Windows 11 Insider Build 26220: The Death of Cross-Signed Drivers
Microsoft moves to a "Block by Default" policy for legacy and cross-signed kernel drivers.
Dillip Chowdary
Mar 13, 2026
Securing the Windows kernel has been a multi-decade battle. With the release of **Insider Build 26220.8062 (Beta)**, Microsoft is taking its most aggressive step yet by removing default trust for **cross-signed drivers**.[5] This new **Driver Block** policy is designed to eliminate a common vector used by rootkits and Advanced Persistent Threats (APTs) to bypass **Kernel Mode Code Signing (KMCS)**.
The Problem with Cross-Signing
Cross-signing allowed driver developers to use certificates issued by third-party Certificate Authorities (CAs) that were trusted by a Microsoft root. While convenient for legacy hardware, this system has been abused by attackers who steal or purchase compromised certificates to sign malicious drivers. By forcing a move to **WHCP (Windows Hardware Compatibility Program)** signatures, Microsoft centralizes the trust anchor directly within its own portals.
Enforcing WHCP Standards
The new policy effectively mandates that all new kernel drivers must be submitted to the **Windows Hardware Dev Center** for signing. This allows Microsoft to perform automated static analysis and manual reviews before a driver can be loaded. For organizations, this means that legacy peripheral drivers that haven't been updated since 2021 may suddenly trigger **Code Integrity (CI)** errors in the Beta channel.
Security Impact Analysis
- Rootkit Mitigation: Reduces the "Bring Your Own Vulnerable Driver" (BYOVD) attack surface by 70%.
- Persistence Removal: Prevents boot-time rootkits from loading via legacy hooks.
- Enterprise Control: Allows sysadmins to enforce strict WHCP-only modes via **Intune** or Group Policy.
- Hardware Compatibility: Potential for "breakage" in niche industrial and legacy gaming hardware.
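Before switching a fleet to a WHCP-only mode, administrators will want to know which installed drivers are not WHCP-signed. The following PowerShell inventory is an added example, not code from the article or from Microsoft; it assumes that WHCP-attested drivers carry the signer subject "Microsoft Windows Hardware Compatibility Publisher" and inbox drivers "Microsoft Windows", and treats every other signer as third-party or cross-signed (a heuristic, not the exact rule the Beta build enforces).

```powershell
# Added example: inventory installed kernel drivers and flag those whose
# Authenticode signer is not a Microsoft/WHCP publisher, i.e. the drivers most
# likely to raise Code Integrity errors under a "block cross-signed" policy.
# Assumption (not stated in the article): WHCP-attested drivers are signed by
# "Microsoft Windows Hardware Compatibility Publisher"; inbox drivers by
# "CN=Microsoft Windows". Run from an elevated PowerShell session.

$whcpPattern = 'Microsoft Windows Hardware Compatibility Publisher|CN=Microsoft Windows,'

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted or carry a \??\ or \SystemRoot\ prefix; normalise it
        $path = $_.PathName -replace '"', '' `
                            -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Catalog-signed inbox drivers need PowerShell 5.1+ for Status to read Valid
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State          # Running / Stopped
            Path     = $path
            Status   = $sig.Status       # Valid / NotSigned / HashMismatch / ...
            Signer   = $signer
            WhcpLike = [bool]($signer -match $whcpPattern)
        }
    }

# Drivers that would need re-signing through the Hardware Dev Center, or that
# have an invalid/absent signature and would be blocked outright
$atRisk = $drivers | Where-Object { -not $_.WhcpLike -or $_.Status -ne 'Valid' }

$atRisk | Sort-Object State, Name |
    Format-Table Name, State, Status, Signer -AutoSize

# Export for change management or an Intune pilot-group rollout plan
$atRisk | Export-Csv -NoTypeInformation -Path "$env:TEMP\non-whcp-drivers.csv"
```

Review the "Running" entries first: a stopped legacy driver is an inventory item, a running one is a user-facing outage the day enforcement lands.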
The Road to 24H2 Stability
Microsoft is using the Beta channel to gauge the impact on hardware compatibility before rolling this change out to the general public in the **24H2** or **25H1** updates. Developers are encouraged to migrate their signing pipelines to the **Azure Hardware Dashboard** immediately to avoid service disruptions. This change signals the end of the "Wild West" era for Windows kernel extensibility.
Bypassing the Block (For Testing)
For developers and power users, Microsoft has included a registry-based override to temporarily allow cross-signed drivers during testing. However, this override is heavily audited and is expected to be removed in future **Production** builds. The message is clear: the future of Windows is signed, verified, and centralized.