Windows 11 and Windows Server 2025 will block these untrusted, cross-signed drivers by default starting with the April 2026 update. The policy ensures that only drivers certified through the Windows Hardware Compatibility Program (WHCP) can load automatically.
The cross-signed root program was started in the early 2000s so that third-party certificate authorities could issue code-signing certificates that Windows would trust. Because developers were in charge of their own private keys, the program was a frequent target of credential thieves, who could then sign rootkits with the stolen keys. To obtain a protected, Microsoft-owned certificate instead, vendors must pass strict identity checks, submit detailed test results, and have their software scanned for malware. Before the new policy is enforced, the Windows kernel will check driver load signals to make sure that enforcement won't interfere with important functions.
If the audit phase finds an unsupported driver, the system resets the evaluation timer and postpones enforcement. To keep systems from crashing, Microsoft is also building an explicit allow list of cross-signed drivers that are very well-known and widely used. Enterprise environments that run custom, in-house kernel drivers have another option: an allow policy of their own.
By signing this policy with an authority anchored in the device's UEFI Secure Boot variables, administrators can be sure that private signers are who they claim to be. This keeps threat actors from loading arbitrary malicious drivers while normal internal operations continue without disruption.
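A defender preparing for the April 2026 enforcement will want to know which loaded drivers still depend on the cross-signed root program. The PowerShell below is an added example, not code from the article or from Microsoft: it inventories the kernel drivers currently running, reads each file's Authenticode signature, builds the signer's certificate chain, and flags drivers whose signer is not the WHCP publisher and whose chain does not end at a Microsoft root. The WHCP publisher subject (`CN=Microsoft Windows Hardware Compatibility Publisher`) and the cross-signing root name (`Microsoft Code Verification Root`) are assumptions from general knowledge of Windows driver signing, not values the article states, and the check is a heuristic: the user-mode chain built here can differ from what the kernel's own trust logic sees.

```powershell
# Added example (not the article's or Microsoft's code): flag loaded kernel
# drivers that look cross-signed rather than WHCP-certified. Heuristic only.

$WhcpPublisher = 'CN=Microsoft Windows Hardware Compatibility Publisher'  # assumed signer subject prefix
$CrossSignRoot = 'Microsoft Code Verification Root'                       # assumed root of the legacy cross-sign program

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports several path spellings; normalise to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = [ordered]@{
        Path    = $Path
        Status  = $sig.Status
        Type    = $sig.SignatureType      # Embedded, Catalog or None
        Signer  = $null
        Root    = $null
        Suspect = $false
        Reason  = ''
    }

    # Unsigned or broken signatures will not pass any WHCP-only policy.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        $info.Suspect = $true
        $info.Reason  = "signature status: $($sig.Status)"
        return [pscustomobject]$info
    }

    $info.Signer = $sig.SignerCertificate.Subject

    # Build the chain offline (no CRL fetches) to see which root it ends at.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)
    $last = $chain.ChainElements.Count - 1
    $info.Root = $chain.ChainElements[$last].Certificate.Subject

    if ($info.Signer -like "$WhcpPublisher*") {
        $info.Reason = 'WHCP-signed; trusted by default under the new policy'
    }
    elseif ($info.Root -like "*$CrossSignRoot*") {
        $info.Suspect = $true
        $info.Reason  = 'chain ends at the cross-signing root (cross-signed driver)'
    }
    elseif ($info.Root -notlike '*Microsoft*') {
        $info.Suspect = $true
        $info.Reason  = 'third-party signer, chain does not reach a Microsoft root (likely cross-signed)'
    }
    return [pscustomobject]$info
}

function Get-LoadedDriverReport {
    # Only drivers that are actually running matter for the enforcement check.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object { Resolve-DriverPath $_.PathName } |
        Sort-Object -Unique |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-DriverSignerInfo -Path $_ }
}

$report  = @(Get-LoadedDriverReport)
$flagged = @($report | Where-Object { $_.Suspect })
$flagged | Format-Table Path, Type, Signer, Root, Reason -AutoSize
'{0} loaded drivers inspected, {1} flagged for review before the April 2026 enforcement.' -f $report.Count, $flagged.Count
```

Run it from an elevated prompt so every driver file is readable. Drivers that come back flagged are the ones to raise with the vendor (for a WHCP-signed replacement) or to cover with a signed allow policy of the kind the article describes for in-house drivers; a driver flagged only because its chain was built differently in user mode can be confirmed against the Code Integrity event log once the audit phase is active.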