windows 11 24H2, 25H2, 26H1, and Windows Server 2025), the Windows NT Kernel will reject drivers lacking valid security certificates from the Windows Hardware Compatibility Program (WHCP). This ends a 20-year-old practice under which drivers signed with expired cross-signing certificates continued to load as trusted code, tightening security but risking compatibility issues for older hardware.

To ease adoption, Microsoft will maintain a curated allow list of reputable cross-signed drivers, ensuring critical software like printer utilities remains functional. During the evaluation phase, Windows will monitor driver behavior before fully enforcing the policy, minimizing disruptions. Organizations relying on custom kernel drivers can use Application Control for Business (WDAC), which leverages Secure Boot trust anchors like the Platform Key for internal approvals. This balances modern security needs with legacy system requirements.
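Before the enforcement date, the practical question for an administrator is which drivers on a given machine carry a WHCP signature and which are signed only by a third-party publisher (the cross-signed pattern the article describes). The script below is an added example written for this page; it is not code from the article, from TechPowerUp or from Microsoft. It assumes Windows 11 with PowerShell 5.1 or later, run from an elevated prompt, and it uses only built-in cmdlets (`Get-CimInstance`, `Get-AuthenticodeSignature`). The function names and the category labels are the example's own.

```powershell
# Added example, not from the article or from Microsoft: triage the kernel drivers
# installed on this machine by primary Authenticode signer ahead of the WHCP change.
# Assumptions: Windows 11, PowerShell 5.1+, elevated prompt.
# Caveat: Get-AuthenticodeSignature reports only the primary signature. A driver that
# carries its WHCP signature as a secondary signature can land in "Review" here and
# still load after enforcement; treat the output as a triage list, not a verdict.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\...   \SystemRoot\System32\...   system32\drivers\x.sys
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerCategory {
    param([string]$Subject, [string]$Status)
    if ($Status -eq 'NotSigned' -or [string]::IsNullOrEmpty($Subject)) { return 'Unsigned' }
    # WHCP-attested drivers are signed by Microsoft's hardware compatibility publisher
    if ($Subject -like 'CN=Microsoft Windows Hardware Compatibility Publisher*') { return 'WHCP' }
    # Drivers shipped with Windows itself are signed by Microsoft directly
    if ($Subject -like 'CN=Microsoft Windows*') { return 'Microsoft inbox' }
    if ($Status -ne 'Valid') { return "Signature problem ($Status)" }
    # Signed directly by a third-party publisher: the shape of a cross-signed driver
    return 'Review: third-party signer (possibly cross-signed)'
}

function Get-DriverSigningReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name     = $d.Name
            State    = $d.State
            Path     = $path
            Status   = [string]$sig.Status
            Signer   = $subject
            NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            Category = Get-DriverSignerCategory -Subject $subject -Status ([string]$sig.Status)
        }
    }
}

$report = Get-DriverSigningReport

# Summary: how many drivers fall into each category
$report | Group-Object Category | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize

# The drivers worth a closer look: third-party signers, with certificate expiry shown
$report | Where-Object Category -like 'Review*' | Sort-Object Name |
    Format-Table Name, State, Signer, NotAfter, Path -AutoSize

# Keep the full list for vendor follow-up or as input to an allow-list policy
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signing-report.csv"
```

The "Review" bucket is where the article's compatibility risk lives: a third-party-signed driver whose signing certificate expired years ago has loaded fine until now because of cross-signing. For any driver listed there, check whether the vendor offers a WHCP-signed build, whether it appears on Microsoft's curated allow list once that is published, or whether it should be covered by an internal App Control for Business (WDAC) policy as the article describes. The Sysinternals sigcheck tool shows every signature and the full certificate chain on a file, which resolves the secondary-signature caveat noted in the script.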

The move prioritizes long-term security over backward compatibility, pushing manufacturers to adopt WHCP-certified drivers. While older drivers won't vanish immediately, the policy signals Microsoft's commitment to phasing out outdated practices. For users, this means potential updates to hardware/software ecosystems to meet stricter certification standards.

Microsoft's strategy reflects a broader industry trend toward stricter driver vetting. By mandating WHCP compliance, the company aims to reduce vulnerabilities from unvetted code while maintaining flexibility for enterprise environments. The transition period ensures stability, but the ultimate goal is a more secure Windows ecosystem.