GNU social JP
GNU social JP is a Japanese GNU social server.

The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.

Download link

https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/263/831/243/704/491/original/9698eeaa0dc836cb.png

Notices where this attachment appears

  1. Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:13 JST

    One of the 3 vulnerabilities that I've outlined is that the on-endpoint driver blocklist is a differently-maintained list than the online list.
    Am I being pedantic and nit-picking here?

    Per MSRC, the discrepancy is intentional:

    Lastly, regarding the Online Driver Blocklist, the online list is supposed to be a superset

    Let's say that theoretically this is not a lie...
    1) How well known is it that the online Microsoft recommended driver block rules list is intentionally a superset of what endpoints see? The language in the online blocklist clearly says that the blocklist gets put on endpoints via Windows Update. 🤔

    2) Let's pick a sample driver used by the years-old exploit KDU. Driver number 1 provided by this tool is RTCore64.sys.
    This driver is definitely in the online Microsoft recommended driver block rules list. Let's test it out in a Windows 11 with the "Microsoft Vulnerable Driver Blocklist" option enabled.
    Oh... it loads? And it allows us to disable driver signature verification?
    This seems less than ideal.

    Tell me, oh internet public, why might Microsoft intentionally choose to allow a years-old public exploit to continue to work?

    Oh, right. It's easier to blow off a researcher with a "this is intentional" as opposed to actually reading the report that they submitted and addressing the problem. 🤦♂️

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.