Overview
- With the April 2026 update, Windows 11 24H2, 25H2, 26H1 and Windows Server 2025 will stop trusting kernel drivers signed under the old cross-signed root program.
- Microsoft will first run a telemetry-led evaluation mode that audits every driver load and turns on enforcement only if no incompatible cross-signed drivers appear.
- Devices must log at least 100 hours of runtime and the required restarts before enforcement can begin, with three restarts on PCs and two on servers.
- To limit breakage, Microsoft will keep a small allow list of widely used legacy drivers and offers a secure override for internal drivers via an Application Control for Business policy signed with the device’s Secure Boot keys.
- Microsoft says the legacy program had weak vetting and exposed stolen signing keys, and it built the new policy using billions of driver-load signals, though outlets note some very old or unsupported hardware may need updates or workarounds.
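As an added example (not from the page or from Microsoft), the inventory a defender would run before the April 2026 update lands: list the kernel drivers currently loaded and flag those whose primary Authenticode signer is a third party rather than a Microsoft publisher, since those are the drivers that relied on the legacy cross-signed root program. The signer-name matching and the path normalisation are assumptions; Get-AuthenticodeSignature reports only the primary signature, so a dual-signed driver can be flagged even though it also carries a Microsoft signature, and the allow list is not consulted here.

```powershell
# Normalise the raw Win32_SystemDriver path forms (\??\, \SystemRoot\, system32\)
# into a path Get-AuthenticodeSignature can open. Assumed mapping, not exhaustive.
function Resolve-DriverPath {
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

# Return one object per running kernel driver with its primary signer and a
# LikelyCrossSigned flag. Heuristic: anything validly signed but not by a
# Microsoft publisher (Windows component or WHCP signing) is assumed to depend
# on the legacy cross-signed chain and deserves review before enforcement.
function Get-LegacySignedDriverCandidates {
    $microsoftSigners = @(
        'CN=Microsoft Windows',
        'CN=Microsoft Windows Hardware Compatibility Publisher'
    )
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $isMicrosoft = $false
            foreach ($s in $microsoftSigners) {
                if ($subject -eq $s -or $subject -like "$s,*") { $isMicrosoft = $true }
            }
            [pscustomobject]@{
                Name              = $_.Name
                Path              = $path
                Status            = $sig.Status
                Signer            = $subject
                LikelyCrossSigned = (-not $isMicrosoft) -and ($sig.Status -eq 'Valid')
            }
        }
}

# Show only the drivers that need attention; drop the Where-Object to see everything.
Get-LegacySignedDriverCandidates |
    Where-Object LikelyCrossSigned |
    Sort-Object Name |
    Format-Table Name, Signer, Status -AutoSize
```

Run it in an elevated session on each device class you manage; any driver it lists is a candidate for a vendor update, the Microsoft allow list, or the signed Application Control for Business override the page describes.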