Kernel isolation memory embedding is a great security feature, but you can’t enable it if the WD driver interferes with the kernel isolation mechanism. Full error message:
Unable to enable Core Isolation memory integrity due to incompatible driver “WDCSAM64_PREWIN8.SYS”.
The problem occurs when a user tries to enable Core Isolation storage integration but cannot. When he checks for incompatible drivers, he finds that the problem was created by a WD driver. The problem is not limited to a specific system manufacturer, and you get the following message:
- Driver date: 11/29/2015
- Driver version: 18.104.22.168
- Published name: oem16.inf
What is memory integrity with core isolation?
Virtualization-based security was originally only available for Windows 10 Corporate releases. In April 2018, however, Microsoft acknowledged the error. Windows has long been considered less secure than competing operating systems such as macOS and Linux, and support for hardware virtualization has become more common.
With Intel VT-x (or AMD-V if you have a Ryzen chip), core isolated memory integrity creates a bubble of system memory that is separated from the rest of the computer. This allows you to run processes that attackers shouldn’t manipulate, such as. B. Security software and critical system processes. This means that even if you have malware, it won’t be able to penetrate the most important parts of your system.
As you can imagine, this is a very good safety net, but there are problems with those who use virtual machines. Because system virtualization is already “exhausted” by memory isolation, users will experience errors. While primary isolation in general is often enabled for Windows 10 systems, some of the updates related to memory integrity are usually disabled by default. Also, if it encounters a driver that does not support it, it tends to be deactivated again.
Before moving on to a solution to enable kernel isolation, make sure that virtualization is enabled in your system’s BIOS (you may need to enable SVM in your BIOS overclocking page if it is available).
Enable core isolation and memory integrity
You can see if your computer has basic isolation features enabled, and you can enable or disable memory protection in the Windows Defender Security Center application. (This tool will be renamed Windows Security as part of the October 2018 update.)
- To open it, search for “Windows Defender Security Center” from the Start menu or choose Preferences > Update and Security > Windows Security > Open Windows Defender Security Center.
- If your PC hardware has kernel isolation enabled, you will see the message “Virtualization-based security is running to protect key parts of your device.
- To enable (or disable) memory protection, click the Kernel Isolation Details link.
- This screen will show you whether or not memory integrity is enabled. This is the only option at this time.
- To enable memory integrity, set the switch to “On.” If you are having problems with an application or device and need to disable memory integrity, go back here and turn the switch on.
- You will be prompted to restart your computer. The change will not take effect until you do so.
Fixed major isolation issues
On rare occasions, application compatibility issues may arise when primary isolation is enabled. In this case, you may need to disable this feature to resolve the issue.
If you try to disable storage integrity in the Windows Defender Security Center, but this option is inactive with the message “This option is controlled by your administrator,” you can disable it through the registry:
Disclaimer: This is a friendly reminder that editing the registry is risky and can irreversibly damage your installation if done incorrectly. It is recommended that you make a full backup of your PC before proceeding.
- Use the Windows Key + R key combination to open the Run command.
- Type regedit and click OK to open the registry.
- Find the following path:
- HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ DeviceGuard \ Scenarios \ HypervisorEnformedCodeIntegrity
- Double-click the “Enabled” button.
- Set the value from 1 to 0.
- Click OK.
After completing these steps, restart your computer for the changes to take effect.