Microsoft launches new driver blocking feature to boost security in Windows

Microsoft sign

Microsoft is giving Windows users an easy way to avoid drivers that are known to contain vulnerabilities, helping to improve security.

The company is adding a vulnerable driver blocklist option to Windows Defender Application Control (WDAC) which will help to ensure that only trusted drivers can be installed. The new security measure is available to users of Windows 10, Windows 11 and Windows Server 2016 on systems with hypervisor-protected code integrity (HVCI) enabled, and Windows 10 in S Mode.

See also:

Microsoft says that because of the strict requirements it has put in place for code that runs in the kernel, bad actors now exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. This is the reason for introducing the latest security feature.

The company writes:

Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they’re quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy.

The vulnerable driver blocklist stands in the way of third-party drivers with any of the following attributes:

Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernelMalicious behaviors (malware) or certificates used to sign malwareBehaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel

Microsoft goes on to advise users:

Microsoft recommends enabling HVCI or S mode to protect your devices against security threats. If this isn’t possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It’s recommended to first validate this policy in audit mode and review the audit block events.

Image credit: yu_photo / Shutterstock

Author: Martha Meyer