Hypervisor-protected Code Integrity enablement
Hypervisor-protected Code Integrity (HVCI) is a virtualization-based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS, under the assumption that the kernel itself can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel-mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
See Virtualization Based Security System Resource Protections for more details on these protections.
Starting with Windows 11, new installations on compatible systems have memory integrity turned on by default. This is changing the default state of the feature in Windows, though device manufacturers and end users have the ultimate control of whether the feature is enabled.
Hardware features for automatic enablement
Memory integrity is turned on by default when a PC includes the following minimum hardware features:
| Component | Requirement |
|---|---|
| Storage | SSD with a minimum size of 64GB |
| Drivers | HVCI-compatible drivers must be installed. See Hypervisor-Protected Code Integrity (HVCI) for more information about drivers. |
| BIOS | Virtualization must be enabled |
If you're building an image that won't automatically enable Memory integrity, you can still configure your image so that it's turned on by default.
Auto-enablement pertains only to clean installs, not upgrades of existing devices.
The China and Korea markets are excluded, to avoid anti-cheat compatibility issues.
Intel 11th generation Core desktop processors are not included in the current default enablement logic. However, they are a recommended platform for HVCI, and the OEM can enable HVCI on them.
Opt out of HVCI enablement
Since HVCI relies on the Windows Hypervisor, the security benefits provided by Memory integrity do have tradeoffs for device performance and power.
Some devices that are especially sensitive to performance (e.g. gaming PCs) may choose to ship with HVCI disabled. Given the impact to the overall device security, we recommend you thoroughly test these scenarios before doing so.
To opt devices out of HVCI default enablement, ensure that the following registry key is set on the devices:
When this registry key is set, the sysprep provider for HVCI enablement will skip all other checks and decide to not enable HVCI. All other avenues to enable HVCI will still be available (Settings app, Group policy, etc).
This registry key is configured to persist across device reset, so HVCI will not be automatically enabled after a reset.
HVCI and VBS controls
This section enumerates how device manufacturers and end users can interact with HVCI and VBS. To learn about how to control HVCI state as an administrator, see Enable HVCI Using Group Policy.
Turn on Memory integrity
Windows will turn Memory integrity on by default for systems that meet certain hardware requirements. If your hardware doesn't include a hardware combination for which Windows automatically turns on Memory integrity, you can still enable it in your image by configuring registry keys in the image.
Users can also manually enable Memory integrity using the Core isolation page in the Windows Security app.
Set the following two registry keys in your image. This configuration will turn on Memory integrity in kernel mode in the same way that the OS default enablement logic does.
The WasEnabledBy registry key controls a setting that safeguards against having an unbootable device. When set, the device will automatically turn off HVCI if the system crashes during boot, which is likely caused by Memory integrity blocking an incompatible boot-critical driver. This auto-disable functionality is in the process of being deprecated, though it is currently the recommended configuration.
For high security systems, WasEnabledBy should NOT be set.
Turn off Memory integrity
For systems where Windows automatically turns on Memory integrity, OEMs can choose to turn the feature off.
Users can also manually turn off Memory integrity using the Core isolation page in the Windows Security app.
Registry keys for turning off Memory integrity
Clearing the following registry keys will prevent HVCI from enabling on the next boot. VBS will automatically disable as well, as long as the hypervisor or other VBS features are not explicitly enabled.
If Group Policy specifies that HVCI is enabled, this registry key change will not be honored.
Turn off VBS
If any VBS features are enabled when you set this key, they will override this value and turn on VBS.
Devices with the Hypervisor enabled will automatically get configured for VBS. If you want to ensure that VBS is not enabled on devices that get the Hypervisor enabled, set the following registry key. Please ensure you understand the security and performance tradeoffs before doing so. Note that the only tangible performance difference between a bare hypervisor and having VBS enabled is in Hibernate/resume, due to hiberfile encryption.
Make sure HVCI is never automatically enabled via sysprep on upgrades or clean installs
Identifying HVCI state
The following volatile registry key reflects the state of HVCI:
Other ways of checking HVCI state are to look at msinfo32 under "Virtualization-based security Services Running", or to look at the Core isolation settings page to see the value of Memory integrity.
Debugging Driver Issues
Check the Code Integrity logs to see if any drivers were blocked from loading as a result of HVCI. These are in Event Viewer under the following path:
Applications and Service Logs\Microsoft\Windows\CodeIntegrity\Operational
Generally, HVCI compatibility events have EventID=3087.
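The two checks above, reading the running-services state that msinfo32 displays and pulling the Code Integrity compatibility events, can be scripted. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes that the Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace exposes SecurityServicesRunning with the value 2 meaning HVCI, and that the Event Viewer path given above corresponds to the channel name Microsoft-Windows-CodeIntegrity/Operational.

```powershell
# Added example (not from the original page). Reports the HVCI state that
# msinfo32 shows under "Virtualization-based security Services Running" and
# lists the HVCI compatibility events (ID 3087) from the Code Integrity log.
#
# Assumptions: Win32_DeviceGuard (namespace root\Microsoft\Windows\DeviceGuard)
# exposes SecurityServicesRunning/SecurityServicesConfigured where 2 = HVCI, and
# the Event Viewer path on the page is the channel
# Microsoft-Windows-CodeIntegrity/Operational.

function Get-HvciRunningState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus        # 0 = off, 1 = configured, 2 = running (assumed encoding)
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-HvciCompatibilityEvents {
    param([int]$MaxEvents = 50)
    $filter = @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3087   # HVCI compatibility events, per the page
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Message = $e.Message
        }
    }
}

$state = Get-HvciRunningState
$state | Format-List
if (-not $state.HvciRunning) {
    Write-Host 'HVCI is not running. Recent Code Integrity compatibility events (3087):'
}
Get-HvciCompatibilityEvents | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on the device under test. An empty event list together with HvciRunning = False points at the enablement logic (the setupact.log checks described below) rather than at a blocked driver.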
Check results of HVCI default enablement
To see details on the results of HVCI default enablement, check the setupact.log and search for HVCI. You should see one of the following result logs, as well as the passing/failing checks leading to the enablement decision:
HVCI enabled:
SYSPRP HVCI: Enabling HVCI
HVCI not enabled:
SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.
If the device opted out of HVCI enablement via the regkey method detailed above, then this will be the only log from HVCI sysprep. If the device had a compatibility issue, it should be identified in the preceding logs with the error message:
SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0xXXXXXXXX
The following is an enumeration of the potential VBS compat issues. Each issue is represented by a single index in a bit array, and the error message outputs the hex value of that bit array with the bit for each detected issue set.
You'll notice some indexes are missing from the table below. Some compat requirements have been changed or deprecated, and are only relevant in older OS versions without the default enablement logic.
| Bit Index | Compat Issue |
|---|---|
| 0 | Unsupported architecture (e.g. x86) |
| 6 | UEFI WX Memory Attributes Table required |
| 7 | ACPI WSMT table required |
| 8 | UEFI MOR Lock required |
| 10 | Hardware virtualization required |
| 11 | Secure Launch required |
| 13 | Device failing to meet 64GB minimum required volume size |
| 14 | System drive SSD required |
| 15 | Device failing minimum Intel SoC requirements |
| 16 | QC SoC does not specify VBS enablement |
| 17 | 8GB RAM required |
An example of an error code and its identification:
0x000000C0 -> 00000000011000000 (binary) -> bit indexes 6 and 7 are set -> UEFI WX Memory Attributes Table required, ACPI WSMT table required
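The decoding just walked through by hand, together with the setupact.log search described above, can be automated. The following PowerShell is an added example, not code from the original page or from Microsoft. The bit-to-issue mapping is the table above; the setupact.log location is an assumption; the sample log lines are constructed for the demonstration and use only the two SYSPRP HVCI messages the page lists.

```powershell
# Added example (not from the original page). Finds the SYSPRP HVCI result lines
# in setupact.log and decodes the VBS_COMPAT_ISSUES bitmask into the compat-issue
# names from the table above.

# Bit index -> compat issue, copied from the page's table.
$VbsCompatIssues = @{
    0  = 'Unsupported architecture (e.g. x86)'
    6  = 'UEFI WX Memory Attributes Table required'
    7  = 'ACPI WSMT table required'
    8  = 'UEFI MOR Lock required'
    10 = 'Hardware virtualization required'
    11 = 'Secure Launch required'
    13 = 'Device failing to meet 64GB minimum required volume size'
    14 = 'System drive SSD required'
    15 = 'Device failing minimum Intel SoC requirements'
    16 = 'QC SoC does not specify VBS enablement'
    17 = '8GB RAM required'
}

function ConvertFrom-VbsCompatIssues {
    # Expands a VBS_COMPAT_ISSUES value into one object per set bit.
    param([Parameter(Mandatory)][uint32]$Mask)
    foreach ($bit in 0..31) {
        if ((($Mask -shr $bit) -band 1) -eq 1) {
            # Bits absent from the table belong to deprecated or unlisted checks.
            $name = if ($VbsCompatIssues.ContainsKey($bit)) { $VbsCompatIssues[$bit] } else { 'Unlisted/deprecated check' }
            [pscustomobject]@{ Bit = $bit; Issue = $name }
        }
    }
}

function Get-HvciSysprepResult {
    # Summarises the SYSPRP HVCI lines from a setupact.log (passed in as lines).
    param([Parameter(Mandatory)][string[]]$LogLines)
    $hvci    = @($LogLines | Where-Object { $_ -match 'SYSPRP HVCI' })
    $pattern = 'VBS_COMPAT_ISSUES\s+0x([0-9A-Fa-f]{1,8})'
    $mask    = $null
    $compatLine = $hvci | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($compatLine -and ($compatLine -match $pattern)) {
        $mask = [Convert]::ToUInt32($Matches[1], 16)
    }
    $declined = @($hvci -match 'does not meet HVCI auto-enablement requirements').Count -gt 0
    [pscustomobject]@{
        Enabled      = @($hvci -match 'Enabling HVCI').Count -gt 0
        Declined     = $declined
        # Per the page: a registry opt-out leaves the "does not meet" line as the only HVCI log.
        OptOutLikely = $declined -and ($hvci.Count -eq 1)
        CompatMask   = if ($null -ne $mask) { '0x{0:X8}' -f $mask } else { $null }
        CompatIssues = if ($null -ne $mask) { @(ConvertFrom-VbsCompatIssues -Mask $mask) } else { @() }
        RawLines     = $hvci
    }
}

# Constructed sample of the relevant setupact.log lines (not a real capture),
# using the 0x000000C0 value from the worked example above.
$sampleLog = @(
    'SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0x000000C0',
    'SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.'
)

# Assumed log location; adjust to where your image's setupact.log lives.
$SetupActLogPath = 'C:\Windows\Panther\setupact.log'
$lines  = if (Test-Path $SetupActLogPath) { Get-Content $SetupActLogPath } else { $sampleLog }
$result = Get-HvciSysprepResult -LogLines $lines

$result | Select-Object Enabled, Declined, OptOutLikely, CompatMask | Format-List
$result.CompatIssues | Format-Table -AutoSize
```

Against the constructed sample this reports Enabled = False, Declined = True, OptOutLikely = False, CompatMask = 0x000000C0, and two issue rows for bits 6 and 7, which is the hand decoding shown above. When run against a real log, any set bit that is not in the table is reported as an unlisted or deprecated check rather than being silently dropped.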