Yarden Shafir

@yarden_shafir@infosec.exchange
696 Followers
47 Following
64 Posts
My summer associate Michael Lin wrote a PowerShell script to help you find out which vulnerable/malicious drivers from loldrivers.io will successfully load on your HVCI-enabled system: https://github.com/trailofbits/HVCI-loldrivers-check
As of build 25915 (latest Preview) all known API based kernel address leaks no longer work unless requested by a process with SeDebugPrivilege (only available to admin processes)
Monday morning red teaming tip: look at the json files in your Windows system and where they're used
Want to practice your kernel VR and exploitation skills?
Pick any driver from the HVCI driver block list and see what you can find.
Here for example is NCHGBIOS2x64.sys that has some pretty clear issues (systemBuffer is user input):
Microsoft is preparing to kill many known KASLR bypasses in the next release. Unless the calling process has debug privilege enabled, kernel addresses will be stripped from the output data of all leaking NtQuery APIs.
One example: if the caller should not receive kernel addresses, calling NtQuerySystemInformation with the SystemModuleInformation class will not leak kernel image base addresses.
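An added example (not code from these posts or from Trail of Bits) that makes the check described in this post and in the build 25915 post above concrete: a PowerShell script that P/Invokes NtQuerySystemInformation with the SystemModuleInformation class (11) and lists the ImageBase the API reports for every loaded kernel module, optionally enabling SeDebugPrivilege in the calling token first so the two runs can be compared. It assumes 64-bit Windows (the RTL_PROCESS_MODULE_INFORMATION offsets are for x64), that the shell is elevated when -EnableDebugPrivilege is used, and that a stripped kernel pointer reads back as zero; the script name is hypothetical.

```powershell
<#
Added example: list kernel module bases via NtQuerySystemInformation(SystemModuleInformation).
Assumes x64 Windows. Run once from a normal shell, then from an elevated shell with
-EnableDebugPrivilege, and compare the ImageBase columns. Hypothetical file name: kaslr-leak-check.ps1
#>
param([switch]$EnableDebugPrivilege)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    // LUID_AND_ATTRIBUTES is 4-byte aligned in the Win32 headers, so Pack = 4 keeps the layout.
    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    public struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, int length, IntPtr previous, IntPtr returnLength);
}
"@

$M = [Runtime.InteropServices.Marshal]

if ($EnableDebugPrivilege) {
    # An elevated admin token holds SeDebugPrivilege but disabled; turn it on for this process.
    $token = [IntPtr]::Zero
    $access = 0x28   # TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), $access, [ref]$token)) {
        throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
    }
    $luid = [long]0
    if (-not [Native]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { throw 'LookupPrivilegeValue failed' }
    $tp = New-Object -TypeName 'Native+TOKEN_PRIVILEGES'
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attributes = 2   # SE_PRIVILEGE_ENABLED
    [void][Native]::AdjustTokenPrivileges($token, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
    if ($M::GetLastWin32Error() -eq 1300) {   # ERROR_NOT_ALL_ASSIGNED: the token does not hold the privilege
        Write-Warning 'SeDebugPrivilege is not held by this token; run from an elevated shell.'
    }
}

$STATUS_INFO_LENGTH_MISMATCH = -1073741820   # 0xC0000004 as a signed 32-bit NTSTATUS
$SystemModuleInformation = 11
$needed = 0
$buffer = [IntPtr]::Zero
try {
    # Size probe first, then retry until the buffer fits (the module list can grow between calls).
    $status = [Native]::NtQuerySystemInformation($SystemModuleInformation, [IntPtr]::Zero, 0, [ref]$needed)
    while ($status -eq $STATUS_INFO_LENGTH_MISMATCH) {
        if ($buffer -ne [IntPtr]::Zero) { $M::FreeHGlobal($buffer) }
        $size = $needed + 4096
        $buffer = $M::AllocHGlobal($size)
        $status = [Native]::NtQuerySystemInformation($SystemModuleInformation, $buffer, $size, [ref]$needed)
    }
    if ($status -ne 0) { throw ('NtQuerySystemInformation failed: 0x{0:X8}' -f $status) }

    # RTL_PROCESS_MODULES: ULONG NumberOfModules, padded to 8, then RTL_PROCESS_MODULE_INFORMATION[]
    # (296 bytes each on x64): +0 Section, +8 MappedBase, +16 ImageBase, +24 ImageSize, +28 Flags,
    # +32 LoadOrderIndex, +34 InitOrderIndex, +36 LoadCount, +38 OffsetToFileName, +40 FullPathName[256]
    $count = $M::ReadInt32($buffer)
    $zeroed = 0
    for ($i = 0; $i -lt $count; $i++) {
        $entry = [IntPtr]::Add($buffer, 8 + $i * 296)
        $imageBase = $M::ReadInt64($entry, 16)
        $nameOffset = $M::ReadInt16($entry, 38)
        $path = $M::PtrToStringAnsi([IntPtr]::Add($entry, 40))
        $name = $path.Substring($nameOffset)
        if ($imageBase -eq 0) { $zeroed++ }
        '{0,-32} ImageBase=0x{1:X16}' -f $name, $imageBase
    }
    "$count modules reported; $zeroed with ImageBase 0 (stripped pointer, under the assumption above)"
} finally {
    if ($buffer -ne [IntPtr]::Zero) { $M::FreeHGlobal($buffer) }
}
```

On a build that still leaks, ntoskrnl.exe appears first with a 0xFFFFF8... base in both runs; on a build with the new behaviour, the unprivileged run is the one to watch, and the summary line tells you at a glance how many entries were sanitized.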
Suggestion to use AI to turn the sad smiley face in the BSOD into a happy smiley face if the bug is exploitable

Me: 1
EDR driver: 0

(the driver doesn’t really have a RWX section)

If any of you (like me) need to disable user-mode CET on an entire machine, try this:
bcdedit /set xsaveremovefeature 0x800
This is what defeat looks like
Today, we are releasing RPC Investigator, made for exploring RPC clients and servers on Windows. This .NET application builds on the NtApiDotNet platform, adding features that offer a new way to explore RPC https://blog.trailofbits.com/2023/01/17/rpc-investigator-microsoft-windows-remote-procedure-call/
Introducing RPC Investigator: A new tool for Windows RPC research, by Aaron LeMasters (Trail of Bits Blog)