Let’s learn how to enable memory integrity using group policy. Memory integrity is a feature of Windows security that is sometimes referred to as hypervisor-protected code integrity (HVCI) or hypervisor-enforced code integrity.
Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device. It’s an important component of Windows Security. Memory integrity is a feature of core isolation, and you can turn it on or off based on your requirements.
By default, memory integrity is enabled on Windows 11 and Windows 10. However, if you install Windows 11 on a VM, you may notice that this feature is disabled. Microsoft recommends various methods to turn on the memory integrity feature, which include Intune, SCCM, Group Policy, and the Windows registry.
A GPO can help you enable the memory integrity feature on multiple Windows computers that are part of an Active Directory domain. You can apply the GPO to an OU consisting of Windows devices that require turning on the memory integrity feature.
Enable memory integrity using Group Policy
Perform the following steps to turn on the memory integrity feature using group policy:
- Launch the Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
- Navigate to Computer Configuration > Administrative Templates > System > Device Guard.
- Double-click Turn on Virtualization Based Security.
- Select Enabled to activate this policy setting.
- Under Virtualization Based Protection of Code Integrity, select Enabled with UEFI lock.
- Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
Manually Turn on Memory Integrity in Windows Security
If you don’t want to use a GPO to activate the memory integrity feature, you can manually enable it from Windows Security.
Click the Start button and type “Core isolation”. Select the Core Isolation system settings from the search results to open the Windows Security app. On the Core isolation page, you’ll find Memory integrity along with the toggle. Move the toggle to the right to enable it.
After you enable memory integrity, you will need to restart the system.
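To confirm that memory integrity is actually running after the restart, whichever method you used, the following added example (not part of the original article) reads the runtime state from the Win32_DeviceGuard CIM class and the policy value the GPO writes to the registry. The function name Get-MemoryIntegrityStatus is hypothetical, and the script assumes an elevated PowerShell session on the target device.

```powershell
# Added example: verify memory integrity (HVCI) after the policy has applied
# and the device has restarted. Get-MemoryIntegrityStatus is a hypothetical name.

function Get-MemoryIntegrityStatus {
    # Runtime state of virtualization-based security on this device.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Registry location written by "Turn on Virtualization Based Security".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Value meanings for the status fields reported below.
    $vbsText  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $hvciText = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'
                   2 = 'Enabled without lock'; 3 = 'Not configured' }

    # The policy value is absent when no GPO configures the setting
    # (for example, when the toggle in Windows Security was used instead).
    $hvciPolicy = if ($policy -and $null -ne $policy.HypervisorEnforcedCodeIntegrity) {
        $hvciText[[int]$policy.HypervisorEnforcedCodeIntegrity]
    } else {
        'No GPO value present'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        VbsStatus         = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        # Service ID 2 in these arrays is hypervisor-protected code integrity.
        HvciConfigured    = $dg.SecurityServicesConfigured -contains 2
        HvciRunning       = $dg.SecurityServicesRunning -contains 2
        HvciPolicySetting = $hvciPolicy
    }
}

$status = Get-MemoryIntegrityStatus
$status | Format-List

# Configured but not running usually means the policy has not applied yet
# or the device has not restarted since it did.
if (-not $status.HvciRunning) {
    Write-Warning ('Memory integrity is not running on {0}. Check that the GPO applied ' +
                   '(gpresult /r) and that the device has been restarted.' -f $status.ComputerName)
}
```

For a device configured as described in the GPO steps, HvciPolicySetting should read "Enabled with UEFI lock" and HvciRunning should be True.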