
HVCI and MBEC

HHH03
Beginner
2,456 Views
With Windows 11 around the corner, there’s a lot of talk about older CPUs. Specifically virtualization security. MBEC support seems to be the main question, native support or emulation. Intel ARK only indicates Xeon 2nd and 3rd generation Scalable CPUs and some Xeon W’s having native support for it.
Is that the case, or is it being called something else on other CPU versions, or is it only included in Xeon Scalable 2nd and 3rd and some Xeon X generations?
IntelSupport
Community Manager
2,440 Views

Hello HHH03,


Thank you for posting your question on this Intel® Community.


Mode-based Execution Control (MBE) is a new Intel® Virtualization Technology (Intel® VT-x) feature. As you pointed out, it is natively supported on Intel® Xeon® Scalable, 2nd, and 3rd Gen Intel® Xeon® Scalable processors.


To better assist you, could you please provide us with additional details about the CPU, or CPU families, you are currently using?


Wanner G.

Intel Customer Support Technician


HHH03
Beginner
2,433 Views
I’m presently using a pair of Xeon E5-2687W V4’s. There’s a lot of discussion about MBEC in Windows HVCI security. I know my Xeons don’t have MBEC; they do have Intel VT-x.
I’m not sure how they would perform using Windows HVCI security mode. If you have insight on how they would perform using HVCI, it would be much appreciated.
Thanks HHH03
IntelSupport
Community Manager
2,425 Views

Hello HHH03,


I will look into this request, and provide an update soon. 


In the meantime, what I can recommend is that you review the following documentation available from Microsoft* about HVCI on Windows* 10:


Enable virtualization-based protection of code integrity

https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualizati...


Wanner G.

Intel Customer Support Technician


Wanner_G_Intel
Moderator
1,908 Views

Hello HHH03,


Please find below an update to your thread. 


The performance overhead of HVCI is reduced when the processor supports MBEC. If HVCI is turned on, but the processor does not support MBEC, the result would be higher overload compared to processors that do support MBEC.


From an Intel CPU perspective, support for MBEC can be ascertained by checking if Bit 54 of MSR 48BH (IA32_VMX_PROCBASED_CTLS2) is set. This is described in detail in Intel Software Developer Manual Volume 3C Section 23.6.2 & Appendix A.3.3. SDM is at: http://www.intel.com/sdm


From a Windows perspective, when HVCI is enabled and the system is rebooted, msinfo32.exe output will list "Mode-based Execution Control" in the "Virtualization-based Security Available Security Properties" line. Alternate methods to query this information are described in the Microsoft article https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualizati...


On the server processor side, Xeon Broadwell generation processors do not support MBEC. Skylake generation processors introduced support for MBEC.


We hope you find this information helpful. 


Wanner G.

Intel Customer Support Technician
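
The MSR check described in the reply above, as an added example that is not part of the original post or any Intel tool. It assumes a bare-metal Linux host with the `msr` driver loaded and root access; the helper names and sample values are constructed for illustration.

```python
import os
import struct

IA32_VMX_PROCBASED_CTLS = 0x482    # primary processor-based VM-execution controls
IA32_VMX_PROCBASED_CTLS2 = 0x48B   # secondary controls ("MSR 48BH" in the post)

# In these capability MSRs, bits 63:32 report which controls may be set to 1,
# so control bit N is reported at MSR bit 32 + N.
ACTIVATE_SECONDARY_ALLOWED1 = 32 + 31   # bit 63 of MSR 482H
MBEC_ALLOWED1 = 32 + 22                 # bit 54 of MSR 48BH


def bit(value, n):
    """Return True if bit n of value is set."""
    return bool((value >> n) & 1)


def mbec_supported(procbased_ctls, procbased_ctls2):
    """Decode the two raw 64-bit MSR values into a yes/no MBEC answer."""
    # MSR 48BH only exists when the secondary controls can be activated.
    if not bit(procbased_ctls, ACTIVATE_SECONDARY_ALLOWED1):
        return False
    return bit(procbased_ctls2, MBEC_ALLOWED1)


def read_msr(index, cpu=0):
    """Read one MSR through the Linux msr driver (assumes root and 'modprobe msr')."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, index))[0]
    finally:
        os.close(fd)


# Constructed sample values, not readings from real hardware.
SAMPLE_CTLS = 1 << 63
SAMPLE_CTLS2_WITH_MBEC = (1 << 54) | (1 << 33)
SAMPLE_CTLS2_WITHOUT_MBEC = 1 << 33

if __name__ == "__main__":
    try:
        ctls = read_msr(IA32_VMX_PROCBASED_CTLS)
        has_ctls2 = bit(ctls, ACTIVATE_SECONDARY_ALLOWED1)
        ctls2 = read_msr(IA32_VMX_PROCBASED_CTLS2) if has_ctls2 else 0
        print("MBEC supported:", mbec_supported(ctls, ctls2))
    except OSError as exc:
        # No msr driver, no privilege, or the CPU exposes no VMX capability MSRs.
        print("Could not read VMX capability MSRs:", exc)
```

Inside a virtual machine the VMX capability MSRs reflect what the hypervisor exposes to the guest, so run the check on the physical host when the question is about the processor itself.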


Wanner_G_Intel
Moderator
1,728 Views

Hello HHH03,


Were you able to review the information I shared in my previous post?


If you need any further assistance, please let me know. 


Wanner G.

Intel Customer Support Technician


Wanner_G_Intel
Moderator
1,576 Views

Hello HHH03,


Since I have not heard back from you, I will proceed to close this thread.


I hope you found the information we shared helpful. 


Wanner G.

Intel Customer Support Technician

