deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Microsoft criteria for driver blocks have been updated. WDSI driver submission page is now linked too.

Browse Source
This commit is contained in:
Jordan Geurten 2021-09-30 09:39:22 -07:00
parent ce00ae09a3
commit 8fc109633f
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -33,10 +33,15 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto
- Hypervisor-protected code integrity (HVCI) enabled devices - Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices - Windows 10 in S mode (S mode) devices
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following:
> [!Note] - Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. - Malicious behaviors (i.e. malware) or certificates used to sign malware
- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission).
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>