How to Enable HVCI (Hypervisor-Protected Code Integrity) in Windows
HVCI — short for Hypervisor-Protected Code Integrity — is one of the most powerful security features built into modern Windows. It uses virtualization technology to protect the Windows kernel from malicious or unsigned drivers and code. Enabling it correctly, however, depends on a combination of hardware capabilities, firmware settings, and how your system is configured.
What HVCI Actually Does
At its core, HVCI works by isolating the kernel — the deepest layer of the operating system — inside a secure, virtualized environment. Even if malware tries to load a compromised or unsigned driver, HVCI prevents that code from being executed in kernel memory.
This matters because kernel-level attacks are among the hardest to detect and remove. By enforcing code integrity checks at the hypervisor level, HVCI raises the bar significantly for the kind of driver-based attacks commonly used in rootkits and advanced persistent threats.
HVCI is part of a broader set of Windows security features grouped under Virtualization-Based Security (VBS). VBS creates an isolated region of memory using the CPU's virtualization extensions, and HVCI runs inside that protected region.
Hardware Requirements You Need to Meet First
Not every machine can run HVCI effectively. Before enabling it, your system needs to meet several baseline requirements:
| Requirement | Details |
|---|---|
| CPU | Must support virtualization extensions (Intel VT-x or AMD-V) |
| IOMMU | Intel VT-d or AMD-Vi required for full protection |
| Secure Boot | Must be enabled in UEFI/BIOS firmware |
| TPM | TPM 2.0 strongly recommended (required for some configurations) |
| UEFI firmware | Legacy BIOS (CSM mode) is not supported |
| 64-bit OS | Windows 10 or Windows 11, 64-bit only |
If your system is running in CSM (Compatibility Support Module) mode or has virtualization disabled in firmware, HVCI won't function even if Windows shows the option. You'll need to check your UEFI settings first.
How to Enable HVCI in Windows 10 and Windows 11 🛡️
Method 1: Through Windows Security Settings
This is the most straightforward route for most users:
- Open Windows Security from the Start menu or system tray
- Navigate to Device Security
- Click Core isolation details
- Toggle Memory integrity to On
- Restart your PC when prompted
"Memory integrity" is Microsoft's user-facing name for HVCI. Once enabled and the system reboots, the hypervisor begins enforcing code integrity checks on all kernel-mode code.
Method 2: Through Group Policy (Windows Pro, Enterprise, Education)
For IT administrators or users managing multiple machines:
- Open Group Policy Editor (
gpedit.msc) - Navigate to:
Computer Configuration > Administrative Templates > System > Device Guard - Open Turn On Virtualization Based Security
- Set it to Enabled
- Under Virtualization Based Protection of Code Integrity, select Enabled with UEFI lock or Enabled without lock depending on your deployment needs
- Apply and restart
The UEFI lock option writes the configuration to firmware, making it harder to disable remotely — useful in managed environments but something to consider carefully before applying.
Method 3: Via Registry (Advanced Users)
If Group Policy isn't available:
- Open Registry Editor (
regedit) as Administrator - Navigate to:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlDeviceGuardScenariosHypervisorEnforcedCodeIntegrity - Set the
EnabledDWORD value to1 - Restart
This method requires precision. Incorrectly modifying the registry can cause boot issues, so only use this path if you're comfortable working in the registry directly.
What Happens If an Incompatible Driver Is Installed?
HVCI blocks unsigned or incompatible kernel drivers. In practice, this means some older peripherals — particularly legacy audio interfaces, certain virtualization tools, or older security software — may stop working after enabling HVCI. Windows will typically warn you if an incompatible driver is detected during or after the toggle.
If a driver blocks the feature from turning on, you'll see a notification identifying the problem driver. You can then decide whether to update, replace, or remove that driver — or weigh whether HVCI is worth the trade-off in your specific setup.
Performance Considerations
HVCI does introduce a small but measurable performance overhead, particularly in scenarios involving frequent kernel transitions. On modern CPUs with hardware-level virtualization support (especially processors from 2019 onward), this overhead is generally minimal in everyday workloads. Older or low-power CPUs may see a more noticeable impact in CPU-intensive tasks.
Machines that ship with Windows 11 from manufacturers often have HVCI enabled by default as part of the baseline security requirements — so on newer hardware, the performance cost is typically already factored in at the design stage.
Verifying That HVCI Is Running ✅
After enabling and restarting, you can confirm the status:
- In Windows Security > Device Security > Core isolation details, "Memory integrity" should show as On
- In System Information (
msinfo32), look for the Virtualization-based security section — it should list HVCI under Running services - Use the Device Guard and Credential Guard hardware readiness tool (a Microsoft-provided PowerShell script) for detailed hardware compatibility reporting
The Variables That Shape Your Outcome
Whether HVCI works smoothly on your system depends on a specific intersection of factors: the age and architecture of your CPU, whether your firmware has virtualization and Secure Boot properly configured, which drivers are currently installed, and how performance-sensitive your workload is.
A developer running virtualization software, a gamer with legacy peripheral drivers, and an enterprise IT admin managing a fleet of modern laptops will each encounter meaningfully different situations when enabling this feature. The steps are the same — but the outcome, compatibility, and impact depend entirely on what's running underneath.