Microsoft is updating a long-standing kernel policy that had allowed old drivers with expired certificates to run and remain trusted by the Windows 11 NT Kernel. An early-2000s program for cross-signing root programs as valid will no longer function, closing a path that let code signed under NT Kernel-trusted code signing programs continue to execute after the signing certificates had expired.
That change affects third-party driver developers who relied on older signing arrangements, including cases such as printer makers shipping old printer drivers without a valid security certificate. Microsoft will use its April update to instruct the Windows NT Kernel to accept only new drivers signed through the Windows Hardware Compatibility Program (WHCP). The WHCP will ensure that each driver receives a valid security certificate that meets Microsoft’s security standards.
The update will be implemented on Windows 11 24H2, 25H2, 26H1, Windows Server 2025, and future releases. Despite this change, Microsoft will still allow Windows to load older, trusted drivers to maintain backward compatibility and its long-standing plug-and-play feature. The April 2026 Windows update will begin enforcing the new policy in evaluation mode on supported systems. During this period, Windows will monitor driver activity and fully activate the policy only once it determines that doing so will not cause compatibility issues.
Microsoft is also maintaining a curated allow list of reputable cross-signed drivers, ensuring that widely used software and hardware can continue to function where necessary. The approach is designed to ease the transition while moving Windows toward stricter driver trust requirements in the kernel.
