π―Microsoft is making Windows 11 safer by blocking certain drivers that could be harmful. They are also adding new features to help users avoid scams and keep their computers running smoothly.
The Flaw
Microsoft has announced a significant update for Windows 11 and Windows Server 2025 aimed at enhancing system security. Starting with the April 2026 update, the operating system will block untrusted cross-signed kernel drivers by default. This change addresses vulnerabilities associated with the deprecated cross-signed root program, which allowed third-party certificate authorities to issue Windows-trusted code-signing certificates. While this was intended to facilitate driver installation, it inadvertently opened doors for malicious actors to exploit these drivers.
The cross-signed root program, introduced in the early 2000s, has long been a target for credential theft, leading to the deployment of rootkits. Despite Microsoft deprecating this program in 2021, legacy certificates continued to be trusted to maintain compatibility with older hardware. This update finally severs that trust, ensuring that only drivers certified through the Windows Hardware Compatibility Program can load automatically.
What's at Risk
By blocking these untrusted drivers, Microsoft significantly reduces the attack surface for potential threats. Malicious actors often exploit kernel-level vulnerabilities to gain unauthorized access to systems, making this update crucial for enhancing overall security. The new policy mandates that vendors undergo rigorous testing and malware scanning before receiving a protected Microsoft-owned certificate. This ensures a higher level of trust in the drivers that are allowed to run on the system.
However, the update also introduces an explicit allow list for reputable cross-signed drivers to prevent disruptions. This careful approach helps maintain system stability while enhancing security. The Windows kernel will audit driver load signals, ensuring that critical functions are not interrupted during the transition to this new policy.
Patch Status
As of the April 2026 update, the new policy will be enforced on systems, with notifications displayed when drivers are blocked. Microsoft is implementing this change in phases, starting with an evaluation mode. During this phase, the system will monitor driver loads and only enforce the block after certain runtime and restart thresholds are met. If an unsupported driver is detected, the evaluation timer resets, allowing for a smoother transition.
Additionally, Microsoft released the cumulative update KB5083769, which includes significant structural enhancements to Windows 11, advancing the operating system to OS Builds 26200.8246 and 26100.8246. This update combines the latest security patches with non-security improvements, ensuring enterprise and commercial devices remain protected against emerging attack vectors.
Immediate Actions
For users and organizations, this update emphasizes the importance of keeping systems current and compliant with the latest security standards. Administrators should review their driver installations and ensure that they are using certified drivers from reputable sources. Additionally, organizations should prepare for the transition by familiarizing themselves with the new Application Control for Business policy if they rely on custom drivers.
This proactive approach not only strengthens system integrity but also helps mitigate the risks associated with legacy drivers that have been exploited in the past. As Microsoft continues to enhance its security protocols, staying informed and prepared will be key to maintaining a secure computing environment.
Additional Security Enhancements
The April 2026 update also introduces critical security upgrades, such as enhanced Remote Desktop phishing protection, which provides users with clearer warnings and connection settings when launching .rdp files. Furthermore, the management of Secure Boot certificates has been revamped, allowing for better monitoring and automatic updates based on device performance. These enhancements collectively contribute to a more secure Windows environment, addressing both existing vulnerabilities and potential future threats.
This update is a proactive measure by Microsoft to close security gaps left by legacy systems and improve overall trust in device drivers, crucial for enterprise environments.
