deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Coorected HVCI an virtualizacion as well as some information about the features of HVCI. #2704

Browse Source
This commit is contained in:
Jose Ortega 2019-03-23 04:02:02 -06:00
parent 3127c0947a
commit 6a63a791a0
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -24,6 +24,18 @@ Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
>[!NOTE]
>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
>[!TIP]
> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisors software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
## HVCI Features
* HVCI protects modification of the Code Flow Guard (CFG) bitmap.
* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
## How to turn on HVCI in Windows 10
To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
@ -279,6 +291,6 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.