Further investigation of the endpoint's driver blocklist being out of sync with the online one:
If we count Authentihash, filename/version, and code signer entries, a February-2025-patched Win11 box has 1818 entries, while the online Microsoft recommended driver block rules list has 1906. The fact that the online list is more up to date than a thing that gets pushed out on Patch Tuesday is expected, right?
Wouldn't we be so lucky.
If we compare the online driver blocklist vs. the blocklist on fully patched Win11 endpoints and ignore the entries added in December 2024 (which are presumably not present because they're too new) we can break down the missing hashes:
Authentihash:
9 are 2 years old
3 are 1.8 years old
Signer:
3 are 2.4 years old
I'm only comfortable with one of those entries not (yet) being on Windows endpoints. What is the excuse for the rest? If Microsoft is going to maintain two different driver block lists (why?), perhaps it would be wise to do a good job of it? You know, to maybe check that they're in sync? 🤦♂️
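One way to do the comparison described above, as an added example that is not code from the original post: both lists are App Control (WDAC) SiPolicy XML documents, so the Deny rules can be split into the same three buckets (Authentihash, filename/version, signer) and diffed. The script assumes the endpoint copy has already been exported to XML by some other means (the post does not say how the author obtained it), and the two embedded policies are constructed test data, not the real block rules. The `policy()` builder, the hash values and the signer names are all hypothetical.

```python
# Added example (not from the original post): classify and diff the Deny entries
# of two App Control / WDAC policy XML files. Assumes both the online
# "recommended driver block rules" and the endpoint's copy are SiPolicy XML.
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}


def deny_entries(xml_text):
    """Return a policy's block entries grouped by Authentihash, FileName and Signer."""
    root = ET.fromstring(xml_text)
    hashes, files, signers = set(), set(), set()

    for deny in root.findall(".//si:FileRules/si:Deny", NS):
        if deny.get("Hash"):
            # One blocked driver usually contributes several hash rules
            # (SHA1/SHA256, full and page hash); each distinct value counts once.
            hashes.add(deny.get("Hash").upper())
        elif deny.get("FileName"):
            files.add((deny.get("FileName").lower(),
                       deny.get("MinimumFileVersion", ""),
                       deny.get("MaximumFileVersion", "")))

    # Only signers referenced from a DeniedSigners element are block rules;
    # the <Signers> section of a policy can also hold allow signers.
    denied_ids = {d.get("SignerId")
                  for d in root.findall(".//si:DeniedSigners/si:DeniedSigner", NS)}
    for signer in root.findall(".//si:Signers/si:Signer", NS):
        if signer.get("ID") not in denied_ids:
            continue
        root_cert = signer.find("si:CertRoot", NS)
        publisher = signer.find("si:CertPublisher", NS)
        signers.add((root_cert.get("Value", "").upper() if root_cert is not None else "",
                     publisher.get("Value", "") if publisher is not None else ""))

    return {"Authentihash": hashes, "FileName": files, "Signer": signers}


def counts(xml_text):
    """Per-bucket entry counts, the way the post totals them (1906 vs 1818)."""
    return {kind: len(v) for kind, v in deny_entries(xml_text).items()}


def missing_from(reference_xml, endpoint_xml):
    """Entries present in reference_xml (the online list) but absent from endpoint_xml."""
    ref, local = deny_entries(reference_xml), deny_entries(endpoint_xml)
    return {kind: sorted(ref[kind] - local[kind]) for kind in ref}


def policy(hashes, file_rules, signers):
    """Build a minimal SiPolicy document. Constructed test data, not a real list."""
    file_rules_xml = "".join(
        f'<Deny ID="ID_DENY_H_{i}" FriendlyName="h{i}" Hash="{h}"/>'
        for i, h in enumerate(hashes))
    file_rules_xml += "".join(
        f'<Deny ID="ID_DENY_F_{i}" FriendlyName="f{i}" FileName="{n}" MaximumFileVersion="{v}"/>'
        for i, (n, v) in enumerate(file_rules))
    signers_xml = "".join(
        f'<Signer ID="ID_SIGNER_{i}" Name="s{i}"><CertRoot Type="TBS" Value="{tbs}"/>'
        f'<CertPublisher Value="{pub}"/></Signer>'
        for i, (tbs, pub) in enumerate(signers))
    denied_xml = "".join(f'<DeniedSigner SignerId="ID_SIGNER_{i}"/>'
                         for i in range(len(signers)))
    return (f'<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">'
            f'<FileRules>{file_rules_xml}</FileRules><Signers>{signers_xml}</Signers>'
            f'<SigningScenarios><SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1">'
            f'<ProductSigners><DeniedSigners>{denied_xml}</DeniedSigners></ProductSigners>'
            f'</SigningScenario></SigningScenarios></SiPolicy>')


# Constructed sample: the "online" list has one hash and one signer the endpoint lacks.
ONLINE = policy(["AA" * 32, "BB" * 32, "CC" * 32],
                [("bad.sys", "65535.65535.65535.65535")],
                [("11" * 20, "CN=Vendor A"), ("22" * 20, "CN=Vendor B")])
ENDPOINT = policy(["AA" * 32, "BB" * 32],
                  [("bad.sys", "65535.65535.65535.65535")],
                  [("11" * 20, "CN=Vendor A")])

if __name__ == "__main__":
    print("online:  ", counts(ONLINE))
    print("endpoint:", counts(ENDPOINT))
    for kind, entries in missing_from(ONLINE, ENDPOINT).items():
        print(f"missing {kind}: {len(entries)}")
```

Run against the real files, `missing_from(online_xml, endpoint_xml)` gives the per-bucket gap; the ages quoted above are not in the XML itself and have to come from the published change history of the online list.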