Microsoft’s vulnerable driver blocklist is implemented
Use Microsoft's blocklist to stop vulnerable drivers from running.
Plain language
This control means using Microsoft's list of blocked drivers to protect your computer systems. Vulnerable drivers can let bad actors take control of your devices, so it's essential to block them. This step helps keep your business safe from potential harm caused by malicious software.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Microsoft’s vulnerable driver blocklist is implemented.
Why it matters
Without this blocklist, compromised systems may run malicious drivers, risking data breaches and operational disruption.
Operational notes
Regularly check for updates to Microsoft's vulnerable driver blocklist so newly identified risky drivers are blocked promptly.
Implementation tips
- The IT team should review all currently installed drivers on company devices to ensure none are on the vulnerable list. This can be done using Microsoft's tools to compare the list of installed drivers against the blocklist.
- The system administrator should update all company computers to ensure they receive the latest Microsoft blocklists. This involves configuring the system settings to automatically update driver policies.
- The security officer should regularly check for updates to Microsoft's blocklist and implement these updates across the organisation. This can be done by setting a schedule to download and verify the latest blocklists from Microsoft.
- IT staff should configure application control solutions such as AppLocker or Windows Defender to enforce the Microsoft blocklist. This involves setting the correct rules within the software to ensure blocked drivers cannot be executed.
- The IT department should ensure that all application control policies are enforced on all devices, including workstations and servers, to prevent unauthorised driver execution.
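
The driver review in the first tip can be sketched as below. This is an added example, not code from this page or from Microsoft. It assumes a simplified policy XML modelled on an application control deny-rule layout; the element and attribute names, hostnames, file names, hashes and versions are all assumptions or constructed sample values.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the simplified policy layout used in this example.
NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy: one hash-based and one version-based deny rule.
POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_HASH" FriendlyName="example-a.sys hash" Hash="AA11BB22CC33"/>
    <Deny ID="ID_DENY_EXAMPLE_VER" FileName="example-b.sys" MaximumFileVersion="2.1.0.0"/>
  </FileRules>
</SiPolicy>"""

# Constructed driver inventory, as an endpoint management export might provide it.
INVENTORY = [
    {"host": "WS-01", "file": "example-a.sys", "version": "1.0.0.0", "hash": "aa11bb22cc33"},
    {"host": "WS-01", "file": "example-b.sys", "version": "2.1.0.0", "hash": "DD44"},
    {"host": "SRV-02", "file": "EXAMPLE-B.SYS", "version": "2.2.0.0", "hash": "EE55"},
    {"host": "SRV-02", "file": "example-c.sys", "version": "1.0.0.0", "hash": "FF66"},
]

def parse_version(text):
    # "2.1.0.0" -> (2, 1, 0, 0) so versions compare numerically, not as strings.
    return tuple(int(part) for part in text.split("."))

def load_deny_rules(xml_text):
    # Normalise case once: hashes upper, file names lower.
    rules = []
    for el in ET.fromstring(xml_text).findall("./si:FileRules/si:Deny", NS):
        max_v = el.get("MaximumFileVersion")
        rules.append({
            "id": el.get("ID"),
            "hash": (el.get("Hash") or "").upper() or None,
            "name": (el.get("FileName") or "").lower() or None,
            "max_version": parse_version(max_v) if max_v else None,
        })
    return rules

def rule_matches(rule, driver):
    # Hash rules match exactly; name rules match at or below the maximum version.
    if rule["hash"]:
        return driver["hash"].upper() == rule["hash"]
    if rule["name"] and driver["file"].lower() == rule["name"]:
        return rule["max_version"] is None or parse_version(driver["version"]) <= rule["max_version"]
    return False

def find_blocked(rules, inventory):
    # One (host, file, rule id) tuple per installed driver that a deny rule covers.
    return [(d["host"], d["file"], r["id"]) for d in inventory for r in rules if rule_matches(r, d)]
```

On the sample data, `find_blocked(load_deny_rules(POLICY_XML), INVENTORY)` flags both drivers on WS-01 and neither on SRV-02, because the copy of `example-b.sys` there is newer than the rule's maximum version.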
Audit / evidence tips
- Ask: Have all devices in the organisation implemented Microsoft’s vulnerable driver blocklist?
  Good: Systems show active settings that align with the latest Microsoft driver blocklist policy
- Ask: How frequently are updates to the blocklist applied across the organisation?
  Good: Records indicate blocklist updates are applied within a week of release
- Ask: What procedures are in place to check for compliance?
  Good: Audit logs detail regular checks and confirm compliance across all devices
Cross-framework mappings
How E8-AC-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 8.8 | E8-AC-ML3.3 requires a specific measure: enabling Microsoft’s vulnerable driver blocklist to reduce exposure to driver vulnerabilities |
| Supports (1) | Annex A 8.19 | E8-AC-ML3.3 requires implementing Microsoft’s vulnerable driver blocklist to stop vulnerable drivers from running on Windows systems |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps (4) | ISM-0298 | E8-AC-ML3.3 requires implementing Microsoft’s vulnerable driver blocklist to prevent execution of known vulnerable drivers |
| Partially overlaps (4) | ISM-1163 | E8-AC-ML3.3 requires enabling Microsoft’s vulnerable driver blocklist to stop vulnerable drivers from executing |
| Partially overlaps (4) | ISM-1492 | E8-AC-ML3.3 requires implementing Microsoft’s vulnerable driver blocklist to prevent exploitation via known vulnerable kernel drivers |
| Partially overlaps (4) | ISM-1703 | E8-AC-ML3.3 requires organisations to implement Microsoft’s vulnerable driver blocklist to stop known vulnerable drivers from running |
| Supports (4) | ISM-1143 | E8-AC-ML3.3 requires implementing Microsoft’s vulnerable driver blocklist as a preventative control against vulnerable drivers |
| Supports (4) | ISM-1643 | E8-AC-ML3.3 requires implementation of Microsoft’s vulnerable driver blocklist to prevent use of known-bad drivers |
| Supports (4) | ISM-1697 | ISM-1697 requires patching non-critical driver vulnerabilities within one month when no working exploits exist |
| Supports (4) | ISM-1808 | E8-AC-ML3.3 requires implementation of Microsoft’s vulnerable driver blocklist to prevent vulnerable drivers executing |
| Related (1) | ISM-1659 | E8-AC-ML3.3 requires organisations to implement Microsoft’s vulnerable driver blocklist to prevent known vulnerable drivers from loading ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.