{
	"id": "0c4ae098-0f41-44a8-9a64-b0c46278f810",
	"created_at": "2026-04-06T01:29:31.334959Z",
	"updated_at": "2026-04-10T03:23:52.229447Z",
	"deleted_at": null,
	"sha1_hash": "6bf5f23b20a5baa06af995e2ec82fbeb64851d2a",
	"title": "Microsoft recommended driver block rules",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47059,
	"plain_text": "Microsoft recommended driver block rules\r\nBy jsuther1974\r\nArchived: 2026-04-06 01:12:50 UTC\r\nMicrosoft has strict requirements for code running in the kernel, so malicious actors are turning to exploiting vulnerabilities in legitimate, signed kernel drivers to run malware in the kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and the security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against non-Microsoft-developed drivers across the Windows ecosystem that have any of the following attributes:\r\n- Known security vulnerabilities that an attacker could exploit to elevate privileges in the Windows kernel\r\n- Malicious behaviors (malware) or certificates used to sign malware\r\n- Behaviors that aren't malicious but circumvent the Windows Security Model and that an attacker could exploit to elevate privileges in the Windows kernel\r\nDrivers can be submitted to Microsoft for security analysis at the Microsoft Security Intelligence Driver Submission page. For more information about driver submission, see Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. To report an issue or request a change to the blocklist, including updating a block rule once a fixed version of a driver is available, visit the Microsoft Security Intelligence portal.\r\nNote\r\nBlocking drivers can cause devices or software to malfunction and, in rare cases, lead to a blue screen. The vulnerable driver blocklist isn't guaranteed to block every driver found to have vulnerabilities. 
When we produce the blocklist, Microsoft attempts to balance the security risks from vulnerable drivers against the potential effect on compatibility and reliability. The blocklist included in this article and in the associated downloadable files usually contains a more complete set of known vulnerable drivers than the version in the OS and delivered by Windows Update. It's often necessary for us to hold back some blocks to avoid breaking existing functionality while we work with our partners, who are engaging their users to update to patched versions. As always, Microsoft recommends using an explicit allowlist approach to security wherever possible, but when that isn't feasible, this blocklist is a critical tool for disrupting malicious actors.\r\nSince the Windows 11 2022 update, the vulnerable driver blocklist is enabled by default for all devices and can be turned on or off via the Windows Security app. Except on Windows Server 2016, the vulnerable driver blocklist is also enforced when memory integrity, also known as hypervisor-protected code integrity (HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by default for most new Windows 11 devices.\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules\r\nThe blocklist is updated with each new major release of Windows, typically 1-2 times per year. The most current blocklist is now also available as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.\r\nCustomers who always want the most up-to-date driver blocklist can also use App Control for Business to apply the latest recommended driver blocklist included in this article.
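The apply-and-verify procedure given later on this page (install the audit or enforced binary as SiPolicy.p7b, run the refresh tool, then look for a Code Integrity 3099 event whose PolicyNameBuffer and PolicyIdBuffer match the policy), the audit-mode review it asks for before enforcing, and the removal of the Allow All rules it requires before merging into an allowlist policy, as an added PowerShell example. This is not code from the Microsoft page or from the blocklist download. Assumed, not stated on the page: the folder the blocklist was extracted to, the file names inside it (SiPolicy_Audit.p7b, SiPolicy_Enforced.p7b and the policy XML), the path of the refresh tool, the field names of the 3076/3077 block events, and the element layout of the policy XML used when stripping the Allow All rules. Run it from an elevated PowerShell session.

```powershell
# Added example (not code from the Microsoft page or the blocklist download): deploy the
# vulnerable driver blocklist as described on this page and confirm that it took effect.
# Run from an elevated PowerShell session. Assumed, not stated on the page: the extracted
# folder and file names, the refresh tool path, and the 3076/3077 event field names.

$ErrorActionPreference = 'Stop'
$CiLog = 'Microsoft-Windows-CodeIntegrity/Operational'

function Install-DriverBlocklist {
    # Steps 3 to 5 on the page: choose audit or enforced, install as SiPolicy.p7b, refresh.
    param(
        [ValidateSet('Audit', 'Enforced')] [string]$Mode,
        [string]$BlocklistDir,        # where the downloaded blocklist was extracted (assumed)
        [string]$RefreshTool          # path to the App Control policy refresh tool (assumed)
    )
    $binary = Join-Path $BlocklistDir ('SiPolicy_' + $Mode + '.p7b')   # assumed file names
    if (-not (Test-Path $binary)) { throw ('Blocklist binary not found: ' + $binary) }
    $ciDir = [IO.Path]::Combine($env:windir, 'System32', 'CodeIntegrity')
    Copy-Item -Path $binary -Destination (Join-Path $ciDir 'SiPolicy.p7b') -Force
    # Activates the policy without a reboot; drivers already loaded stay loaded until reboot.
    Start-Process -FilePath $RefreshTool -Wait -NoNewWindow
}

function Get-PolicyInfo {
    # Reads the Name and Id carried by the PolicyInfo settings of an App Control policy XML;
    # the 3099 event reports the same two strings as PolicyNameBuffer and PolicyIdBuffer.
    param([string]$PolicyXml)
    $x = [xml](Get-Content -Path $PolicyXml -Raw)
    $info = @($x.SiPolicy.Settings.Setting | Where-Object { $_.Provider -eq 'PolicyInfo' -and $_.Key -eq 'Information' })
    [pscustomobject]@{
        Name = ($info | Where-Object ValueName -eq 'Name').Value.String
        Id   = ($info | Where-Object ValueName -eq 'Id').Value.String
    }
}

function Test-DriverBlocklistApplied {
    # The verification on the page: a 3099 event whose PolicyNameBuffer and PolicyIdBuffer
    # match the policy. Other active App Control policies produce their own 3099 events.
    param([string]$PolicyXml)
    $expected = Get-PolicyInfo -PolicyXml $PolicyXml
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $CiLog; Id = 3099 } -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $name = ($data | Where-Object Name -eq 'PolicyNameBuffer').'#text'
        $id   = ($data | Where-Object Name -eq 'PolicyIdBuffer').'#text'
        if ($name -eq $expected.Name -and $id -eq $expected.Id) { return $true }
    }
    return $false
}

function Get-DriverBlockEvents {
    # Review what the policy blocked (3077) or, in audit mode, would have blocked (3076)
    # before moving to enforced. Event IDs and field names are general Code Integrity
    # knowledge, not something the page states; adjust if your event schema differs.
    param([ValidateSet('Audit', 'Enforced')] [string]$Mode, [int]$Days = 7)
    $id = if ($Mode -eq 'Audit') { 3076 } else { 3077 }
    $filter = @{ LogName = $CiLog; Id = $id; StartTime = (Get-Date).AddDays(-$Days) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            File    = ($d | Where-Object Name -eq 'FileNameBuffer').'#text'
            Process = ($d | Where-Object Name -eq 'ProcessNameBuffer').'#text'
        }
    }
}

function Merge-DriverBlocklist {
    # For the merge case on the page: drop the Allow All rules (Allow rules whose FileName
    # is '*') and the FileRuleRef entries that point at them, then merge with ConfigCI.
    param([string]$BlocklistXml, [string]$ExistingPolicyXml, [string]$MergedXml)
    $x = [xml](Get-Content -Path $BlocklistXml -Raw)
    $allowAll = @($x.SiPolicy.FileRules.Allow | Where-Object { $_.FileName -eq '*' })
    $ids = @($allowAll | ForEach-Object { $_.ID })
    foreach ($scenario in @($x.SiPolicy.SigningScenarios.SigningScenario)) {
        $refs = @($scenario.ProductSigners.FileRulesRef.FileRuleRef | Where-Object { $ids -contains $_.RuleID })
        foreach ($ref in $refs) { $null = $ref.ParentNode.RemoveChild($ref) }
    }
    foreach ($rule in $allowAll) { $null = $rule.ParentNode.RemoveChild($rule) }
    $stripped = Join-Path $env:TEMP 'DriverBlocklist_NoAllowAll.xml'
    $x.Save($stripped)
    Merge-CIPolicy -PolicyPaths @($ExistingPolicyXml, $stripped) -OutputFilePath $MergedXml
    ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath ([IO.Path]::ChangeExtension($MergedXml, 'cip'))
}

# Usage: start in audit mode, confirm the 3099 event, then review 3076 events for a week
# before repeating with -Mode Enforced. Paths below are placeholders.
$dir = Join-Path $env:TEMP 'VulnerableDriverBlockList'
Install-DriverBlocklist -Mode Audit -BlocklistDir $dir -RefreshTool (Join-Path $env:TEMP 'RefreshPolicy.exe')
if (-not (Test-DriverBlocklistApplied -PolicyXml (Join-Path $dir 'SiPolicy_Enforced.xml'))) {
    throw 'No 3099 event matched the blocklist policy; it is not active.'
}
Get-DriverBlockEvents -Mode Audit | Format-Table -AutoSize
```

Merge-DriverBlocklist is only for the case the page describes where multiple policies aren't available and the blocklist has to be folded into an existing allowlist policy; on Windows versions that support multiple App Control policies, deploy the blocklist side by side instead and skip it. Test-DriverBlocklistApplied compares the PolicyInfo Name and Id strings rather than the policy GUID because those are the two values the 3099 event carries as PolicyNameBuffer and PolicyIdBuffer.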
For your convenience, we provide a download of the most up-to-date vulnerable driver blocklist, along with instructions to apply it on your computer, at the end of this article.\r\nMicrosoft recommends enabling HVCI or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing App Control for Business policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction and, in rare cases, a blue screen. You should first validate this policy in audit mode and review the audit block events before deploying an enforced version.\r\nImportant\r\nMicrosoft also recommends enabling the Attack Surface Reduction (ASR) rule Block abuse of exploited vulnerable signed drivers to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver that already exists on the system from loading; however, enabling the Microsoft vulnerable driver blocklist or applying this App Control policy does prevent the existing driver from loading.\r\nIf you prefer to apply the vulnerable driver blocklist, follow these steps:\r\n1. Download the App Control policy refresh tool\r\n2. Download and extract the vulnerable driver blocklist binaries\r\n3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b\r\n4. Copy SiPolicy.p7b to %windir%\\system32\\CodeIntegrity\r\n5. Run the App Control policy refresh tool you downloaded in Step 1 above to activate and refresh all App Control policies on your computer\r\nTo check that the policy was successfully applied on your computer:\r\n1. Open Event Viewer\r\n2. Browse to Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational\r\n3. Select Filter Current Log...\r\n4. Replace \"\u003cAll Event IDs\u003e\" with \"3099\" and select OK.\r\n5. You should find a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and ID from the PolicyInfo settings found in the blocklist App Control policy XML in this article. NOTE: Your computer might have more than one 3099 event if other App Control policies are present.\r\nNote\r\nIf any vulnerable drivers that the policy would block are already running, you must reboot your computer for those drivers to be blocked. Running processes aren't stopped when a new App Control policy is activated without a reboot.\r\nThe recommended blocklist XML policy file can be downloaded from the Microsoft Download Center.\r\nThis policy contains Allow All rules. If your version of Windows supports App Control multiple policies, we recommend deploying this policy alongside any existing App Control policies. If you do plan to merge this policy with another policy, remove the Allow All rules before merging if the other policy applies an explicit allowlist. For more information, see Create an App Control Deny Policy.\r\nNote\r\nTo use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. The policies available at the Microsoft Download Center link provided earlier in this article also include versions for Windows Server 2016.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
	],
	"report_names": [
		"microsoft-recommended-driver-block-rules"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438971,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bf5f23b20a5baa06af995e2ec82fbeb64851d2a.pdf",
		"text": "https://archive.orkl.eu/6bf5f23b20a5baa06af995e2ec82fbeb64851d2a.txt",
		"img": "https://archive.orkl.eu/6bf5f23b20a5baa06af995e2ec82fbeb64851d2a.jpg"
	}
}