Virtualization Base Security on clean install of Windows 11 Pro?


win11rocks

New member
Local time
1:18 PM
Posts
6
OS
Win10 Pro
Currently running Windows 10 Pro and ran the Windows 11 compatible tool checker and all passed. So I’m ready to upgrade to 11.

My question is, will the Virtualization Based Security be enabled by default if performing a CLEAN INSTALL of Windows 11 Pro?

Currently, Core Isolation on my Windows 10 is Off.

How would I know if it’s enabled?
Is it under Device Security and then Core Isolation?

Also, I have 16Gb of RAM, will it slow down my system? I don’t do gaming just basic things like web browsing, YouTube, Google Earth and Office apps.

For Memory Integrity or Core Isolation to work, what else do I need to enable? In my BIOS, I have all Virtualization related settings enabled.
 

My Computer

System One

  • OS
    Win10 Pro
The 64-bit versions of Windows 10 and Windows 11 will likely have Hypervisor-Protected Code Integrity protocol up and running by default, but for security’s sake you should check out your system settings to be sure.

No, it will not impact your computer speed.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1
And what settings would those be to check? Memory Integrity was off the whole time since I’m using Windows 10.

What other settings should I need to check to make sure this is going to be enabled by default when installing Windows 11?
 
Last edited:

My Computer

System One

  • OS
    Win10 Pro
Hypervisor-protected code integrity (HVCI) is labeled Memory integrity in the Windows Security app and it can be accessed via Settings > Update & Security > Windows Security > Device security > Core isolation details > Memory integrity.

f the Virtualization-based Security is not enabled even after following the aforementioned guides, you need to check if your computer complies with the system requirements:

x64 CPU
SLAT or Second Level Address Translation
Intel VT-D or AMD-Vi
Trusted Platform Module 2.0
SMM protection supported firmware
UEFI memory reporting
Security MOR 2
HVCI or Hypervisor Code Integrity
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1
My question is, will the Virtualization Based Security be enabled by default if performing a CLEAN INSTALL of Windows 11 Pro?

Currently, Core Isolation on my Windows 10 is Off.
Yes, for a clean install of 11 Home or Pro it should be enabled by default. It will only be off if there are incompatible drivers installed. This default is one of the reasons W11 requires an 8th gen Intel processor or above, MS say that turning it on with 7th gen or earlier can have an impact on performance.

How would I know if it’s enabled?
Is it under Device Security and then Core Isolation?
Yes. If it is off, then try turning Memory Integrity on. It will either turn on, or tell you it can't with a link that will list the incompatible driver(s) preventing it. This hasn't changed since Windows 10, you could try now with your current W10 and see it it can be enabled.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
Got it👍

I tested this using my older laptop which is quite old now running Windows 10 and it works! No driver error warnings.

Since I’m running as LOCAL ACCOUNT, does Credential Guard need to be enabled as well or is that more intended for Domain joined accounts?
 

My Computer

System One

  • OS
    Win10 Pro

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1
My question was, is this really needed for standalone Local accounts or machines?

I’m guessing it’s only for protection on Domain joined systems and accounts.
 

My Computer

System One

  • OS
    Win10 Pro
The answer to your question would be that it depends on how you use your PC and whether that use puts you at real risk from the protection that Credential Guard or any of the other 'Guard' features offers. There are many overviews and descriptions of what the feature offers, independent of any Microsoft speak. Here's one which should be reliable;


It also serves to highlight some of the possible reasoning behind the much criticised increased hardware spec for Windows 11
 

My Computers

System One System Two

  • OS
    macOS (plus VMs: Windows XP, 7, 10 Home/Pro, 11 Home/Pro, Linux Distros)
    Computer type
    Laptop
    Manufacturer/Model
    a) Apple MacBook Pro (Intel) - 2019 b) Apple MacBook Pro M1 MAX - 2021
    CPU
    a) Intel i9 b) M1 MAX (ARM)
    Memory
    a) 16GB b) 32GB
    Hard Drives
    a) 1TB SSD + 256GB SD Card b) 1TB SSD (+ 1TB SD Card)
    Browser
    a) Safari/Vivaldi/DuckDuckGo b) Safari/DuckDuckGo
    Antivirus
    -
  • Operating System
    Windows 11 Pro (plus VirtualBox VMs: Windows 11 Pro & Linux Distros)
    Computer type
    Laptop
    Manufacturer/Model
    a) Microsoft Surface Book 2, b) HP Spectre X360
    CPU
    a) i7, b) i7
    Memory
    a) 16GB, b) 16GB
    Hard Drives
    a) 1TB SSD, b) 1TB SSD
    Browser
    a) MS Edge, b) MS Edge
    Antivirus
    a) Defender, b) Defender
I enabled Memory Integrity from the Windows Security app. But how can I know or tell if its with the Enabled with UEFI Lock?
I know there is a Group Policy to have this enabled with Enabled with UEFI Lock. See image of the Group Policy settings.

But as mentioned, I turned this On using the Windows Security app.

My machine is a standalone system. And also, machine is not connected to any remote machines. Capture.PNG

Capture.PNG
 

My Computer

System One

  • OS
    Win10 Pro
how can I know or tell if its with the Enabled with UEFI Lock?
I enabled this setting from the Windows Security app only.

I know there is a Group Policy to have this enabled with Enabled with UEFI Lock.
Unless you enable it in Group policy then no, by default UEFI Lock would not be enabled.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
So this is what I had to do to ensure UEFI Lock option is enabled below:

1. First, I had to disable the Memory Integrity option from the Windows Security app.
2. And then, went into Group Policy and enabled the Code Integrity with UEFI Lock option from Group Policy.
3.Then, I had to restart my system in order for the changes to take effect.

As far as system performance, I don't see any difference :-)

Many thanks for all your help on this (y)

Capture.PNGcoreiso.PNGsysinfo.PNG
 
Last edited:

My Computer

System One

  • OS
    Win10 Pro

Latest Support Threads

Back
Top Bottom