Virtualization Base Security on clean install of Windows 11 Pro?


win11rocks

New member
Local time
12:44 PM
Posts
6
OS
Win10 Pro
Currently running Windows 10 Pro and ran the Windows 11 compatible tool checker and all passed. So I’m ready to upgrade to 11.

My question is, will the Virtualization Based Security be enabled by default if performing a CLEAN INSTALL of Windows 11 Pro?

Currently, Core Isolation on my Windows 10 is Off.

How would I know if it’s enabled?
Is it under Device Security and then Core Isolation?

Also, I have 16Gb of RAM, will it slow down my system? I don’t do gaming just basic things like web browsing, YouTube, Google Earth and Office apps.

For Memory Integrity or Core Isolation to work, what else do I need to enable? In my BIOS, I have all Virtualization related settings enabled.
 

My Computer

System One

  • OS
    Win10 Pro

FreeBooter

Well-known member
Power User
VIP
Local time
2:44 PM
Posts
1,062
Location
Adana
OS
Windows 11
The 64-bit versions of Windows 10 and Windows 11 will likely have Hypervisor-Protected Code Integrity protocol up and running by default, but for security’s sake you should check out your system settings to be sure.

No, it will not impact your computer speed.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1

win11rocks

New member
Thread Starter
Local time
12:44 PM
Posts
6
OS
Win10 Pro
And what settings would those be to check? Memory Integrity was off the whole time since I’m using Windows 10.

What other settings should I need to check to make sure this is going to be enabled by default when installing Windows 11?
 
Last edited:

My Computer

System One

  • OS
    Win10 Pro

FreeBooter

Well-known member
Power User
VIP
Local time
2:44 PM
Posts
1,062
Location
Adana
OS
Windows 11
Hypervisor-protected code integrity (HVCI) is labeled Memory integrity in the Windows Security app and it can be accessed via Settings > Update & Security > Windows Security > Device security > Core isolation details > Memory integrity.

f the Virtualization-based Security is not enabled even after following the aforementioned guides, you need to check if your computer complies with the system requirements:

x64 CPU
SLAT or Second Level Address Translation
Intel VT-D or AMD-Vi
Trusted Platform Module 2.0
SMM protection supported firmware
UEFI memory reporting
Security MOR 2
HVCI or Hypervisor Code Integrity
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1

Bree

Well-known member
Guru
VIP
Local time
11:44 AM
Posts
7,362
Location
S/E England, UK
OS
Windows 11 Home
My question is, will the Virtualization Based Security be enabled by default if performing a CLEAN INSTALL of Windows 11 Pro?

Currently, Core Isolation on my Windows 10 is Off.
Yes, for a clean install of 11 Home or Pro it should be enabled by default. It will only be off if there are incompatible drivers installed. This default is one of the reasons W11 requires an 8th gen Intel processor or above, MS say that turning it on with 7th gen or earlier can have an impact on performance.

How would I know if it’s enabled?
Is it under Device Security and then Core Isolation?
Yes. If it is off, then try turning Memory Integrity on. It will either turn on, or tell you it can't with a link that will list the incompatible driver(s) preventing it. This hasn't changed since Windows 10, you could try now with your current W10 and see it it can be enabled.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta as a native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    i5 M 520
    Motherboard
    0T6M8G
    Memory
    4GB
    Screen Resolution
    1366x768
    Hard Drives
    500GB HDD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta as a native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.

win11rocks

New member
Thread Starter
Local time
12:44 PM
Posts
6
OS
Win10 Pro
Got it👍

I tested this using my older laptop which is quite old now running Windows 10 and it works! No driver error warnings.

Since I’m running as LOCAL ACCOUNT, does Credential Guard need to be enabled as well or is that more intended for Domain joined accounts?
 

My Computer

System One

  • OS
    Win10 Pro

FreeBooter

Well-known member
Power User
VIP
Local time
2:44 PM
Posts
1,062
Location
Adana
OS
Windows 11

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1

win11rocks

New member
Thread Starter
Local time
12:44 PM
Posts
6
OS
Win10 Pro
My question was, is this really needed for standalone Local accounts or machines?

I’m guessing it’s only for protection on Domain joined systems and accounts.
 

My Computer

System One

  • OS
    Win10 Pro

LeLibran

Well-known member
Member
VIP
Local time
11:44 AM
Posts
218
OS
MacOS (plus VirtualBox VMs: Windows 7/10 Pro/11 Pro, Linux - Debian & Variants)
The answer to your question would be that it depends on how you use your PC and whether that use puts you at real risk from the protection that Credential Guard or any of the other 'Guard' features offers. There are many overviews and descriptions of what the feature offers, independent of any Microsoft speak. Here's one which should be reliable;


It also serves to highlight some of the possible reasoning behind the much criticised increased hardware spec for Windows 11
 

My Computers

System One System Two

  • OS
    MacOS (plus VirtualBox VMs: Windows 7/10 Pro/11 Pro, Linux - Debian & Variants)
    Computer type
    Laptop
    Manufacturer/Model
    Apple MacBook Pro 2019 (Intel)
    CPU
    i9
    Memory
    16GB
    Hard Drives
    1TB SSD
    Browser
    Safari/MS Edge/Vivaldi
    Antivirus
    -
  • Operating System
    Windows 11 Pro (plus VirtualBox VMs: Windows 10 & Linux - Debian & Variants)
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft Surface Book 2
    CPU
    i7
    Memory
    16GB
    Hard Drives
    1TB SSD
    Browser
    MS Edge/Vivaldi
    Antivirus
    Defender

win11rocks

New member
Thread Starter
Local time
12:44 PM
Posts
6
OS
Win10 Pro
I enabled Memory Integrity from the Windows Security app. But how can I know or tell if its with the Enabled with UEFI Lock?
I know there is a Group Policy to have this enabled with Enabled with UEFI Lock. See image of the Group Policy settings.

But as mentioned, I turned this On using the Windows Security app.

My machine is a standalone system. And also, machine is not connected to any remote machines. Capture.PNG

Capture.PNG
 

My Computer

System One

  • OS
    Win10 Pro

Bree

Well-known member
Guru
VIP
Local time
11:44 AM
Posts
7,362
Location
S/E England, UK
OS
Windows 11 Home
how can I know or tell if its with the Enabled with UEFI Lock?
I enabled this setting from the Windows Security app only.

I know there is a Group Policy to have this enabled with Enabled with UEFI Lock.
Unless you enable it in Group policy then no, by default UEFI Lock would not be enabled.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta as a native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    i5 M 520
    Motherboard
    0T6M8G
    Memory
    4GB
    Screen Resolution
    1366x768
    Hard Drives
    500GB HDD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta as a native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.

win11rocks

New member
Thread Starter
Local time
12:44 PM
Posts
6
OS
Win10 Pro
So this is what I had to do to ensure UEFI Lock option is enabled below:

1. First, I had to disable the Memory Integrity option from the Windows Security app.
2. And then, went into Group Policy and enabled the Code Integrity with UEFI Lock option from Group Policy.
3.Then, I had to restart my system in order for the changes to take effect.

As far as system performance, I don't see any difference :-)

Many thanks for all your help on this (y)

Capture.PNGcoreiso.PNGsysinfo.PNG
 
Last edited:

My Computer

System One

  • OS
    Win10 Pro

Latest Support Threads

Top Bottom