Quick fix: Memory Integrity (HVCI) doesn’t support per-driver exceptions — it’s all-or-nothing. If a single driver isn’t HVCI-compatible, your options are: replace the driver with a compatible version, remove the device, or disable HVCI globally. Microsoft’s HVCI Readiness Tool flags the offending driver so you can decide which to do.
You want Memory Integrity (HVCI) enabled for the security benefit, but one specific driver fails its compatibility check. Windows lets HVCI stay on but loads that driver in a degraded compatibility mode — or refuses to enable HVCI at all if the driver is critical. You want HVCI on for everything else and the one driver loaded normally.
Affects: Windows 11 with Memory Integrity in Core Isolation.
Fix time: 30 minutes.
What HVCI requires and why exceptions don’t exist
HVCI (Hypervisor-Protected Code Integrity) uses the hypervisor to enforce that all kernel-mode code is signed and that no kernel memory page is both writable and executable. The protection is a binary state: either every loaded driver passes verification, or HVCI is essentially defeated by the one that doesn’t. Per-driver exceptions would create a hole; Microsoft doesn’t expose them.
The choices are: get the driver to HVCI-compatibility (newer version, replace the device), remove the device entirely, or accept that HVCI must be off if you can’t live without that device.
Method 1: Run the HVCI Readiness Tool and identify the driver
- Download HVCI Compatibility Check Tool from Microsoft Docs (search “hvcirdytool”).
- Extract to a folder.
- Open an elevated Command Prompt in that folder.
- Run hvcirdytool.exe scan.
- Open the generated HTML report. Look at Incompatible drivers.
- Note the driver file name and publisher.
Method 2: Update or replace the offending driver
- Visit the manufacturer’s site for an updated driver explicitly mentioning HVCI compatibility (or Windows 11 22H2+).
- If no update exists, the driver may have been discontinued. Check if the device has a Microsoft-class driver alternative (Device Manager → the device → Update driver → Browse my computer → Let me pick).
- For old printers, scanners, capture cards: the Microsoft generic class driver is often HVCI-compatible where the vendor driver isn’t.
- For drivers without alternatives, uninstall the device (Device Manager → Uninstall device with “Delete driver software” checked) and forgo the feature.
- After updating/removing, re-run hvcirdytool to confirm no incompatible drivers remain.
Method 3: Accept HVCI off and run other Core Isolation features
If the incompatible driver is essential and can’t be replaced:
- Open Windows Security → Device security → Core isolation details.
- Leave Memory integrity off.
- Check other Core Isolation features: Credential Guard, Hypervisor-Protected Code Integrity exception list (the “Driver isolation” option in newer builds). Enable what your hardware supports.
- Use SmartScreen, Defender, and Tamper Protection to cover the gap HVCI would have filled.
How to verify the fix worked
- If HVCI is on: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning returns a list that includes 2, which means HVCI is active.
- hvcirdytool reports no incompatible drivers.
- The system boots and runs normally; the offending device works (if replaced) or is uninstalled (if removed).
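The one-liner above only shows what is running. The following added example (not part of the original article or any Microsoft tool) also compares it against what is configured, so a machine where Memory Integrity is switched on but not yet active is not mistaken for a protected one. The function name Get-HvciState and the sample objects are assumptions made for illustration; the property names and the service codes 1 to 4 are those of the Win32_DeviceGuard class.

```powershell
# Added example: interpret Win32_DeviceGuard for Memory Integrity (HVCI).
# Get-HvciState is a hypothetical helper name, not a built-in cmdlet.
function Get-HvciState {
    param(
        # Object carrying the Win32_DeviceGuard properties; queried live when omitted.
        [Parameter(ValueFromPipeline)] $DeviceGuard
    )
    process {
        if (-not $DeviceGuard) {
            $DeviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard `
                -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
        }
        # Service codes used by SecurityServicesConfigured / SecurityServicesRunning.
        $names = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)'
                    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
        $label = { param($ids) @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
                     if ($names.ContainsKey($_)) { $names[$_] } else { "Service $_" } }) }

        # Normalise to [int] so comparisons do not depend on the CIM UInt32 type.
        $configured = @($DeviceGuard.SecurityServicesConfigured | ForEach-Object { [int]$_ })
        $running    = @($DeviceGuard.SecurityServicesRunning    | ForEach-Object { [int]$_ })
        $vbs        = [int]$DeviceGuard.VirtualizationBasedSecurityStatus

        $verdict = if ($running -contains 2)        { 'HVCI is running' }
                   elseif ($configured -contains 2) { 'HVCI is configured but NOT running' }
                   else                             { 'HVCI is off' }

        [pscustomobject]@{
            VbsStatus  = @('Off', 'Enabled, not running', 'Running')[$vbs]
            Configured = (& $label $configured) -join ', '
            Running    = (& $label $running) -join ', '
            Verdict    = $verdict
        }
    }
}

# Constructed sample objects (not captured from a real machine) so this runs offline.
$samples = @(
    [pscustomobject]@{ VirtualizationBasedSecurityStatus = 2
                       SecurityServicesConfigured = @(1, 2); SecurityServicesRunning = @(1, 2) }
    [pscustomobject]@{ VirtualizationBasedSecurityStatus = 2
                       SecurityServicesConfigured = @(1, 2); SecurityServicesRunning = @(1) }
    [pscustomobject]@{ VirtualizationBasedSecurityStatus = 0
                       SecurityServicesConfigured = @(0);    SecurityServicesRunning = @(0) }
)
$samples | Get-HvciState | Format-List
```

Calling Get-HvciState with no input queries the local machine instead of the samples.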
If none of these work
If a system-critical driver fails HVCI and can’t be updated, that hardware doesn’t support HVCI — older laptops, certain virtualization-aware drivers, and pre-2018 motherboards are common. Replacing the hardware is the only path to HVCI. For users who really want HVCI but can’t replace hardware, consider running the Windows install in a VM where HVCI is enabled at the hypervisor level instead of at the guest OS level.
Bottom line: HVCI has no per-driver exceptions. Update/replace the bad driver, remove the device, or accept HVCI off. The Readiness Tool is the diagnostic; the choice is yours.