Hi Anadi,
The quickest and most reliable method is to query the Code Integrity operational log, which records every driver that blocks Memory Integrity (HVCI). Microsoft logs Event ID 3087 and related Code Integrity events containing the full driver path, file name, and signing information when a driver is incompatible with HVCI. This is the same data that Windows Security uses to populate the "Review incompatible drivers" list.
On an affected machine, run:
```powershell
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
    Where-Object { $_.Id -in 3087,3023,3024,3033,3063 } |
    Select-Object TimeCreated, Id, Message
```
If Windows Security already identified incompatible drivers, you can enumerate them directly from the driver store and extract publisher information:
```powershell
pnputil /enum-drivers
```
For a specific driver:
```powershell
# Replace <driver> with the driver's file name
Get-AuthenticodeSignature "C:\Windows\System32\drivers\<driver>.sys" |
    Select-Object Status, SignerCertificate
```
For large-scale reporting, I typically use:
```powershell
Get-CimInstance Win32_PnPSignedDriver |
    Select DeviceName, DriverProviderName, DriverVersion, InfName
```
This gives you the provider, version, and INF package name, which is much safer for scripted removal than deleting .sys files directly. Once you've identified the offending package, remove it with `pnputil /delete-driver <oemxx.inf> /uninstall /force` and then re-test HVCI. Avoid deleting driver binaries from System32\drivers manually, as that can leave orphaned driver store entries and cause servicing issues.
Hope it helps!
Harry.
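
The following is an added example, not part of Harry's reply: it combines the event query and the signature check from the answer into one per-driver report. It assumes the driver path appears in the event message text as a space-free path ending in `.sys`, and that NT device paths (`\Device\HarddiskVolumeN\...`) refer to the system volume.

```powershell
# Added example: one row per driver named in the Code Integrity events.
$ids = 3087, 3023, 3024, 3033, 3063   # event IDs listed in the answer above

# Filter at the source instead of piping the whole log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = $ids
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Assumption: the message contains a path ending in .sys with no spaces.
    if ($e.Message -notmatch '(?i)((?:[a-z]:)?\\[^\s"]*?\.sys)') { continue }
    # Assumption: a \Device\HarddiskVolumeN prefix refers to the system volume.
    $path = $Matches[1] -replace '(?i)^\\Device\\HarddiskVolume\d+', $env:SystemDrive
    if ($path -notmatch '^[A-Za-z]:') { $path = "$env:SystemDrive$path" }
    [pscustomobject]@{ TimeCreated = $e.TimeCreated; Id = $e.Id; DriverPath = $path }
}

$hits | Group-Object DriverPath | ForEach-Object {
    $path = $_.Name
    # Only check the signature if the file is still on disk.
    $sig = if (Test-Path -LiteralPath $path) {
        Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        DriverPath      = $path
        EventIds        = ($_.Group.Id | Sort-Object -Unique) -join ','
        LastSeen        = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer          = $sig.SignerCertificate.Subject
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Match each reported file against the `Win32_PnPSignedDriver` or `pnputil /enum-drivers` output to find its INF package before removing anything.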