Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.
Note: What you see on the Core isolation page may vary a bit depending on what version of Windows you're running.
Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI), is a Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack your computer.
A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam, for two examples) talk to each other. When the device wants Windows to do something it uses the driver to send that request.
Tip: Want to know more about drivers? See What is a driver?
Memory integrity works by creating an isolated environment using hardware virtualization.
Think of it like a security guard inside a locked booth. This isolated environment (the locked booth in our analogy) prevents the memory integrity feature from being tampered with by an attacker. A program that wants to run a piece of code which may be dangerous has to pass the code to memory integrity inside that virtual booth so that it can be verified. When memory integrity is comfortable that the code is safe it hands the code back to Windows to run. Typically, this happens very quickly.
Without memory integrity running, the "security guard" stands right out in the open where it's much easier for an attacker to interfere with or sabotage the guard, making it easier for malicious code to sneak past and cause problems.
How do I manage memory integrity?
In most cases memory integrity is on by default in Windows 11, and can be turned on for Windows 10.
To turn it on or off:
Select the Start button and type “Core isolation”.
Select the Core Isolation system settings from the search results to open the Windows security app.
On the Core isolation page, you’ll find Memory integrity along with the toggle to turn it on or off.
Important: For safety we recommend having memory integrity turned on.
To use memory integrity, you must have hardware virtualization enabled in your system’s UEFI or BIOS.
What if it says I have an incompatible driver?
If memory integrity fails to turn on, it may tell you that you have an incompatible device driver already installed. Check with the manufacturer of the device to see if they have an updated driver available. If they don’t have a compatible driver available, you might be able to remove the device or app that uses that incompatible driver.
Note: If you try to install a device with an incompatible driver after turning on memory integrity, you may see the same message. If so, the same advice applies - check with the device manufacturer to see if they have an updated driver you can download, or don’t install that particular device until a compatible driver is available.
Memory access protection
Also known as "Kernel DMA protection", this protects your device against attacks that can occur when a malicious device is plugged into a PCI (Peripheral Component Interconnect) port like a Thunderbolt port.
A simple example of one of these attacks would be if someone leaves their PC for a quick coffee break and, while they are away, an attacker steps in, plugs in a USB-like device, and walks away with sensitive data from the machine or injects malware that allows them to control the PC remotely.
Memory access protection prevents these kinds of attacks by denying direct access to the memory to those devices except under special circumstances, particularly when the PC is locked or the user is signed out.
We recommend having memory access protection turned on.
Tip: If you'd like more technical detail about this see Kernel DMA Protection.
Every device has some software that's been written to the read-only memory of the device - basically written to a chip on the system board - that is used for the basic functions of the device, such as loading the operating system that runs all the apps we're used to using. Since that software is difficult (but not impossible) to modify we refer to it as "firmware".
Because the firmware loads first and runs "under" the operating system, security tools and features that run in the operating system have a difficult time detecting it or defending against it. Like a house that depends on a good foundation to be secure, a computer needs its firmware to be secure in order to ensure that the operating system, applications, and customer data on that computer are safe.
Windows Defender System Guard is a set of features that helps to ensure that attackers can't get your device to start with untrusted or malicious firmware.
We recommend that you have it turned on if your device supports it.
Tip: If you'd like more technical detail about this, see Windows Defender System Guard: How a hardware-based root of trust helps protect Windows.
Microsoft Defender Credential Guard
Note: Microsoft Defender Credential Guard only appears on devices running Enterprise versions of Windows 10 or 11.
While you're using your work or school computer it will be quietly signing into and gaining access to a variety of things such as files, printers, apps, and other resources in your organization. Making that process secure, yet easy for the user, means that your computer has a number of authentication tokens (often referred to as "secrets") on it at any given time.
If an attacker can gain access to one or more of those secrets, they might be able to use them to gain access to the organizational resource (sensitive files, etc.) that the secret is for. Microsoft Defender Credential Guard helps to protect those secrets by putting them in a protected, virtualized environment where only certain services can access them when necessary.
We recommend that you have it turned on if your device supports it.
Tip: If you'd like more technical detail about this, see How Defender Credential Guard works.
Microsoft Vulnerable Driver Blocklist
A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam, for two examples) talk to each other. When the device wants Windows to do something it uses the driver to send that request. Because of this, drivers have a lot of sensitive access in your system.
Starting with the Windows 11 2022 update, we now have a blocklist of drivers that have known security vulnerabilities, have been signed with certificates that have been used to sign malware, or that circumvent the Windows Security Model.
If you have memory integrity, Smart App Control, or Windows S mode on, the vulnerable driver blocklist will be on too.
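The state of the virtualization-based features described on this page can also be read from PowerShell through the Win32_DeviceGuard CIM class, which is useful when checking many machines. The following is an added example, not part of the original page; the function name Get-CoreIsolationStatus and the sample object are constructed for illustration.

```powershell
# Added example: decode Win32_DeviceGuard into the feature names used on the Core isolation page.
function Get-CoreIsolationStatus {
    [CmdletBinding()]
    param(
        # Optional pre-fetched object (for example a constructed sample); defaults to a live query.
        $DeviceGuard
    )

    if ($null -eq $DeviceGuard) {
        try {
            $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                           -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
        } catch {
            throw "Win32_DeviceGuard is not available on this system: $($_.Exception.Message)"
        }
    }

    $vbsStates  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $available  = @($DeviceGuard.AvailableSecurityProperties)
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)

    # Service IDs: 1 = Credential Guard, 2 = memory integrity (HVCI), 3 = System Guard Secure Launch.
    # "Configured" means the setting is on; "Running" means the service is actually active.
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStates[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        HypervisorSupportAvailable  = $available -contains 1   # hardware virtualization usable
        DmaProtectionAvailable      = $available -contains 3   # hardware property, not the on/off state
        MemoryIntegrityConfigured   = $configured -contains 2
        MemoryIntegrityRunning      = $running -contains 2
        CredentialGuardConfigured   = $configured -contains 1
        CredentialGuardRunning      = $running -contains 1
        SecureLaunchRunning         = $running -contains 3
    }
}

# Constructed sample (not captured from a real machine): VBS running, memory integrity
# configured and running, Credential Guard configured but not running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    AvailableSecurityProperties       = 1, 2, 3
    SecurityServicesConfigured        = 1, 2
    SecurityServicesRunning           = 2
}
Get-CoreIsolationStatus -DeviceGuard $sample

# Live query of the local machine:
# Get-CoreIsolationStatus
```

A feature that shows as configured but not running is the case to investigate, for example memory integrity that was switched on but could not start.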