---
title: Enable virtualization-based protection of code integrity
description: This article explains the steps to opt in to using HVCI on Windows devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.author: justinha
author: brianlic-msft
ms.date: 11/07/2017
---
# Enable virtualization-based protection of code integrity

**Applies to**

- Windows 10
- Windows Server 2016
Virtualization-based protection of code integrity (herein referred to as HVCI) is a powerful system mitigation, which leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for remediation steps.
## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
The following instructions are intended for Windows 10 client systems running the Fall Creators Update (version 1709) that have hypervisor support and that are not already using a Windows Defender Application Control (WDAC) policy. If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT administrator to request HVCI.
> **Note**
> You must be an administrator to perform this procedure.
1. Download the Enable HVCI cabinet file.

2. Open the cabinet file.

3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location:

   `C:\Windows\System32\CodeIntegrity`

   > **Note**
   > Do not perform this step if a SIPolicy.p7b file is already in this location.

4. Turn on the hypervisor:

   a. Click **Start**, type **Turn Windows Features on or off** and press ENTER.

   b. Select **Hyper-V** > **Hyper-V Platform** > **Hyper-V Hypervisor** and click **OK**.

   c. After the installation completes, restart your computer.

5. To confirm HVCI was successfully enabled, open **System Information** and check **Virtualization-based security Services Running**, which should now display **Hypervisor enforced Code Integrity**.
## Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device Manager.
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are still able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restarting your device.

C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restarting your device.
## How to turn off HVCI on the Windows 10 Fall Creators Update
- Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
- Restart the device.
- To confirm HVCI has been successfully disabled, open System Information and check Virtualization-based security Services Running, which should now have no value displayed.
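The following PowerShell helper is an added example, not part of this article or of Microsoft's own tooling. It scripts the step 3 check for an existing policy, the hypervisor feature enablement from step 4, the confirmation from step 5, and the turn-off procedure above. The `Win32_DeviceGuard` class and the `Microsoft-Hyper-V-Hypervisor` optional feature name are real; the function names and the `.disabled` backup filename are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script). Assumes the SIPolicy.p7b extracted
# from the cabinet file is passed in by path; nothing is downloaded here.

$PolicyDir  = 'C:\Windows\System32\CodeIntegrity'
$PolicyFile = Join-Path $PolicyDir 'SIPolicy.p7b'

function Test-HvciRunning {
    # Same data that System Information shows under "Virtualization-based
    # security Services Running": value 2 means HVCI, value 1 means Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

function Install-HvciPolicy {
    param([Parameter(Mandatory)][string]$ExtractedPolicyPath)
    # Step 3 note: never replace a policy that is already deployed; it may be a
    # WDAC policy managed by your IT administrator.
    if (Test-Path $PolicyFile) {
        throw "A SIPolicy.p7b already exists in $PolicyDir; contact your IT administrator to request HVCI."
    }
    Copy-Item -Path $ExtractedPolicyPath -Destination $PolicyFile
    # Step 4: enable the Hyper-V hypervisor feature. A restart is still required.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Hypervisor' -NoRestart | Out-Null
    Write-Host "Policy staged and hypervisor feature enabled. Restart, then run Test-HvciRunning to confirm."
}

function Disable-HvciPolicy {
    # Turn-off procedure: renaming instead of deleting keeps the policy recoverable.
    # When run from Windows RE, check the system volume's drive letter first; it may not be C:.
    if (Test-Path $PolicyFile) {
        Rename-Item -Path $PolicyFile -NewName 'SIPolicy.p7b.disabled'
        Write-Host "Policy renamed. Restart the device; Test-HvciRunning should then return False."
    } else {
        Write-Host "No SIPolicy.p7b found in $PolicyDir; nothing to disable."
    }
}
```

Run `Test-HvciRunning` after the restart in step 4 to get the same answer as the System Information check in step 5, and again after `Disable-HvciPolicy` and a restart to confirm HVCI is off.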