Just as operating system files and applications can contain security vulnerabilities, so too can hardware device drivers.
Microsoft recently introduced a new feature, Microsoft Vulnerable Driver Blocklist, to address these risks. The feature lets organizations block the use of device drivers known to contain security vulnerabilities. While blocking such drivers might seem like an obvious step toward improving an organization’s overall security, there is an old saying that applies here: Just because you can do something doesn’t mean that you should.
While I don’t want to discourage anyone from blocking vulnerable device drivers, it is important to consider the potential ramifications before doing so.
3 Considerations for Blocking Device Drivers
In a perfect world, blocking vulnerable device drivers would not be a big deal. Once you blocked a device driver, a new and secure driver would be available to take its place. In reality, that just isn’t always the case.
The most obvious risk is losing access to certain hardware devices. This is especially true for legacy hardware that is no longer supported. It is also true for hardware created by lesser-known vendors that might not update their hardware products as frequently as well-known vendors do.
While the idea of losing access to certain hardware devices is certainly an important concern, it is not the only thing to think about. There are two more considerations to weigh before you decide to block vulnerable device drivers.
One such consideration is that there are applications that have embedded device drivers. In my own environment, for example, I have a scanner application that includes embedded device drivers. In addition, I sometimes use a CAD application that has drivers embedded within the application. The odds are slim that you use these particular applications, but applications that ship with embedded device drivers do indeed exist.
When an application has embedded device drivers, it is impossible to decouple the application from the embedded driver (unless the vendor happens to have a solution for this). As such, blocking vulnerable device drivers could potentially cause these types of applications to stop working.
The third thing to consider is that Microsoft has acknowledged that blocking vulnerable device drivers can, on rare occasions, cause Windows to produce a “Blue Screen of Death” error.
As I mentioned earlier, I’m not trying to discourage anyone from taking the initiative to block vulnerable device drivers. After all, eliminating security vulnerabilities is usually a good thing. My point is that before you begin to block vulnerable device drivers on production systems, it is extremely important to first test the configuration in a lab environment.
How to Use Microsoft Vulnerable Driver Blocklist
Now that I have discussed some of the potential adverse effects of blocking device drivers, you may be wondering how the process works.
Microsoft only recently introduced Microsoft Vulnerable Driver Blocklist, so run Windows Update to make sure that you have the latest Windows build. Incidentally, the Microsoft Vulnerable Driver Blocklist feature will be supported for use with Windows 10 and 11, as well as Windows Server 2016 and 2022. You must have hypervisor-protected code integrity (HVCI) enabled on the device to use the feature.
To find Microsoft Vulnerable Driver Blocklist, go to the Windows Security app. Once there, click on Device Security, followed by Core Isolation. You will see a toggle switch to turn the Microsoft Vulnerable Driver Blocklist on or off.
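The following PowerShell is an added pre-flight check, not code from the article or from Microsoft: it confirms that HVCI is running, reads the current state of the blocklist toggle, inventories non-Microsoft drivers so you know which hardware and driver-bundling applications could be affected, and then looks for Code Integrity block events after you flip the switch. The registry value name and the Code Integrity event IDs are assumptions based on Microsoft's WDAC documentation; verify them on your build, and run this on a lab machine first, as the article advises.

```powershell
# Added pre-flight check (not from the article). Run in an elevated PowerShell
# session on a lab machine before enabling the blocklist on production systems.

# 1. Is hypervisor-protected code integrity (HVCI) actually running?
#    Win32_DeviceGuard reports running services; value 2 means HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"HVCI running: $hvciRunning"

# 2. Current state of the blocklist toggle. The registry path and value name
#    are assumptions taken from Microsoft's WDAC documentation; verify on your build.
$ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = (Get-ItemProperty -Path $ciPath -Name VulnerableDriverBlocklistEnable `
           -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"Blocklist toggle: $(if ($null -eq $toggle) { 'not set' } else { $toggle })"

# 3. Inventory drivers not provided by Microsoft. Legacy hardware and
#    applications that embed their own drivers show up here, so this is the
#    list to test against in the lab before rolling the blocklist out.
Get-CimInstance -ClassName Win32_PnPSignedDriver |
  Where-Object { $_.DriverProviderName -and $_.DriverProviderName -notmatch 'Microsoft' } |
  Select-Object DeviceName, DriverProviderName, DriverVersion, InfName |
  Sort-Object DriverProviderName, DeviceName -Unique |
  Format-Table -AutoSize

# 4. After enabling the toggle, watch the Code Integrity log for drivers that
#    were blocked (3077) or would have been blocked in audit mode (3076).
#    Event IDs are assumptions from WDAC documentation.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 20 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message |
  Format-List
```

Any device or application whose driver appears in step 3 and then shows up in the step 4 events is the one to fix or replace before enabling the blocklist fleet-wide.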
Microsoft vice president of enterprise and OS security David Weston shared a preview of the interface in a Twitter post in late March.