Microsoft Modernizes Windows Kernel Driver Policy for Enhanced Security
Microsoft is making a significant change to its Windows 11 kernel driver policy, marking the end of an era for legacy driver support. Historically, Windows allowed older drivers with expired certificates to run, thanks to a cross-signing program introduced in the early 2000s. This approach enabled third-party developers, such as printer manufacturers, to continue using outdated drivers on modern Windows systems—even after their security certificates had expired.
With the upcoming update, Microsoft will require all new drivers to be signed through the Windows Hardware Compatibility Program (WHCP). This move is designed to strengthen Windows security by ensuring that every driver loaded by the NT Kernel meets current certification standards. The change will take effect with Windows 11 versions 24H2, 25H2, 26H1, Windows Server 2025, and all future releases.
Transitioning to WHCP-Certified Drivers
The WHCP process mandates that each driver be validated and signed with a certificate that complies with Microsoft’s latest security requirements. This update aims to reduce the risk of malicious or outdated drivers compromising system integrity. However, Microsoft recognizes the importance of backward compatibility and the plug-and-play experience that users expect from Windows.
To ensure a smooth transition, Microsoft will implement the new policy in evaluation mode starting with the April 2026 Windows update. During this phase, Windows will monitor driver activity and compatibility, only fully enforcing the policy once it is confident that essential hardware and software will continue to function without disruption.
Maintaining Compatibility and Security
Microsoft is also maintaining a curated allow list of reputable cross-signed drivers. This list ensures that widely used legacy drivers can still operate where necessary, minimizing the risk of compatibility issues for critical devices and applications. For organizations that rely on custom kernel drivers—such as those used in confidential or internal environments—Microsoft provides an alternative through Application Control for Business (formerly Windows Defender Application Control, or WDAC).
This solution allows organizations to approve privately signed drivers by linking policies to Secure Boot trust anchors, such as the Platform Key or Key Exchange Key. This approach offers flexibility for specialized scenarios while maintaining a high level of security.
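Before the policy leaves evaluation mode, an administrator will want to know which loaded kernel drivers are WHCP-signed and which still depend on a vendor's cross-signed certificate, the allow list, or an Application Control for Business policy. The following PowerShell inventory script is an added example written for this article; it is not Microsoft's tooling. It assumes that WHCP-signed drivers carry a signer certificate whose subject contains "Microsoft Windows Hardware Compatibility Publisher"; the pattern is a constructed constant that can be adjusted if a given build uses a different signer name.

```powershell
# Added example (not from Microsoft or the article): inventory loaded kernel
# drivers by signer so the ones that rely on legacy cross-signing can be
# reviewed before WHCP enforcement is turned on.
#
# Assumption: WHCP/WHQL-signed drivers carry a signer certificate whose
# subject contains the string below.
$whcpSubjectPattern = 'Microsoft Windows Hardware Compatibility Publisher'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Some PathName values are prefixed with "\??\"; strip it so the
        # signature cmdlet can open the file.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate
            [PSCustomObject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                SigStatus = $sig.Status
                Signer    = if ($cert) { $cert.Subject } else { '(unsigned)' }
                NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
                # True when the primary signature is the WHCP publisher
                IsWHCP    = [bool]($cert -and $cert.Subject -like "*$whcpSubjectPattern*")
            }
        }
    }

# Running drivers that are not WHCP-signed are the review set: each needs a
# WHCP-signed replacement from the vendor, a place on Microsoft's allow list,
# or an Application Control for Business policy that trusts its signer.
$reviewSet = $drivers | Where-Object { $_.State -eq 'Running' -and -not $_.IsWHCP }

$reviewSet |
    Sort-Object Signer, Name |
    Format-Table Name, SigStatus, NotAfter, Signer -AutoSize

# Keep a copy for the change record (constructed output path; adjust as needed).
$reviewSet | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-review-set.csv"
```

Run it from an elevated PowerShell session so every driver image is readable. Get-AuthenticodeSignature reports only the primary embedded signature (or the catalog that covers the file), so a dual-signed driver whose WHCP signature sits in a secondary slot can appear under its vendor's name; treat the output as a starting list and confirm borderline entries with the vendor or by inspecting the full signature set before deciding how to keep the driver loading after enforcement.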
Balancing Security and Compatibility for the Future