whitelist a driver

[westyles]

Hello.
Is there any way to whitelist a old driver that has been blocked WDAC by MS default?
The driver is now blocked because of a leaked certificate, and I don't want to remove all the blocking or testsignining ON mode.

[HotCakeX]

Hi,
The Microsoft recommended driver block rules are digitally signed by MSFT so we can't add supplemental policies to them since we don't have the private key of their certificate, so modifying it isn't an option. But we still have other options.

If you really want to run that vulnerable driver, first disable the block list in Microsoft defender -> Device Security

It's grayed out because of this

and it will remain that way until you turn off Secure boot in your UEFI settings, then perform a restart, deactivate Memory Integrity, restart again, and then disable the vulnerable block list. The additional restarts are due to the UEFI lock mechanism.

Now you need to grab the block list from here, save it as XML file, remove the rules responsible for blocking your driver, then convert it to .CIP file using ConvertFrom-CIPolicy and deploy it. You can even generate a certificate using Build-WDACCertificate and then deploy it using Deploy-SignedWDACConfig.

[westyles]

Thanks for the detailed answer!
It turns out that it can only be replaced with its own rules, first disabling security and those MS rules.
And after these changes, is it possible to re-enable secure boot or something else?

[HotCakeX]

Yes, you can enable secure boot again without turning on memory integrity. You can also set this policy to "Disabled" so it won't automatically be turned on later