Microsoft launches new driver blocking feature to boost security in Windows

Microsoft is giving Windows users an easy way to avoid drivers that are known to contain vulnerabilities, helping to improve security.

The company is adding a vulnerable driver blocklist option to Windows Defender Application Control (WDAC) which will help to ensure that only trusted drivers can be installed. The new security measure is available to users of Windows 10, Windows 11 and Windows Server 2016 on systems with hypervisor-protected code integrity (HVCI) enabled, and Windows 10 in S Mode.

See also:

• Microsoft relents and makes it easier to change the default web browser in Windows 11
• Microsoft releases KB5011563 update for Windows 11 to fix Settings and upgrade notifications
• After tests, Microsoft has decided to add the 'System requirements not met' watermark to Windows 11

Microsoft says that because of the strict requirements it has put in place for code that runs in the kernel, bad actors now exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. This is the reason for introducing the latest security feature.

The company writes:

Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy.

The vulnerable driver blocklist stands in the way of third-party drivers with any of the following attributes:

• Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
• Malicious behaviors (malware) or certificates used to sign malware
• Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel

Microsoft goes on to advise users:

Microsoft recommends enabling HVCI or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in audit mode and review the audit block events.

Image credit: yu_photo / Shutterstock