© Securetron Inc. All rights reserved.

Kernel Drivers | WHCP

Microsoft Is Removing Trust for Cross-Signed Kernel Drivers

Microsoft is closing one of Windows’ longest-standing security gaps. Beginning with the April 2026 Windows Update, Windows will no longer trust kernel drivers signed under the legacy Cross-Signed Driver Program. Attackers have abused these drivers for years to load malicious or vulnerable components directly into the kernel.

This change affects Windows 11, Windows Server 2025, and all future releases.

🔐 Why Microsoft Is Making This Change

Cross-signed drivers were originally a convenience for vendors who did not want to go through WHCP (Windows Hardware Compatibility Program). Over time they became a major attack surface used for:

  • privilege escalation

  • EDR bypass

  • kernel-level persistence

  • disabling security tools during ransomware attacks

Even though the certificates for this program expired years ago, Windows continued to trust these drivers. That trust is now being removed.

🧩 Key Insights From Community Comments

The TechCommunity discussion highlighted several important points:

  • Many organizations still rely on legacy industrial, medical, and embedded hardware that only has cross-signed drivers.

  • Some vendors never migrated to WHCP, especially niche or low-volume manufacturers.

  • Evaluation mode logs will be essential because enforcement will break drivers silently.

  • Virtualization tools, USB redirection, and older line-of-business applications often hide cross-signed drivers that teams forget about.

This aligns with what we see in real enterprise environments: hidden technical debt that only surfaces during enforcement.

🛠 How To Verify Whether Your Environment Is Affected

Below are five practical verification methods.

1. Check Driver Signatures with PowerShell

List all kernel-mode drivers:

```powershell
Get-WindowsDriver -Online | Select-Object Driver, ClassName, ProviderName, Date, Version
```

Check signature details:

```powershell
# Get-AuthenticodeSignature only accepts a wildcard that resolves to a single file,
# so enumerate the directory first and pipe each driver through it
Get-ChildItem "C:\Windows\System32\drivers\*.sys" | Get-AuthenticodeSignature |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Flag anything showing:

  • a non-WHCP certificate

  • Status of NotSigned or UnknownError

  • a legacy certificate issuer used for cross-signing

2. Use SigCheck from Sysinternals

Scan all drivers:

```cmd
sigcheck -q -m -i c:\windows\system32\drivers
```

Look for:

  • “Cross-signed”

  • “Unsigned”

  • “No WHQL”

3. Check Event Logs for Evaluation Mode Alerts

After installing the April 2026 update, Windows logs warnings before enforcement.

Navigate to:

Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational

Look for:

  • Event ID 3089 – driver allowed but will be blocked in the future

  • Event ID 3091 – driver is cross-signed

These logs are your early warning system.
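The following script is an added example, not part of the original post, that pulls the evaluation-mode events named above out of the Code Integrity operational log and flattens them into a CSV so the affected driver files can be tracked over time. It assumes the event IDs the post lists (3089 and 3091) and, because the structured fields differ between IDs, captures every `<Data Name="...">` element generically instead of hard-coding one schema; the `FileNameBuffer` field used for the summary is an assumption and the summary simply stays empty if the events do not carry it. Run it elevated.

```powershell
# Added example (not from the original post): collect Code Integrity evaluation-mode
# warnings and summarise which driver files triggered them.
# Assumptions: event IDs 3089 and 3091 as named in the post; EventData field names
# are captured generically because they vary per event ID.

param(
    [int[]]$EventId = @(3089, 3091),
    [int]$Days = 7,
    [string]$OutFile = "$env:TEMP\ci-evaluation-events.csv"
)

$log = 'Microsoft-Windows-CodeIntegrity/Operational'

$filter = @{
    LogName   = $log
    Id        = $EventId
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No events with ID $($EventId -join ', ') in $log during the last $Days days."
    return
}

$rows = foreach ($e in $events) {
    # Each event carries its structured fields in EventData; flatten them into one row
    $x = [xml]$e.ToXml()
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Summary     = ($e.Message -split "`r?`n")[0]
    }
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) events to $OutFile"

# Quick view: which files appear most often (assumes a FileNameBuffer field is present)
$rows |
    Where-Object { $_.PSObject.Properties.Name -contains 'FileNameBuffer' } |
    Group-Object FileNameBuffer |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Schedule it weekly and diff the CSVs: a driver that keeps appearing after the vendor claimed to ship a WHCP-signed build has not actually been replaced.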

4. Inspect Driver Signatures in Device Manager

For each device:

  1. Open Device Manager

  2. Right-click the device and select Properties

  3. Open the Driver tab

  4. Select Driver Details

  5. Check the Digital Signer field

If it does not say Microsoft Windows Hardware Compatibility Publisher, it is not WHCP-signed.

5. Inventory Drivers Across the Fleet with Intune or SCCM

Enterprise-scale verification:

  • Intune: Device Diagnostics plus custom scripts

  • SCCM: Query Win32_SystemDriver

  • Defender for Endpoint: Use Advanced Hunting

Example MDE query:

```kusto
DeviceFileEvents
| where FolderPath endswith "drivers"
| where FileName endswith ".sys"
```
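As an added example serving both the local PowerShell check in method 1 and the fleet inventory in method 5 (this is not code from the original post), the script below enumerates every registered kernel driver via `Win32_SystemDriver` together with the contents of `System32\drivers`, records each file's Authenticode status, signer and issuer, and writes the result to a CSV while exiting non-zero when anything needs review, so it can be pushed through Intune or SCCM as a compliance script. The list of expected signer names is an assumption to adjust per environment: WHCP and attestation-signed drivers carry the `Microsoft Windows Hardware Compatibility Publisher` subject the post names, and in-box drivers are catalog-signed under `Microsoft Windows`. Everything else, including any file whose status is not `Valid`, is reported for review rather than declared malicious; a catalog-signed third-party driver can show as `NotSigned` on some builds, so confirm those with `sigcheck -i` before escalating to the vendor.

```powershell
# Added example (not part of the original post): inventory kernel drivers and classify
# their Authenticode signers so cross-signed or otherwise non-WHCP drivers stand out.
# Assumptions: the expected signer names below are Microsoft's subjects for WHCP-signed
# and in-box drivers; anything else is reported for review. Run elevated.

param(
    [string]$OutFile = "$env:ProgramData\driver-signing-inventory.csv"
)

# Signers treated as expected on a current Windows build (assumption; adjust as needed)
$ExpectedSigners = @(
    'Microsoft Windows Hardware Compatibility Publisher',   # WHCP / attestation-signed
    'Microsoft Windows'                                     # in-box, catalog-signed drivers
)

function Get-DriverSigningInfo {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = $null; $issuer = $null; $notAfter = $null
    if ($sig.SignerCertificate) {
        # Readable CN of the signer and of the CA that issued its certificate
        $type    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $subject = $sig.SignerCertificate.GetNameInfo($type, $false)
        $issuer  = $sig.SignerCertificate.GetNameInfo($type, $true)
        $notAfter = $sig.SignerCertificate.NotAfter
    }

    $verdict =
        if ($sig.Status -ne 'Valid')                  { 'REVIEW: signature ' + $sig.Status }
        elseif ($ExpectedSigners -contains $subject)  { 'OK: ' + $subject }
        else                                          { 'REVIEW: non-WHCP signer' }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = $subject
        Issuer   = $issuer
        NotAfter = $notAfter
        Verdict  = $verdict
    }
}

# Candidate set: every registered kernel driver (catches drivers installed outside
# System32\drivers) plus everything in the drivers folder, de-duplicated
$paths = @(
    Get-CimInstance Win32_SystemDriver |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot } |
        Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" -File | Select-Object -ExpandProperty FullName
) | Sort-Object -Unique

$results = foreach ($p in $paths) { Get-DriverSigningInfo -Path $p }
$results | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

$flagged = @($results | Where-Object Verdict -like 'REVIEW*')
$flagged | Sort-Object Signer | Format-Table Path, Status, Signer, Issuer -AutoSize

Write-Host "$($results.Count) drivers inspected, $($flagged.Count) need review. Inventory: $OutFile"

# Non-zero exit code lets Intune/SCCM treat flagged hosts as non-compliant
if ($flagged.Count -gt 0) { exit 1 } else { exit 0 }
```

The `Issuer` column is the quickest triage aid: drivers from the cross-signing era chain to a third-party CA rather than to Microsoft, so grouping the CSV by issuer across the fleet tends to surface the handful of legacy vendors behind most of the flagged files.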

🧭 What To Do If You Find Cross-Signed Drivers

  • Contact the vendor and request WHCP-signed replacements

  • Plan hardware refreshes if the vendor is no longer active

  • Isolate legacy systems if replacement is impossible

  • Monitor Code Integrity logs weekly until enforcement begins