Microsoft will adjust the decades-old Windows kernel driver trust strategy
Author: Editor

Microsoft announced that, starting in April 2026, Windows 11 will by default no longer load kernel drivers whose certificates were issued under the 'Legacy Cross-Signed Root Program', in order to enhance system security and stability. Microsoft retired this program in 2021, but some legacy drivers remained active on systems. Under the new strategy, the Windows kernel will only accept drivers signed through the Windows Hardware Compatibility Program (WHCP). Microsoft will also maintain an explicit 'allow list' of certain legacy drivers with a long history and strong reputation, so that they can still be loaded under the new strategy.

The new strategy will initially be rolled out in 'evaluation mode', which allows system operation to be monitored and audited without immediately blocking the affected drivers. Enterprise administrators can also override the default kernel trust strategy through configuration policies to load internally developed or customized drivers in specific scenarios. Microsoft stated that the new kernel strategy will be rolled out in phases and that it will closely monitor customer feedback to further optimize the actual experience.