Implement Microsoft's Vulnerable Driver Blocklist
Use Microsoft's list to stop harmful drivers from running on systems.
Plain language
Microsoft's vulnerable driver blocklist is a tool that helps stop problematic software drivers from running on your computer systems. If these drivers aren't blocked, they can let viruses or hackers into your system, potentially causing personal data theft, financial loss, or business disruption.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Microsoft's vulnerable driver blocklist is implemented.
Why it matters
Unblocked vulnerable Windows drivers can be abused to gain kernel access, bypass EDR, and cause data breaches or outages.
Operational notes
Keep Microsoft's vulnerable driver blocklist enabled, update it via Windows updates, and validate blocked driver events in logs/EDR.
Implementation tips
- The IT team should regularly update their systems with the latest blocklist from Microsoft. This can be done by enabling Windows Update, which automatically downloads and installs the latest list as part of security updates.
- A manager or system owner should ensure that any third-party tools used in the organisation adhere to Microsoft's security practices, including how they handle drivers. They can do this by confirming with vendors that the tools are compliant with Microsoft’s blocklist policy.
- System owners should hold a quarterly review session with the IT team to confirm that Microsoft's blocklist is applied on all company computers. This involves checking system settings and update logs for evidence of the blocklist being active.
- IT managers should train staff on identifying and avoiding the installation of questionable drivers. This can be done by organising workshops or providing training material explaining the risks associated with harmful drivers.
- The HR department should work with IT to incorporate blocklist policy into the onboarding process. This ensures new employees understand the importance of not bypassing security measures related to driver installations.
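One way to gather the evidence the operational notes and the quarterly review tip call for, as an added PowerShell example that is not part of the ISM or of this page's original text. The function name is hypothetical, and the use of event ID 3077 for enforced blocks is an assumption to confirm in your environment.

```powershell
# Added example: evidence that the vulnerable driver blocklist is active.
# Run in an elevated PowerShell session on the host under review.
function Get-DriverBlocklistEvidence {   # hypothetical helper name
    [CmdletBinding()]
    param([int]$Days = 90)               # look-back window for block events

    # Registry value behind the "Microsoft Vulnerable Driver Blocklist" toggle
    # in Windows Security > Device security > Core isolation.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $setting  = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue

    # A missing value is not proof of failure: the blocklist is also enforced
    # when memory integrity (HVCI), Smart App Control or S mode is active.
    $state = 'NotConfigured'
    if ($null -ne $setting) {
        $state = if ($setting.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    # The blocklist ships with Windows updates, so record the latest one installed.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Assumption: enforced Code Integrity blocks are logged as event ID 3077 in
    # this channel; confirm which IDs your Windows build and EDR actually emit.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $blocks = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CollectedAt      = Get-Date -Format 'o'
        BlocklistSetting = $state
        LastUpdateId     = $lastFix.HotFixID
        LastUpdateDate   = $lastFix.InstalledOn
        BlockEvents      = $blocks.Count
        LatestBlock      = ($blocks | Select-Object -First 1).TimeCreated
    }
}

Get-DriverBlocklistEvidence | Format-List
```

Collect the output from each system with your existing remote management tooling and keep it with the quarterly review records.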
Audit / evidence tips
- Ask: a report from the IT team that lists systems where the blocklist is implemented
  Good: Logs indicating regular updates with timestamps matching recent blocklist updates
- Good: Signed vendor documents or emails stating compliance with blocklist policies
- Ask: to see the meeting records where driver security was discussed
  Good: Dated notes with attendees and action items focusing on blocklist checks
- Good: Detailed materials covering risks of bad drivers and steps to report suspicious activities
- Ask: to see the onboarding checklist from HR
  Good: A checklist that includes steps to inform new hires about the blocklist and driver security protocols
Cross-framework mappings
How ISM-1659 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 8.7 | ISM-1659 requires organisations to implement Microsoft’s Vulnerable Driver Blocklist to reduce the chance malware or attackers can use vu... | |
| Annex A 8.8 | ISM-1659 requires organisations to implement Microsoft’s Vulnerable Driver Blocklist as a specific technical measure to reduce exposure t... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AC-ML2.3 | E8-AC-ML2.3 requires implementing Microsoft’s recommended application blocklist to prevent execution of risky user-mode applications | |
| Related (1) | | |
| E8-AC-ML3.3 | E8-AC-ML3.3 requires organisations to implement Microsoft’s vulnerable driver blocklist to prevent known vulnerable drivers from loading ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.