Windows tightens driver trust

Microsoft is changing how Windows drivers are trusted and has added native Sysmon telemetry to recent releases. The Windows Hardware Compatibility Program (WHCP) is being set as the default signing path to replace cross-signing, with enforcement expected via cumulative updates; a March Windows 11 update also added native Sysmon integration and a taskbar network speed test. (windowsnews.ai 1) (windowsnews.ai 2)

Windows is changing which low-level drivers it trusts by default, cutting off most old cross-signed drivers in the April 2026 security update. (techcommunity.microsoft.com) Microsoft said systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025 will enforce the new kernel trust policy in that April 2026 update. The company said only drivers that pass the Windows Hardware Compatibility Program and are signed through Microsoft’s Hardware Dev Center will load by default, with a limited allow list for some widely used older drivers. (techcommunity.microsoft.com)

A driver is the software layer that lets Windows talk to hardware, from graphics cards to storage controllers. Because kernel drivers run with the operating system’s highest privileges, Microsoft has spent years tightening signing rules around them. (learn.microsoft.com) (support.microsoft.com)

Cross-certificates for kernel-mode code signing are already marked deprecated in Microsoft’s driver documentation, and Microsoft now says cross-signed certificate authorities are no longer trusted by default starting in April 2026. The standard path is submission through the Windows Hardware Compatibility Program, which includes Microsoft review and signing. (learn.microsoft.com 1) (learn.microsoft.com 2)

Microsoft is pairing that trust change with more built-in visibility into what happens inside Windows. Its March 10, 2026 cumulative update, KB5079473, shipped for Windows 11 versions 24H2 and 25H2 as OS Builds 26100.8037 and 26200.8037. (support.microsoft.com) (catalog.update.microsoft.com)

That release arrived alongside new Microsoft documentation for built-in System Monitor, or Sysmon, an optional Windows feature on Windows 11 and Windows Server 2025. Microsoft says Sysmon stays resident across reboots and logs detailed events such as process creation, network connections, and file timestamp changes to the Windows event log. (learn.microsoft.com 1) (learn.microsoft.com 2)

Microsoft also published setup and tuning guides in early 2026 that explain how administrators can enable built-in Sysmon, collect its events, and filter the signal to manage volume. The event set includes process execution, network communication, file modification, and configuration-change records. (learn.microsoft.com 1) (learn.microsoft.com 2) (learn.microsoft.com 3)

For hardware makers and enterprise information technology teams, the immediate task is checking whether any older cross-signed driver still matters in their fleet and, if so, whether it is covered by Microsoft’s allow list or needs a Windows Hardware Compatibility Program submission. For security teams, the same spring release cycle adds more native telemetry inside Windows as Microsoft narrows what can run in the kernel. (techcommunity.microsoft.com) (learn.microsoft.com)

The through line is simple: Microsoft is making it harder for unsigned or lightly vetted code to sit closest to the operating system, while giving administrators more first-party tools to watch what still gets through. (techcommunity.microsoft.com) (learn.microsoft.com)
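
The fleet check described above, sketched in PowerShell as an added example (not code from Microsoft or from the original article): it lists registered kernel drivers whose primary signature is not from the WHCP publisher or another Microsoft signer. The WHCP signer name and the "Microsoft " prefix rule are assumptions of this example, and Microsoft's allow list is not modelled.

```powershell
# Added example: classify registered kernel drivers by the signer of their primary signature.
# Assumption: WHCP / Hardware Dev Center signatures carry this leaf certificate name.
$WhcpSigner = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Normalise NT-style prefixes (\??\ and \SystemRoot\) that some driver records use.
    $p = $PathName -replace '^\\\?\?\\', ''
    return ($p -replace '^\\?SystemRoot\\', "$env:SystemRoot\")
}

function Get-SignerClass {
    param([string]$Signer)
    if ([string]::IsNullOrEmpty($Signer)) { return 'NoSignerFound' }
    if ($Signer -eq $WhcpSigner)          { return 'WHCP' }
    # Heuristic of this example: other in-box Microsoft signers share this prefix.
    if ($Signer -like 'Microsoft *')      { return 'Microsoft' }
    return 'Review'   # third-party leaf signer: candidate cross-signed driver
}

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            Get-AuthenticodeSignature -LiteralPath $path
        }
        $signer = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        }
        [pscustomobject]@{
            Driver = $_.Name
            State  = $_.State
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer = $signer
            Class  = Get-SignerClass $signer
        }
    }
}

# Show only drivers that need a manual look before the trust change applies.
Get-DriverSignerReport |
    Where-Object Class -notin 'WHCP', 'Microsoft' |
    Sort-Object Signer, Driver |
    Format-Table Driver, State, Signer, Status, Path -AutoSize
```

`Get-AuthenticodeSignature` reports only a file's primary signature, so a dual-signed driver can appear under its vendor's name; treat the output as a review list rather than a verdict on what will load.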
