Hypervisor-protected Code Integrity enablement

Hypervisor-protected Code Integrity (HVCI) is a virtualization-based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.

HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS, on the assumption that the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

See Virtualization Based Security System Resource Protections for more details on these protections.

Default enablement

Starting with Windows 11, new installations on compatible systems have memory integrity turned on by default. This is changing the default state of the feature in Windows, though device manufacturers and end users have the ultimate control of whether the feature is enabled.

Hardware features for automatic enablement

Memory integrity is turned on by default when a PC includes the following minimum hardware features:

Component    Detail
Processor    • Intel 8th generation or later starting with Windows 11, version 22H2 (11th generation Core processors and newer only for Windows 11, version 21H2)
             • AMD Zen 2 architecture and newer
             • Qualcomm Snapdragon 8180 and newer
RAM          Minimum 8GB
Storage      SSD with a minimum size of 64GB
Drivers      HVCI-compatible drivers must be installed. See Hypervisor-Protected Code Integrity (HVCI) for more information about drivers.
BIOS         Virtualization must be enabled

If you're building an image that won't automatically enable Memory integrity, you can still configure your image so that it's turned on by default.


Auto-enablement pertains only to clean installs, not upgrades of existing devices.


The China and Korea markets are excluded, to avoid anti-cheat compatibility issues.


Intel 11th generation Core desktop processors are not included in the current default enablement logic. However, they are a recommended platform for HVCI, and the OEM can enable HVCI on them.

HVCI and VBS controls

This section enumerates how device manufacturers and end users can interact with HVCI and VBS. To learn about how to control HVCI state as an administrator, see Enable HVCI Using Group Policy.

Turn on Memory integrity

Windows turns Memory integrity on by default for systems that meet certain hardware requirements. If your hardware doesn't include a combination that lets Windows turn on Memory integrity automatically, you can enable it in your image by configuring registry keys.

Users can also manually enable Memory integrity using the Core isolation page in the Windows Security app.

Set the following two registry keys in your image. This configuration turns on Memory integrity in kernel mode in the same way that the OS default enablement logic does.

Registry key                                                                                  Value
HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity    Enabled=1
HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity    WasEnabledBy=1

The WasEnabledBy registry key controls a setting that safeguards against having an unbootable device. When set, the device will automatically turn off HVCI if the system crashes during boot, likely caused by Memory Integrity blocking an incompatible boot-critical driver. This autodisable functionality is in the process of being deprecated, though it is currently the recommended configuration.


For high security systems, WasEnabledBy should NOT be set.


Identifying HVCI state

The following volatile regkey reflects the state of HVCI:

Registry key                                       Value
HKLM\System\CurrentControlSet\Control\CI\State     HVCIEnabled

Other ways of checking HVCI state are to look at MsInfo32 under Virtualization-based Security Services Running or look at the Core Isolation settings page to see the value of Memory integrity.
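
The following PowerShell function is an added example, not part of the original documentation. It reads the two configuration values and the volatile state value named above and reports mismatches. It assumes that HVCIEnabled=1 means HVCI is running; the function name Get-HvciStatus is hypothetical.

```powershell
# Added example: compare the configured HVCI policy with the running state.
function Get-HvciStatus {
    $scenario = 'HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $state    = 'HKLM:\System\CurrentControlSet\Control\CI\State'

    # Read one registry value; yields $null when the key or value is absent.
    $read = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $enabled      = & $read $scenario 'Enabled'
    $wasEnabledBy = & $read $scenario 'WasEnabledBy'
    $running      = & $read $state    'HVCIEnabled'   # assumption: 1 means running

    $findings = @()
    if ($enabled -eq 1 -and $running -ne 1) {
        # The state key is volatile, so it describes the current boot session only.
        $findings += 'Enabled=1 is configured but HVCI is not running in this boot session; ' +
                     'check the CodeIntegrity Operational log for blocked drivers.'
    }
    if ($null -ne $wasEnabledBy) {
        $findings += 'WasEnabledBy is set: HVCI is turned off automatically if the system ' +
                     'crashes during boot. It should not be set on high security systems.'
    }
    if ($enabled -ne 1 -and $running -ne 1) {
        $findings += 'Memory integrity is neither configured in the Scenarios key nor running.'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Enabled      = $enabled
        WasEnabledBy = $wasEnabledBy
        HVCIRunning  = ($running -eq 1)
        Findings     = $findings
    }
}

Get-HvciStatus | Format-List
```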

Debugging Driver Issues

Check the Code Integrity logs to see if any drivers were blocked from loading as a result of HVCI. These are in Event Viewer under the following path:

Applications and Service Logs\Microsoft\Windows\CodeIntegrity\Operational

Generally, HVCI compatibility events have EventID=3087.

Check results of HVCI default enablement

To see details on the results of HVCI default enablement, check the setupact.log and search for HVCI. You should see one of the following result logs, as well as the succeeding/failing checks leading to the enablement decision:

HVCI Enabled: SYSPRP HVCI: Enabling HVCI

HVCI not enabled: SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.

If the device opted out of HVCI enablement via the regkey method detailed above, then this will be the only log from HVCI sysprep. If the device had a compatibility issue, it should be identified in the preceding logs with the error message:

SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0xXXXXXXXX

The following is an enumeration of the potential VBS Compat Issues. Each issue is represented by a single index in a bit array, and the error message outputs the hex value resulting from each error bit being present.


You'll notice some indexes are missing from the table below. Some compat requirements have been changed or deprecated, and are only relevant in older OS versions without the default enablement logic.

Bit Index    Compat Issue
0            Unsupported architecture (e.g. x86)
1            SLAT required
3            IOMMU required
4            MBEC/GMET Required
5            UEFI Required
6            UEFI WX Memory Attributes Table required
7            ACPI WSMT table required
8            UEFI MOR Lock required
10           Hardware virtualization required
11           Secure Launch required
13           Device failing to meet 64GB minimum required volume size
14           System drive SSD required
15           Device failing minimum Intel SoC requirements
16           QC SoC does not specify VBS enablement
17           8GB RAM required

An example of an error code and error identification: VBS_COMPAT_ISSUES 0x000000C0

0x000000C0 -> 00000000011000000 -> Bit indexes 6 and 7 are active -> UEFI WX Memory Attributes Table required, ACPI WSMT table required
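
The decoding above can be scripted for any VBS_COMPAT_ISSUES value found in setupact.log. The following PowerShell is an added example, not part of the original documentation; the function name ConvertFrom-VbsCompatIssues and the timestamp prefix on the sample lines are constructed for illustration.

```powershell
# Added example. Bit index -> issue text, copied from the table on this page.
# Indexes missing from that table are reported as unlisted rather than guessed.
$VbsCompatIssue = @{
    0  = 'Unsupported architecture (e.g. x86)'
    1  = 'SLAT required'
    3  = 'IOMMU required'
    4  = 'MBEC/GMET required'
    5  = 'UEFI required'
    6  = 'UEFI WX Memory Attributes Table required'
    7  = 'ACPI WSMT table required'
    8  = 'UEFI MOR Lock required'
    10 = 'Hardware virtualization required'
    11 = 'Secure Launch required'
    13 = 'Device failing to meet 64GB minimum required volume size'
    14 = 'System drive SSD required'
    15 = 'Device failing minimum Intel SoC requirements'
    16 = 'QC SoC does not specify VBS enablement'
    17 = '8GB RAM required'
}

function ConvertFrom-VbsCompatIssues {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Only lines that carry the hex bit array are decoded; all others are skipped.
        if ($Line -match 'VBS_COMPAT_ISSUES\s+0x([0-9A-Fa-f]{1,8})') {
            $value = [long][Convert]::ToUInt32($Matches[1], 16)
            foreach ($bit in 0..31) {
                if (($value -band ([long]1 -shl $bit)) -eq 0) { continue }
                $issue = $VbsCompatIssue[$bit]
                if (-not $issue) { $issue = 'Unlisted index (not in the table on this page)' }
                [pscustomobject]@{ Code = '0x{0:X8}' -f $value; Bit = $bit; Issue = $issue }
            }
        }
    }
}

# Constructed sample lines; 0x000000C0 is the value used in the example on this page.
$sample = @(
    '2024-01-01 10:00:00, Info  SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0x000000C0'
    '2024-01-01 10:00:01, Info  SYSPRP HVCI: OS does not meet HVCI auto-enablement requirements. Exiting now.'
    '2024-01-01 11:00:00, Info  SYSPRP HVCI: Compatibility did not pass. VBS_COMPAT_ISSUES 0x00024400'
)
$sample | ConvertFrom-VbsCompatIssues | Format-Table -AutoSize
```

To decode a real log, pipe its lines in instead of the sample, for example with Get-Content on the device's setupact.log.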