Win10’s new “Memory integrity” feature breaks VirtualBox, other software

After a recent Windows 10 update, I went spelunking into some unfamiliar features, including the new “Memory Integrity” option that’s part of the also new “Windows Defender System Guard.”

It’s a pretty cool idea. The technical details are outlined in the Windows Insider Blog post, “Windows Defender System Guard: Making a leap forward in platform security with memory integrity,” but the concept is simple: Win10 now can use Microsoft’s virtualization technology (Hyper-V) to sandbox parts of itself and the apps you run, making it very hard for a malicious app to get at and modify the core OS code.

According to the above-cited blog page, the two key elements are that “the kernel memory pages are only made executable after passing code integrity checks inside the secure runtime environment, and executable pages themselves are never writable.” That sounds great, and should go a long way to making your PC malware-resistant.

But the catch — there’s always a catch — is that “Memory Integrity” only works with newer software that plays by Win10’s new rules. Older software (especially drivers) may fail, and elements of Hyper-V may conflict with even fully up-to-date copies of other virtualization software.

Want to see if Memory Integrity works on your system? It’s easy to toggle on and off. (It’s not a high-risk thing, but make a backup first, just in case.)

Open Settings and go to Windows Defender Security Center -> Device security -> Core Isolation/Details -> Memory Integrity -> On/Off. You’ll have to reboot after changing the toggle.
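To confirm that the toggle actually took effect after the reboot, and to see why VirtualBox objects, here is an added PowerShell check (not from the original post) that reads the same state Windows exposes through WMI and the registry. The class, property and registry names are Microsoft’s documented ones; the service ID 2 stands for HVCI, which is what the Settings page labels “Memory integrity”; only the output labels are my own.

```powershell
# Added example (not from the original post): report whether Memory Integrity
# (HVCI) is configured and running, and whether the Hyper-V hypervisor is
# loaded. Run from an elevated PowerShell prompt on Windows 10.

# Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
"VBS status          : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"

# SecurityServicesConfigured / SecurityServicesRunning hold service IDs;
# ID 2 is HVCI, which the Settings toggle calls "Memory integrity".
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2
"Memory integrity    : configured=$hvciConfigured running=$hvciRunning"

# The Settings toggle writes this value (1 = on, 0 = off). A mismatch with the
# running state usually means the reboot mentioned above has not happened yet.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$toggle = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
"Settings toggle     : $(if ($null -eq $toggle) { 'not set' } else { $toggle })"

# Once HVCI runs, the Hyper-V hypervisor sits underneath Windows itself; that is
# what VirtualBox's "Raw-mode is unavailable courtesy of Hyper-V" error reflects.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Hypervisor present  : $($cs.HypervisorPresent)"

if ($hvciRunning -and -not $cs.HypervisorPresent) {
    Write-Warning 'HVCI reports running but no hypervisor is present; state is inconsistent.'
}
```

Run it once before toggling and once after the reboot; the two “Memory integrity” lines should flip together, and “Hypervisor present” turning True is the point at which VirtualBox’s raw mode stops working.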

In my case, turning on Memory Integrity caused three problems. Although my current, main PC is well-maintained and running the latest-available system software and drivers, it’s a few years old now, and the manufacturer is no longer updating some drivers. Thus, the “latest-available” drivers aren’t necessarily new or fully current.

First thing I noticed was that my (Realtek-based) sound system went silent; reinstalling the latest-available drivers didn’t help. Losing sound was a problem because I lost text-to-speech (I use that for proofreading), and could no longer hear error/warning sounds. It would have been worse if I used my PC for entertainment, but most of my music/video activity is now on my smartphone and smartTV — not my PC. Still, a soundless PC is far from ideal.

Second, my printer somewhat died; the basic functions still worked, but I lost access to some advanced features provided by the printer’s OEM drivers. That’s an annoyance, but not major: I hardly print anything anymore.

But third and most seriously, VirtualBox stopped working; none of my virtual PCs would load or run, instead generating the somewhat snarky error message, “Virtualbox Raw-mode is unavailable courtesy of Hyper-V…”. (“Courtesy of?” Really?)

Losing VirtualBox looked to be a huge pain, because I keep (and use) live, fully-working reference copies of every version of Windows, from Win95 onward, in my PC.

I need those different VPC Windows versions — at least Win7/8/10 — for my work, so having to start over with a different virtualization scheme was not a happy thought.

So I toggled Memory Integrity back off, and was glad to see everything return to normal — albeit without the new, extra safeguards I’d hoped for.

My two big takeaways from this: Memory Integrity is a great idea, and well worth enabling if your system and setup can support it. I wish mine did.

But, the second takeaway is the realization that my several-years-old system just isn’t up to snuff anymore. Besides trouble with Memory Integrity, my PC also has trouble with some other advanced, hardware-based security features such as Win10’s “Trusted Platform Module (TPM) Technology.” (Microsoft explanation here.) If your PC supports TPM, you’ll see it as a “Security Processor” option in Windows Defender Security Center -> Device security. On my PC, this option does not appear; thus I also do not have access to this desirable and advanced security feature; my hardware doesn’t support it.

So, if I want to fully take advantage of best-available system security, I’ll need a newer system.

Looks like I have some hardware shopping in my future!


Permalink: http://langa.com/index.php/2018/08/11/win10s-new-memory-integrity-feature-breaks-virtualbox-other-software/

2 Replies to “Win10’s new “Memory integrity” feature breaks VirtualBox, other software”

  1. Having later hardware won’t help. VirtualBox still won’t run (except in Turtle mode) when memory integrity is turned on.
