Microsoft is adding a new Vulnerable Driver Blocklist feature to Windows Defender on Windows 10, Windows 11 and Windows Server 2016 or newer releases. This feature is aimed at helping IT pros protect users against malicious and exploitable drivers.
Microsoft Vice President of OS Security and Enterprise David Weston tweeted about the new Windows security option on March 27.
The feature will be enabled by default on Windows 10 in S Mode, as well as on devices that have the Memory Integrity Core Isolation feature, which relies on virtualization-based security. (This Core Isolation Memory Integrity feature is also known as Hypervisor-protected Code Integrity, or HVCI.) More details are available in this Microsoft article about recommended driver block rules.
This blocking feature will rely on a list of blocked drivers maintained by Microsoft in conjunction with OEM partners. As explained on ghacks.net, drivers may be marked as blocked because they have known security vulnerabilities that can be exploited to elevate Windows kernel privileges; because they act as malware or involve certificates used to sign malware; or because they exhibit behaviors that circumvent the Windows Security Model and can be used to elevate Windows kernel privileges.
I’ve asked Microsoft whether this new driver-blocking feature will be available on all versions of Windows 10 and 11 and when it will be fully deployed. No word back so far.
In other security-related news, Microsoft announced plans for a new U.S. Government cloud environment — Office 365 Government Secret — on March 28. Currently in government review, this new Secret cloud is designed for the U.S. Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and U.S. Government partners working within Secret environments with Microsoft’s Software as a Service (SaaS) capabilities for all data classifications. The Office 365 Government Secret cloud environment is built on Microsoft’s Azure Government classified environments.