The problem:

One of my customers are experiencing some issues under Windows security on their Azure Ad joined Windows 22H2 machines. The memory integrity is off despite having the all the latest Security baselines from Intune.

For the users perspective its annoying and alarming to get a warning in the taskbar and this can lead to a unnecessary call to the support.

The solution:

As the security baselines do not include the setting needed to activate memory integrity we need to create a separate policy for this.

The setting we are after is called “Hypervisor Enforced Code Integrity” and can be found under Settings catalog. The category is: Virtualization Based Technology, and the setting we want to enable is “(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFi lock.“

Create a new policy as above and deploy it to your testmachine or a few pilot users and the problem should be resolved.

If the machine reports that “this setting is managed by your administrator” under Core isolations please reboot the machine as this change requires a reboot to be fully applied

Since this enhances security I strongly recommend enabling this.