Starting with the April update, Windows 11 will no longer automatically trust drivers signed under Microsoft’s legacy cross-signing program. The move targets decades-old signing roots that allowed expired certificates to remain functional, but it also tightens the gate for third-party hardware—especially older peripherals and niche devices.

This isn’t a sudden security overhaul; it’s the culmination of a gradual phase-out. Microsoft first announced the shift in August 2025, but the April 2026 update marks the enforcement window. Systems running Windows 11 versions 24H2, 25H2, and 26H1 will enter an evaluation period where the kernel logs driver activity before enforcing strict WHCP-only trust. That means even drivers that worked flawlessly under previous builds may now trigger warnings or fail to load unless they carry a fresh WHCP certificate.

What power users need to watch

The immediate impact is twofold: hardware compatibility and workflow continuity. Older TV capture cards, industrial I/O modules, or legacy printer drivers that relied on cross-signed certificates may no longer function without explicit allow-listing. Microsoft maintains a curated exception list for widely used devices, but the burden of vetting now falls on end-users and IT teams rather than the OS.

Windows 11 shifts security stance: expired drivers face new trust barriers
  • Driver trust shift: WHCP-certified drivers only; cross-signed roots deprecated
  • Evaluation mode: April 2026 update logs activity before enforcement
  • Backward compatibility: Trusted legacy drivers still load, but not by default
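For the vetting work described above, a driver inventory is the usual starting point. The following PowerShell sketch is an added example, not Microsoft tooling or code from the original article. It assumes that WHCP-signed drivers carry a leaf certificate named "Microsoft Windows Hardware Compatibility Publisher" and that inbox drivers are signed as "Microsoft Windows". It only inspects the primary signature that `Get-AuthenticodeSignature` returns, so its output is a review list, not the kernel's verdict.

```powershell
# Added example: classify installed kernel drivers by the subject of their signer certificate.
# Assumption: the WHCP leaf certificate subject contains the CN below; drivers signed
# directly by a vendor certificate are flagged as candidates for the legacy cross-signed path.
$whcpSigner = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver paths may be quoted, or use \??\, \SystemRoot\ or a relative system32\ form.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^system32\\')      { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Get-DriverImagePath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries with no file on disk

        $cert = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate
        # Order matters: the WHCP name also begins with "Microsoft Windows".
        $class = if (-not $cert) { 'Unsigned or unreadable' }
                 elseif ($cert.Subject -like "*CN=$whcpSigner*") { 'WHCP' }
                 elseif ($cert.Subject -like '*CN=Microsoft Windows*') { 'Microsoft inbox' }
                 else { 'Vendor-signed (review)' }

        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Class    = $class
            Signer   = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Path     = $path
        }
    }

# Drivers worth checking against vendor updates before enforcement, oldest certificates first.
$report | Where-Object Class -eq 'Vendor-signed (review)' |
    Sort-Object NotAfter |
    Format-Table Name, State, Signer, NotAfter, Path -AutoSize
```

Run it from an elevated prompt so every driver file is readable. A driver with a vendor primary signature and a secondary or catalog WHCP signature can still appear in the review list.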

Alternatives for custom environments

Enterprises that need privately signed kernel code can bypass the new policy via Application Control for Business (formerly WDAC). This path requires linking trust anchors—such as Platform Key or Key Exchange Key—to Secure Boot, effectively creating a whitelist for internal-only drivers. It’s not a seamless workaround; it demands deeper configuration and ongoing maintenance, but it offers a controlled path forward for organizations stuck with legacy hardware stacks.

The bigger question is whether this policy will accelerate the retirement of older hardware or force vendors to re-certify en masse. Microsoft’s long-term goal is clear: WHCP should become the universal standard, but the transition period gives power users and sysadmins a final window to upgrade—or risk being locked out.

Where things stand now: most systems will see warnings or failures for expired drivers starting April; WHCP certification becomes mandatory for new hardware; custom environments can opt into WDAC for continued support.