The April 2026 Windows update introduces a major security policy change affecting kernel driver trust. It affects Windows 11 builds 24H2, 25H2 and 26H1, and Windows Server 2025. Systems that run legacy drivers can suddenly lose hardware.
There is no clear error message; the system silently switches from evaluation to enforcement mode. Users may see driver load failures, or hardware becoming unavailable, after the system has been running for 100 hours.
Symptoms
- Hardware devices disappear from Device Manager without warning.
- Computer fails to boot due to critical driver load errors.
- No explicit warnings during install or update.
- System runs in evaluation mode, delaying enforcement of security rules.
Cause
Microsoft ended the cross-signed root program in 2021. The April 2026 update enforces strict trust rules for kernel drivers, building on the Kernel-Mode Code Signing Policy. The system runs in evaluation mode for 100 hours and 2-3 restarts, auditing driver loads without blocking. After this, it blocks any cross-signed driver not on Microsoft's explicit allow list, permanently disabling hardware using older signed drivers not certified through the Windows Hardware Compatibility Program.
Fix
Manage this change with monitoring and policy tweaks. There is no automatic fix that restores legacy driver trust without changes.
- Monitor Evaluation Mode Status
  Let affected systems finish the evaluation period. Open Event Viewer and check the System log for driver audit events. If no cross-signed drivers load successfully during the 100-hour window, the system switches to enforcement mode automatically. Avoid resetting timers during this period.
- Check Microsoft's Allow List
  Verify whether legacy hardware drivers appear on Microsoft's allow list. Drivers on this list keep working after enforcement without any extra steps.
- Query Driver Signing Status
  Use PowerShell to find drivers signed under the old cross-signed root program. Run this in an Administrator session to list the trusted root certificates:
  Get-ChildItem Cert:\CurrentUser\Root
  Use Get-AuthenticodeSignature to inspect specific driver files. Device Manager also shows driver signing details.
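The following script is an added triage example, not code from the original post or from Microsoft. It builds on the two cmdlets above: it runs Get-AuthenticodeSignature over every .sys file in the driver directory, walks each signer's certificate chain, and flags drivers whose chain ends at a root that is not a Microsoft root. That flag is an assumption used here as a heuristic for "possibly cross-signed", not Microsoft's definition, and the path and the CSV location are also assumptions. The second half cross-references the flagged file names against the Code Integrity operational log; the page does not name the event IDs this update writes, so the filter matches on the driver name in the event message rather than on an ID.

```powershell
# Added example (not from the original post): list kernel driver files that chain
# to a non-Microsoft root, then look for Code Integrity events that mention them.
# Run in an elevated PowerShell session.

# Assumption: boot-critical and third-party kernel drivers live here.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$driverFiles = Get-ChildItem -Path $driverDir -Filter '*.sys' -File

$report = foreach ($file in $driverFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $rootSubject = $null
    if ($sig.SignerCertificate) {
        # Build the chain for the signer so we can see which root it ends at.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline triage only
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        if ($last -ge 0) { $rootSubject = $chain.ChainElements[$last].Certificate.Subject }
        $chain.Dispose()
    }
    [pscustomobject]@{
        Driver    = $file.Name
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Root      = $rootSubject
        # Heuristic (assumption): validly signed, but the chain does not terminate
        # at a Microsoft root. These are the drivers to check against the allow list.
        Candidate = ($sig.Status -eq 'Valid' -and $rootSubject -and $rootSubject -notmatch 'Microsoft')
    }
}

'--- Drivers whose signature chains to a non-Microsoft root ---'
$report | Where-Object Candidate | Sort-Object Driver | Format-Table Driver, Signer, Root -AutoSize

# Keep the full result for the change record / hardware inventory.
$csvPath = Join-Path $env:TEMP 'driver-signing-triage.csv'
$report | Export-Csv -Path $csvPath -NoTypeInformation
"Full report written to $csvPath"

# Cross-reference: any Code Integrity events in the last 7 days that mention a
# flagged driver. Event IDs are not given on the page, so match on the file name.
$candidates = ($report | Where-Object Candidate).Driver
if ($candidates) {
    $since = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue

    '--- Code Integrity events mentioning flagged drivers ---'
    $events |
        Where-Object { $msg = $_.Message; $candidates | Where-Object { $msg -match [regex]::Escape($_) } } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

The Candidate column is a starting point for the allow-list check in the previous step, not a verdict: a driver signed by a third-party CA may still be on Microsoft's allow list, and a Microsoft-rooted signature does not by itself prove WHCP certification. Revocation checking is disabled here so the script runs offline; rerun the chain build with revocation enabled before relying on Status for anything beyond triage.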
- Use Application Control for Business
  For custom or internal legacy drivers you cannot replace, create Application Control for Business policies (formerly WDAC). Sign policies using keys in the device Secure Boot Platform Key or Key Exchange Key. This lets specific drivers run without lowering overall security. Access these settings via Group Policy or Microsoft Intune.
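The commands below are an added example of the policy-creation step, not the page's own procedure or a Microsoft script. They use the ConfigCI module's New-CIPolicy, Set-RuleOption, Add-SignerRule and ConvertFrom-CIPolicy cmdlets, which exist on current Windows builds, to generate a publisher-level allow policy from a directory of legacy drivers, keep it in audit mode, and attach the signing certificate. The scan directory, output paths and certificate file are assumptions (placeholders); signing the binary policy with the key that is enrolled in the device's Secure Boot PK or KEK, and deploying it through Group Policy or Intune, is done with your signing tooling after this step.

```powershell
# Added example (not from the original post): build an audit-mode Application
# Control for Business policy that allows a set of legacy kernel drivers.
# Run in an elevated PowerShell session.

# Assumptions: the drivers to allow have been copied to this folder, and the
# certificate that will sign the policy is exported here (public part only).
$legacyDriverDir = 'C:\LegacyDrivers'                 # placeholder
$signerCertPath  = 'C:\PolicySigning\policy-signer.cer'  # placeholder
$policyXml       = 'C:\Policies\LegacyDriverAllow.xml'
$policyBin       = 'C:\Policies\LegacyDriverAllow.bin'

New-Item -ItemType Directory -Force -Path (Split-Path $policyXml) | Out-Null

# 1. Scan the folder and emit allow rules at the Publisher level, falling back to
#    a file hash for anything unsigned. -UserPEs is omitted so only kernel-mode
#    binaries are covered, which keeps the policy scoped to the driver problem.
New-CIPolicy -FilePath $policyXml `
             -Level Publisher `
             -Fallback Hash `
             -ScanPath $legacyDriverDir `
             -NoScript

# 2. Start in audit mode (rule option 3) so a mistake logs instead of blocks.
#    Remove option 3 only after the Code Integrity log shows no unexpected hits.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Declare the certificate that will sign this policy. Once a signed policy is
#    active, only policies signed by a listed signer can replace it, so the
#    -Update flag must be present or you lock yourself out of future changes.
Add-SignerRule -FilePath $policyXml -CertificatePath $signerCertPath -Kernel -Update

# 4. Compile to the binary form that the boot-time Code Integrity engine reads.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

"Audit-mode policy compiled: $policyBin"
"Next: sign $policyBin with the key enrolled in Secure Boot (PK/KEK), then deploy via Group Policy or Intune."
```

Publisher-level rules are chosen over hash rules so a vendor's later signed update of the same driver is still allowed without editing the policy; if the legacy driver's publisher certificate is the very cross-signed chain being retired, expect to move that driver to a hash rule or replace the hardware, as the final step describes.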
- Upgrade or Replace Hardware
  Contact manufacturers for updated drivers certified by the Windows Hardware Compatibility Program. Replace hardware if no updated drivers exist. Certified drivers must be submitted through the Windows Hardware Dev Center.
If that does not work
Roll back the April 2026 update on systems that fail critical tasks. Delay policy enforcement using WSUS or Intune if possible. Watch Microsoft's release health page for compatibility updates and exemptions. Document failed hardware models for long-term supply decisions.
Need help with driver policy migration and endpoint security? Contact Rain City Techworks.