How to Disable HVCI/KMCI in Windows 11: A Step-by-Step Guide

Want to install a legacy driver, use a low-level utility, or debug kernel code and Windows 11 keeps blocking you with Memory integrity warnings? That’s HVCI at work—good for security, inconvenient when you need deep system access. In this guide, we’ll walk through safe, repeatable ways to disable HVCI (Hypervisor-protected Code Integrity) and KMCI (Kernel-Mode Code Integrity) on Windows 11—plus how to turn them back on when you’re done.

⚠️ Important: HVCI/KMCI protect you from kernel-level malware and bad drivers. Disabling them reduces system security. Only do this if you understand the risks, and re-enable afterward.


What Are HVCI, KMCI, VBS, and “Memory Integrity”?

  • KMCI (Kernel-Mode Code Integrity): Verifies kernel drivers are signed and trustworthy.
  • HVCI (Hypervisor-protected Code Integrity): Runs code integrity checks inside VBS (Virtualization-Based Security) using the Windows hypervisor.
  • VBS: A secure, isolated region of memory used for protections like HVCI, Credential Guard, etc.
  • Memory integrity: The Windows Security app’s friendly name for HVCI.

Should You Disable HVCI/KMCI? Pros & Cons

Pros

  • Lets you install older or unsigned drivers for hardware, debuggers, or niche tools.
  • Useful for lab work, compatibility testing, and certain developer workflows.

Cons

  • Lower security against rootkits and kernel-level exploits.
  • Some compliance frameworks expect these protections to stay enabled.
  • May affect features that depend on VBS/Hyper-V (e.g., Credential Guard, Windows Sandbox).

If you only need one driver, consider updating or replacing the driver first (see the “Fix drivers without disabling HVCI” section).


Before You Start: Check If HVCI/VBS Are Enabled

Option 1: Check in Windows Security

  1. Press Windows + S, type Windows Security, open it.
  2. Go to Device security → Core isolation → Core isolation details.
  3. If Memory integrity is On, HVCI is active.

Option 2: Check in System Information (msinfo32)

  1. Press Windows + R, type msinfo32, press Enter.
  2. In System Summary, find Virtualization-based security.
    • Running → VBS (and likely HVCI) is active.
    • Not enabled → HVCI is likely off.
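
The same check from an elevated PowerShell prompt, as an added example that is not part of the original guide. It only reads state: the Win32_DeviceGuard CIM class for what is actually running, the two registry values this guide edits in Method 3, and the boot setting from Method 4. The policy registry path and the helper name Get-RegDword are not from this guide; the policy path is included as an assumption about where Group Policy stores the same settings.

```powershell
# Added example: read-only report of VBS/HVCI state. It changes nothing.
# Run from an elevated PowerShell prompt (bcdedit needs admin rights).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Runtime state as reported by the Win32_DeviceGuard CIM class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$svcText = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)' }
$running = foreach ($id in $dg.SecurityServicesRunning) {
    if ($svcText.ContainsKey([int]$id)) { $svcText[[int]$id] } else { "Service $id" }
}

# Configured state: the two values from Method 3, plus the policy copy that
# Group Policy writes (assumption: this policy path is not from the guide).
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# Boot setting from Method 4. No line is listed if the value was never set.
$bcd = bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype'

[pscustomobject]@{
    VbsRuntimeStatus     = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesRunning      = $running -join ', '
    HvciRunning          = $dg.SecurityServicesRunning -contains 2
    RegEnableVbs         = Get-RegDword $local 'EnableVirtualizationBasedSecurity'
    RegHvciEnabled       = Get-RegDword "$local\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled'
    PolicyEnableVbs      = Get-RegDword $policy 'EnableVirtualizationBasedSecurity'
    PolicyHvci           = Get-RegDword $policy 'HypervisorEnforcedCodeIntegrity'
    HypervisorLaunchType = if ($bcd) { ($bcd.Line -split '\s+')[-1] } else { 'not set' }
} | Format-List
```

Run it before making a change and again after re-enabling. If the registry values and HvciRunning disagree, the change has not taken effect yet (see the troubleshooting section).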

Method 1: Turn Off Memory Integrity (GUI) — Fast & Simple

This is the cleanest user-level method and works on most systems.

  1. Open Windows Security.
  2. Go to Device security → Core isolation → Core isolation details.
  3. Toggle Memory integrity Off.
  4. Restart your PC when prompted.

Re-enable later: Return here and toggle On, then restart.

💡 If Windows says certain drivers are incompatible, it will list them here. You can try updating or removing those drivers (see the driver-fix section) instead of disabling HVCI entirely.


Method 2: Disable via Group Policy (Pro/Enterprise/Education)

Great for managed devices or if the toggle is greyed out.

  1. Press Windows + R, type gpedit.msc, press Enter.
  2. Navigate to:
    Computer Configuration → Administrative Templates → System → Device Guard
  3. Open Turn on Virtualization Based Security.
  4. Set to Disabled (or Not Configured if another policy is enabling it).
    • If you use Enabled, expand Virtualization-based Protection of Code Integrity and set Disabled.
  5. Click Apply → OK.
  6. Open an elevated terminal and run: gpupdate /force
  7. Restart your PC.

Re-enable later: Set Turn on Virtualization Based Security to Enabled, choose Virtualization-based Protection of Code Integrity: Enabled with UEFI lock (or as required), Apply, gpupdate /force, and restart.


Method 3: Disable via Registry (Advanced Users)

If you don’t have Group Policy (e.g., Windows 11 Pro without admin templates) or want scriptable control.

⚠️ Caution: Editing the registry incorrectly can cause system issues. Create a restore point and export the keys you modify: open Registry Editor, select the key, File → Export.

  1. Press Windows + R, type regedit, press Enter.
  2. Go to:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
      • Value: EnableVirtualizationBasedSecurity → set to 0
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
      • Value: Enabled → set to 0
  3. Close Registry Editor and restart.

Re-enable later: Set EnableVirtualizationBasedSecurity=1 and Enabled=1, then restart.

PowerShell (elevated) alternative:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f

Method 4: Disable the Hypervisor (Last Resort)

Turning off the Windows hypervisor disables VBS (and therefore HVCI), but it also impacts Hyper-V, WSL2, Windows Sandbox, Device Guard/Credential Guard, Docker Desktop (Hyper-V backend), etc.

  1. Open Command Prompt (Admin) or Windows Terminal (Admin).
  2. Run: bcdedit /set hypervisorlaunchtype off
  3. Restart your PC.

Re-enable later:

bcdedit /set hypervisorlaunchtype auto

Restart again.


Method 5: Disable Using Windows Features (If Hyper-V is Forcing VBS)

If Hyper-V or related components keep re-enabling the hypervisor:

  1. Press Windows + R, type optionalfeatures.exe, press Enter.
  2. Uncheck: Hyper-V, Virtual Machine Platform, Windows Hypervisor Platform, Windows Sandbox (as applicable).
  3. Click OK and restart.
  4. If needed, also run bcdedit /set hypervisorlaunchtype off (Method 4).

Re-enable later: Check the features you need again and restart.


Fix Driver Incompatibilities Without Disabling HVCI (Recommended)

In many cases, you can keep Memory integrity On by updating or replacing problem drivers.

Find the Problem Drivers

  • Windows Security → Device security → Core isolation → Core isolation details
    If Memory integrity can’t be enabled, Windows will often list incompatible drivers with file names (e.g., oem12.inf, XYZDriver.sys).

Update or Replace

  • Windows Update: Settings → Windows Update → Check for updates.
  • Device Manager:
    1. Press Windows + X → Device Manager.
    2. Right-click the device → Update driver → Search automatically.
  • Vendor Website: Download a Windows 11 or WHQL-signed driver.
  • Remove the Culprit:
    1. In Device Manager, right-click device → Uninstall device → check Delete the driver software for this device (if shown).
    2. Reinstall with a newer/signed driver.

If you must use an older driver, consider disabling HVCI temporarily, do your task, then re-enable.


Troubleshooting: Common Hiccups & Fixes

The Memory Integrity Toggle Is Greyed Out

  • Managed by your organization: Group Policy or MDM is enforcing it. Use Method 2 (GPO) or contact your admin.
  • Core isolation requires virtualization: Ensure Intel VT-x/AMD-V (SVM) and Hyper-V virtualization are available if you’re trying to enable later. (For disabling, this is less relevant.)

You Disabled It but msinfo32 Still Shows VBS Running

  • Some changes require two reboots (after policy + after hypervisor change).
  • Verify Group Policy is applied: run gpupdate /force, then reboot.

bcdedit Fails or Says Access Denied

  • Ensure you launched the terminal as Administrator.
  • Secure Boot typically doesn’t block bcdedit for this change, but BitLocker may prompt on next boot—have your recovery key handy.

Performance Changed After Disabling

  • HVCI can have a small performance overhead; disabling it may increase performance slightly in some scenarios. The tradeoff is reduced security. Re-enable when you’re done.

Security & Compliance Considerations

Disabling HVCI/KMCI may also disable or weaken:

  • Credential Guard / LSA protection
  • Windows Defender Application Control (WDAC) scenarios
  • Windows Sandbox and other Hyper-V-based features
  • Some enterprise compliance baselines (CIS, Microsoft Security Baselines)

If you’re in a corporate environment, verify policy with your security team.


How to Re-Enable HVCI/KMCI Safely

Re-enable with Windows Security

  1. Windows Security → Device security → Core isolation details
  2. Toggle Memory integrity On → Restart.

Re-enable with Group Policy

  • Set Turn on Virtualization Based Security to Enabled and choose Virtualization-based Protection of Code Integrity → Enabled.
  • Run gpupdate /force → Restart.

Re-enable Hypervisor

bcdedit /set hypervisorlaunchtype auto

Restart, then turn Memory integrity on.


Script It: Quick On/Off Snippets (Admin Terminal)

Use at your own risk; always test in a lab first.

Turn OFF HVCI/VBS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
bcdedit /set hypervisorlaunchtype off
shutdown /r /t 5

Turn ON HVCI/VBS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f
bcdedit /set hypervisorlaunchtype auto
shutdown /r /t 5

When You Should Not Disable HVCI/KMCI

  • You handle sensitive data (finance, healthcare, legal) on this device.
  • It’s a work-managed or compliance-scoped machine.
  • You don’t have a known need (e.g., you’re just troubleshooting a random issue).
  • You cannot verify the provenance of the driver you plan to install.

Best Practices If You Must Disable

  • Create a restore point (search “Create a restore point” → Create).
  • Export the registry keys you’ll touch.
  • Note your BitLocker recovery key (just in case).
  • Disconnect from untrusted networks while protections are off.
  • Re-enable HVCI as soon as you’re done.

Quick Summary of Methods

  • GUI Toggle (Windows Security): Fastest. Great for one-off changes.
  • Group Policy: For Pro/Enterprise and managed devices; policy-driven control.
  • Registry: Scriptable; works without GPO.
  • bcdedit: Nuclear option—turns off the hypervisor; impacts Hyper-V/WSL2/Docker.

Conclusion

Turning off HVCI/KMCI in Windows 11 can get you past tough driver blocks and enable specialized tools—but it trades away valuable protection. Start with the Windows Security toggle; if that’s blocked, move up to Group Policy or Registry. Reserve bcdedit for last-resort scenarios because it disables the hypervisor entirely. And once you’re done, turn the protections back on to keep your system resilient against kernel-level threats.


FAQs

1) What’s the difference between Memory integrity and HVCI?
They’re effectively the same in Windows 11 terminology—Memory integrity is the user-friendly name for HVCI, which enforces kernel code integrity inside VBS.

2) If I disable HVCI, will WSL2 and Hyper-V still work?
If you use only the GUI/registry/policy methods, Hyper-V can remain available. If you use bcdedit /set hypervisorlaunchtype off, the hypervisor (and thus WSL2, Hyper-V, Sandbox, Docker Hyper-V backend) will stop working until you set it back to auto.

3) The toggle is greyed out—how do I change it?
It’s likely enforced by Group Policy/MDM. Use Method 2 (GPO) or contact your admin. On personal devices, ensure you’re an administrator and no third-party security tool is enforcing VBS.

4) Is there a way to keep HVCI on but allow one driver?
Not reliably for unsigned/legacy drivers. Best path: obtain a WHQL-signed, Windows 11-compatible driver from the vendor. You can temporarily disable HVCI, install the driver, complete your task, then re-enable.

5) After I re-enable Memory integrity, Windows still lists a bad driver. What now?
Remove or update the driver. Use Device Manager to uninstall (with “Delete the driver software for this device” if available), then install a signed driver. Check Windows Update and the hardware vendor’s site for newer packages.
