A fundamental shift in Windows 11 security is underway, promising a significantly more robust defense against a long-standing vulnerability. Starting in April 2026, the operating system will begin phasing out support for older, less secure kernel drivers, marking a decisive move to protect the core of the system.
For years, Windows relied on a system of “cross-signed” drivers, a process originating in the early 2000s that allowed third-party drivers into the kernel. While intended to broaden compatibility, this method proved susceptible to abuse. Limited security checks and instances of stolen signature keys opened the door for malicious actors to introduce compromised drivers.
The core issue stemmed from the certification process, handled by external authorities with less stringent verification. This allowed manipulated drivers to slip through the cracks, creating a potential backdoor for malware. Though the original program was discontinued in 2021, many of these legacy drivers remained functional – until now.
The new policy mandates that only kernel drivers certified through the official Windows Hardware Compatibility Program (WHCP) will be trusted by default. This program subjects drivers to rigorous testing by Microsoft, scrutinizing them for malware and ensuring compatibility. The goal is to create a far more secure environment, making it exponentially harder to inject malicious code into the operating system’s most sensitive areas.
This isn’t a decision made lightly. Microsoft emphasizes that the change is backed by extensive data analysis – billions of driver load operations over the past two years – and incorporates valuable feedback from developers. The company is leveraging real-world usage patterns to minimize disruption and maximize effectiveness.
The transition won’t be abrupt. Microsoft is implementing a phased rollout, beginning with an “evaluation mode” for PCs. During this phase, the Windows kernel will meticulously monitor and audit all driver loads, assessing whether the new trust policy can be activated without causing compatibility issues.
A system will remain in evaluation mode until it meets specific criteria: 100 hours of operation and at least three system restarts. If all drivers loaded during this period are deemed trustworthy, the new policy will be activated, providing immediate protection. However, if any questionable drivers are detected, the evaluation period will reset, and the system will remain in diagnostic mode.
Recognizing that a one-size-fits-all approach isn’t feasible, Microsoft is also introducing exceptions. Certain older drivers, deemed trustworthy, will continue to function. Furthermore, organizations can define their own rules, utilizing features like Application Control for Windows to selectively approve internal or custom-developed drivers under controlled conditions.
The new security policy will initially apply to Windows 11 version 24H2 and later, as well as Windows Server 2025. The April 2026 update will mark the beginning of the rollout, establishing this enhanced security as a permanent feature of future Windows versions.
For the average user, this translates to a significantly more secure computing experience. The risk of attacks exploiting vulnerable drivers will be dramatically reduced. While some users with older hardware might encounter compatibility issues, Microsoft’s phased rollout and exception list are designed to mitigate these potential disruptions.
Ultimately, this represents a proactive step towards a more secure future for Windows. By tightening control over kernel drivers, Microsoft is reinforcing the foundation of its operating system and safeguarding users against evolving threats.