Windows 11 comes with a lot of security features to help prevent your PC from running into major issues. Those features include Secure Boot and, of course, Microsoft Defender, but there's another one you might not be too familiar with: Core isolation.

You might have seen core isolation mentioned in Windows before, but what exactly does it do? Should you keep it enabled on your PC? The short answer is yes, but let's take a closer look at why.

What does Core Isolation do?

It keeps core systems safe from being tampered with

Most users probably first encountered core isolation in Windows 10. The feature was made available to all editions of Windows 10 starting with version 1803 back in 2018, and it's been around ever since. Before that, it was exclusive to Enterprise editions of Windows 10.

Core isolation uses what's called virtualization-based security, or VBS, to help keep your computer safe from threats. In essence, VBS and core isolation make it so that vital system and security processes run in a virtualized environment, which is isolated from the rest of the system. In a way, you can say these processes run in a virtual machine. By isolating these processes with a virtualization layer, Windows can protect them from malicious third-party software that may threaten to tamper with them.

Even if your computer does get infected with malware, these essential processes are kept out of reach so that they can't be compromised. This makes core isolation a hugely important feature for security, which is why it's enabled by default, and you don't even have the option to disable it entirely.

Core isolation does require some special hardware, but any PC that runs Windows 11 should have the necessary components, which include TPM 2.0 support and having Secure Boot enabled in the BIOS. Some Windows 10 machines may not meet the requirements, though.

What is memory integrity?

An additional layer of protection

One of the main capabilities under core isolation in Windows 10 and 11 is called memory integrity, and it can sometimes be turned off on new PCs, as well as after upgrades. Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI), prevents malicious code from being injected into processes with low-level access to the Windows kernel, such as device drivers, which could seriously compromise your PC. By isolating these processes, Windows keeps them out of reach of malicious actors.

Again, this feature can sometimes be disabled, but you can make sure it's enabled by opening the Windows Security app on your PC and heading to the Device security section, then Core isolation details. There's a dedicated memory integrity toggle here.
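If you would rather check the same thing from a script than click through the Windows Security app, the following PowerShell reads the status from the Win32_DeviceGuard WMI class. This is an added example, not code from the article; it assumes an elevated prompt and that the memory integrity toggle is stored under the DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity registry key, which is the key the toggle writes to on current Windows builds.

```powershell
# Added example: report core isolation (VBS) and memory integrity (HVCI) status.
# Run from an elevated PowerShell prompt on Windows 10 1803+ or Windows 11.

function Get-CoreIsolationStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvciRunning = $dg.SecurityServicesRunning -contains 2

    # AvailableSecurityProperties lists what the hardware/firmware offers:
    # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (other values not decoded here)
    $props = $dg.AvailableSecurityProperties

    # Assumption: the Windows Security toggle writes Enabled = 1 (on) / 0 (off) under this key.
    # A missing value means the setting has never been changed from its default.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $policy  = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $policyState = if ($null -eq $policy) { 'not set' } elseif ($policy -eq 1) { 'on' } else { 'off' }

    [pscustomobject]@{
        VbsState               = $vbsState
        MemoryIntegrityRunning = $hvciRunning
        MemoryIntegrityPolicy  = $policyState
        HypervisorSupport      = $props -contains 1
        SecureBoot             = $props -contains 2
        DmaProtection          = $props -contains 3
    }
}

$status = Get-CoreIsolationStatus
$status | Format-List

# "On" in settings but not running is the symptom of the driver conflicts described
# in the article: Windows declined to start HVCI at boot because a loaded driver is incompatible.
if ($status.MemoryIntegrityPolicy -eq 'on' -and -not $status.MemoryIntegrityRunning) {
    Write-Warning 'Memory integrity is enabled in settings but not running; open Core isolation details in Windows Security to see which driver is blocking it.'
}
```

The Windows Security app lists the offending driver under Core isolation details when memory integrity is enabled but cannot start.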

What are the downsides of core isolation and memory integrity?

There can be compatibility issues

Part of the reason memory integrity is often disabled on Windows 11 has to do with compatibility. Because it relies on the Windows virtualization capabilities, it can sometimes conflict with certain drivers that aren't compatible with HVCI, even though driver developers have been required to meet HVCI compatibility requirements for years now. Some old drivers may still prevent memory integrity from working, or enabling memory integrity may break specific functionality in some drivers. With most modern devices, it shouldn't be an issue, but older drivers can cause problems.

Memory integrity may also not play well with certain virtualization software for running virtual machines. Generally, only one program can use your computer's virtualization hardware at any given time, so memory integrity blocks other apps from being able to do so. Of course, VMs can usually still run, but without hardware virtualization enabled.

In these cases, if you notice some functionality is missing, you may have to disable memory integrity in the core isolation settings.

You should have core isolation and memory integrity enabled

Despite the potential compatibility issues that can come from having memory integrity enabled, this is a feature we recommend keeping on unless you've had a specific problem with it. Any feature that enhances the security of your PC can only be a good thing, especially when it can be hard to identify malicious software by yourself.