Dormann says in a September Twitter thread that he was able to successfully download a malicious driver on an HVCI-enabled device despite the driver being on Microsoft’s blocklist. He subsequently determined that Microsoft’s blocklist had not been updated since 2019 and that Microsoft’s attack surface reduction (ASR) capabilities were also ineffective against rogue drivers. This implies that for the last three years, any device with HVCI enabled has not been protected against harmful drivers.
