What Are “Core Isolation” and “Memory Integrity” in Windows 10?

Windows 10’s April 2018 Update brings “Core Isolation” and “Memory Integrity” security features to everyone. These use virtualization-based security to protect your core operating system processes from tampering, but Memory Protection is off by default for people who upgrade.

What is Core Isolation?

In the original release of Windows 10, virtualization-based security (VBS) features were only available on Enterprise editions of Windows 10 as part of “Device Guard.” With the April 2018 Update, Core Isolation brings some virtualization-based security features to all editions of Windows 10.

Some Core Isolation features are enabled by default on Windows 10 PCs that meet certain hardware and firmware requirements, including having a 64-bit CPU and TPM 2.0 chip. It also requires your PC supports the Intel VT-x or AMD-V virtualization technology, and that it’s enabled in your PC’s UEFI settings.

When these features are enabled, Windows uses hardware virtualization features to create a secure area of system memory that’s isolated from the normal operating system. Windows can run system processes and security software in this secure area. This protects important operating system processes from being tampered with by anything running outside the secure area.

Even if malware is running on your PC and knows an exploit that should allow it to crack these Windows processes, the virtualization-based security is an additional layer of protection that will isolate them from attack.

RELATED: Everything New in Windows 10’s April 2018 Update, Available Now

What Is Memory Integrity?

The feature known as “Memory Integrity” in Windows 10’s interface is also known as “Hypervisor protected Code Integrity” (HVCI) in Microsoft’s documentation.

Memory Integrity is disabled by default on PCs that upgraded to the April 2018 Update, but you can enable it. It will be enabled by default on new installations of Windows 10 going forward.

This feature is a subset of Core Isolation. Windows normally requires digital signatures for device drivers and other code that runs in low-level Windows kernel mode. This ensures they haven’t been tampered with by malware. When “Memory Integrity” is enabled, the “code integrity service” in Windows runs inside the hypervisor-protected container created by Core Isolation. This should make it nearly impossible for malware to tamper with the code integrity checks and gain access to the Windows kernel.

Virtual Machine Problems

As Memory Integrity uses the system’s virtualization hardware, it’s incompatible with virtual machine programs like VirtualBox or VMware. Only one application can use this hardware at a time.

You may see a message saying Intel VT-X or AMD-V is not enabled or available if you install a virtual machine program on a system with Memory Integrity enabled. In VirtualBox, you may see the error message “Raw-mode is unavailable courtesy of Hyper-V” while Memory Protection is enabled.

Either way, if you encounter a problem with your virtual machine software, you must disable Memory Integrity to use it.

Why Is It Disabled By Default?

The main Core Isolation feature shouldn’t cause any problems. It’s enabled on all Windows 10 PCs that can support it, and there’s no interface for disabling it.

However, Memory Integrity protection can cause problems with some device drivers or other low-level Windows applications, which is why it’s disabled by default on upgrades. Microsoft is still pushing developers and device manufacturers to make their drivers and software compatible, which is why it’s enabled by default on new PCs and new installations of Windows 10.

If one of the drivers your PC requires to boot is incompatible with Memory Protection, Windows 10 will silently turn Memory Protection off to ensure your PC can boot and work properly. So, if you try enabling it and reboot only to find it’s still disabled, that’s why.

If you encounter problems with other devices or malfunctioning software after enabling Memory Protection, Microsoft recommends checking for updates with the specific application or driver. If no updates are available, turn off Memory Protection.

As we mentioned above, Memory Integrity will also be incompatible with some applications that require exclusive access to the system’s virtualization hardware, such as virtual machine programs. Other tools, including some debuggers, also require exclusive access to this hardware and won’t work with Memory Integrity enabled.

How to Enable Core Isolation Memory Integrity

You can see whether your PC has Core Isolation features enabled and toggle Memory Protection on or off from the Windows Defender Security Center application. (This tool will be renamed “Windows Security” as part of the October 2018 Update.)

To open it, search for “Windows Defender Security Center” in your Start menu or head to Settings > Update & Security > Windows Security > Open Windows Defender Security Center.

Click the “Device Security” icon in the Security Center.

If Core Isolation is enabled on your PC’s hardware, you’ll see the message “Virtualization-based security is running to protect the core parts of your device” here.

To enable (or disable) Memory Protection, click the “Core Isolation Details” link.

This screen shows you whether Memory Integrity is enabled or not. That’s the only option here for now.

To enable Memory Integrity, flip the switch to “On.” If you encounter application or device problems and need to disable Memory Integrity, return here and flip the switch to “Off.”

You’ll be prompted to restart your computer, and the change will only take effect once you have.

More Windows Defender Exploit Guard Features

Core Isolation and Memory Integrity are some of the many new security features Microsoft has added as part of Windows Defender Exploit Guard. This is a collection of features designed to secure Windows against attack.

Exploit protection, which protects your operating system and applications from many types of exploits, is enabled by default. This replaces Microsoft’s old EMET tool, and includes anti-exploit features we previously recommended installing Malware Anti-Exploit for. All Windows 10 users now have exploit protection.

There’s also Controlled Folder Access, which protects your files from ransomware. It’s not enabled by default because it requires some configuration. If you enable this feature, you’ll have to allow applications access before they can access files in your personal file folders.

RELATED: How Windows Defender’s New Exploit Protection Works (and How to Configure It)

Going forward, Memory Integrity will be enabled by default on all new PCs, providing additional protection against attacks. Only advanced users who use virtual machine software and other tools that require access to the system virtualization hardware will have to disable it.

Leave a Reply

Your email address will not be published. Required fields are marked *