Microsoft has decided to take another step in advancing the security and overall robustness of Windows 11.
The company has announced that it will soon stop loading, by default, kernel drivers signed through the legacy cross-signed root program. This deprecated program, introduced in the early 2000s, allowed the provisioning of Windows-trusted code signing certificates after vetting from third-party partners. Microsoft retired the program in 2021, and all certificates issued through it have since expired, but they are still trusted by the kernel and persist in some scenarios.
That is changing soon. Starting in April 2026, the Windows kernel will only accept drivers that have been signed through Microsoft's Windows Hardware Compatibility Program (WHCP). For compatibility reasons, however, Microsoft will still maintain an explicit allow list that lets the kernel load old, but reputable, drivers vetted through the cross-signed root program. The new policy will apply to Windows 11 24H2, 25H2, 26H1, Windows Server 2025, and all future client and server versions of Windows.

