Windows 11 — Driver Policy

Tactrix drivers blocked by
Cross-Certificate Policy

KB / April 2026 · Code Integrity enforcement · openport.sys and similar

What happened

Starting with the April 2026 Windows Update, Microsoft began enforcing a new Code Integrity policy that blocks kernel drivers signed with the old cross-certificate program — a legacy signing method that predates the current EV (Extended Validation) Code Signing Certificate requirement.

These drivers are technically signed, but not with a modern EV certificate issued after the WHCP (Windows Hardware Compatibility Program) deadline. Windows now considers their certificate chain untrusted and refuses to load them, resulting in Code 39 in Device Manager and Event ID 3077 in the Code Integrity event log.

Official Microsoft documentation: The Windows Driver Policy — support.microsoft.com ↗

The two policy files

Windows enforces this in two stages via two .cip policy files:

Audit only
{784C4414-79F4-4C32-A6A5-F0FB42A51D0D}.cip

Evaluation phase. Driver loads but violations are logged. Active for ~100 hours / 3 reboots before enforcement begins.

Blocking
{8F9CB695-5D48-48D6-A329-7202B44607E3}.cip

Enforcement phase. Driver is blocked from loading. This is the policy that causes Code 39 and the Application Control error.

Why some PCs have no issue, even with the April 2026 cumulative update? The policy is deployed in two stages: first it lands in Reserved\ (audit mode — drivers are logged but still load), then after approximately 100 hours of use and 3 reboots it probably gets promoted to Active\ (enforcement — drivers are blocked). If your PC received the update recently, it may simply still be in the audit phase.

Before running the script

  • Windows 11 — must be executed from a Windows administrator account
  • Disable Secure Boot in BIOS/UEFI before running — how to disable Secure Boot ↗
  • After running, reboot — then you may re-enable Secure Boot

What the script does

  1. Checks whether Secure Boot is enabled and warns you if so
  2. Takes ownership and grants full access to the .cip files — uses the Administrators SID so it works on any Windows locale (English, German, Italian, etc.)
  3. Removes both policy files from %windir%\System32\CodeIntegrity\CiPolicies\Active\
  4. Removes both policy files from %windir%\System32\CodeIntegrity\CiPolicies\Reserved\ (prevents re-activation)
  5. Mounts the EFI System Partition and removes the policies from there as well
  6. Saves a full log to remove_driver_policy_log.txt next to the script

PowerShell Removal Script

Extract the zip, then right-click runme_as_admin.batRun as administrator.

Download .zip Use at your own risk. Modifies system policy files. Administrator rights and Secure Boot disabled required. No warranty expressed or implied.