Processors
Intel® Processors, Tools, and Utilities
14922 Discussions

HVCI and MBEC

HHH03
Beginner
8,587 Views
With Windows 11 around the corner, there’s a lot of talk about older CPU’s. Specifically virtualization security. MBEc support seems to be the main question, native support or emulation. Intel ark only indicates Xeon 2nd and 3rd generation Scaleable CPUS and some Xeon W’s having native support for it.
Is that the case or is it being called something else on other CPU versions or is it only included in Xeon Scaleable 2nd and 3rd and some Xeon X generations?
0 Kudos
6 Replies
IntelSupport
Community Manager
8,571 Views

Hello HHH03,


Thank you for posting your question on this Intel® Community.


Mode-based Execution Control (MBE) is an Intel® Virtualization Technology (Intel® VT-x) new feature. As you pointed out, it is natively supported on Intel® Xeon® Scalable, 2nd, and 3rd Gen Intel® Xeon® Scalable processors. 


To better assist you, could you please provide us with additional details about the CPU, or CPU families, you are currently using?


Wanner G.

Intel Customer Support Technician


0 Kudos
HHH03
Beginner
8,564 Views
I’m presently using a pair of Xeon E5-2687W V4’s. There’s a lot of discussion about MBEc in Windows HVCI security. I know my Xeons don’t have MBEc, they do have (Intel VT-x.)
I’m not sure how they would perform using Windows HVCI security mode. If you have insight on how they would perform using HVCI, it would be appreciated much.
Thanks HHH03
0 Kudos
IntelSupport
Community Manager
8,556 Views

Hello HHH03,


I will look into this request, and provide an update soon. 


In the meantime, what I can recommend is that you review the following documentation available from Microsoft* about HVCI on Windows* 10:


Enable virtualization-based protection of code integrity

https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity


Wanner G.

Intel Customer Support Technician


0 Kudos
Wanner_G_Intel
Moderator
8,039 Views

Hello HHH03,


Please find below an update to your thread. 


The performance overhead of HVCI is reduced when the processor supports MBEC. If HVCI is turned on, but the processor does not support MBEC, the result would be higher overload compared to processors that do support MBEC.


From an Intel CPU perspective, support for MBEC can be ascertained by checking if Bit 54 of MSR 48BH (IA32_VMX_PROCBASED_CTLS2) is set. This is described in detail in Intel Software Developer Manual Volume 3C Section 23.6.2 & Appendix A.3.3. SDM is at: http://www.intel.com/sdm


From a Windows perspective, when HVCI is enabled and the system is rebooted, msinfo32.exe output will list "Mode-based Execution Control" in the "Virtualization-based Security Available Security Properties" line. Alternate methods to query this information is described in the Microsoft article https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity 


On the server processor side, Xeon Broadwell generation processors do not support MBEC. Skylake generation processors introduced support for MBEC.


We hope you find this information helpful. 


Wanner G.

Intel Customer Support Technician


0 Kudos
Wanner_G_Intel
Moderator
7,859 Views

Hello HHH03,


Were you able to review the information I shared on my previous post. 


If you need any further assistance, please let me know. 


Wanner G.

Intel Customer Support Technician


0 Kudos
Wanner_G_Intel
Moderator
7,707 Views

Hello HHH03,


Since I have not heard back from you, I will proceed to close this thread.


I hope you found the information we shared helpful. 


Wanner G.

Intel Customer Support Technician


0 Kudos
Reply