Configuring Core Isolation and Memory Integrity in Windows

  • Core Isolation and Memory Integrity use virtualization-based security to isolate the kernel and validate code in kernel mode, drastically reducing the impact of malware and exploits.
  • Activation can be done from Windows Security, Registry, PowerShell or App Control policies, and it is essential to validate hardware, firmware and driver compatibility.
  • These features provide robust protection but come at a cost in performance and may cause conflicts with drivers, so it's important to balance security with actual equipment usage.
  • On Hyper-V virtual machines and on systems where they are not viable, they can be combined with technologies such as hardware stack protection, Docker, or additional VMs to achieve effective isolation.


The configuration of Core Isolation and Memory Integrity in Windows has become a key topic for anyone seeking stronger PC security, especially in environments where malware and system attacks are commonplace. Although it may at first look like a "hidden" option buried among the advanced settings, it plays a fundamental role in protecting the operating system's core.

In the following lines you will find a complete guide explaining what exactly Core Isolation is, how virtualization-based security (VBS) memory integrity works, what requirements and limitations it has, how to enable or disable it from the graphical interface or via the Registry, PowerShell or policies, and what real impact it can have on your computer's performance and compatibility.

What is Core Isolation in Windows and what is it used for?

Core Isolation is an advanced security feature built into Windows 10, Windows 11 and Windows Server that relies on virtualization-based security (VBS). Its goal is to run certain critical operating system components in an environment isolated from the rest of the processes, greatly reducing the attack surface for malware and exploits that try to compromise the kernel.

When you enable Core Isolation, the system creates a protected virtual environment using the Windows hypervisor. High-security functions run inside this isolated environment, so malicious code that manages to execute on the normal system cannot easily interact with the kernel or manipulate critical memory structures. This logical separation acts as an extra barrier between the system and anything coming from outside, whether an infected attachment, a program of dubious origin or a faulty driver.

Imagine you open an email with a malicious attachment. Without this isolation, an exploit could take advantage of system vulnerabilities to escalate privileges and reach the kernel. With Core Isolation enabled, much of the critical logic is protected inside the virtualized environment, severely limiting what the malware can do even if it manages to run with elevated privileges in the non-isolated part of the system.


What is memory integrity and what role does it play in VBS?

Within Core Isolation, the centerpiece is Memory Integrity, also known as HVCI (Hypervisor-Enforced Code Integrity). This feature moves code integrity checking out of kernel mode and into the secure VBS environment, so the hypervisor acts as the root of trust and ensures that only signed, legitimate code is loaded into the kernel.

With memory integrity active, the system restricts the kernel memory allocations that could otherwise be used for code injection or to disable security mechanisms. Because the integrity validation runs in an isolated environment, an attacker who compromises the traditional kernel has a much harder time turning these protections off: the verification process itself is out of their reach.

Among its most relevant internal functions, memory integrity protects the Control Flow Guard (CFG) bitmap applied to kernel-mode drivers and strengthens the code integrity process that validates that other privileged processes carry valid certificates. These measures significantly limit attempts to redirect execution flow to malicious code or to load untrusted binaries into the kernel.

Core Isolation requirements and compatibility


Although Windows includes these features, not all devices are compatible, and they are not always enabled by default. For Core Isolation and memory integrity to work correctly, the hardware and firmware must meet a number of conditions: hardware virtualization support (Intel VT-x, AMD-V), Secure Boot, certain CPU extensions such as MBEC/GMET and, in server or virtualization environments, additional virtual machine isolation capabilities.

In many cases these options also depend on the BIOS/UEFI settings. If virtualization or Secure Boot is disabled at the firmware level, VBS cannot start and the kernel isolation features will not be available even if you enable them from Windows. In addition, some older or poorly maintained drivers may be incompatible with these technologies, causing blue screens such as IRQL_NOT_LESS_OR_EQUAL or directly preventing memory integrity from being activated.

How do I enable or disable Core Isolation from Windows Security?

The simplest and most user-friendly way for home or office users is to manage Core Isolation from the Windows Security app, where most of the system's security settings are grouped into a single panel.

To review and modify these options in Windows 10 and Windows 11, open the Windows Security app from the shield icon in the system tray or via search, go to Device security and locate the Core isolation block. That screen usually shows whether memory integrity is enabled, together with a warning that the device may be vulnerable while it remains disabled.

Under Core isolation details you'll find the switch to turn Memory integrity on or off, as well as the option called Microsoft's vulnerable driver blocklist, which prevents drivers known to have serious flaws from loading. Once you enable memory integrity, the system prompts you to restart the computer to apply the change; after the restart you should see a green confirmation icon next to the Core isolation section.

If, after turning it on, you notice performance issues, FPS drops in games or even blue screens, you can always go back to the same panel and turn the switch off. Windows lets you change this setting as many times as you want, which is handy if, for example, you only want it active at specific times (such as when using unknown USB drives or installing software from dubious sources).

Impact on performance and when to activate it or not

It is important to understand that Core Isolation, and especially memory integrity, is not free in terms of performance. Each additional layer of security means more checks, more code validation and more CPU work to examine what is running on the system. On powerful PCs this may be barely noticeable, but on less powerful machines or in demanding games you might see an FPS drop or a less smooth response.

Many users have reported that, after activating Core Isolation, games and graphics applications run somewhat worse, and that disabling it restores the previous fluidity. In some specific cases they have even encountered critical errors such as the CRITICAL_PROCESS_DIED blue screen when trying to activate it, especially with old or poorly designed drivers that did not work well with these protections.

Therefore, it makes sense to consider the context of use. If you mainly use your PC for gaming and high-performance tasks in a relatively controlled environment, with good security habits (not downloading suspicious executables, avoiding shady websites, keeping Windows Defender updated), you might prefer to leave Core Isolation disabled to get the most out of your hardware. If, on the other hand, you browse a lot, frequently open attachments, connect third-party external devices, or the computer is shared in libraries, offices or schools, it is highly recommended to sacrifice a little performance in exchange for significantly greater security.

Memory integrity and hardware isolation: how the system protects

When discussing this feature, it is also often said that it separates high-security processes from the rest of the system, establishing a virtual barrier between what we could call primary hardware (motherboard, CPU, GPU, RAM and main storage) and peripheral hardware (USB devices, printers, external drives, etc.). The idea is that any interaction with critical components passes through stricter filters.

This protection does not replace Windows Defender nor does it replace other traditional antimalware solutions, but rather complements them. The antivirus remains responsible for scanning files, detecting malware patterns, and blocking known threats, while kernel isolation monitors attack vectors targeting the kernel itself and the most sensitive memory structures. It is generally recommended to keep Windows Defender always enabled and, optionally, to add the essential security software depending on the specific needs.

How to enable kernel isolation in Windows 11 step by step?

In Windows 11, enabling this feature is quite straightforward and doesn't require any registry edits if you prefer a simpler approach. Essentially, it involves accessing system settings, navigating to the security section, and locating the Windows Security panel to enable kernel isolation and memory integrity.

The typical route is to open Windows Settings (for example with Win + I), go to Privacy & security, enter Windows Security and click the button that opens the app. There, in the side menu, choose Device security, locate the Core isolation block, open its details and turn on the Memory integrity control if it is off. After closing the window and restarting the system the feature is enabled; for general tips on improving security in Windows 11 you can consult supplementary guides.

You can repeat this process as many times as you like. In some scenarios it may be useful to turn it on only when needed, for example when you are about to connect someone else's USB drive. This is especially relevant when working with external drives of unknown origin or when you share the computer with several users. While not a foolproof shield, it reduces the chances of malware exploiting a driver vulnerability to reach the kernel.

Activation in Windows 10 and similarities with Windows 11

Windows 10 also has Core Isolation and memory integrity, and the way to activate it is very similar to Windows 11, with minor differences in the names of some menus. Again, the process goes through the Settings panel, the security section and the Windows Security app.

In this case, open Settings, go to Update & Security, choose Windows Security and then the Device security category. There you'll find the Core isolation section and, within its details, the switch to turn Memory integrity on or off. You can change this setting whenever you need to, which is useful if you alternate between periods of intensive internet browsing and gaming sessions where you want to squeeze every last bit of FPS out of the system.

Enable Memory Integrity and VBS from the command line (Registry)


For corporate environments or advanced users who want to automate the VBS and memory integrity configuration, the Windows Registry offers fairly granular control. Using the REG command-line tool you can add and modify the keys needed to enable the hypervisor and the virtualization-based protections at startup; before doing so, it is recommended to back up the Registry.

A typical configuration involves enabling virtualization-based security, requiring specific platform features, activating hypervisor-enforced code integrity and adjusting the UEFI lock. This is done by modifying entries under the key HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and its subkey Scenarios\HypervisorEnforcedCodeIntegrity, adjusting values such as EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, Locked, Enabled or Mandatory, all of them REG_DWORD values whose numeric content defines the behavior.

For example, you can enable VBS without memory integrity just by setting EnableVirtualizationBasedSecurity, or combine it with RequirePlatformSecurityFeatures to require Secure Boot (value 1) or Secure Boot plus DMA protection (value 3). The Locked value defines whether the UEFI lock is applied, and Mandatory makes the system refuse to continue booting if the hypervisor, the secure kernel or one of their dependent modules fails to load.

In the HypervisorEnforcedCodeIntegrity subtree, the Enabled value directly controls whether memory integrity is on, while the Locked value for that scenario decides whether it is locked with UEFI. There is also a value called WasEnabledBy that controls how the graphical interface is presented to the user: if it is removed, the UI shows the message "This setting is managed by your administrator" and the switch appears disabled; if it is set to a specific value, the interface behaves normally again.
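The following script is an added example (not part of the original article) that applies the Registry configuration described above from an elevated PowerShell session: it backs up the DeviceGuard key first, then writes the REG_DWORD values for VBS and for the memory integrity scenario. The backup path and the chosen values (unlocked, non-mandatory) are assumptions you should adapt to your environment.

```powershell
# Added example: configure VBS and memory integrity through the DeviceGuard
# registry keys, taking a backup first. Run elevated; a reboot applies the change.

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey        = Join-Path $DeviceGuardKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

# Assumption: backup file location; change it to suit your environment.
$BackupFile = Join-Path $env:TEMP ('DeviceGuard-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' $BackupFile /y | Out-Null
Write-Host "Registry backup written to $BackupFile"

# Values as described in the article:
#   EnableVirtualizationBasedSecurity  1 = turn VBS on
#   RequirePlatformSecurityFeatures    1 = require Secure Boot, 3 = Secure Boot + DMA protection
#   Locked                             1 = apply the UEFI lock, 0 = leave changeable from Windows
#   Mandatory                          1 = refuse to boot if the hypervisor/secure kernel fails to load
$VbsSettings = @{
    EnableVirtualizationBasedSecurity = 1
    RequirePlatformSecurityFeatures   = 1   # use 3 only if the platform actually reports DMA protection
    Locked                            = 0   # keep unlocked until the configuration is proven stable
    Mandatory                         = 0   # 0 so an HVCI problem does not leave the machine unbootable
}

# Memory integrity (HVCI) scenario: Enabled=1 turns it on, Locked=0 keeps it changeable.
$HvciSettings = @{
    Enabled = 1
    Locked  = 0
}

function Set-DwordValues {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

Set-DwordValues -Path $DeviceGuardKey -Values $VbsSettings
Set-DwordValues -Path $HvciKey        -Values $HvciSettings

# Show the resulting configuration before rebooting.
Get-ItemProperty -Path $DeviceGuardKey |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, Locked, Mandatory
Get-ItemProperty -Path $HvciKey | Select-Object Enabled, Locked
Write-Host 'Reboot to apply, then confirm with Win32_DeviceGuard or msinfo32 that VBS and HVCI are running.'
```

Leaving Locked at 0 on first deployment is deliberate: once the UEFI lock is set, the setting can no longer be undone from Windows alone, so it is safer to lock only after the driver set has proven compatible.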


Management via App Control for businesses and PowerShell

In enterprise deployments with centralized security policies, App Control for Business (formerly Windows Defender Application Control) offers a more structured way to enable memory integrity. Its wizard lets you create or edit an application control policy and select the Hypervisor-protected code integrity option on the policy rules page.

Besides the graphical interface, you can use the PowerShell cmdlet Set-HVCIOptions, designed specifically to adjust HVCI options, or directly edit the App Control policy XML, changing the corresponding element value to activate the desired protections. These approaches are especially useful when you want to apply the same configuration to many devices without touching each one individually, and can be complemented with security policies via secpol.msc in managed environments.
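As an added example (not from the original article), this is the cmdlet-based variant of the same step: it turns memory integrity on in an existing App Control policy XML and compiles it into the binary policy that is actually deployed. The file names are assumptions; the policy XML is assumed to already exist (for example, created with New-CIPolicy or exported from the wizard).

```powershell
# Added example: enable memory integrity in an App Control for Business policy
# from PowerShell (ConfigCI module, elevated session) and compile it for deployment.
# Assumption: .\MyPolicy.xml is an existing policy XML file.
$PolicyXml = '.\MyPolicy.xml'
$PolicyBin = '.\MyPolicy.cip'

# -Enabled turns memory integrity on in this policy; -Strict selects strict mode
# and -None removes the HVCI requirement again.
Set-HVCIOptions -Enabled -FilePath $PolicyXml

# Convert the XML policy into the binary form that Windows loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Confirm the output exists before handing it to Intune, Group Policy or a script.
if (Test-Path $PolicyBin) { Write-Host "Binary policy written to $PolicyBin" }
```

Because a policy file is applied to many machines at once, test the resulting binary on a pilot group whose driver inventory matches production before rolling it out, exactly as the article recommends for the per-device switch.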

Check if VBS and Memory Integrity are enabled

To check accurately whether virtualization-based security and memory integrity are actually active and running, Windows provides several tools aimed at administrators and advanced users, including a dedicated WMI class and the classic msinfo32.

The WMI class Win32_DeviceGuard, accessible from an elevated PowerShell session with Get-CimInstance and the namespace root\Microsoft\Windows\DeviceGuard, returns numerous fields describing the security properties of VBS and HVCI. These include:

The InstanceIdentifier of the class, which is currently usually 1.0, and the AvailableSecurityProperties list, which indicates which hardware-based security features are present on the device, such as hypervisor support, Secure Boot, DMA protection, secure memory overwrite, NX protections, SMM mitigations, MBEC/GMET or APIC virtualization.

The RequiredSecurityProperties field specifies which elements are required for VBS to be enabled on that device (for example Secure Boot or DMA protection), while SecurityServicesConfigured shows whether services such as Credential Guard, memory integrity, System Guard Secure Launch, SMM firmware measurement or kernel-mode stack protection have been configured, including whether the latter is in audit or enforced mode.

Related to the above, SecurityServicesRunning indicates which services are actually running at that moment, distinguishing configured from operational. Other important fields are CodeIntegrityPolicyEnforcementStatus, which reveals whether the system code integrity policy is disabled, in audit mode or in enforced mode; UsermodeCodeIntegrityPolicyEnforcementStatus, which gives the same information for user-mode code; and VirtualizationBasedSecurityStatus, which clarifies whether VBS is disabled, enabled but not running, or enabled and running.

Lastly, VirtualMachineIsolation and VirtualMachineIsolationProperties indicate the level of virtual machine isolation available and the supported technologies, such as AMD SEV-SNP, virtualization-based security or Intel TDX, which matter when you want to apply these protections in virtualized environments.

If you prefer a more visual approach, run msinfo32.exe with elevated privileges to open the System Information window. At the bottom of the System Summary section there is a block dedicated to VBS features and their state, detailing whether virtualization-based security is enabled and which components are active.
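The Win32_DeviceGuard fields listed above come back as bare numbers, which is unhelpful in a script or a monitoring job. The following added example (not from the original article) queries the class and translates the codes into the names the article uses; the numeric mappings follow Microsoft's documentation of the class, and any code a newer build adds that is not in the tables is printed as an unknown number rather than mislabelled.

```powershell
# Added example: read Win32_DeviceGuard and decode its numeric fields. Run elevated.
# Code-to-name tables follow Microsoft's documentation of the class.

$SecurityProperties = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode-based execution control (MBEC/GMET)'
    8 = 'APIC virtualization'
}
$SecurityServices = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
    5 = 'Kernel-mode hardware-enforced stack protection'
    6 = 'Kernel-mode hardware-enforced stack protection (audit mode)'
}
$VbsStatus         = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$PolicyEnforcement = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced mode' }

function Convert-Codes([int[]]$Codes, [hashtable]$Map) {
    # Empty/null lists mean "none"; unknown codes are shown raw instead of guessed.
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object { if ($Map.ContainsKey($_)) { $Map[$_] } else { "Unknown($_)" } }) -join ', '
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

[PSCustomObject]@{
    VbsStatus                     = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableSecurityProperties   = Convert-Codes $dg.AvailableSecurityProperties $SecurityProperties
    RequiredSecurityProperties    = Convert-Codes $dg.RequiredSecurityProperties  $SecurityProperties
    SecurityServicesConfigured    = Convert-Codes $dg.SecurityServicesConfigured  $SecurityServices
    SecurityServicesRunning       = Convert-Codes $dg.SecurityServicesRunning     $SecurityServices
    KernelModeCodeIntegrityPolicy = $PolicyEnforcement[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrityPolicy   = $PolicyEnforcement[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# Pass/fail for automation: memory integrity counts as on only when HVCI (code 2)
# appears in the *running* list, not merely in the configured one.
$HvciRunning = $dg.SecurityServicesRunning -contains 2
if ($HvciRunning) { 'Memory integrity is running.' } else { 'Memory integrity is NOT running.' }
```

The distinction in the last lines is the one that matters operationally: a machine whose Registry says Enabled=1 but whose firmware has virtualization switched off will show HVCI as configured and still not running.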

Hardware-enforced stack protection and its relationship to memory integrity

Within the family of protections that revolve around Core Isolation, we find the hardware-enforced stack protection, a function based on specific capabilities of modern CPUs (such as Intel Control-Flow Enforcement Technology or AMD Shadow Stack) intended to prevent malicious code from manipulating return addresses on the kernel-mode stack to redirect execution towards malicious payloads.

In compatible processors, the CPU maintains a second copy of the return addresses in a read-only shadow stack, inaccessible to normal drivers. If a program or driver attempts to modify the return address on the main stack, the CPU detects the discrepancy by comparing it to the reference stored in the shadow stack. When this occurs, the system triggers a critical error (the typical blue screen) and halts execution, blocking the attempt to hijack the execution flow.

Not all drivers are compatible with this defense, since some legitimate drivers alter return addresses for non-malicious purposes. For this reason, Microsoft has been working with multiple manufacturers to ensure their latest versions support hardware-enforced stack protection. The feature can be enabled or disabled via a switch in the Windows Security interface, but for it to work memory integrity must be enabled and the CPU must implement the technologies mentioned above.

If, when trying to activate it, the system warns of an incompatible driver or service, check for updates on the device manufacturer's website or on the website of the application in question. Sometimes the problematic component is a service associated with a driver that only loads when the program starts, so it may be necessary to uninstall that software or stop using it if you want to keep stack protection enabled.

Troubleshooting and rollback in case of failures

Enabling VBS, memory integrity or stack protection may affect some systems: certain drivers stop loading or the system becomes unstable. In the best case, simply updating the drivers from Device Manager or the manufacturer's website is enough; in more serious situations, a critical error may occur during startup.

If, after enabling these features, the system does not start correctly or behaves erratically, one option is the Windows Recovery Environment (Windows RE). First, disable any policies (such as Group Policy) that were used to enforce VBS and HVCI. Then boot the affected computer into Windows RE, sign in and, from there, change the corresponding Registry key to disable memory integrity by setting the Enabled value of HypervisorEnforcedCodeIntegrity to 0. On restart the system should boot again without this protection, which usually restores stability if the problem was a compatibility issue. If the problem is a serious boot failure, consult the guide on the INACCESSIBLE_BOOT_DEVICE error.
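The Registry edit above has a practical wrinkle in Windows RE: the installation's hive is offline, so HKLM\SYSTEM\CurrentControlSet does not exist and the real control set has to be resolved from Select\Current. The following added example (not from the original article) loads the offline SYSTEM hive, sets Enabled to 0 in the HVCI scenario and unloads the hive again. It assumes the Windows volume appears as C: inside Windows RE, which is not guaranteed; check the drive letter first.

```powershell
# Added example: from Windows RE, turn memory integrity off in the offline SYSTEM hive
# of an installation that no longer boots.
# Assumption: the Windows volume is C: inside Windows RE (verify with Get-Volume or diskpart).
$OfflineSystemHive = 'C:\Windows\System32\config\SYSTEM'
$MountName         = 'OfflineSYSTEM'

reg.exe load "HKLM\$MountName" $OfflineSystemHive | Out-Null
try {
    # CurrentControlSet is a runtime alias; in an offline hive read Select\Current
    # to find the control set the installation actually boots from.
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
    $hvciKey = "HKLM:\$MountName\ControlSet{0:D3}\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -f $current

    if (Test-Path $hvciKey) {
        $before = (Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue).Enabled
        Set-ItemProperty -Path $hvciKey -Name Enabled -Value 0 -Type DWord
        Write-Host "HypervisorEnforcedCodeIntegrity\Enabled: $before -> 0 (ControlSet$('{0:D3}' -f $current))"
    } else {
        Write-Host 'HVCI scenario key not present; memory integrity was not configured through the Registry.'
    }
}
finally {
    # Always unload so the hive is flushed to disk cleanly before rebooting.
    [gc]::Collect()   # release handles PowerShell may still hold on the loaded hive
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Two caveats a practitioner should know before relying on this: if the scenario was deployed with Locked set to 1, the UEFI lock means a Registry change alone will not disable it and the lock must be cleared at the console on the next boot; and if the setting was enforced by Group Policy or Intune, the policy will simply reapply it unless it is disabled first, as the article says.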

In environments where you also want to manage the visual warnings that appear in Windows Security (such as the yellow exclamation mark icon when memory integrity is disabled), things get more complicated. Tweaking the Registry alone is not always enough, and it is often necessary to combine Group Policy, Intune or other management tools to hide these warnings without visiting each computer to dismiss the message from the local interface, which also requires administrator privileges.

Memory integrity in Hyper-V virtual machines

Memory integrity does not only protect physical systems; it can also be applied to virtual machines running on Hyper-V, where it behaves much as it does on a physical computer. Inside the virtual machine the steps to enable the feature are essentially the same: activate VBS, ensure that memory integrity can start and meet the virtualized hardware requirements.

It is important to understand that this protection protects the guest virtual machine against malware that runs within it, but it doesn't add extra security to the host. From the host system, it's possible to disable memory integrity for a specific VM using Hyper-V management commands (such as Set-VMSecurity with the VBS exclusion option), so the administrator maintains control over which guests take advantage of these features and which don't.

For Hyper-V virtual machines to use memory integrity, the host must run at least Windows Server 2016 or Windows 10 version 1607, and the VMs must be Generation 2 with a modern operating system (Windows 10 or Windows Server 2016 or later). Memory integrity can also be combined with nested virtualization, provided the Hyper-V role is first enabled inside the virtual machine itself and the necessary conditions are met.

There are limitations to be aware of: some virtual devices, such as virtual Fibre Channel adapters, are not compatible with memory integrity, so the virtual machine must be excluded from VBS in the Hyper-V security options before adding them. The same applies to pass-through disks configured with AllowFullSCSICommandSet, which require disabling virtualization-based security for that VM before they can be used.
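The host-side part of the last three paragraphs, as an added example that is not from the original article: check whether a guest meets the Generation 2 requirement, read its current VBS opt-out state with Get-VMSecurity, and exclude it from VBS with Set-VMSecurity before attaching one of the incompatible devices mentioned above. The VM name is a placeholder.

```powershell
# Added example: on the Hyper-V host, inspect a guest's readiness for memory integrity
# and exclude it from VBS when an incompatible virtual device has to be attached.
# Assumption: the VM is named 'Guest01' (placeholder).
$VmName = 'Guest01'

$vm  = Get-VM -Name $VmName
$sec = Get-VMSecurity -VMName $VmName

[PSCustomObject]@{
    Name        = $vm.Name
    Generation  = $vm.Generation                        # memory integrity needs Generation 2
    State       = $vm.State
    VbsOptedOut = $sec.VirtualizationBasedSecurityOptOut
}

if ($vm.Generation -ne 2) {
    Write-Warning "$VmName is Generation $($vm.Generation); memory integrity cannot run in this guest."
}

# Security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') { Stop-VM -Name $VmName -Force }

# Exclude the guest from VBS (the exclusion option referred to above) so devices such as
# a virtual Fibre Channel adapter can be added. Set $false to allow VBS in the guest again.
Set-VMSecurity -VMName $VmName -VirtualizationBasedSecurityOptOut $true

# Confirm the change took effect before attaching the device and starting the VM.
(Get-VMSecurity -VMName $VmName).VirtualizationBasedSecurityOptOut
```

Keep in mind what the opt-out means from a defensive standpoint: once a guest is excluded, memory integrity inside it stops protecting that guest's kernel, so the decision belongs in the same risk assessment the article applies to physical machines.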

Alternatives when Core Isolation is not viable

On computers where the hardware does not meet the requirements, where drivers cause constant conflicts or where the performance impact is too high, it makes sense to consider alternative ways of running risky applications without compromising the main system. Among the most widely used are technologies such as Docker or full virtual machines.

Docker allows you to create container-type isolated environments where applications can be run in an encapsulated manner. In Windows, it can be used to set up a kind of separate "mini-system" in which to test suspicious software or specific services, knowing that when the container is closed and deleted, all its contents disappear without a trace on the host. For more complex tests or when a complete desktop is required, the classic approach is to configure a virtual machine with Windows and run potentially dangerous programs there; if something goes wrong or malware is detected, simply destroy the VM and create a new one.

While these alternatives do not exactly replicate the kind of defense offered by kernel-level memory integrity, they do provide a practical level of isolation that is very useful when it is not possible or advisable to activate Core Isolation on the physical system itself.


The configuration of Core Isolation, memory integrity and related protections in Windows offers a qualitative leap in security at the cost of additional resource consumption and some headaches with incompatible drivers. Knowing in depth how they work, how to enable or disable them, how to validate them with Win32_DeviceGuard and msinfo32, and what alternatives exist when they are not viable lets you find the right balance between performance and protection for the actual use you give your PC or infrastructure. Share the guide so more people can learn about Core Isolation and Memory Integrity in Windows.