In Windows 10 and 11, the operating system can protect against malicious code by isolating certain processes in the PC's memory using virtualization on supported hardware. This protection is exposed as the Memory Integrity option under the Core Isolation feature. With Windows 11 22H2, Microsoft made this feature default. However, as of writing this post, Memory Integrity will only be turned on by default on new devices. For existing devices upgrading to Windows 11 22H2, the feature will need to be managed separately.
Memory Integrity is also known as Hypervisor-protected Code Integrity (HVCI). Being a Device Guard feature, it hasn't made it into the dedicated security profiles under Endpoint Security Attack Surface Rules in Intune as a standalone policy. Official documentation by Microsoft suggests that it can be enabled as part of the Applocker Code Integrity CSP.
Alternatively, one can also enable it through the Applocker policy in Application control ASR, if you want to enable Applocker policy as a whole.
If you do use the CSP or the built-in Applocker application control policy, then be prepared for the additional forced reboot needed to enable the feature.
If you don't want to enable Applocker, just like me, and only want to enable HVCI feature, then luckily there is another option. Follow the steps below to enable it -
1. Sign-in to the Microsoft Endpoint Manager Admin Center
2. Browse to Devices – Windows – Configuration Profiles
3. Click Create Profile
4. Select Platform as Windows 10 and later
5. Select Profile as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Search for and select 'Hypervisor Enforced Code Integrity' as shown below.
The following values are available -
Disabled (0) - Turns off Hypervisor-Protected Code Integrity remotely if it was configured previously without UEFI lock.
Enabled with UEFI lock (1) - Turns on Hypervisor-Protected Code Integrity with UEFI lock.
Enabled without UEFI lock (2) - Turns on Hypervisor-Protected Code Integrity without UEFI lock.
9. Set it to the desired value. (I am setting it to Enabled with UEFI lock)
10. Assign to your device or user based group.
End Result
For the setting to apply, the device must be rebooted once. After the reboot, Memory Integrity feature will turn on.
Compliance in Intune should get updated and report the setting as successful.
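Intune reporting only tells you the policy was delivered; it does not confirm that HVCI is actually running after the reboot. The following PowerShell script is an added verification check and is not part of the original post or of Microsoft's tooling. It assumes the Settings catalog policy writes the documented Device Guard registry values (Enabled and Locked under the HypervisorEnforcedCodeIntegrity scenario key) and that the Win32_DeviceGuard WMI class is available on the device, which is the case on Windows 10 and 11.

```powershell
# Added verification script (not from the original post): confirms that the
# Memory Integrity / HVCI setting pushed through Intune is both configured and running.
# Assumptions: the policy writes the documented DeviceGuard registry values, and the
# Win32_DeviceGuard class exists in the root\Microsoft\Windows\DeviceGuard namespace.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-HvciConfiguredState {
    # What has been *configured* on disk. Enabled=1 means HVCI is requested,
    # Locked=1 means the UEFI lock variant (value 1 in the Settings catalog) was chosen.
    $enabled = 0
    $locked  = 0
    if (Test-Path -Path $regPath) {
        $props   = Get-ItemProperty -Path $regPath
        $enabled = [int]($props.Enabled)   # missing property casts to 0
        $locked  = [int]($props.Locked)
    }
    [pscustomobject]@{
        Enabled  = ($enabled -eq 1)
        UefiLock = ($locked -eq 1)
    }
}

function Get-HvciRunningState {
    # What is *actually running*, as reported by the Device Guard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning / SecurityServicesConfigured contain 2 when HVCI is active / requested.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

$configured = Get-HvciConfiguredState
$running    = Get-HvciRunningState

Write-Output "Registry : Enabled=$($configured.Enabled) UefiLock=$($configured.UefiLock)"
Write-Output "Runtime  : VBS=$($running.VbsRunning) HVCI=$($running.HvciRunning)"

# Exit code 0 only when HVCI is really running, so the script can double as a
# detection script in Intune (non-zero means "not compliant yet").
if ($running.HvciRunning) {
    Write-Output 'Memory Integrity (HVCI) is running.'
    exit 0
}
elseif ($configured.Enabled -or $running.HvciConfigured) {
    Write-Output 'HVCI is configured but not running; the device still needs a reboot.'
    exit 1
}
else {
    Write-Output 'HVCI is not configured on this device.'
    exit 1
}
```

Run it in an elevated PowerShell session on a device that has received the policy. Before the reboot you should see the registry values present but HVCI not running (exit code 1); after the reboot both the registry and the WMI class should agree that HVCI is running (exit code 0). Because it exits non-zero until the feature is actually active, the same script can be used as the detection half of an Intune remediation script to catch devices where the policy applied but the reboot never happened.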