Windows 10 Isolated User Mode (IUM)

Windows 10 Isolated User Mode (IUM) is a virtualization-based security feature in Windows 10 that uses secure kernels to keep business data and processes separate from the underlying operating system (OS).

IUM, which made its debut in Windows 10, works directly with Windows 10's other virtualization-based security features, Credential Guard and Device Guard. Credential Guard and Device Guard both rely on IUM to keep data and applications safe. Credential Guard uses IUM to defend against pass the hash attacks, in which hackers steal a hashed key to gain access into a new authenticated session in the same network. IUM boosts Device Guard so that only administrators with trusted permissions can access and change the application control policy. This helps protect devices against attackers who infiltrate and download malicious apps.

Isolated User Mode processes

Windows 10 Isolated User Mode is designed to protect more sensitive data and processes than what a normal instance of Windows 10 would run. The Virtual Secure Mode (VSM) creates two modes: normal mode and secure mode. The secure mode is IUM. Each mode has its own memory capacity that holds the data. The data is assigned to either normal or secure mode by the Second Level Address Translation (SLAT) from the Hyper-V hypervisor. The SLAT divides the memory into Virtual Trust Levels, splitting the memory into normal or secure mode at boot time for the duration of the runtime, protecting all data that requires permissions in IUM.

Windows 10 IUM, VSM and Secure
Kernel and how they repel against

The IUM processes run on the same platform as the normal processes, but are separated by the hypervisor into a different memory store that is more secure. This means that any processes handled in IUM are restricted to users IT grants access to. It is not possible to attach anything to an IUM process, which means that attackers cannot add malware to code running in IUM.  Any IUM processes that are transferred to the normal mode are encrypted to defend against potential malware or compromised kernels.

How to enable Isolated User Mode

To enable IUM, enter "turn Windows Features on or off" in the Cortana search box, scroll to Isolated User Mode and click the box to enable it. The device will need to reboot when this happens, so save all user data first. Then go to the Group Policy Editor, and select Computer Configuration, Administrative Templates, System, Device Guard and double-click on Turn On Virtualization Based Security. Select Enabled, click OK, and perform a second reboot.

This was last updated in October 2017

Continue Reading About Windows 10 Isolated User Mode (IUM)

Dig Deeper on Desktop management