🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Microsoft’s vulnerable driver blocklist is implemented.

| Property | Value |
|---|---|
| ISM Control | ISM-1659 |
| Revision | 1 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | Operating system hardening |
| Topic | Application control |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Microsoft’s vulnerable driver blocklist is implemented to stop known-vulnerable kernel drivers from loading, reducing the risk of kernel-mode malware and of privilege escalation through bring-your-own-vulnerable-driver techniques. The control is enforced through WDAC policies managed in Intune, following Microsoft guidance to deploy the vulnerable driver blocklist across devices.[1][2] On Windows 11 22H2 and later the blocklist is enabled by default on all devices and can normally be toggled in Windows Security → Core isolation; when Memory integrity (HVCI), Smart App Control, or S mode is active it is enforced unconditionally, and the toggle is greyed out and cannot be turned off.[3]

There are two enforcement mechanisms, plus a complementary ASR rule:

| Mechanism | How it works | When to use |
|---|---|---|
| HVCI (Memory integrity) | The kernel-mode blocklist is enforced from the hypervisor-isolated environment. Applied automatically; no policy authoring needed. | On by default on most new Windows 11 devices. Enable via Windows Security → Core isolation → Memory integrity. |
| WDAC policy blocklist | Deny rules inside a WDAC XML policy deployed via Intune. Works independently of HVCI, so it covers older hardware and Windows 10 devices that cannot run VBS. | Required when HVCI is not available. Use the Recommended_Driver_Blocklist.xml template from the WDAC Policy Wizard. |
| ASR rule (complementary) | "Block abuse of exploited vulnerable signed drivers" stops applications from writing vulnerable signed drivers to disk. GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5. It does not block a driver that is already on disk or already loaded. | Layer on top of HVCI/WDAC; it raises AsrVulnerableSignedDriverAudited / AsrVulnerableSignedDriverBlocked action types in Advanced Hunting (DeviceEvents). |

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The Microsoft vulnerable driver blocklist will be enabled via Intune device security settings. The WDAC configuration will include the Microsoft vulnerable driver blocklist and will be enforced through Intune management.

Prerequisites

Implementation Steps

Turn on Microsoft vulnerable driver blocklist in Intune device security settings

  1. Sign in to the Intune admin center.[2]
  2. Go to Devices > Configuration profiles and select Create profile. Choose Platform: Windows 10 and later, Profile type: Templates, then Custom.[2]
  3. Give the policy a name (for example, ‘Application Control - Microsoft Allow – Audit’) and select Next.[2]
  4. Under OMA-URI Settings, select Add. The URI embeds the Policy ID from the policy XML generated by the App Control Policy Wizard (the XML created under “Create Audit Policy”); the GUID below is that example’s Policy ID, so substitute your own: Name = Microsoft Allow Audit; OMA-URI = ./Vendor/MSFT/ApplicationControl/Policies/CB46B243-C19C-4870-B098-A2080923755C/Policy; Data type = Base64 (File).[2]
  5. When the App Control Policy Wizard generated the policy XML, it also created a binary .cip file. Copy the .cip file and rename its extension to .bin, for example {CB46B243-C19C-4870-B098-A2080923755C}.bin.[2]
  6. Upload the .bin file as the Base64 (File) value.[2] The same profile type deploys the driver blocklist policy; only the Policy ID and the uploaded file differ.
  7. Select Save and follow the prompts to create the configuration profile, then assign it to the intended device group(s).[2]
  8. If any vulnerable drivers are already loaded that the policy would block, the device must be rebooted before they are blocked; a policy refresh does not unload a running driver.[1]
  9. Activate and refresh all App Control policies on the device by running the App Control policy refresh tool (RefreshPolicy(AMD64).exe) downloaded from Microsoft; on Windows 11 22H2 and later the built-in CiTool.exe --refresh does the same.[1]
  10. To verify that the policy loaded, open Event Viewer and browse to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational. Select Filter Current Log…, replace <All Event IDs> with 3099 and select OK. Event 3099 records each policy that Code Integrity activated.
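Steps 4 to 6 and 9 above can be scripted so that the Policy ID, the .bin upload and the OMA-URI are derived from the XML rather than typed by hand. The following PowerShell is an added example, not code from the Essential 8 Guide or from Microsoft; the XML path and output folder are assumptions, ConvertFrom-CIPolicy is the built-in ConfigCI cmdlet, and CiTool.exe is present only on Windows 11 22H2 and later.

```powershell
# Added example (not from the Essential 8 Guide): turn a WDAC policy XML into the
# artifacts the Intune custom OMA-URI profile needs, and optionally test it locally.
# Assumptions: -PolicyXml is a hypothetical path; ConvertFrom-CIPolicy is the built-in
# ConfigCI cmdlet; CiTool.exe exists on Windows 11 22H2 and later.
param(
    [Parameter(Mandatory)] [string] $PolicyXml,           # e.g. .\Recommended_Driver_Blocklist.xml (assumed)
    [string] $OutDir = (Join-Path $PWD 'wdac-out'),
    [switch] $ApplyLocally                                 # test on this machine before the Intune rollout
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Read the Policy ID from the XML. Multiple-policy-format files carry it in
#    <SiPolicy><PolicyID>; the OMA-URI must use exactly this GUID.
[xml] $doc = Get-Content -LiteralPath $PolicyXml -Raw
$policyId = $doc.SiPolicy.PolicyID
if (-not $policyId) {
    throw 'No <PolicyID> found: single-policy-format XML cannot be deployed through the ApplicationControl CSP.'
}
$guid = $policyId.Trim('{', '}')   # the CSP URI takes the bare GUID; the file name keeps the braces

# 2. Compile the XML to a binary policy. .cip is the conventional extension, but
#    Intune's Base64 (File) setting only accepts .bin, so write both names.
$cip = Join-Path $OutDir "$policyId.cip"
$bin = Join-Path $OutDir "$policyId.bin"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $cip | Out-Null
Copy-Item -LiteralPath $cip -Destination $bin -Force

# 3. Emit the values to paste into the custom profile, plus a hash of what was shipped.
[pscustomobject]@{
    PolicyID   = $policyId
    OmaUri     = "./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
    DataType   = 'Base64 (File)'
    UploadFile = $bin
    Sha256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $bin).Hash
} | Format-List

# 4. Optional local test (elevated prompt): apply and activate without waiting for Intune.
#    A driver that is already loaded stays loaded until the next reboot.
if ($ApplyLocally) {
    $citool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
    & $citool --update-policy $cip --json | Out-Null
    & $citool --refresh --json | Out-Null
    Write-Host "Policy $policyId applied; reboot to unload any already-running blocked driver."
}
```

Run it as `.\Build-WdacArtifacts.ps1 -PolicyXml .\policy.xml` (script name assumed) and upload the reported .bin under the reported OMA-URI; add `-ApplyLocally` on a test device to confirm the policy loads (event 3099) before assigning the profile.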

Verify the blocklist is active

  1. Check the registry:

    reg query HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable
    

    Value 0x1 = enabled; 0x0 = disabled. If the value is absent, the platform default applies (enabled on Windows 11 22H2 and later).

  2. Check HVCI / Device Guard status (the class lives in the DeviceGuard namespace):

    Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    

    Confirm SecurityServicesRunning contains 2 (HVCI running) and, where a WDAC policy is deployed, CodeIntegrityPolicyEnforcementStatus = 2 (enforced; 1 = audit only, 0 = no kernel-mode policy).
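The two checks above, plus the list of policies Code Integrity has actually loaded, can be collected into one posture object for a fleet check. This PowerShell is an added example, not part of the Essential 8 Guide; the citool JSON field names (Policies, PolicyID, FriendlyName, IsEnforced) are assumed from the output seen on Windows 11 22H2 and later and should be confirmed on your build.

```powershell
# Added example (not from the Essential 8 Guide): one-shot ISM-1659 posture check.
# Assumption: citool --list-policies --json returns an object with a Policies array whose
# items expose PolicyID, FriendlyName and IsEnforced; adjust if your build differs.
function Get-DriverBlocklistPosture {
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $config -Name VulnerableDriverBlocklistEnable `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI; both may be present.
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (kernel-mode WDAC policy).
    $wdacKernel = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    # Policies Code Integrity has loaded (Windows 11 22H2+ only; older builds lack CiTool).
    $policies = @()
    $citool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
    if (Test-Path $citool) {
        $json = & $citool --list-policies --json | ConvertFrom-Json
        $policies = @($json.Policies | ForEach-Object {
            [pscustomobject]@{ PolicyID = $_.PolicyID; Name = $_.FriendlyName; Enforced = $_.IsEnforced }
        })
    }

    [pscustomobject]@{
        BlocklistRegistry = if ($null -eq $blocklist) { 'Not set (platform default)' }
                            elseif ($blocklist -eq 1) { 'Enabled' } else { 'Disabled' }
        HvciRunning       = $hvciRunning
        KernelWdacMode    = $wdacKernel
        ToggleLockedOn    = $hvciRunning   # with HVCI on, the Core isolation toggle cannot be turned off
        ActivePolicies    = $policies
    }
}

$posture = Get-DriverBlocklistPosture
$posture | Format-List
$posture.ActivePolicies | Format-Table -AutoSize

# Compliance verdict: at least one enforcing mechanism must be present.
$satisfied = $posture.BlocklistRegistry -eq 'Enabled' -or $posture.HvciRunning -or $posture.KernelWdacMode -eq 'Enforced'
if (-not $satisfied) {
    Write-Warning 'ISM-1659 not satisfied: no enforcing blocklist mechanism detected on this device.'
}
```

An audit-only WDAC policy (KernelWdacMode = Audit) with HVCI off and the registry value at 0 is the configuration that looks deployed but blocks nothing; the verdict line is written so that exactly that case produces the warning.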

Monitor enforcement events

| Event log | Event ID | Meaning |
|---|---|---|
| Microsoft-Windows-Windows Defender/Operational | 1121 | ASR rule blocked (vulnerable signed driver write blocked) |
| Microsoft-Windows-Windows Defender/Operational | 1122 | ASR rule audited (would have been blocked in block mode) |
| Microsoft-Windows-CodeIntegrity/Operational | 3023 | Driver failed WDAC policy validation (blocked) |
| Microsoft-Windows-CodeIntegrity/Operational | 3076 | Audit event: driver would have been blocked |
| Microsoft-Windows-CodeIntegrity/Operational | 3077 | Enforcement event: driver was blocked |
| Microsoft-Windows-CodeIntegrity/Operational | 3089 | Signature information for a blocked driver (logged alongside the 3076/3077 it belongs to) |
| Microsoft-Windows-CodeIntegrity/Operational | 3099 | Policy activated (confirms the deployed policy loaded) |
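The table above is easier to act on when the events are pulled together and rolled up per driver: repeated 3076 audit hits for one file name identify a driver to remove before the policy is switched to enforce. This PowerShell is an added example, not code from the Essential 8 Guide; the event-data field names it reads (FileNameBuffer and ProcessNameBuffer for CodeIntegrity, Path, Process Name and ID for ASR) are assumed from event XML observed on Windows 11 and the helper falls back to "(n/a)" when a field is absent.

```powershell
# Added example (not from the Essential 8 Guide): collect blocklist enforcement events from
# both logs and summarise them per driver.
# Assumption: EventData field names below match the event XML on your build; missing
# fields are reported as "(n/a)" rather than failing.
function Get-BlocklistEvents {
    param([int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    $meaning = @{
        1121 = 'ASR blocked vulnerable driver write'
        1122 = 'ASR audited vulnerable driver write'
        3023 = 'Driver failed WDAC validation (blocked)'
        3076 = 'WDAC audit: driver would be blocked'
        3077 = 'WDAC enforced: driver blocked'
        3089 = 'Signature info for blocked driver'
    }
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3023, 3076, 3077, 3089; StartTime = $since }
    )

    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when a filter matches nothing.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a name -> value table.
            $data = @{}
            ([xml] $_.ToXml()).Event.EventData.Data | ForEach-Object {
                if ($_ -is [System.Xml.XmlElement] -and $_.Name) { $data[$_.Name] = $_.'#text' }
            }
            $file = $data['FileNameBuffer'];    if (-not $file) { $file = $data['Path'] }
            $proc = $data['ProcessNameBuffer']; if (-not $proc) { $proc = $data['Process Name'] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $meaning[$_.Id]
                Driver  = if ($file) { $file } else { '(n/a)' }
                Process = if ($proc) { $proc } else { '(n/a)' }
                AsrRule = $data['ID']   # populated only for 1121/1122 (expect 56a863a9-875e-4185-98a7-b882c64b5ce5)
            }
        }
    }
}

$events = Get-BlocklistEvents -Days 30
$events | Sort-Object Time -Descending | Format-Table -AutoSize

# Roll-up by driver: a file seen only in 3076 is a pending block, one seen in 3077/3023 is already enforced.
$events | Where-Object Id -in 3023, 3076, 3077 | Group-Object Driver |
    Select-Object @{ n = 'Driver'; e = { $_.Name } }, Count,
                  @{ n = 'Enforced'; e = { ($_.Group.Id -contains 3077) -or ($_.Group.Id -contains 3023) } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt, since both logs require administrator access to read; widen `-Days` to cover at least one full patch cycle when deciding whether an audit-mode policy is ready to be enforced.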