Windows 11 blocks drivers with expired certificates starting in April

Microsoft is going to re-certify old kernel drivers in Windows 11 and Windows Server. Only drivers that still meet new security standards will continue to work from April onwards.

Microsoft announced in a blog post that it will more strictly oversee support for kernel drivers in Windows. Starting with the April 2026 update, kernel drivers once signed by outdated software will have to earn their certificate again. The old certificates no longer provide sufficient guarantees for driver security and compatibility, Microsoft writes.

From now on, only drivers that meet the strict requirements of the Windows Hardware Compatibility Program (WHCP) can be loaded by default. Microsoft will maintain a limited list of ‘trusted’ drivers to prevent compatibility issues. The change applies to supported Windows 11 versions and Windows Server 2025, and will also be in effect for all new versions in the future.

The new policy ensures that only WHCP-certified drivers gain access to the kernel, significantly reducing the attack surface. Microsoft points out that drivers are a critical part of the Windows ecosystem and that their integrity is essential for a secure working environment. Older drivers pose an invisible security risk.

Evaluation mode

Every driver gets a fair chance to prove itself. Microsoft is providing an evaluation phase in April to avoid compatibility issues. During this phase, the system will monitor and audit all driver loads to determine if the new policy can be safely activated.

A certificate will only be granted once strict criteria are met, such as a minimum of 100 runtime hours and three restarts for Windows 11. For Windows Server, a minimum of two restarts applies. Drivers that do not meet the new standards will be blocked. If untrusted drivers are detected during evaluation, the evaluation period is reset and the policy remains in evaluation mode.

For organizations that rely on specific, non-WHCP-certified drivers, Microsoft offers a solution via Application Control for Business. With this policy, companies can manually allow drivers that are not trusted by default, provided they are signed by an authorized key in the Secure Boot environment. This approach ensures that security is maintained without sacrificing compatibility.

Windows to block drivers without a valid certificate starting in April. Source: Microsoft

Confusion surrounding printers

Microsoft acknowledges that many users and organizations rely on older drivers for their hardware or software. Striking a balance between security and compatibility sometimes proves difficult. In February, Microsoft caused confusion by making it seem as though old printers would lose support in Windows. In the long run, Microsoft wants to move away from third-party drivers in Windows as quickly as possible and steer users toward its own software.