Windows security is a pretty big topic, which makes sense considering that Microsoft's operating systems are used by over a billion people. Naturally, the company has several lines of defense that together offer a layered approach against different kinds of threats. Microsoft recently teased some big upcoming security updates for Windows 11 too. But for now, we thought it was a good idea to talk about a very important built-in capability in Windows that protects your operating system against malicious and vulnerable drivers.
The Vulnerable Driver Blocklist is a security feature grouped under Microsoft's Core Isolation umbrella in Windows. For those unfamiliar with Core Isolation, it is a collection of capabilities that protect "core" Windows processes from malicious software by isolating them in memory. The Vulnerable Driver Blocklist sits in that category because it is, in essence, a code-integrity policy listing drivers that Windows refuses to load by default.
Devices like cameras, microphones, and keyboards communicate with the operating system through drivers, and drivers run with kernel privileges. There have been documented cases of attackers loading a legitimately signed but vulnerable Windows driver and then exploiting its flaw to run their own code in the kernel, a technique commonly called "bring your own vulnerable driver". So, in 2022, Microsoft set out to shrink this attack surface by shipping, and enabling by default, a list of drivers known to be vulnerable that Windows installations will not load.
The Vulnerable Driver Blocklist is the result of an ongoing collaboration between Microsoft, independent hardware vendors (IHVs) and OEMs. Whenever a driver vulnerability is reported, the Redmond tech giant works with the vendor on a fix and adds the affected driver versions to the blocklist, but only when the vulnerability is severe enough and the risk of breaking working devices is low.
This is a particularly important aspect to understand. Microsoft's Vulnerable Driver Blocklist isn't exhaustive. It doesn't list every vulnerable driver, because silently blocking a driver the user depends on can cause a poor experience on Windows, such as device malfunctions and the dreaded Blue Screen of Death (BSOD). This is exactly why maintaining the list is always a careful balancing act for Microsoft, and why the blocklist should be treated as a baseline rather than a guarantee that no exploitable driver can load.
The Vulnerable Driver Blocklist is refreshed through Windows Update with each major Windows release, which means it changes roughly once or twice a year. A driver vendor that has shipped a fix for a vulnerable driver can also contact Microsoft to have the old versions added to the blocklist.
In most Windows installations the Vulnerable Driver Blocklist is on by default, and it is also enforced whenever hypervisor-protected code integrity (HVCI), Smart App Control, or S mode is active. It's worth noting how the policy is built: it explicitly denies the listed vulnerable drivers and allows everything else through "Allow All" rules. That is the reverse of Microsoft's own best-practice recommendation, which is an explicit allowlist where each driver is permitted individually and anything unlisted is blocked; understandably, maintaining such an allowlist is not feasible for most machines, so the default blocklist is a deny-list layered over a permissive base.
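To make that "deny-list over Allow All" shape concrete, here is an added example (it is not code from Microsoft or from this article) that parses a WDAC policy XML in the same schema the downloadable blocklist uses, summarizes its Allow and Deny file rules, and evaluates whether a given driver name and version would be blocked. The embedded policy is a constructed sample with made-up driver names, rule IDs and hash. The evaluation is deliberately simplified and is an assumption for illustration: Deny beats Allow, a Deny with MaximumFileVersion covers that version and below, a Deny without a version attribute covers every version (MinimumFileVersion on Deny rules is ignored), and signer-based rules are not parsed at all.

```python
"""Parse a WDAC code-integrity policy XML and show its "Allow All + explicit Deny" shape.
Added example with a constructed sample policy; not Microsoft's blocklist."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

# Namespace used by WDAC/Code Integrity policy XML (the downloadable blocklist uses it too).
NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample: two Allow-All rules plus three Deny rules of the kinds a blocklist
# contains (name with a version ceiling, name for every version, one specific hash).
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
    <Allow ID="ID_ALLOW_ALL_2" FriendlyName="Allow User mode components" FileName="*" />
    <Deny ID="ID_DENY_OLDDRV" FriendlyName="olddrv.sys 1.x (constructed)"
          FileName="olddrv.sys" MaximumFileVersion="1.9.9.9" />
    <Deny ID="ID_DENY_BADDRV" FriendlyName="baddrv.sys, every version (constructed)"
          FileName="baddrv.sys" />
    <Deny ID="ID_DENY_HASH1" FriendlyName="one specific binary by hash (constructed)"
          Hash="0123456789ABCDEF0123456789ABCDEF01234567" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_ALL_1" />
          <FileRuleRef RuleID="ID_DENY_OLDDRV" />
          <FileRuleRef RuleID="ID_DENY_BADDRV" />
          <FileRuleRef RuleID="ID_DENY_HASH1" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""


@dataclass
class FileRule:
    kind: str                                # "Allow" or "Deny"
    rule_id: str
    friendly: str
    file_name: Optional[str]                 # OriginalFileName from the PE version resource, or "*"
    max_version: Optional[Tuple[int, ...]]   # MaximumFileVersion, if the rule has one
    file_hash: Optional[str]                 # Authenticode hash (hex), if the rule has one


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.9.9.9' -> (1, 9, 9, 9); tuple comparison orders versions component by component."""
    return tuple(int(part) for part in text.split("."))


def load_rules(xml_text: str):
    """Collect Allow/Deny entries from <FileRules>. Signer-based rules are not parsed."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.findall("si:FileRules/*", NS):
        kind = el.tag.split("}", 1)[1]        # strip the namespace prefix
        if kind not in ("Allow", "Deny"):     # skip FileAttrib and friends
            continue
        max_ver = el.get("MaximumFileVersion")
        rules.append(FileRule(kind, el.get("ID", ""), el.get("FriendlyName", ""),
                              el.get("FileName"),
                              parse_version(max_ver) if max_ver else None,
                              el.get("Hash")))
    return rules


def summarize(rules):
    """What the policy actually says: how many 'Allow All' rules versus explicit denies."""
    return {
        "allow_all": [r.rule_id for r in rules if r.kind == "Allow" and r.file_name == "*"],
        "deny_by_name": sum(1 for r in rules if r.kind == "Deny" and r.file_name),
        "deny_by_hash": sum(1 for r in rules if r.kind == "Deny" and r.file_hash),
    }


def evaluate(rules, file_name: str, version: str, file_hash: Optional[str] = None):
    """Simplified decision (assumption): Deny wins over Allow; a Deny with MaximumFileVersion
    covers that version and below, a Deny without one covers every version; with no matching
    Allow the result is deny, since WDAC is default-deny. Returns (decision, rule ID)."""
    ver = parse_version(version)
    name = file_name.lower()
    for r in rules:
        if r.kind != "Deny":
            continue
        if r.file_hash and file_hash and r.file_hash.lower() == file_hash.lower():
            return ("deny", r.rule_id)
        if r.file_name and r.file_name.lower() == name:
            if r.max_version is None or ver <= r.max_version:
                return ("deny", r.rule_id)
    for r in rules:
        if r.kind == "Allow" and r.file_name == "*":
            return ("allow", r.rule_id)
    return ("deny", None)


if __name__ == "__main__":
    # Pass the path of a downloaded blocklist XML to summarize the real policy instead.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    rules = load_rules(text)
    print(summarize(rules))
    for name, ver in (("olddrv.sys", "1.5.0.0"), ("olddrv.sys", "2.0.0.0"), ("baddrv.sys", "9.9.9.9")):
        print(name, ver, evaluate(rules, name, ver))
```

Run it with no arguments to see the sample, or pass the path of the blocklist XML you downloaded to count its Allow All and Deny file rules. Two things to keep in mind when reading the real file: FileName in WDAC rules refers to the OriginalFileName stored in the binary's version resource, not the name on disk, and the real blocklist also carries signer-based denies that this script does not count.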
The Vulnerable Driver Blocklist policy lives under the System32 folder (in its CodeIntegrity subfolder) and, as mentioned previously, it is enabled by default, so you don't really need to do anything. That said, Microsoft does offer an offline XML policy file containing the latest list, which IT admins can download from Microsoft and deploy as a Windows Defender Application Control (WDAC) policy if they don't want to wait for the next feature update. For regular consumers, the blocklist can be toggled in the Windows Security app, or through the Settings app under Privacy & Security > Windows Security > Device security > Core isolation. That switch is backed by the VulnerableDriverBlocklistEnable value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (1 = enabled, 0 = disabled), and a driver the policy refuses to load is recorded as event ID 3077 in the Microsoft-Windows-CodeIntegrity/Operational event log, which is the first place to look if a device stops working after an update.
What do you think about this security feature in Windows? Were you aware of its existence? Let us know in the comments section below!