Hypervisor-protected Code Integrity enablement

Hypervisor-protected Code Integrity (HVCI) is a virtualization-based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.

HVCI and VBS improve the threat model of Windows and provide stronger protections against malware that tries to exploit the Windows kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS; this design assumes that the kernel itself can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel-mode code integrity inside it and by restricting kernel memory allocations that could be used to compromise the system.

See Virtualization Based Security System Resource Protections for more details on these protections.

Default enablement

Starting with Windows 11, new installations on compatible systems have memory integrity turned on by default. This changes the default state of the feature in Windows; device manufacturers and end users retain ultimate control over whether the feature is enabled.

Hardware features for automatic enablement

Memory integrity is turned on by default when a PC includes the following minimum hardware features:

Processor:
  • Intel 11th generation Core processors and newer
  • AMD Zen 2 architecture and newer
  • Qualcomm Snapdragon 8180 and newer
RAM: Minimum 8 GB
Storage: SSD with a minimum size of 64 GB
Drivers: HVCI-compatible drivers must be installed. See Hypervisor-Protected Code Integrity (HVCI) for more information about drivers.
BIOS: Virtualization must be enabled

If you're building an image that won't automatically enable Memory integrity, you can still configure your image so that it's turned on by default.

Note

Auto-enablement pertains only to clean installs, not upgrades of existing devices.

Note

The China and Korea markets are excluded, to avoid anti-cheat compatibility issues.

Note

Intel 11th generation Core desktop processors are not included in the current default enablement logic. However, they are a recommended platform for HVCI, and the OEM can enable HVCI on them.

Opt out of HVCI enablement

Because HVCI relies on the Windows Hypervisor, the security benefits provided by Memory integrity come with tradeoffs in device performance and power.

Some devices that are especially sensitive to performance (e.g. gaming PCs) may ship with HVCI disabled. Given the impact on overall device security, we recommend that you thoroughly test these scenarios before doing so.

To opt devices out of HVCI default enablement, ensure that the following registry key is set on the devices:

Registry key: HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Value: BlockAutoenablement=1

When this registry key is set, the sysprep provider for HVCI enablement skips all other checks and does not enable HVCI. All other ways to enable HVCI remain available (Settings app, Group Policy, and so on).

Note

This registry key persists across device reset, so HVCI will not be automatically enabled after a reset.

HVCI and VBS controls

This section enumerates how device manufacturers and end users can interact with HVCI and VBS. To learn about how to control HVCI state as an administrator, see Enable HVCI Using Group Policy.

Turn on Memory integrity

Windows turns Memory integrity on by default for systems that meet certain hardware requirements. If your hardware doesn't include a combination that lets Windows turn on Memory integrity automatically, you can still enable it in your image by configuring registry keys in the image.

Users can also manually enable Memory integrity using the Core isolation page in the Windows Security app.

Set the following two registry values in your image. This configuration turns on Memory integrity in kernel mode in the same way that the OS default enablement logic does.

Registry key: HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Value: Enabled=1
Value: WasEnabledBy=1

The WasEnabledBy registry value controls a safeguard against an unbootable device. When it is set, the device automatically turns off HVCI if the system crashes during boot, which is most likely caused by Memory integrity blocking an incompatible boot-critical driver. This auto-disable functionality is being deprecated, but it is currently the recommended configuration.

Note

For high security systems, WasEnabledBy should NOT be set.

Turn off Memory integrity

For systems where Windows automatically turns on Memory integrity, OEMs can choose to turn the feature off.

Users can also manually turn off Memory integrity using the Core isolation page in the Windows Security app.

Registry keys for turning off Memory integrity

Clearing the following registry value (setting it to 0) causes HVCI not to enable on the next boot. VBS is disabled automatically as well, as long as the hypervisor or other VBS features are not explicitly enabled.

Registry key: HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Value: Enabled=0

Note

If Group Policy specifies that HVCI is enabled, this registry key change will not be honored.

Turn off VBS

Registry key: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
Value: EnableVirtualizationBasedSecurity=0

Note

If any VBS features are enabled when you set this key, they override this value and VBS turns on.

Devices with the Hypervisor enabled are automatically configured for VBS. If you want to ensure that VBS is not enabled on devices where the Hypervisor is enabled, set the following registry key. Make sure you understand the security and performance tradeoffs before doing so. The only tangible performance difference between the bare hypervisor and having VBS enabled is in hibernate/resume, because of hiberfile encryption.

Make sure HVCI is never automatically enabled via sysprep on upgrades or clean installs

Registry key: HKLM\System\CurrentControlSet\Control\DeviceGuard
Value: HyperVVirtualizationBasedSecurityOptout=1
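The registry settings from the opt-out, turn-on, turn-off HVCI and turn-off VBS sections above are all DWORD values under the DeviceGuard key, so they can be applied by one small PowerShell helper. The following is an added example, not code from the Microsoft page: the function and parameter names (Set-HvciImageConfiguration, Get-HvciImageConfiguration, -Mode, -RegistryRoot) are hypothetical, while the key paths and value names are the ones this page documents. It assumes an elevated session; for an offline image it assumes you have already loaded the image's SYSTEM hive (for example `reg load HKLM\OfflineSystem D:\Mount\Windows\System32\config\SYSTEM`) and pass that root, using ControlSet001 because an offline hive has no CurrentControlSet link.

```powershell
# Added example (not from the Microsoft page): apply or read back the HVCI/VBS
# registry settings this page documents. Assumptions: elevated session; for an
# offline image the SYSTEM hive is already loaded and -RegistryRoot points at it,
# e.g. 'HKLM:\OfflineSystem\ControlSet001'. Function names are hypothetical.

function Set-HvciImageConfiguration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OptOutOfAutoEnablement', 'Enable', 'EnableHighSecurity',
                     'DisableHvci', 'DisableVbs', 'HypervisorOptOut')]
        [string]$Mode,
        [string]$RegistryRoot = 'HKLM:\SYSTEM\CurrentControlSet'
    )
    $deviceGuard  = "$RegistryRoot\Control\DeviceGuard"
    $hvciScenario = "$deviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"

    # Each mode maps to the DWORD value(s) the page lists for that action.
    $settings = @(switch ($Mode) {
        'OptOutOfAutoEnablement' { @{ Path = $hvciScenario; Name = 'BlockAutoenablement'; Value = 1 } }
        'Enable' {
            @{ Path = $hvciScenario; Name = 'Enabled';      Value = 1 }
            @{ Path = $hvciScenario; Name = 'WasEnabledBy'; Value = 1 }   # boot-crash auto-disable safeguard
        }
        'EnableHighSecurity' { @{ Path = $hvciScenario; Name = 'Enabled'; Value = 1 } }   # no WasEnabledBy
        'DisableHvci'        { @{ Path = $hvciScenario; Name = 'Enabled'; Value = 0 } }
        'DisableVbs'         { @{ Path = $deviceGuard; Name = 'EnableVirtualizationBasedSecurity'; Value = 0 } }
        'HypervisorOptOut'   { @{ Path = $deviceGuard; Name = 'HyperVVirtualizationBasedSecurityOptout'; Value = 1 } }
    })

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Value)")) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        }
    }
    # High-security systems must not carry WasEnabledBy, so drop any stale copy.
    if ($Mode -eq 'EnableHighSecurity' -and
        $PSCmdlet.ShouldProcess("$hvciScenario\WasEnabledBy", 'Remove value')) {
        Remove-ItemProperty -Path $hvciScenario -Name 'WasEnabledBy' -ErrorAction SilentlyContinue
    }
}

function Get-HvciImageConfiguration {
    param([string]$RegistryRoot = 'HKLM:\SYSTEM\CurrentControlSet')
    $deviceGuard  = "$RegistryRoot\Control\DeviceGuard"
    $hvciScenario = "$deviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
    # Values that are not present read back as $null, which distinguishes "unset" from 0.
    $dg = Get-ItemProperty -Path $deviceGuard  -ErrorAction SilentlyContinue
    $sc = Get-ItemProperty -Path $hvciScenario -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled                                 = $sc.Enabled
        WasEnabledBy                            = $sc.WasEnabledBy
        BlockAutoenablement                     = $sc.BlockAutoenablement
        EnableVirtualizationBasedSecurity       = $dg.EnableVirtualizationBasedSecurity
        HyperVVirtualizationBasedSecurityOptout = $dg.HyperVVirtualizationBasedSecurityOptout
    }
}

# Preview what the recommended "turn on" configuration would write, then read
# back the current state. Drop -WhatIf to actually apply a mode.
Set-HvciImageConfiguration -Mode Enable -WhatIf
Get-HvciImageConfiguration
```

Reading the configuration back before and after a change is the useful part for image builders: a device that shows Enabled=1 without WasEnabledBy is in the high-security configuration the note above describes, and a device with BlockAutoenablement=1 will be skipped by the sysprep provider regardless of the other values.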

Troubleshooting

Identifying HVCI state

The following volatile registry key reflects the state of HVCI:

Registry key: HKLM\System\CurrentControlSet\Control\CI\State
Value: HVCIEnabled

Other ways to check the HVCI state are to look in MsInfo32 at Virtualization-based Security Services Running, or to open the Core isolation settings page and read the value of Memory integrity.

Debugging Driver Issues

Check the Code Integrity logs to see whether any drivers were blocked from loading as a result of HVCI. These are in Event Viewer under the following path:

Applications and Service Logs\Microsoft\Windows\CodeIntegrity\Operational

Generally, HVCI compatibility events have EventID=3087.
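The two troubleshooting steps above (reading the volatile HVCIEnabled value and checking the Code Integrity operational log for event 3087) can be scripted together so a support engineer gets one report per device. This is an added example, not code from the Microsoft page. It reads the registry key the page names, and additionally queries the Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace, which is the same data MsInfo32 shows; the function names Get-HvciState and Get-HvciBlockedDriverEvents are hypothetical, and the regex that pulls a .sys file name out of the event message is a best-effort assumption about the message text.

```powershell
# Added example (not from the Microsoft page): report HVCI state and list
# Code Integrity events with ID 3087. Run on the device being checked.
# Function names are hypothetical.

function Get-HvciState {
    # Volatile key from the page: HKLM\System\CurrentControlSet\Control\CI\State, value HVCIEnabled.
    $ciState = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\State' -ErrorAction SilentlyContinue
    # Same information MsInfo32 displays under "Virtualization-based Security Services Running".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesRunning / SecurityServicesConfigured contain 2 for HVCI (1 is Credential Guard).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = enabled and running.
    [pscustomobject]@{
        HVCIEnabledRegValue = $ciState.HVCIEnabled
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured      = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-HvciBlockedDriverEvents {
    param([int]$MaxEvents = 50)
    # Event Viewer path from the page: Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3087
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue   # no events is not an error here

    foreach ($e in $events) {
        # Best-effort: pick the first .sys file name out of the message text (assumption about the format).
        $driver = if ($e.Message -match '([^\\\s]+\.sys)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Driver      = $driver
            Message     = $e.Message
        }
    }
}

Get-HvciState
# One row per driver with how often HVCI reported it, most frequent first.
Get-HvciBlockedDriverEvents |
    Group-Object -Property Driver |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

A device where HVCIEnabledRegValue is 1 but HvciRunning is false is worth a second look: the configuration has been written but the service is not running, which is the situation the WasEnabledBy safeguard above produces after a boot crash.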

Check results of HVCI default enablement

To see details on the results of HVCI default enablement, check setupact.log and search for HVCI. You should see one of the following result logs, as well as the succeeding/failing checks that led to the enablement decision:

HVCI Enabled: SYSPRP HVCI: Enabling HVCI

HVCI not enabled: SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.

If the device opted out of HVCI enablement via the registry key method described above, this will be the only log entry from HVCI sysprep. If the device had a compatibility issue, it is identified in the preceding log entries with the error message:

SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0xXXXXXXXX

The following is an enumeration of the potential VBS compat issues. Each issue is represented by a single bit index in a bit mask, and the error message prints the hex value formed by the bits of all issues that are present.

Note

You'll notice that some indexes are missing from the table below. Some compat requirements have been changed or deprecated and are only relevant in older OS versions without the default enablement logic.

Bit index: Compat issue
0: Unsupported architecture (e.g. x86)
1: SLAT required
3: IOMMU required
4: MBEC/GMET required
5: UEFI required
6: UEFI WX Memory Attributes Table required
7: ACPI WSMT table required
8: UEFI MOR Lock required
10: Hardware virtualization required
11: Secure Launch required
13: Device failing to meet 64GB minimum required volume size
14: System drive SSD required
15: Device failing minimum Intel SoC requirements
16: QC SoC does not specify VBS enablement
17: 8GB RAM required

An example of an error code and its identification: VBS_COMPAT_ISSUES 0x000000C0

0x000000C0 -> 0b11000000 -> bit indexes 6 and 7 are set -> UEFI WX Memory Attributes Table required, ACPI WSMT table required
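Decoding the mask by hand, as in the example above, is error-prone once several bits are set, so the table lends itself to a small decoder that also handles the missing (deprecated) indexes. This is an added example, not code from the Microsoft page: the bit-to-issue table is copied from the page, the sample setupact.log lines are constructed for the demonstration, the function names are hypothetical, and the default log location in the usage comment is an assumption about where setupact.log usually lives.

```powershell
# Added example (not from the Microsoft page): decode VBS_COMPAT_ISSUES values
# from setupact.log using the bit table on the page. Function names are
# hypothetical; the sample log lines below are constructed.

$VbsCompatIssues = @{
    0  = 'Unsupported architecture (e.g. x86)'
    1  = 'SLAT required'
    3  = 'IOMMU required'
    4  = 'MBEC/GMET required'
    5  = 'UEFI required'
    6  = 'UEFI WX Memory Attributes Table required'
    7  = 'ACPI WSMT table required'
    8  = 'UEFI MOR Lock required'
    10 = 'Hardware virtualization required'
    11 = 'Secure Launch required'
    13 = 'Device failing to meet 64GB minimum required volume size'
    14 = 'System drive SSD required'
    15 = 'Device failing minimum Intel SoC requirements'
    16 = 'QC SoC does not specify VBS enablement'
    17 = '8GB RAM required'
}

function ConvertFrom-VbsCompatIssues {
    # Turns a hex mask such as '0x000000C0' into one object per set bit.
    param([Parameter(Mandatory)][string]$HexValue)
    $mask  = [long][Convert]::ToUInt32($HexValue.Trim(), 16)   # ToUInt32 accepts the 0x prefix
    $found = @()
    for ($bit = 0; $bit -lt 32; $bit++) {
        if (($mask -band ([long]1 -shl $bit)) -ne 0) {
            # Bits absent from the table are deprecated checks from older OS versions.
            $desc = if ($VbsCompatIssues.ContainsKey($bit)) { $VbsCompatIssues[$bit] }
                    else { 'Unknown or deprecated compat check' }
            $found += [pscustomobject]@{ Bit = $bit; Issue = $desc }
        }
    }
    $found
}

function Get-VbsCompatIssuesFromLog {
    # Scans log lines for the "VBS_COMPAT_ISSUES 0x........" message and decodes each hit.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'VBS_COMPAT_ISSUES\s+(0x[0-9A-Fa-f]{1,8})') {
            [pscustomobject]@{
                Code   = $Matches[1]
                Issues = @(ConvertFrom-VbsCompatIssues -HexValue $Matches[1])
                Line   = $line
            }
        }
    }
}

# Constructed sample lines in the shape the page shows (not real log content).
$sampleLog = @(
    'SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0x000000C0',
    'SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.'
)

Get-VbsCompatIssuesFromLog -Lines $sampleLog | ForEach-Object {
    $issues = $_.Issues | ForEach-Object { "bit $($_.Bit): $($_.Issue)" }
    "$($_.Code) -> " + ($issues -join '; ')
}

# Against a real log (assumed usual location):
# Get-VbsCompatIssuesFromLog -Lines (Get-Content 'C:\Windows\Panther\setupact.log')
```

For the constructed 0x000000C0 line this yields bits 6 and 7, the UEFI WX Memory Attributes Table and ACPI WSMT table requirements from the worked example above; a mask that sets one of the indexes missing from the table is reported as a deprecated check rather than silently dropped.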