How to enable Core Isolation and Memory Integrity in Windows

  • Core Isolation and Memory Integrity use virtualization-based security to isolate and protect the Windows kernel from advanced malware.
  • Enabling them requires compatible hardware, virtualization turned on in the firmware, and updated drivers; it can be done from Windows Security or through the Registry and policies.
  • They significantly improve system security, but can impact performance and expose incompatibilities with certain drivers and configurations.

Activate Core Isolation and Memory Integrity in Windows

If you use Windows 10 or Windows 11 and are concerned about security, you have probably seen the Core isolation and Memory integrity options in Windows Security. Many users see warnings like "Memory integrity is disabled, your device may be vulnerable," and it is not always clear what that means or how to enable it properly without causing problems. If you want to learn more, you can consult further resources on how to secure your Windows.

In this guide you will find a complete explanation, in clear language, of exactly what Core Isolation is, how memory integrity works, what the requirements are, how to enable it through the Windows graphical options, the command line, or advanced policies, and what to do if you encounter errors, blue screens, or performance issues after activation. The goal is to help you make an informed decision about whether you want to enable it and, above all, to configure it confidently. You can also consult our complete guide to security and privacy.

What is Core Isolation and what role does memory integrity play?

What is known as Core isolation is an advanced security technology integrated into Windows that relies on virtualization-based security (VBS). Basically, Windows creates a small, isolated virtual environment within the system itself, which acts as a zone of maximum trust and from which what happens in the kernel and in other critical processes is monitored.

Within that protected environment, memory integrity, also known as HVCI (Hypervisor-Enforced Code Integrity), comes into play. This feature requires that code running in kernel mode be properly signed and verified, and it strictly controls how kernel memory is allocated and modified, blocking the typical attempts by many types of malware to inject themselves into the core of the system.

When you enable Core Isolation and Memory Integrity, Windows erects a kind of "virtual wall" around the kernel: the Windows hypervisor isolates a portion of memory where code integrity checks are performed, and the kernel itself becomes much more tightly controlled. This greatly complicates the task of any attacker trying to modify internal system structures or load malicious drivers.

All of this is part of a change in the Windows security model: the kernel is no longer assumed to be untouchable; rather, it is assumed that it can be attacked, and it is reinforced with an additional layer that runs in that isolated virtual environment. It is an approach similar to having a "micro operating system" dedicated to monitoring the main system.


Functions and advantages of memory integrity

Memory integrity is not just "another switch" in Windows Security. It is a key component of VBS and provides several specific protective layers against attacks on the kernel and drivers.

On one hand, this function protects the Control Flow Guard (CFG) bitmap for kernel-mode drivers. CFG is a technology that attempts to prevent the flow of program execution from being diverted to unexpected memory areas.

Furthermore, memory integrity protects the kernel-mode code integrity process itself, the component responsible for verifying that trusted processes and drivers have valid certificates and have not been tampered with. In this way, not only are others monitored, but also the monitors themselves, reducing the risk of the security mechanism being sabotaged.

Another important contribution is that it strictly restricts kernel memory allocations. Many privilege escalation techniques and rootkits consist precisely of getting the system to reserve memory in a specific way in order to inject malicious code.

In practice, all this translates into a noticeable improvement in the Windows threat model: the kernel goes from being a relatively accessible target for certain families of sophisticated malware to being much more protected, especially when combined with other features such as Credential Guard, other hardware-based protections, and ASR (attack surface reduction) rules on Windows.

What exactly does Core Isolation protect on your PC?

To fully understand what this function provides, it is helpful to distinguish between primary hardware and peripheral hardware. Core isolation and memory integrity focus primarily on protecting the path that connects the system to that primary hardware (motherboard, CPU, GPU, RAM, main storage unit…), which is where the most delicate things happen.

Meanwhile, everything that is connected through USB or other ports (external storage devices, mice, keyboards, printers, mobile phones) is considered peripheral hardware. While these devices are not the core of the computer, they are a major entry point for malware. Memory integrity helps make it more difficult for malware to attack the kernel directly, even if one of these devices is compromised or uses a vulnerable driver.

It is worth noting that this function does not replace antivirus software. Windows Defender (or Microsoft Defender) remains essential for analyzing files, processes, and network traffic, and is part of the strategy for protecting your PC from hacks and attacks. Kernel isolation and memory integrity act as a low-level complement that comes into play when an attack attempts to target the operating system directly. The combination of both greatly strengthens overall security.

However, this extra protection does have a cost in resources. Just as an access control system with more steps takes longer to let you into your home, the more checks Windows performs on the code loaded into the kernel, the more time and CPU power it consumes. This can be noticeable on very low-end systems or in situations like demanding games.

Advantages and disadvantages: security vs performance

Enabling Core Isolation and memory integrity clearly increases system security, but it is not all roses. Many users have noticed that, after activating these options, the FPS in games drops or the system feels somewhat heavier, especially on computers that were already at their hardware limit.

There are also cases where, when core isolation is activated, blue screens of death (BSOD) or strange freezes appear. In most of these situations the origin is the same: incompatible or poorly designed drivers that do not meet the stricter code integrity rules required by HVCI.

On the other hand, if your computer usage is relatively conservative (you don't download unusual software, you visit trusted websites, you keep your system updated, and you leave Microsoft Defender active), you might not notice a huge difference in security when you activate Core Isolation, while you might notice a loss of performance, especially in games or very intensive applications.

The sensible recommendation is usually the following: if your computer is relatively modern, meets the virtualization requirements, shows no errors when you activate the feature, and you do not notice any significant performance issues, it is worth leaving Core Isolation enabled. However, if you start experiencing severe performance drops or instability, you might consider disabling it or using it only at specific times.

In any case, even with all these functions activated, the key element remains the user: avoiding strange downloads, not opening suspicious attachments, not visiting shady websites, and keeping everything updated remains the best defense. Technology helps, but it does not work miracles if you are not careful while browsing.

How to enable Core Isolation and Memory Integrity from Windows Security

The most direct and visual way to activate core isolation and memory integrity is through the Windows Security application itself, which is integrated into both Windows 10 and Windows 11. The steps are very similar in both systems, although the menu name changes slightly.

In Windows 11, you can open the application by pressing Windows + I to go to Settings and then entering Privacy and security > Windows Security, where you will see a button to open it. You can also search for "Windows Security" from the Start menu or click the blue shield icon that usually appears in the system tray.

Once inside Windows Security, go to the Device security section. There you will find the section called Core isolation. You will likely see a message indicating that memory integrity is disabled and that your device may be vulnerable if you do not activate it.

Click on Core isolation details. A screen will open with several advanced options. The most important is the Memory integrity switch. By activating it, Windows will begin to apply these strengthened code integrity policies to the kernel, preventing the loading of potentially malicious drivers or code.

In that same section you can also find, depending on your version of Windows, the Microsoft Vulnerable Driver Blocklist option. This feature, which is usually enabled by default, prevents certain drivers known to have serious vulnerabilities from loading. Combined with memory integrity, it provides an extra layer of security against problematic drivers.


How to enable memory integrity and VBS using commands and the registry

If you manage multiple computers or want finer control, you can also enable Core Isolation and Memory Integrity from the command line. This involves directly modifying specific keys in the Windows Registry, which is very useful in corporate environments or when you want to automate the configuration.

To get started, open the Command Prompt as administrator: press Windows + S, type "cmd", right-click on "Command Prompt" and select "Run as administrator". Accept the User Account Control prompt if it appears.

The main key for memory integrity is HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity. Within that branch, the value Enabled controls whether HVCI is enabled (1) or disabled (0). You can enable it with a command similar to this:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f

Core Isolation depends on virtualization-based security (VBS) being enabled. That is controlled by the key HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. There you have several important values: for example, EnableVirtualizationBasedSecurity (to turn on VBS), RequirePlatformSecurityFeatures (to require platform features such as Secure Boot and DMA protection, depending on the value set) and Locked (to indicate whether the UEFI lock is established or not).

A typical set of commands to configure VBS and HVCI without permanently locking anything into the firmware might look like this, always executed in a console with elevated privileges:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
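The same configuration expressed as an idempotent PowerShell script is shown below. This is an added example, not code from the original article: it reads each value first, refuses to proceed if the UEFI lock is already set (a locked configuration is not governed by the registry any more), writes only the values that differ, and reminds you that a reboot is needed for VBS and HVCI to start. The desired values are the ones the reg add commands above set; the script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example (not from the original article): audit and apply the VBS/HVCI registry
# values from the reg add commands above. Run from an elevated PowerShell session.
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'

# Desired state: VBS on, platform features required, HVCI on, nothing UEFI-locked.
$desired = @(
    @{ Path = $dg;   Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
    @{ Path = $dg;   Name = 'RequirePlatformSecurityFeatures';   Value = 1 },
    @{ Path = $dg;   Name = 'Locked';                            Value = 0 },
    @{ Path = $hvci; Name = 'Enabled';                           Value = 1 },
    @{ Path = $hvci; Name = 'Locked';                            Value = 0 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value does not exist yet
}

# A UEFI-locked configuration is no longer controlled by these registry values;
# the lock has to be cleared first, so stop rather than write values that will be ignored.
if ((Get-RegDword $dg 'Locked') -eq 1 -or (Get-RegDword $hvci 'Locked') -eq 1) {
    Write-Warning 'VBS/HVCI is UEFI-locked; clear the lock before changing these values.'
    return
}

$changed = $false
foreach ($item in $desired) {
    $current = Get-RegDword $item.Path $item.Name
    if ($current -eq $item.Value) {
        '{0}\{1} is already {2}' -f $item.Path, $item.Name, $item.Value
        continue
    }
    if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
    New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord `
                     -Value $item.Value -Force | Out-Null
    $shown = if ($null -eq $current) { 'absent' } else { $current }
    '{0}\{1}: {2} -> {3}' -f $item.Path, $item.Name, $shown, $item.Value
    $changed = $true
}

if ($changed) { 'Registry updated. Reboot for VBS and memory integrity to take effect.' }
else          { 'Nothing to change.' }
```

Because the script only writes values that differ from the desired state, it can be run repeatedly from a deployment tool without side effects; the second run reports "Nothing to change."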

Using App Control for Business and PowerShell

In organizations that deploy security policies across many computers, Microsoft offers another way to enable memory integrity: App Control for Business, successor to Windows Defender Application Control. From there, HVCI can be included as part of a centralized policy.

One common way is to use the Application Control Wizard, which guides you through creating or modifying the policy. Within that wizard, on the policy rules page, you can select the option Hypervisor-protected code integrity. This indicates that you want to enable memory integrity on all devices that apply that policy.

Another alternative is to use the PowerShell cmdlet Set-HVCIOptions, which allows you to configure different HVCI operating modes, such as auditing, enforced operation, etc. This is very useful if you want to test the compatibility of your drivers in audit mode before switching to a strictly enforced mode.

Finally, anyone with experience in XML can directly edit the App Control policy file and modify the value of the <HVCIOptions> element. This allows fairly detailed control over how memory integrity is applied in an environment where many computers are managed simultaneously.
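The following added example (not the article's or Microsoft's own code) ties the two previous paragraphs together: it enables HVCI in an existing App Control policy with Set-HVCIOptions and then reads the <HVCIOptions> element back from the XML to confirm the change. It assumes the ConfigCI PowerShell module is present and that a policy file already exists at the placeholder path C:\Policies\BasePolicy.xml.

```powershell
# Added example (not from the original article). Assumes the ConfigCI module
# (Windows 10/11, Windows Server 2016 and later) and an existing policy XML.
$policy = 'C:\Policies\BasePolicy.xml'   # placeholder path, replace with your policy

[xml]$before = Get-Content -Path $policy -Raw
'HVCIOptions before: {0}' -f $before.SiPolicy.HVCIOptions

# -Enabled turns memory integrity on for every device that applies this policy.
# -Strict would select HVCI strict mode instead; -None clears the setting.
Set-HVCIOptions -Enabled -FilePath $policy

# Audit mode for the policy as a whole (log violations instead of blocking) is a
# rule option rather than an HVCI option; to test driver compatibility first:
# Set-RuleOption -FilePath $policy -Option 3

[xml]$after = Get-Content -Path $policy -Raw
'HVCIOptions after : {0}' -f $after.SiPolicy.HVCIOptions

# HVCIOptions is a bit field (1 = Enabled, 2 = Strict, 4 = DebugMode), so check the
# Enabled bit rather than comparing the whole number.
$enabled = ([int]$after.SiPolicy.HVCIOptions -band 1) -eq 1
if (-not $enabled) { throw "HVCIOptions in $policy does not have the Enabled bit set" }
'Memory integrity is enabled in the policy; convert it with ConvertFrom-CIPolicy and deploy as usual.'
```

Reading the element back is worth the two extra lines: it makes the script fail loudly if the cmdlet was run against the wrong file or the XML was later hand-edited, instead of silently shipping a policy without memory integrity.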

This whole approach is more geared towards businesses, but it's good to know that memory integrity can be governed both from the user interface and from policy management tools and scripts, depending on the needs of each environment.

How to check if VBS and memory integrity are actually active

Once you have enabled VBS and memory integrity, it is logical to ask whether they are really working or whether something has been left unfinished. Windows offers several ways to check this, both graphically and through commands.

One of the most comprehensive is to use the WMI class Win32_DeviceGuard, accessible from a PowerShell session with administrator privileges. Running a command like this generates a fairly detailed report:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

The output of this command includes fields such as AvailableSecurityProperties, which lists which hardware-based security features are present (hypervisor support, Secure Boot, DMA protection, NX protections, SMM mitigations, MBEC/GMET, APIC virtualization, etc.), and RequiredSecurityProperties, which indicates which properties are necessary for VBS to be enabled correctly.

You will also see fields like SecurityServicesConfigured and SecurityServicesRunning, which show whether services like Credential Guard and memory integrity are configured and whether they are actually running. For example, a value of 2 in SecurityServicesConfigured indicates that memory integrity is configured, and a value of 2 in SecurityServicesRunning indicates that it is running.

Another key field is VirtualizationBasedSecurityStatus, which tells you whether VBS is disabled (0), enabled but not running (1), or enabled and fully functioning (2). For Core Isolation to work correctly, this value should be 2.

If you prefer something more visual and less technical, you can turn to msinfo32.exe. Run this program (for example, by typing "msinfo32" in the Windows search box) from a session with elevated privileges. At the bottom of the System Summary you will see a block dedicated to VBS features, indicating whether it is enabled and which related protections are active.
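The raw Win32_DeviceGuard output is a set of numeric arrays, so here is an added example (not from the original article) that decodes them into a readable report and answers the practical question of whether memory integrity is enforced right now. The code-to-name tables are the documented values for this class; the one assumption is that the script runs in an elevated PowerShell session on Windows.

```powershell
# Added example (not from the original article): decode Win32_DeviceGuard into a
# readable VBS / memory-integrity status report. Run from an elevated PowerShell session.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Documented codes for AvailableSecurityProperties / RequiredSecurityProperties.
$propertyNames = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control (MBEC/GMET)'
    8 = 'APIC virtualization'
}
# Documented codes for SecurityServicesConfigured / SecurityServicesRunning.
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }
# Documented codes for VirtualizationBasedSecurityStatus.
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

function Convert-Codes {
    param([int[]]$Codes, [hashtable]$Names)
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object { if ($Names.ContainsKey($_)) { $Names[$_] } else { "unknown($_)" } }) -join ', '
}

'VBS status           : {0}' -f $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
'Available properties : {0}' -f (Convert-Codes $dg.AvailableSecurityProperties $propertyNames)
'Required properties  : {0}' -f (Convert-Codes $dg.RequiredSecurityProperties $propertyNames)
'Services configured  : {0}' -f (Convert-Codes $dg.SecurityServicesConfigured $serviceNames)
'Services running     : {0}' -f (Convert-Codes $dg.SecurityServicesRunning $serviceNames)

# The question that matters: is memory integrity actually enforced at this moment?
$hvciRunning = ($dg.SecurityServicesRunning -contains 2) -and
               ($dg.VirtualizationBasedSecurityStatus -eq 2)
if ($hvciRunning) {
    'Memory integrity is running.'
}
elseif ($dg.SecurityServicesConfigured -contains 2) {
    # Configured but not running: usually a pending reboot, a missing platform
    # property, or an incompatible driver that prevented HVCI from starting.
    'Memory integrity is configured but NOT running.'
    $missing = $dg.RequiredSecurityProperties |
               Where-Object { $dg.AvailableSecurityProperties -notcontains $_ }
    if ($missing) { 'Required platform properties not available: ' + (Convert-Codes $missing $propertyNames) }
}
else {
    'Memory integrity is not configured.'
}
```

The "configured but not running" branch is the case worth automating: comparing RequiredSecurityProperties against AvailableSecurityProperties immediately tells you whether the blocker is the platform (for example Secure Boot off in the firmware) or something else, such as a driver that failed HVCI checks.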

Memory integrity in Hyper-V virtual machines

Memory integrity and Core Isolation are not just for physical hardware. They can also be enabled within a Hyper-V virtual machine, provided certain requirements are met. In that scenario, the VM enjoys the same protections as a physical PC against malware that attempts to attack the guest machine's kernel.

To do this, the Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607, and the virtual machine must be Generation 2 and run a compatible version of Windows. Inside the VM, the steps to enable Core Isolation are the same as on a regular computer.

It is important to understand that memory integrity in the virtual machine protects the guest, not the host. The host administrator still has the ability to control the VM's configuration and can, in fact, disable that virtual machine's participation in VBS with commands such as:

Set-VMSecurity -VMName <NombreVM> -VirtualizationBasedSecurityOptOut $true
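As an added example (not part of the original article), the following script checks from the Hyper-V host whether a VM satisfies the prerequisites listed above before you enable memory integrity inside the guest: host version, VM generation, and whether the VM has been opted out of VBS with the command just shown. The VM name TestVM is a placeholder; the Hyper-V PowerShell module is assumed to be installed on the host.

```powershell
# Added example (not from the original article): pre-flight check on the Hyper-V host.
$VMName = 'TestVM'   # placeholder, replace with a real VM name

$vm  = Get-VM -Name $VMName -ErrorAction Stop
$sec = Get-VMSecurity -VMName $VMName

# Windows 10 1607 and Windows Server 2016 are build 14393; older hosts cannot
# provide VBS to their guests.
$minHostBuild = 14393
$hostBuild    = [System.Environment]::OSVersion.Version.Build

$problems = @()
if ($hostBuild -lt $minHostBuild) {
    $problems += "Host build $hostBuild is older than Windows 10 1607 / Server 2016 (build $minHostBuild)"
}
if ($vm.Generation -ne 2) {
    $problems += "VM is Generation $($vm.Generation); VBS in the guest requires Generation 2"
}
if ($sec.VirtualizationBasedSecurityOptOut) {
    $problems += 'VM is opted out of VBS (VirtualizationBasedSecurityOptOut = True)'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    "$VMName meets the host-side prerequisites; enable memory integrity inside the guest as on a physical PC."
}

# To reverse an earlier opt-out (the inverse of the command in the article):
# Set-VMSecurity -VMName $VMName -VirtualizationBasedSecurityOptOut $false
```

Running this before touching the guest saves a confusing troubleshooting session later: if the host has opted the VM out, every check inside the guest (Win32_DeviceGuard, msinfo32) will report VBS as not running no matter how the guest's registry is configured.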

Core Isolation and Memory Integrity are two key components of Windows security hardening: leveraging hardware virtualization, they add a deep layer of protection over the kernel and drivers, capable of stopping sophisticated attacks that previously had free rein. However, enabling them requires meeting certain hardware requirements and accepting that, on some systems or for very demanding uses, there may be a price to pay in performance or driver compatibility, so it is advisable to weigh their use carefully and always rely on good security practices when browsing and installing software.