VBS, HVCI & isolation

Virtualization-based security features that protect credentials and kernel code.

This topic is marked expert.
Why it matters

Credential Guard and HVCI rely on the hypervisor to enforce memory integrity, going beyond what classic kernel patch protection can guarantee once an attacker is running in the kernel.

Mental model

The hypervisor enforces boundaries that the normal kernel cannot cross on its own: isolated Virtual Trust Levels (VTLs), a secure kernel running in the higher VTL, and code integrity policies applied to the normal kernel's executable pages.

How it works

  1. VBS uses the hypervisor to host secure-world components in an isolated VTL, outside the reach of the normal kernel.
  2. HVCI restricts which kernel pages may be executable, using hardware-enforced page permissions and a code integrity policy.
  3. These features trade compatibility (drivers that fail the policy) and some performance for stronger isolation.

Key terms

VBS
Virtualization-Based Security; hypervisor-enforced security features.
HVCI
Hypervisor-protected Code Integrity; restricts which kernel pages may be executable and only allows code that passes the integrity policy.

Credential Guard isolating secrets

LSA secrets can live in an isolated environment that stays protected even if malware is running in the normal kernel, because the normal kernel cannot read the isolated VTL's memory.
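The steps under "How it works" and the Credential Guard note above describe what VBS, HVCI and Credential Guard protect, but not how to confirm they are actually running on a given machine. The following PowerShell script is an added example, not code from the original page or from Microsoft, and it assumes an elevated session on Windows 10/11 and the documented value meanings of the Win32_DeviceGuard WMI class (the status codes and registry paths are those published by Microsoft; the report shape and function name are this example's own):

```powershell
# Added example (not from the original page): report whether VBS, HVCI and
# Credential Guard are configured and actually running on the local machine.
# Assumptions: elevated Windows 10/11 session; the status mappings below
# follow Microsoft's documented Win32_DeviceGuard class and registry values.

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Documented meanings of VirtualizationBasedSecurityStatus.
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    # Documented meanings of the SecurityServicesConfigured/Running entries.
    $services = @{
        1 = 'Credential Guard'
        2 = 'HVCI (memory integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }

    # Cast to [int]: the class returns UInt32 and a hashtable keyed by Int32
    # will not match a UInt32 lookup.
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] })

    # Policy side: the registry knobs that Group Policy / Intune write.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $vbsPolicy  = (Get-ItemProperty -Path $dgKey  -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $hvciPolicy = (Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue).Enabled
    # LsaCfgFlags: 0 = off, 1 = Credential Guard with UEFI lock, 2 = without lock.
    $lsaFlags   = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsStatus            = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = $configured -join ', '
        ServicesRunning      = $running -join ', '
        VbsPolicyEnabled     = ($vbsPolicy -eq 1)
        HvciPolicyEnabled    = ($hvciPolicy -eq 1)
        CredentialGuardFlags = $lsaFlags
        # The gap defenders care about: asked for by policy, but not started.
        ConfiguredNotRunning = @($dg.SecurityServicesConfigured |
            Where-Object { $_ -notin $dg.SecurityServicesRunning } |
            ForEach-Object { $services[[int]$_] }) -join ', '
    }
}

$report = Get-VbsReport
$report | Format-List

if ($report.ConfiguredNotRunning) {
    # Typical causes: VBS prerequisites missing (UEFI, Secure Boot, IOMMU,
    # virtualization extensions), a pending reboot, or an incompatible driver.
    Write-Warning "Configured but not running: $($report.ConfiguredNotRunning)"
}
```

Run it in an elevated prompt. A healthy host shows `VbsStatus = Running` with the same entries under `ServicesConfigured` and `ServicesRunning`; a non-empty `ConfiguredNotRunning` means policy asked for the protection but the platform could not start it, which is the state to alert on rather than trusting the policy setting alone. The same fields are visible in the System Summary of msinfo32 for a manual spot check.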

Common misconception

VBS requires hypervisor support, but it is not the same as "running a VM on your desktop": the hypervisor is used to partition the running OS into trust levels, not to host a separate guest. It is a security architecture, not a virtual machine.
