What Does Core Isolation Do and Should It Stay On?

Core Isolation is a Windows security feature that uses your processor’s built-in virtualization technology to create a protected area of memory completely separated from the rest of the operating system. Its main job is to shield critical system processes from malware that tries to inject malicious code into the Windows kernel, the deepest and most privileged layer of the OS. It’s available in Windows 10 and 11, and its most important sub-feature, Memory Integrity, is the toggle most people encounter in the Windows Security app.

How Core Isolation Actually Works

At a technical level, Core Isolation is the user-facing name for a set of protections built on top of Virtualization-based Security (VBS). VBS uses the same hardware virtualization that powers virtual machines (think VirtualBox or VMware) to split your system into two separate trust levels. The regular Windows environment you interact with runs at Virtual Trust Level 0 (VTL0). A second, heavily restricted environment runs at Virtual Trust Level 1 (VTL1), handling only a small number of sensitive security functions.

The key insight behind this design is that the Windows kernel itself could be compromised. Rather than trusting the kernel to police its own security, VBS places a thin hypervisor underneath the operating system. That hypervisor has the true view of system memory, which means even if an attacker gains kernel-level access in the regular Windows environment, they still can’t reach the protected enclave at VTL1. Breaking through would require a hypervisor escape, a far more difficult attack.

What Memory Integrity Does

Memory Integrity is the primary feature you control under Core Isolation. Sometimes called Hypervisor-Protected Code Integrity (HVCI), it moves one specific and important task into that protected VTL1 environment: verifying that all code running in kernel mode is legitimately signed and unmodified.

Without Memory Integrity, the code-checking process runs inside the same kernel space that attackers are trying to exploit. With it enabled, the verification happens in the isolated virtual environment where malware can’t tamper with it. Memory Integrity also restricts how the kernel can allocate memory, closing off techniques attackers use to load unsigned drivers or inject code into privileged processes.

Specifically, Memory Integrity protects the Control Flow Guard bitmap for kernel-mode drivers, which prevents attackers from redirecting the normal execution path of a program. It also ensures that trusted kernel processes have valid certificates, blocking unsigned or tampered drivers from loading at all. This is why enabling Memory Integrity sometimes triggers warnings about “incompatible drivers”: drivers that can’t pass these stricter checks are blocked from running.

What Attacks It Prevents

Core Isolation targets some of the most common and dangerous attack techniques used against the Windows kernel. Return-oriented programming (ROP) attacks, for example, work by chaining together small fragments of existing legitimate code to build a malicious payload. Because the attacker reuses code already present in memory, traditional antivirus tools struggle to detect it. Core Isolation’s stack protection features use “shadow stacks” to verify that each function returns to the correct location, breaking these chains before they execute.

Memory-based exploits are another major category. Without VBS, a program running in user space has several potential paths to access kernel memory, and this is the basis of many real-world privilege escalation attacks. With VBS active, only the hypervisor has the true memory map, so those paths are cut off. Drivers associated with known viruses and malware that attempt to hijack return addresses or manipulate control flow are automatically blocked, and Microsoft maintains a vulnerable driver blocklist to catch known offenders.

Hardware Requirements

Core Isolation isn’t a purely software feature. It depends on your processor’s hardware virtualization extensions (Intel VT-x or AMD-V), and this must be enabled in your system’s UEFI or BIOS settings. Many PCs ship with virtualization turned off by default, so if the Memory Integrity toggle is grayed out, that’s the first thing to check.

For full “standard hardware security” status in the Windows Security app, your device also needs:

  • TPM 2.0 (Trusted Platform Module), either as a dedicated chip or built into the CPU
  • Secure Boot enabled in UEFI
  • DEP (Data Execution Prevention) support
  • UEFI MAT (Memory Attributes Table) support

Most PCs manufactured after 2018 meet all of these requirements. If you don’t see a “Security processor” entry in the Device Security page, your TPM is either missing or disabled in firmware settings.
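The requirements above can be checked without clicking through the Windows Security app. The script below is an added example, not part of the original article or of any Microsoft tooling; it uses only built-in cmdlets and WMI classes (Win32_Processor, Win32_ComputerSystem, Confirm-SecureBootUEFI, Win32_Tpm, Win32_OperatingSystem and Win32_DeviceGuard). The function name Get-CoreIsolationReadiness is mine. Run it from an elevated prompt, since the Secure Boot and TPM queries need administrator rights.

```powershell
# Added example (not from the article): report the hardware prerequisites for
# Core Isolation that the article lists, using only built-in Windows cmdlets.
# Run from an elevated PowerShell prompt; Secure Boot and TPM queries need admin.

function Get-CoreIsolationReadiness {
    $result = [ordered]@{}

    # CPU virtualization (Intel VT-x / AMD-V). Caveat: once a hypervisor is
    # already running (Hyper-V, WSL2, or VBS itself), Windows reports
    # VirtualizationFirmwareEnabled as False, so check HypervisorPresent too.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $result['VirtualizationAvailable'] = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }

    # TPM presence and spec version (the article requires TPM 2.0).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result['TpmPresent'] = [bool]$tpm
    $result['Tpm2']       = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # DEP (NX) support as reported by the OS.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result['DepAvailable'] = [bool]$os.DataExecutionPrevention_Available

    # Security properties the VBS layer itself reports as available. Microsoft's
    # documented codes: 1 = base virtualization support, 2 = Secure Boot,
    # 3 = DMA protection, 5 = NX protections, 7 = Mode Based Execution Control.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result['VbsAvailableProperties'] = ($dg.AvailableSecurityProperties -join ',')

    # UEFI MAT has no dedicated cmdlet; the Windows Security app remains the
    # authoritative source for that one item.
    [pscustomobject]$result
}

Get-CoreIsolationReadiness | Format-List
```

A machine where VirtualizationAvailable is False but the CPU supports VT-x or AMD-V almost always has virtualization switched off in firmware, which is the grayed-out toggle case the article describes. The VbsAvailableProperties list is the most direct signal: if it does not include 1, VBS cannot start at all regardless of the other rows.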

Performance Impact

Because Core Isolation runs a hypervisor underneath the OS and adds verification steps to kernel memory operations, it does cost some performance. For everyday tasks like browsing, office work, and video streaming, the difference is negligible on modern hardware.

Gaming is where it becomes noticeable. Benchmarks from outlets like Tom’s Hardware and TechPowerUp show an average frame rate reduction of 5 to 15 percent in GPU-bound or latency-sensitive games with Memory Integrity enabled. Whether that matters depends on your hardware headroom and sensitivity to frame drops. If you’re already hitting your monitor’s refresh rate with room to spare, you likely won’t notice. If you’re pushing for every last frame in competitive titles, it’s a meaningful hit.

How to Enable or Disable It

Open the Windows Security app (search “Windows Security” in the Start menu), then navigate to Device Security and select Core Isolation Details. You’ll see a toggle for Memory Integrity. Flipping it on requires a restart, and Windows will check for incompatible drivers before completing the change.

If you get an incompatible driver warning, Windows will name the specific drivers causing the conflict. The best fix is checking for updated versions through Windows Update or directly from the hardware manufacturer’s website. Microsoft explicitly recommends against deleting drivers to force the toggle on, since doing so can break hardware functionality. Some older peripherals, particularly printers, audio interfaces, and specialty input devices, rely on drivers that were never updated for HVCI compatibility, and in those cases you may need to choose between the device and the feature.

VBS itself can activate automatically when you enable the Virtual Machine Platform in Windows Features, but Memory Integrity still requires its own toggle to be turned on separately.
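For administrators who want to audit or script the toggle rather than use the app, the following is an added example, not code from the article or from Microsoft. It reads the VBS and Memory Integrity state from the Win32_DeviceGuard class and writes the same registry value (Enabled under the HypervisorEnforcedCodeIntegrity scenario key) that the Windows Security toggle uses; the function names are mine. It must run elevated, and the change only takes effect after a restart.

```powershell
# Added example (not from the article): read the current VBS / Memory Integrity
# state, and enable or disable Memory Integrity through the registry value that
# the Windows Security toggle writes. Run elevated; a reboot applies the change.

$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-MemoryIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    $configured = (Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        VbsStatus                 = @('Off', 'EnabledNotRunning', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        MemoryIntegrityRunning    = ($dg.SecurityServicesRunning -contains 2)
        MemoryIntegrityConfigured = ($configured -eq 1)
    }
}

function Set-MemoryIntegrity {
    param([Parameter(Mandatory)][bool]$Enabled)
    # The Windows Security toggle scans for incompatible drivers before it
    # writes this value; a direct registry write skips that scan, so confirm
    # driver compatibility in the app first. Do not delete drivers to force it on.
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    Set-ItemProperty -Path $HvciKey -Name Enabled -Value ([int]$Enabled) -Type DWord
    Write-Host "Memory Integrity Enabled=$([int]$Enabled) written; restart to apply."
}

Get-MemoryIntegrityState
# Set-MemoryIntegrity -Enabled $true    # then: Restart-Computer
```

The useful distinction is between MemoryIntegrityConfigured and MemoryIntegrityRunning: a machine can have the registry value set to 1 yet still show HVCI as not running, which after a reboot usually means a driver failed the integrity check or a hardware prerequisite is missing. That gap is what to look for when rolling the setting out across a fleet.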

Should You Leave It On?

For most people, yes. Core Isolation provides meaningful protection against kernel-level exploits that traditional antivirus can’t catch, and the performance cost on modern hardware during normal use is minimal. Windows 11 enables it by default on new installations for good reason.

The main scenarios where disabling it makes sense are competitive gaming where you need peak frame rates, or when you rely on older hardware with drivers that can’t pass integrity checks. If you do disable it, you’re not defenseless, but you are removing one of the stronger layers in Windows’ security stack, specifically the layer designed to protect against the most sophisticated class of attacks.