Configuring Core Isolation and Memory Integrity in Windows

Last update: 12/12/2025
Author Isaac
  • Core Isolation and Memory Integrity use VBS and a hypervisor to isolate the Windows kernel and protect it from malicious code.
  • They can be enabled from Windows Security or, in a more advanced way, through the Registry, policies, and App Control for Business.
  • VBS and HVCI status is verified with the Win32_DeviceGuard WMI class, msinfo32, and other management tools.
  • They offer strong security, but can conflict with drivers, cost some performance, and clash with antivirus products that also use virtualization.


If you use Windows 10 or 11, you've probably seen the "Core isolation" and "Memory integrity is off" notification in Windows Security at some point. Many people think it's important, but it's not at all clear what it actually does, what advantages it has, what it can break, or how to configure it properly, especially when tools like Hyper-V, third-party solutions, or antivirus programs that also use virtualization come into play.

In the following lines you will find a very complete guide to understanding what Core Isolation and Memory Integrity are, how they work under the hood (including the virtualization-based security (VBS) component), how to enable or disable them from the graphical interface, the Registry, or via policies, how to verify that everything is working, and what common problems you might encounter, such as conflicts with drivers, software like BlueStacks, or hardware virtualization from Kaspersky.

What is Core Isolation in Windows

Kernel isolation in Windows Security

So-called core isolation is an advanced security feature included in Windows 10 and Windows 11 that takes advantage of virtualization to separate the operating system kernel from the rest of the processes running on the computer. The idea is simple: if the kernel runs in a more isolated and controlled environment, it is much more difficult for malware or an attacker to inject code into that sensitive area.

When you enable Core Isolation, Windows creates a protected and virtualized environment where critical parts of the system run, so that malicious code arriving via a file, a faulty driver, or an app cannot directly access kernel memory. This logical separation relies on hardware virtualization technologies and the Microsoft hypervisor.

Imagine you open an email attachment infected with malware. Without kernel isolation, a well-designed exploit could use a system vulnerability to escalate privileges and write to critical memory areas, affecting the kernel and completely compromising the system. With Core Isolation enabled, such an attack is "confined" to an environment where it cannot directly manipulate the kernel, greatly reducing its impact.

In addition to isolating processes, the system leverages hardware memory to store sensitive information in protected areas, which reduces the attack surface. This does not replace antivirus software or other good security practices, but it adds a very powerful extra layer against sophisticated threats.

What is Memory Integrity and what role does it play in security?

Memory integrity in Windows

Within core isolation itself, the most important part is the so-called memory integrity, or Memory Integrity. This feature relies on Windows virtualization-based security (VBS) to run the kernel code integrity mechanism within an isolated virtual environment, completely separate from the normal operating system.

In practice, Memory Integrity ensures that only code that is properly signed and considered trustworthy can be loaded into the kernel. To achieve this, it uses the Windows hypervisor, which creates a small, secure "underworld" that acts as a root of trust even if the main kernel were compromised. If you need to test unsigned code in controlled environments, see how to activate developer mode in a safe way.

One of the key capabilities of this feature is that it restricts kernel memory allocations that could be used to exploit vulnerabilities or escalate privileges. If an attacker attempts to modify critical memory structures after memory integrity is enabled, the system blocks them or causes a controlled failure before allowing the threat to proceed.

Another important task is to protect elements such as the Control Flow Guard (CFG) bitmap for kernel-mode drivers. This structure helps Windows monitor the flow of code execution in the kernel; if malware managed to alter it, it could redirect execution to malicious code. With Memory Integrity, this type of manipulation becomes much more difficult.

Furthermore, memory integrity safeguards the kernel-mode code integrity process. This process is responsible for verifying that other trusted kernel components have valid certificates and that the loaded code has not been modified. If anything seems amiss, the driver loader blocks it.

Relationship between VBS, Core Isolation and Memory Integrity

To understand it properly, it is advisable to differentiate several concepts that Windows uses together, although they are often referred to as if they were the same thing:

  • VBS (Virtualization-Based Security): this is the core technology used by the Windows hypervisor to create one or more protected memory containers. Security services run within these containers, which the system treats as more trustworthy than the kernel itself.
  • Core Isolation: is the umbrella of user-visible features in Windows Security that leverage VBS to protect the kernel and other critical processes.
  • Memory Integrity: is one of those components within kernel isolation, specifically responsible for kernel code integrity and limiting dangerous memory allocations.

It is possible to enable only VBS without activating Memory Integrity, or combine VBS + memory integrity to have much stronger protection, which is what Microsoft recommends in most professional and business scenarios.

How to enable or disable Core Isolation and Memory Integrity from the interface

For a home user, the easiest way to control these features is through the Windows Security app itself, which is usually accessible from the blue shield-shaped icon in the system tray, next to the clock. If you don't see it, you can search for "Windows Security" using the combination Windows + S.

Once the app is open, go to the “Device security” section. There you will see a block called “Core isolation”. On many devices, a message appears that looks something like “Memory integrity is off. Your device may be vulnerable.”, which indicates that Core Isolation is available, but the Memory Integrity portion is not working.

To change it, click “Core isolation details”. A screen with advanced options will open, among which you will see the switch for “Memory integrity”. When activated, Windows will begin blocking the loading of drivers or kernel code that do not meet the security requirements.

On that same screen, the option “Microsoft Vulnerable Driver Blocklist” usually also appears. When enabled, the system prevents drivers that Microsoft has flagged as problematic or with known vulnerabilities from running, adding another layer of protection against attacks based on malicious drivers.

After enabling memory integrity, it's normal for Windows to ask you to restart the system to apply the changes; you'll see a notification in the bottom right corner with a button to restart directly. After restarting, if everything goes well, a green confirmation icon will appear next to "Core isolation" in "Device security", indicating that the protection is active.

Advanced configuration via Registry for VBS and Memory Integrity

In professional environments, or when you want to automate the configuration on multiple computers, it is common to use the Windows Registry and scripts (before touching anything, make a registry backup) to enable or fine-tune VBS and Memory Integrity. The relevant keys are located under the path:

HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard

A recommended configuration, enabling VBS and memory integrity without UEFI lock, involves setting the following values from a console with administrator privileges:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

If you want to fine-tune the settings, you can use each key separately depending on what you need to activate:

  • Enable VBS only (without memory integrity)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
  • Require only Secure Boot for VBS (value 1)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
  • Require secure boot + DMA protection for VBS (value 3)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
  • Configure VBS without UEFI locking (Locked = 0)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
  • Configure VBS with permanent UEFI lock (Locked = 1)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
  • Activate Memory Integrity (HVCI)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
  • Configure UEFI non-locked memory integrity (Locked = 0)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
  • Configure memory integrity with UEFI lock (Locked = 1)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
  • Force VBS (and Memory Integrity) into mandatory mode
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f

When Mandatory = 1 is set, the Windows loader does not allow the system to continue booting if the hypervisor, the "secure kernel", or any of their dependent modules fails to load. It is a drastic measure intended for environments where security takes precedence over availability.
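As an added example (not from the original article), the same non-locked VBS + memory integrity configuration applied from PowerShell: it first exports the DeviceGuard key as a backup (the file name under %TEMP% is an arbitrary choice), then writes only the values that differ, so it can be re-run safely on many machines.

```powershell
# Added example: back up the DeviceGuard key, then apply the article's
# "VBS + memory integrity, not UEFI-locked" settings. Run elevated; reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = "$base\Scenarios\HypervisorEnforcedCodeIntegrity"

# Backup first (file name is an arbitrary choice for this example)
$backup = Join-Path $env:TEMP ("DeviceGuard-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# Desired REG_DWORD values, matching the reg add commands above
$desired = @{
    $base = @{ EnableVirtualizationBasedSecurity = 1; RequirePlatformSecurityFeatures = 1; Locked = 0 }
    $hvci = @{ Enabled = 1; Locked = 0 }
}

foreach ($key in $desired.Keys) {
    # The Scenarios subkey may not exist yet on a machine that never enabled HVCI
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $desired[$key].Keys) {
        $want = $desired[$key][$name]
        $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($have -ne $want) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
            Write-Host "$key\$name : $have -> $want"
        } else {
            Write-Host "$key\$name already set to $want"
        }
    }
}

# Warn if the machine is in mandatory mode, where a VBS failure would stop the boot
$mandatory = (Get-ItemProperty -Path $base -Name Mandatory -ErrorAction SilentlyContinue).Mandatory
if ($mandatory -eq 1) { Write-Warning 'Mandatory = 1: boot will fail if VBS cannot start.' }
```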


Another interesting point is control of the graphical interface for memory integrity. If you want the switch to appear dimmed and display the message “This setting is managed by your administrator”, you can run:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f

And if you later decide to give the user normal control over that switch again, you can restore with:

reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f

Enable memory integrity with App Control for Business

In companies that manage large fleets, it is often more convenient to use App Control for Business policies (formerly Windows Defender Application Control) to enable memory integrity centrally. There are several ways to do this:

  1. Through the Application Control Assistant, when creating or editing a policy, by selecting the option “Hypervisor-protected code integrity” on the policy rules page.
  2. Using the cmdlet of PowerShell Set-HVCIOptions, which allows you to activate, deactivate or adjust the behavior of HVCI (Hypervisor-Enforced Code Integrity) from administration scripts.
  3. Editing the App Control policy XML directly and modifying the value of the <HVCIOptions> element to suit the needs of each organization.

How to check if VBS and memory integrity are active

Once you believe you have everything set up correctly, it is important to verify what is actually enabled and running. Windows offers several tools for this, both from the command line and from the graphical interface.

Checking with the WMI class Win32_DeviceGuard

In Windows 10, Windows 11, and Windows Server 2016 or later, there is a specific WMI class for VBS and Device Guard: Win32_DeviceGuard. From an elevated PowerShell console, you can obtain the information with:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

The output of this command includes a good number of fields. Some particularly useful ones are:

  • InstanceIdentifier: unique string to identify the device within WMI.
  • Version: version of the WMI class, currently usually 1.0.
  • AvailableSecurityProperties: list of security properties supported by the hardware and system for VBS and memory integrity. Each number indicates an available capability:
    0: no relevant properties
    1: Hypervisor compatibility
    2: Secure Boot available
    3: DMA protection available
    4: Secure memory overwrite
    5: Available NX protections
    6: SMM mitigations
    7: MBEC/GMET available
    8: APIC virtualization available
  • CodeIntegrityPolicyEnforcementStatus: indicates how the code integrity policy is being applied in the system:
    0: deactivated
    1: in audit mode
    2: in reinforced mode
  • RequiredSecurityProperties: specifies which security properties are necessary to enable VBS on that computer, using the same numbering as before (1 for hypervisor, 2 for Secure Boot, 3 for DMA, etc.).
  • SecurityServicesConfigured: indicates which virtualization-based security services are configured:
    0: none
    1: Credential Guard is configured
    2: configured memory integrity
    3: System Secure Boot protection configured
    4: Measurement of configured SMM firmware
    5-7: Different modes of hardware-applied stack protection and hypervisor-enhanced paging translation
  • SecurityServicesRunning: similar to the previous one, but shows which services are actually running (0 for none, 1 for Credential Guard active, 2 for memory integrity running, etc.).
  • UsermodeCodeIntegrityPolicyEnforcementStatus: user mode code integrity status (0 disabled, 1 audit, 2 enforced).
  • VirtualizationBasedSecurityStatus: probably the key field for VBS:
    0: VBS is not enabled
    1: VBS is enabled but not running
    2: VBS enabled and running
  • VirtualMachineIsolation and VirtualMachineIsolationProperties: these describe the supported virtual machine isolation level. Possible values include AMD SEV-SNP (1), Virtualization-based Security (2), and Intel TDX (3).
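To turn those numeric fields into something readable, here is an added PowerShell example (not from the original article) that maps the codes listed above and also reports which required security properties the platform does not expose, the usual reason for "VBS enabled but not running". The split of service codes 5 to 7 into individual stack-protection and paging-translation modes is my assumption.

```powershell
# Added example: decode Win32_DeviceGuard into a readable VBS / memory-integrity
# report. Run from an elevated PowerShell console.
function Get-VbsReport {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Numeric codes as described in the article's field list
    $propertyNames = @{
        0 = 'none'; 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
        4 = 'secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
        7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
    }
    $serviceNames = @{
        0 = 'none'; 1 = 'Credential Guard'; 2 = 'memory integrity (HVCI)'
        3 = 'System Secure Boot protection'; 4 = 'SMM firmware measurement'
        # Codes 5-7: assumed split of the stack-protection / paging-translation modes
        5 = 'hardware-enforced stack protection'; 6 = 'hardware-enforced stack protection (audit)'
        7 = 'hypervisor-enforced paging translation'
    }
    $vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    $ciStatus  = @{ 0 = 'off'; 1 = 'audit'; 2 = 'enforced' }

    # Helper: translate an array of codes through a map into one comma-separated string
    $decode = { param($codes, $map) @($codes | ForEach-Object { $map[[int]$_] }) -join ', ' }

    $available  = @($dg.AvailableSecurityProperties)
    $required   = @($dg.RequiredSecurityProperties)
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # Required properties the platform does not report (e.g. Secure Boot or DMA protection off)
    $missing = @($required | Where-Object { $_ -ne 0 -and $_ -notin $available })

    $memoryIntegrity = if (2 -in $running) { 'running' }
                       elseif (2 -in $configured) { 'configured but not running' }
                       else { 'off' }

    [pscustomobject]@{
        VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        MemoryIntegrity     = $memoryIntegrity
        KernelCodeIntegrity = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserCodeIntegrity   = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ServicesRunning     = & $decode $running $serviceNames
        ServicesConfigured  = & $decode $configured $serviceNames
        AvailableProperties = & $decode $available $propertyNames
        RequiredProperties  = & $decode $required $propertyNames
        MissingRequirements = if ($missing.Count) { & $decode $missing $propertyNames } else { 'none' }
    }
}

Get-VbsReport | Format-List
```

If MemoryIntegrity shows "configured but not running", the MissingRequirements line usually names the firmware setting (Secure Boot, DMA protection) that has to be fixed before the service will start.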

Using msinfo32.exe to view the VBS status

If you prefer something more visual, you can launch msinfo32.exe from Run or from a PowerShell window with administrator privileges. Once "System Information" opens, in the “System Summary” section, towards the bottom, you will see a block dedicated to “Virtualization-based security” with details on whether VBS is enabled, which services it runs, and which requirements the computer meets.

Common problems and troubleshooting when using memory integrity

It's not all advantages. Activating Core Isolation, and especially Memory Integrity, can lead to driver conflicts, performance losses, or even blue screens, especially on computers with older hardware or outdated drivers.

One of the most typical problems is that a device driver stops loading or starts causing crashes at runtime. The solution almost always involves updating the driver, from Device Manager or from the manufacturer's website, to a signed and HVCI-compatible version.

In other cases, after activating the feature, some users have seen that the FPS in games drops significantly or that certain virtualization applications (such as BlueStacks or similar emulators) stop working or become very unstable. This can happen because memory integrity makes intensive use of the processor's virtualization capabilities and blocks techniques that these apps previously relied on.


There are also reports of computers that show blue screens when trying to enable core isolation or after a reboot with Memory Integrity enabled. In those situations, if you can't log into the system normally, you can resort to the Windows Recovery Environment (Windows RE).

The typical procedure in case of a serious failure would be:

  1. Disable beforehand, if possible, group policies, Intune, or other tools that might be enforcing VBS and memory integrity.
  2. Boot the computer into Windows RE (for example, by interrupting the boot process several times or using installation media) and access the console.
  3. Once inside Windows RE, manually modify the Registry to disable Memory Integrity, for example with:
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
  4. Restart the device and check if the startup returns to normal.

Implementing memory integrity in Hyper-V virtual machines

Memory integrity is not limited to physical machines: it can also be enabled inside Hyper-V virtual machines in almost the same way as on a regular PC. From the guest system's perspective, the activation steps are equivalent.

However, it should be noted that the protection applies to the guest virtual machine's contents. In other words, it helps defend the VM against malware and attacks executed within it, but it does not protect the host or the platform administrator. A host administrator can disable memory integrity for a VM with a simple PowerShell command:

Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

To use Memory Integrity in Hyper-V there are a number of minimum requirements:

  • The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  • The virtual machine must be Generation 2 and run, at a minimum, Windows Server 2016 or Windows 10.
  • Memory integrity can be combined with nested virtualization. If you want to install the Hyper-V role within the VM itself, you will first need to enable nested virtualization for that VM on the host.
  • Virtual Fibre Channel adapters are not compatible with Memory Integrity. Before connecting one to the VM, it is necessary to exclude the VM from virtualization-based security using Set-VMSecurity.
  • Pass-through disks with the AllowFullSCSICommandSet option also do not support memory integrity. If you want to use one, you must disable virtualization-based security for that virtual machine.

Core Isolation and its impact on performance: Is it worth it?

A recurring question is whether it's worth having Core Isolation and Memory Integrity enabled when you notice that the computer loses some performance, the fans start running, or certain programs stop working properly.

Some users have reported, for example, that when activating this option BlueStacks stops working, or that specific management tools such as Alienware Command Center stop properly monitoring the hardware, causing the fans to run wildly. The cause is usually drivers or services that aren't designed to work with HVCI.

It is also relatively common for players to notice an FPS reduction in demanding games when memory integrity is enabled: the virtualization overhead and extra kernel checks add some latency and resource consumption. It's not dramatic on all systems, but it is noticeable on some.

In these cases, the decision depends on your priorities: if your usage is very intensive in games or incompatible programs, it may make sense to temporarily disable core isolation. In return, it is advisable to take extra precautions: avoid suspicious downloads, do not visit dubious websites, and always keep your antivirus software active and up-to-date, whether Microsoft Defender or another reliable solution.

If, on the other hand, you don't notice any glitches or significant performance issues when you activate Core Isolation, then it's highly recommended to keep it on as an additional layer of defense, especially on laptops that travel, work computers, or devices that handle sensitive data.
