Microsoft Tells Crusty Old Kernel Drivers to Get with the Windows Hardware Compatibility Program

The Register, Mar 27, 2026

Why It Matters

Removing trust for legacy cross‑signed drivers strengthens Windows kernel security and reduces attack surface, but may disrupt organizations relying on outdated hardware or software.

Key Takeaways

  • Cross‑signed drivers lose trust after April 2026 update.
  • Only WHCP‑certified drivers remain trusted in Windows kernel.
  • Evaluation mode audits driver loads before full enforcement.
  • Admins can override via Application Control for Business policies.
  • Legacy devices may need vendor updates or workarounds.

Pulse Analysis

The cross‑signed root program, introduced in the early 2000s, allowed third‑party vendors to sign kernel drivers with a Microsoft‑issued root certificate. Over time, the decentralized key management led to credential theft and driver abuse, prompting Microsoft to deprecate the scheme. By ending trust for these drivers, Microsoft aligns Windows kernel integrity with modern code‑signing standards, reducing the risk of malicious code executing at the highest privilege level.

Microsoft’s rollout uses an "evaluation mode" that logs driver load attempts without blocking them, giving enterprises a safety net to identify compatibility issues before the policy becomes mandatory. Administrators can leverage the Application Control for Business policy to whitelist essential legacy drivers, but such exceptions require a signed policy anchored to the device’s Secure Boot Platform Key or Key Exchange Key. This approach balances security with the platform’s famed backward compatibility, while nudging vendors toward WHCP certification for future driver releases.

Looking ahead, the move signals a broader industry shift toward stricter driver vetting and tighter supply‑chain security. Vendors with aging hardware will need to either update their drivers through the Microsoft Hardware Dev Center or provide documented workarounds for customers. For IT leaders, the priority is to audit existing driver inventories, test the evaluation mode in pilot environments, and plan migration paths to WHCP‑approved drivers. Embracing these practices will safeguard Windows deployments against kernel‑level threats while maintaining operational continuity.
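
As an added example (not from the article or from Microsoft), a first-pass PowerShell inventory for the driver audit recommended above: it lists installed kernel drivers and buckets them by the signer on each driver file. The WHCP publisher string and the bucket names are assumptions of this example; the evaluation-mode audit results remain the authoritative record of what the policy would block.

```powershell
# Added example: first-pass signer inventory of installed kernel drivers.
# Assumption: WHCP-signed drivers show this publisher name in the signer subject.
$WhcpPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath([string]$PathName) {
    # Service image paths appear in several forms; reduce them to a file path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^system32\\')          { return Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignerBucket([string]$Subject) {
    # Bucket names are this example's own labels, not Microsoft terminology.
    if (-not $Subject)                              { return 'Unsigned or unreadable' }
    if ($Subject -like "*$WhcpPublisher*")          { return 'WHCP publisher' }
    if ($Subject -like '*O=Microsoft Corporation*') { return 'Other Microsoft signer' }
    return 'Third-party signer: review'
}

$inventory = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip stale entries
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State
            Path   = $path
            Status = $sig.Status
            Signer = $subject
            Bucket = Get-SignerBucket $subject
        }
    }

# Summary per bucket, then the drivers that need a closer look.
$inventory | Group-Object Bucket | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$inventory | Where-Object { $_.Bucket -notin 'WHCP publisher', 'Other Microsoft signer' } |
    Sort-Object Signer, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize -Wrap
```

Get-AuthenticodeSignature reports a single signer per file, so a driver that carries more than one signature may land in the review list and need a manual check.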
