In Windows 10 and 11, some users find there is a feature named Core Isolation in Windows Security. What does the feature use for? Is that necessary to turn it on for your security? On MiniTool Website , this article will answer these questions and tell you how to enable or disable it.
What Is Core Isolation & Memory Integrity?
In this wireless-connected world, invisible potential dangers, such as malware or other types of cyber-attacks, are everywhere and they can wait and seize the right moment sneaking into your PC and bring troubles.
Some types of attack can resort to kernel-level exploits that attempt to run malware with the highest privileges, such as WannaCry and Petya ransomware. This kind of attack can take control of your PC and lock down files, ask you to pay them money or something even worse.
To cope with these cyber dangers and risks, Microsoft issued this feature – Core Isolation & Memory Integrity – to provide added protection against malware and other attacks by isolating computer processes from your operating system and device.
So what is Core Isolation?
Core Isolation is a virtualization-based security that is used to protect the core parts of your device. When this feature is enabled, the supported hardware will use virtualization to create a secure area of system memory isolating certain processes and software in the PC’s memory, so that your operating system can prevent malicious code.
Core Isolation Memory Integrity can be known as another security layer that can protect important operating system processes from being tampered with by anything running outside the secure area.
For its special and powerful functions, it requires your hardware and firmware to be virtualization-supported in the way Windows 10/11 can run applications in the container and make other parts of the system inaccessible.
In the start, this feature is only available on Enterprise editions of Windows 10 but now it has been developed among Windows 10/11 PCs that meet certain hardware and firmware requirements.
If you have noticed before, this feature is set off by default in Device security and the below feature shows you the name Memory integrity, known as Hypervisor-protected Code Integrity (HVCI).
Memory integrity is a subset of Core Isolation and when it is enabled, this service can run inside the hypervisor-protected container created by Core Isolation.
With such an excellent powerful feature, you may wonder why Microsoft set it off by default. According to the feedback of users, this feature can, more or less, dip down your PC performance and the compatibility issue with drivers becomes the biggest hamper.
This feature has high requirements for your device drivers and software. You must ensure your device drivers and Windows applications compatible with the Core Isolation feature.
Once one of your startup drivers has some issues with the feature, it will be disabled automatically so that the next operations can run well. That’s why you find it is off after the startup even though you have manually enabled it.
Besides, some people find that some devices or software will run into troubles after enabling Core Isolation. Under the circumstances, you can check for updates for this device or software.
And you need to notice that some applications can’t run with the Core Isolation feature, such as virtual machines or debuggers. These applications will ask exclusive access to the system’s virtualization hardware and that is forbidden in the Core Isolation-enabled situation.
Enable/Disable Core Isolation Memory Integrity
After knowing all its powerful and effective function, what should you do to enable Core Isolation and Memory Integrity? As we mentioned above, to run this feature, you need to make your PC drivers and applications compatible. So, please make sure your device complies with the standards for hardware security.
- TPM 2.0 (Trusted Platform Module 2.0) and DEP (Data Execution Prevention) need to be enabled.
- UEFI MAT (Unified Extensible Firmware Interface Memory Attributes Table) should be supported.
- Secure Boot needs to be enabled.
Then you can follow the next parts to finish the requirements and enable Core Isolation Memory Integrity.
1. Enable CPU Virtualization
CPU virtualization allows a single CPU to be divided into multiple virtual CPUs for use by multiple VMs and enables a single processor to behave as if it were several separate CPUs.
To enable CPU virtualization, you need to enter the BIOS by pressing the dedicated key after you boot the PC up and see the initial screen.
Note : The key you hit depends on the manufacturer. Esc , Delete , F1 , F2 , F10 , F11 , or F12 are frequently used keys.
If your computer can’t access BIOS, what should you do? In this post, you can know some things you can do to fix the issue.
Then go to the Advanced tab at the top of the screen and click on CPU configuration .
If you are using AMD CPU, please enable SVM Mode from Advanced settings ; if you are using Intel CPU, please enable the option is labeled Intel Virtualization Technology .
After that, you can switch to the Exit tab to save your changes and re-boot your PC. For the next part, you still need to enter BIOS so you can press the key in an appropriate time after the boot.
2. Enable Secure Boot
Secure Boot is designed to ensure that only trusted software can be executed on the system. It can prevent viruses and other malicious software from running on the system.
To enable Secure Boot, you still need to enter the BIOS screen, move to the Boot tab on the top menu, and turn on the Secure Boot option. Then save your changes and reboot your PC to continue the next part.
If you need more information about enable and disable Secure Boot, you can read this post: What Is Secure Boot? How to Enable and Disable It in Windows .
3. Enable TPM 2.0
TPM 2.0 is used to provide hardware-based, security-related functions. This tool can be applied in many features, such as Windows Hello for identity protection and BitLocker for data protection. It can help generate, store, and limit the use of cryptographic keys.
To enable TPM 2.0, there are two situations you can check.
1. Check it in your TPM Management
Step 1: Open the Run dialog box by pressing Win + R and input tpm.msc to enter the Trusted Platform Module (TPM) Management window.
Step 2: Once the window opens, it will show you the status or you can click on the Status section to verify it.
There are three possible messages appear on the screen. Please decide the next move based on your situation.
- TPM is ready for usage – It means TPM 2.0 is already activated and no further action is needed.
- TPM is not supported – It means your motherboard doesn’t support this tool.
- Compatible TPM cannot be found – It means TPM is supported but not activated in your BIOS or UEFI settings. In this way, please follow the next steps to enable the feature in BIOS.
2. Enable TPM in BIOS
You need to enter BIOS by steps as we have mentioned and switch to the Security tab at the top. After locating the option of TPM, enable it.
Note : The name of TPM will change with the different manufacturers of your motherboard, for example, on Intel hardware, it names Intel Platform Trust Technology.