Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings
| Property | Value |
|---|---|
| ISM Control | ISM-1896 |
| Revision | 0 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | Authentication hardening |
| Topic | Protecting credentials |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Memory integrity, also called Hypervisor Enforced Code Integrity, uses virtualization-based security to run kernel mode code integrity inside a secure environment, preventing unsigned or tampered kernel code from executing. Implement this control by enabling the Hypervisor Enforced Code Integrity setting via the settings catalog in Intune/CSP to enable memory integrity across managed devices.123
Memory integrity (HVCI) directly counters Bring Your Own Vulnerable Driver (BYOVD) attacks — one of the most prevalent techniques used by ransomware operators (e.g., BlackByte, Scattered Spider, Lazarus Group) and APT actors to escalate from user-mode to kernel-mode execution. BYOVD works by loading a legitimately signed but vulnerable kernel driver, then exploiting it to execute arbitrary kernel-mode code, disable EDR/AV, or install a rootkit.
With HVCI enabled, the Windows Hypervisor enforces that all kernel-mode code pages are immutable after load and validates each page against the code integrity policy before execution. Vulnerable drivers cannot be exploited to write shellcode to kernel memory because the page table permissions are enforced by the hypervisor — outside the reach of kernel-mode code itself.
| Attack technique | Without HVCI | With HVCI |
|---|---|---|
| BYOVD (vulnerable signed driver) | Kernel-mode code execution | Blocked — code page modification prevented by hypervisor |
| Kernel rootkit installation | Persistent access, EDR bypass | Blocked — unsigned kernel code cannot execute |
| Driver exploit (CVE-2021-34486 class) | Privilege escalation to SYSTEM | Mitigated — code integrity validation in VBS |
| Memory scraping via kernel driver | LSASS/credential theft | Blocked when combined with LSA protection (ISM-1861) |
Hardware prerequisites for HVCI are the same as for Credential Guard (VT-x/AMD-V + SLAT/RVI, IOMMU, UEFI 2.3.1+). On Windows 11 22H2+, HVCI is enabled by default on eligible hardware. The Intune Settings Catalog deployment ensures enforcement across managed devices that meet the prerequisites and flags incompatible drivers via Event ID 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational.
> [!NOTE]
> The Hypervisor Enforced Code Integrity setting will be enabled using the settings catalog in Intune. It will rely on the Virtualization Based Technology configuration to activate memory integrity per ASD and Microsoft guidance.
Dependencies
Intune management required: Devices must be enrolled in Microsoft Intune and joined to Entra ID to apply Intune-based memory integrity configurations. 3
Deployment method via settings catalog: Implement memory integrity using the Virtualization Based Technology > Hypervisor Enforced Code Integrity setting in the settings catalog, or via the HypervisorEnforcedCodeIntegrity node in the VirtualizationBasedTechnology CSP. 3
Hypervisor Enforced Code Integrity readiness: Memory integrity is provided by HVCI; ensure the OS supports memory integrity and the feature is available for deployment. 2
Use the msinfo32 tool or the Windows Security app (Device Security > Core Isolation details) to verify HVCI is active. Event ID 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log indicate drivers that are incompatible with HVCI and should be updated or removed before broad deployment.
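The verification step above, scripted for a fleet check as an added example (not ASD or Microsoft code): it reads the Win32_DeviceGuard WMI class to confirm HVCI is configured and running, reads the registry key the Intune CSP node writes to, and pulls Event ID 3065/3066 entries so incompatible drivers can be listed before a broad rollout. It assumes Windows 10/11 with PowerShell 5.1 or later in an elevated session.

```powershell
# Added example (not ASD or Microsoft code). Assumes Windows 10/11, PowerShell 5.1+,
# run elevated so the CodeIntegrity/Operational log is readable.

function Get-HvciStatus {
    # Win32_DeviceGuard reports which VBS services are configured and running.
    # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # The HypervisorEnforcedCodeIntegrity CSP node is persisted under this key:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $policy = Get-ItemProperty -ErrorAction SilentlyContinue -Name Enabled `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
        PolicyEnabled  = $policy.Enabled
    }
}

function Get-HvciIncompatibleDrivers {
    param([int]$Days = 30)
    # Event IDs 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational flag drivers
    # that fail HVCI code-integrity requirements. Extract the driver path from the
    # message text; the exact message layout varies by build, so Driver may be $null.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $driver = $null
            if ($_.Message -match '(\\Device\\\S+\.sys|[A-Za-z]:\\\S+\.sys)') { $driver = $Matches[1] }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Driver      = $driver
                Summary     = ($_.Message -split "`n")[0]
            }
        } | Sort-Object TimeCreated -Descending
}

# Usage: summarise the device state, then list drivers that would block HVCI.
$status = Get-HvciStatus
$status | Format-List
if (-not $status.HvciRunning) { Write-Warning 'Memory integrity (HVCI) is not running on this device.' }
Get-HvciIncompatibleDrivers -Days 30 | Format-Table -AutoSize
```

Run it via Intune remediation or a remote session across the pilot ring and collect the Driver column; every distinct entry needs a vendor update or removal before the setting is enforced fleet-wide.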