Key Points
- A missing or unavailable Memory Integrity toggle usually indicates virtualization prerequisites are disabled or incompatible kernel drivers are blocking Memory Integrity.
- Verify platform prerequisites, such as UEFI, Secure Boot, TPM, and firmware-level virtualization, before troubleshooting deeper issues.
- Locate outdated drivers using Windows Security’s Core Isolation panel or PowerShell commands like Get-WindowsDriver, then update or uninstall them to restore HVCI compatibility.
- Misconfigured policies can silently re-disable HVCI on reboot; ensure WDAC rules, Smart App Control mode, and Intune/GPO baselines allow WHQL-signed drivers to load under VBS.
- After prerequisites, drivers, and policies align, toggle Memory Integrity on, reboot, verify it stays active, and record approved driver versions for deployment consistency.
Core isolation uses virtualization-based security to protect kernel memory. However, sometimes you will get the warning “Core isolation not available” in Windows 11 when you try to activate it. If the feature or its Memory integrity toggle is missing or grayed out, this usually means that virtualization prerequisites have not been met or there are incompatible drivers in your system.
A guide for fixing the “Core isolation not available” error in Windows 11
📌 Prerequisites:
- You need local administrator access on a test device.
- You need to have a comfortable maintenance time window for firmware and driver updates.
- You need to have access to Device Security, Event Viewer, and Windows PowerShell with elevated permissions.
Method 1: Confirm platform and virtualization prerequisites
First, you need to verify that it supports and has the following features enabled:
- UEFI
- Secure Boot
- TPM
- Virtualization in firmware and Virtual Machine Platform or Hyper-V components
Once you’ve verified that these features are here, go to Windows Security > Device security and see if Core Isolation is available. If not, apply the different methods.
Method 2: Identify and remove blocking drivers
- Go to Windows Security.
- Click Device security > Core isolation details.
- There, you should see a list of incompatible drivers. Update or uninstall them accordingly.
If there are no drivers listed, you need to perform a manual inventory of kernel drivers for unsigned or legacy components. To do that, deploy this command in Windows PowerShell:
Get-WindowsDriver -Online | Where-Object {$_.Signer -eq "Unsigned"} | Select-Object ClassName, OriginalFileName, ProviderName
Once deployed, look for:
- Unsigned drivers
- Drivers older than Windows 10/2016 generation
- Obsolete filter drivers
- Utility software installed before your Windows upgrade
These things may be causing the issue. Uninstall or update them accordingly.
Method 3: Align with policy and application control
There are several things within your computer that can be blocking Core Isolation. Go through all of them and ensure that they’re configured properly.
Windows Defender Application Control (WDAC)
WDAC can block certain kernel-mode drivers or may have specific signing or CI rules. To change this, you need to:
- Open Event Viewer.
- Go to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
- See if there are any errors related to blocked kernel drivers.
You also need to review applied WDAC policies (use Get-CIPolicy in Windows PowerShell or view them in your MDM profile) to confirm they support kernel driver compatible rules. Make sure that there’s no policy that conflicts with HVCI enforcement.
Smart App Control
- Go to Windows Security.
- Click App & browser control > Smart App Control.
- Check whether it’s Off, On, or in Evaluation Mode.
- If it’s On and you see conflicts with Core Isolation in Event Logs, set Smart App Control to Evaluation Mode.
Security Baselines (Intune, GPO, CIS, DoD, OEM baselines)
The following security baselines may intentionally enforce or block Core Isolation to fail without you noticing:
- VBS / HVCI
- Device Guard policies
- LSA Protection
- Credential Guard
- Driver load policies
To remedy this, you need to:
- Go to Group Policy Editor.
- Navigate to Computer Configuration > Administrative Templates > System > Device Guard
- There, you’ll find Deploy Windows Defender Application Control and Turn On Virtualization Based Security. Configure these policies accordingly.
You should also review your Intune security baselines if applicable. Make sure that there are no conflicting CI, virtualization, or driver policies being enforced.
Method 4: Update firmware and core drivers
Update BIOS or UEFI firmware from the OEM
Outdated BIOS or UEFI firmware can block Memory Integrity because of the following reasons:
- You may not have full virtualization-based security (VBS) support
- You may be using deprecated ACPI tables or microcode
- Your firmware may contain bugs affecting HVCI, virtualization, or secure boot
- Your device may fail to properly initialize Intel VT-x, AMD-V, or IOMMU/VT-d
To update BIOS and UEFI firmware, go to your system’s manufacturer’s website and see if there are updates available. If there are, download them and follow the instructions on how to install them.
Update chipset drivers from the OEM
Chipset drivers control how your system interacts with the computer’s CPU cores, I/O controllers, memory, virtualization extensions, and power states. If your chipset drivers are outdated, they can block HVCI because they don’t support modern kernel DMA protections, fail to expose virtualization requirements, or use old or unsigned kernel components.
To update your chipset drivers, figure out what your chipset driver is by going to Device Manager. Once you know what driver you need to update, go to the manufacturer’s website and see if there are updates available. Download and install them if there are.
Update storage drivers (SATA, NVMe, RAID)
Storage drivers can block Memory Integrity if they are:
- Unsigned
- Using legacy filter drivers
- Using older Intel RST, RAID, or AHCI drivers incompatible with HVCI
To update your storage drivers, figure out what your storage driver is by going to Device Manager. Once you know what driver you need to update, go to the manufacturer’s website and see if there are updates available. Download and install them if there are.
Update graphics drivers
GPU drivers have deep access to kernel memory. This means that outdated graphics drivers often appear in the “Incompatible Drivers” list that block Memory Integrity.
To update your graphics drivers, figure out what your graphics driver is by going to Device Manager. Once you know what driver you need to update, go to the manufacturer’s website and see if there are updates available. Download and install them if there are.
Method 5: Validate and enable memory integrity
Now that you’ve gone through all the things that may be blocking Memory Integrity, it’s time to activate it. To do that, you need to:
- Open Windows Security.
- Go to Device security > Core isolation details.
- Toggle Memory integrity on.
- Restart the computer when prompted.
- Go back to Core isolation details and see if it stays on and there are no incompatible drivers left.
What else do you need to do
Evidence and Audit Trail
After successfully activating Memory Integrity, make sure you keep records of everything you’ve done. Capture screenshots of the Core isolation page before and after you resolved the issue, and record the driver names and versions you removed or updated. Store all your evidence in your RMM, and make sure that the device model, BIOS version, and policy scope are logged in the ticket.
Fleet Rollout and Guardrails
To make sure that you avoid a repeat incident, you need to:
- Pilot best practices on representative models and make sure they work how you need them to.
- Have a record of approved driver versions per model and add them to your onboarding runbook.
- Pair with your Credential Guard and LSA protection posture for a consistent security baseline.
Best practices summary table when activating Core Isolation in Windows 11
Practice | Purpose | Value Delivered |
| Verify virtualization and Secure Boot. | This ensures that the device meets all the necessary prerequisites when activating Core Isolation. | You will have fewer false starts. |
| Update or remove blockers. | This will unblock Memory Integrity and ensure that your system drivers are properly updated. | You’ll have stronger kernel protections. |
| Use OEM-signed drivers. | This ensures your drivers are compatible with Memory integration. | This will give you fewer regressions. |
| Document approved drivers | This makes audits easier and makes things repeatable. | This will make future rollouts faster. |
| Pilot before fleet change | You’ll find edge cases more easily and can plan for them accordingly. | This will reduce risks during full implementation. |
Troubleshooting for Microsoft Memory Integrity activation
Problem | Solution |
| Memory integrity toggle is missing or grayed out. | A driver is incompatible, or virtualization is off. Update or remove the driver and verify firmware settings. |
| Feature returns after reboot as off. | A policy or application control setting may be reverting state. Check WDAC or management profiles. |
| A legacy device is required for operations. | Contact the vendor and ask for a signed, compatible driver. If that’s not possible, isolate usage and document the exception. |
| Core isolation is present, but crashes occur after enabling. | Roll back the last driver change, and test incrementally to isolate the culprit. |
Enhance device protection by activating Memory Integrity on your Windows 11 computers
There are many possible reasons why core isolation isn’t available on a computer. The first thing you need to do is fix the foundations by verifying if the feature is actually available. If that doesn’t work, eliminate driver blockers and align with policy. If prerequisites are met and drivers are updated, you can be sure that Memory Integrity will stay on and strengthen your endpoint baseline.
Related Links:
- How to Enable Credential Guard and LSA Protection Across Client Devices
- What Is Virtualization? Definition & Overview
- How to Enable CPU Virtualization in Your Computer BIOS
- Virtualization vs Cloud Computing: What’s the Difference?
- How to Turn On or Off Core Isolation Virtualization-based Security in Windows 10
