Tech Community Live: AMA - Windows Security
Addressing vulnerabilities in the kernel is a top priority for Microsoft and we have a number of initiatives underway to improve our ability to detect and respond to vulnerabilities and malicious code targeting the kernel. As Jordan mentioned live in the AMA, we maintain a blocklist of known vulnerable and compromised drivers which is continuously updated. Security researchers, driver publishers, and others can report suspected malicious or vulnerable drivers using the new submission portal that we announced in December. See "Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center" on the Microsoft Security Blog.
You can find the most up-to-date recommended block list at https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules. The policy is also now included as an example policy with Windows and can be found here: %windir%\schemas\CodeIntegrity\ExamplePolicies. Customers who use WDAC can incorporate that blocklist into their WDAC policies today. Finally, all customers can activate the blocklist by enabling memory integrity, also known as hypervisor-protected code integrity (HVCI). And most new Windows 11 systems will have HVCI enabled by default.
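The two activation paths described in the reply above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not part of the original reply and not Microsoft's own tooling: it reports whether memory integrity (HVCI) is configured and running, then merges the example driver block policy into an existing WDAC base policy. Assumptions: both C:\Policies paths are hypothetical placeholders, and the *DriverBlock*Enforced*.xml file name pattern is a guess at how the example policy is named on your build.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths marked "hypothetical" are placeholders, not values from the post.
param(
    [string]$BasePolicy   = 'C:\Policies\BasePolicy.xml',           # hypothetical: your existing WDAC base policy
    [string]$MergedPolicy = 'C:\Policies\BasePlusDriverBlock.xml',  # hypothetical: output of the merge
    [string]$BlockPattern = '*DriverBlock*Enforced*.xml'            # assumption: example policy file name pattern
)

# 1. Memory integrity (HVCI) state. In Win32_DeviceGuard, service value 2 is HVCI;
#    VirtualizationBasedSecurityStatus is 0 (off), 1 (enabled, not running) or 2 (running).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$state = [pscustomobject]@{
    VbsStatus      = $dg.VirtualizationBasedSecurityStatus
    HvciConfigured = $dg.SecurityServicesConfigured -contains 2
    HvciRunning    = $dg.SecurityServicesRunning -contains 2
}
$state | Format-List

if ($state.HvciRunning) {
    Write-Host 'Memory integrity is running.'
} elseif ($state.HvciConfigured) {
    Write-Warning 'Memory integrity is configured but not running (reboot pending or an incompatible driver).'
} else {
    Write-Warning 'Memory integrity is off on this device.'
}

# 2. Locate the example block policy that ships with Windows.
$exampleDir = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies'
$block = Get-ChildItem -Path $exampleDir -Filter $BlockPattern -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $block) {
    Write-Warning "No file matching '$BlockPattern' in $exampleDir. Files present:"
    Get-ChildItem -Path $exampleDir -Filter '*.xml' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    return
}

# 3. Merge the block rules into the base policy. The merged file is written to a new
#    path so the base policy stays untouched until the result has been reviewed.
if (-not (Test-Path -LiteralPath $BasePolicy)) {
    Write-Warning "Base policy not found: $BasePolicy"
    return
}
Merge-CIPolicy -PolicyPaths $BasePolicy, $block.FullName -OutputFilePath $MergedPolicy | Out-Null
Write-Host "Merged policy written to $MergedPolicy (source block list: $($block.Name))"
```

The script only produces the merged XML; converting and deploying it follows whatever WDAC rollout process you already use for the base policy.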