Microsoft is adding a new driver-blocklist feature to Windows Defender on Windows 10 and 11

Microsoft is adding a new security option to Windows Defender that is meant to help protect against malicious drivers on Windows 10 and 11 devices.
Written by Mary Jo Foley, Senior Contributing Editor
Credit: Microsoft

Microsoft is adding a new Vulnerable Driver Blocklist feature to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer releases. This feature is aimed at helping IT Pros to protect users against malicious and exploitable drivers.

Microsoft Vice President of OS Security and Enterprise David Weston tweeted about the new Windows security option on March 27. 

The feature will be enabled by default on Windows 10 in S Mode, as well as on devices that have the Memory Integrity Core Isolation feature, which relies on virtualization-based security. (This Core Isolation Memory Integrity feature also is known as Hypervisor-protected Code Integrity or HVCI). More details are available in this Microsoft article about recommended driver block rules

This blocking feature will rely on a list of blocked drivers maintained by Microsoft in conjunction with OEM partners. As explained on ghacks.net, the reason these drivers may be marked as blocked is they are known security vulnerabilities that can be exploited to elevate Windows kernel privileges; they act as malware or certificates used to sign malware, or they exhibit behaviors that circumvent the Windows Security Model and can be used to elevate Windows kernel privileges.
I've asked Microsoft whether this new driver-blocking feature will be available on all versions of Windows 10 and 11 and when it will be fully deployed. No word back so far.

Update (March 29): A Microsoft spokesperson said this feature already exists for Windows 10, Windows 11 and Server 2016 and later. The spokesperson didn't specify which SKUs of each of those (or all) are getting this feature. The emailed response: "This security feature is available on Windows 10, Windows 11, and Windows Server 2016 and above. For more information, check out this Microsoft Doc."

In other security-related news, Microsoft announced plans for a new U.S. Government cloud environment -- Office 365 Government Secret -- on March 28. Currently in government review, this new Secret cloud is designed for the U.S. Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and U.S. Government partners working within Secret environments with Microsoft's Software as a Service (SaaS) capabilities for all data classifications. The Office 365 Government Secret cloud environment is built on Microsoft's Azure Government classified environments. 

Editorial standards