In Windows Server, Core isolation (also available in Windows 10 and Windows 11) is a security feature that protects core operating system (OS) processes from tampering and malicious software. When this feature is enabled, Windows uses hardware virtualization features to create a secure virtualized area in which it runs its core system processes. As an additional layer of protection, this shields those important OS processes from being tampered with by anything running outside the secure area, such as malware or code exploiting other security vulnerabilities.
Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI), is a Windows virtualization-based security (VBS) feature and an integral, critical component of Core isolation. Its main purpose is to prevent malicious code or programs from using low-level drivers to hijack your host and access high-security processes. By protecting and hardening the Windows kernel, it makes sure that any code running inside it is entirely safe and trustworthy.
If you are interested, you can read more about Virtualization-based Security via this Microsoft Docs link. The requirements for Memory integrity are:
- 64-bit CPU with virtualization extensions (Intel VT-x, AMD-V)
- Second Level Address Translation (SLAT)
- IOMMUs or SMMUs (Intel VT-d, AMD-Vi, ARM64 SMMUs)
- HVCI-compatible drivers
- Trusted Platform Module (TPM) 2.0
Enable Core isolation and Memory integrity
To enable these features, log on to your Hyper-V host(s) and open Windows Security Center by pressing Windows key + R to open the Run dialog box. Type in windowsdefender: and click OK to open the Windows Security Center window.
On the Windows Security window, select Device security and click on Core isolation details.
Set the Memory integrity toggle to On. When you do this a Windows Security pop-up window will open which prompts you to restart your host. Click on Restart to reboot your host and to apply the changes.
After the reboot Core isolation and Memory integrity will be enabled.
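The GUI steps above are fine for one host, but on several Hyper-V hosts you will want to check readiness, set the same values the toggle writes, and verify after the reboot from PowerShell. The script below is an added example and is not code from the original post or from Microsoft; it relies on the documented Win32_DeviceGuard CIM class and on the DeviceGuard registry values that the Memory integrity toggle sets. The function names Get-HvciStatus and Enable-Hvci are my own, and the meaning of the numeric status codes in the comments follows Microsoft's documentation for that class.

```powershell
# Added example, not from the original post: query VBS/HVCI state with the documented
# Win32_DeviceGuard CIM class and enable Memory integrity through the same registry
# values the Windows Security toggle sets. Run elevated; a reboot is still required.

function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Documented code meanings for Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI (Memory integrity)
    #   AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot,
    #       3 = DMA protection (IOMMU), 5 = NX protections, 7 = mode-based execution control (MBEC)
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $props   = @($dg.AvailableSecurityProperties)

    [pscustomobject]@{
        VbsStatus         = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured    = @($dg.SecurityServicesConfigured) -contains 2
        HvciRunning       = @($dg.SecurityServicesRunning)    -contains 2
        HypervisorSupport = $props -contains 1   # virtualization extensions + SLAT usable
        SecureBoot        = $props -contains 2
        DmaProtection     = $props -contains 3   # IOMMU (VT-d / AMD-Vi / SMMU) active
        Mbec              = $props -contains 7
    }
}

function Enable-Hvci {
    # Same keys Windows Security writes when the Memory integrity toggle is set to On.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

    $status = Get-HvciStatus
    if (-not $status.HypervisorSupport) {
        throw 'Hypervisor support not reported; check virtualization extensions and SLAT in firmware.'
    }

    if (-not (Test-Path $hvciKey)) { New-Item -Path $hvciKey -Force | Out-Null }
    Set-ItemProperty -Path $dgKey   -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord
    # Locked = 0 leaves the setting changeable from the Windows Security UI later
    Set-ItemProperty -Path $hvciKey -Name 'Locked'  -Value 0 -Type DWord

    Write-Host 'Memory integrity configured; reboot the host to start HVCI.'
}

# Before enabling: show readiness. After the reboot, HvciRunning should be True.
Get-HvciStatus | Format-List
```

Run Get-HvciStatus before and after the reboot: a host is only protected when HvciRunning is True, not merely when the registry value is set. Unlike the Windows Security toggle, the registry route does not check for incompatible drivers, so if HVCI is configured but not running after the reboot, look for drivers that are not HVCI-compatible. To apply this across several hosts, wrap the two functions in Invoke-Command against your list of Hyper-V servers.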
For better security and protection against malware and other malicious software, I would recommend enabling Core isolation and Memory integrity on all your Windows Server 2022 Hyper-V hosts. Just keep in mind that enabling these features requires a reboot of the host(s).