This page states that HVCI works on both Intel and AMD platforms; however, it also states that MBEC is required, which is not present on any AMD CPU ("HVCI works with [...] AMD. CPU new feature is required Mode based execution control (MBE) Virtualization.").
Does that mean that it uses the software emulation mentioned later (does it have an impact on performance?) or are there more magic CPU features on AMD that allow it to work? In this case, what would be the AMD equivalent to a 7th generation Intel Core CPU?
@sylveon, processor requirements are mentioned on this website.
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure
or
or
The official page says nothing about MBEC on AMD, the Tweet referred to on BleepingComputer was talking exclusively about Intel CPUs, and while TechRepublic says I should have it, Windows reports I don't on my Ryzen 2600X system. Those articles only contributed to the confusion further.

@sylveon Thank you for pointing this out and helping improve MS Docs. Please have a look at this link and let me know if it helps in any way. https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements.
So if I understand correctly, AMD CPUs do not have MBEC at all and to use HVCI on those machines the hypervisor emulation of it (Restricted User Mode) is used?
@sylveon As far as I know yes, that's correct. Coming back to your question on the equivalent of a 7th generation Intel Core CPU, it would be the AMD Ryzen 7 2700x from what I have researched.
Thanks, that's all that I wanted to know - might be good to point that out in the documentation though.
@syl
Upon your feedback, we have updated the content with relevant changes accordingly. Thanks.
Ryzen 3600:

```
Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

AvailableSecurityProperties : {1, 2, 3, 4, 5, 7}
CodeIntegrityPolicyEnforcementStatus : 0
InstanceIdentifier : UUID
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 0
PSComputerName :
```
Security property №7 is available. Does it mean that MBEC-like feature is supported on the latest generation of AMD CPUs?
List of properties provided by Microsoft is incomplete. This link sheds some light on 5 and 6, but nothing about 7.
The table here is more complete and 7 is indeed the presence of MBEC.
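
Added example, not part of the thread: a PowerShell snippet that decodes the `Win32_DeviceGuard` values shown above into names and flags the case discussed here, HVCI running on a CPU that does not report MBEC. The value meanings other than 7 are taken from Microsoft's documentation for the class, not from this thread, and the function and property names are illustrative.

```powershell
# Added example (not from the thread). Value meanings follow Microsoft's
# documentation for the Win32_DeviceGuard class; the thread itself only
# confirms that 7 means MBEC.
$propertyNames = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'MBEC/GMET'
    8 = 'APIC virtualization'
}
$serviceNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
$vbsStates    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function ConvertTo-DgName {
    # Map numeric codes to names; unknown codes are reported, not dropped.
    param([hashtable]$Map, [object[]]$Codes)
    foreach ($code in $Codes) {
        $key = [int]$code
        if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
    }
}

$dg = Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$available = @($dg.AvailableSecurityProperties)
$running   = @($dg.SecurityServicesRunning)
$hasMbec   = $available -contains 7   # hardware MBEC/GMET reported
$hvciOn    = $running -contains 2     # memory integrity actually running

[pscustomobject]@{
    VbsStatus       = (ConvertTo-DgName $vbsStates @($dg.VirtualizationBasedSecurityStatus))
    AvailableProps  = ((ConvertTo-DgName $propertyNames $available) -join ', ')
    ServicesRunning = ((ConvertTo-DgName $serviceNames $running) -join ', ')
    MbecAvailable   = $hasMbec
    HvciRunning     = $hvciOn
    # True when HVCI runs without hardware MBEC, the case the thread
    # describes as hypervisor emulation (Restricted User Mode).
    HvciWithoutMbec = ($hvciOn -and -not $hasMbec)
} | Format-List
```

On the Ryzen 3600 output above this reports MBEC as available and HVCI as not running, since `SecurityServicesRunning` is `{0}`.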
@sylveon, Interesting! I will benchmark it with and without HVCI to see if there is a substantial penalty.
Here is an output of DG readiness script:
```
> .\DG_Readiness_Tool_v3.6.ps1 -Capable
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Checking if the device is DG/CG Capable
====================== Step 1 Driver Compat ======================
Driver verifier already enabled
Verifying each module please wait ....
Completed scan. List of Compatible Modules can be found at C:\DGLogs\DeviceGuardCheckLog.txt
No Incompatible Drivers found
====================== Step 2 Secure boot present ======================
Secure Boot is present
====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 1
HSTI Blob size: 20
String: 01,00,00,00,01,00,00,00,14,00,00,00,00,00,00,00,BB,00,00,C0,
HSTIStatus: True
HSTI is absent
====================== Step 4 OS Architecture ======================
64 bit arch.....
====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
====================== Step 7 TPM version ======================
TPM 2.0 is present.
====================== Step 8 Secure MOR ======================
Secure MOR is available
====================== Step 9 NX Protector ======================
NX Protector is available
====================== Step 10 SMM Mitigation ======================
SMM Mitigation is absent
====================== End Check ======================
====================== Summary ======================
Device Guard / Credential Guard can be enabled on this machine.
The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:
HSTI is absent
SMM Mitigation is absent
To learn more about required hardware and software please visit: https://aka.ms/dgwhcr
```
On my AMD Ryzen 5 2600 (with enabled Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip) I got:
```
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Checking if the device is DG/CG Capable
====================== Step 1 Driver Compat ======================
HVCI is already enabled on this machine, driver compat list might not be complete.
Please disable HVCI and run the script again...
Driver verifier already enabled
====================== Step 2 Secure boot present ======================
Secure Boot is present
====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 0
String:
HSTIStatus: False
HSTI is absent
====================== Step 4 OS Architecture ======================
Unknown architecture
====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
====================== Step 7 TPM version ======================
TPM 2.0 is present.
====================== Step 8 Secure MOR ======================
Secure MOR is available
====================== Step 9 NX Protector ======================
NX Protector is available
====================== Step 10 SMM Mitigation ======================
SMM Mitigation is available
====================== End Check ======================
====================== Summary ======================
Machine is not Device Guard / Credential Guard compatible because of the following:
Unknown OS, OS Architecture failure..
HSTI is absent
To learn more about required hardware and software please visit: https://aka.ms/dgwhcr
```
@Reeced40 As far as I know yes, that's correct. Coming back to your question on the equivalent of a 7th generation Intel Core CPU, it would be the AMD Ryzen 7 2700x from what I have researched.
Where did you read that? Why isn't the Ryzen 7 2700 (without X) or the Ryzen 5 2600 enough?
Can someone help?
@RAJU2529
@e0i
@Reeced40
@beerisgood, your processor does not support Device Guard.
For more information and technical specifications, see the site below:
https://www.amd.com/en/products/cpu/amd-ryzen-5-2600
@RAJU2529 Yes, I found that, but not why the Ryzen 3600 series provides it.
Both the Ryzen 7 2700 and 7 2700X don't list Device Guard.
Not even the 7 3700X or 7 3800X
@beerisgood, adding new features or updating existing features depends upon AMD's decisions, so we can't comment. Write an email to the AMD support team and ask them to provide a list of AMD processors which support Device Guard.
@beerisgood, seems like it is a combination of a chipset, CPU and maybe what is enabled in the OEM's UEFI. Found this:
|CPU|Chipset|MBEC supported?|
|:-|:-|:-|
|3600|B450|Yes|
|3900X|X570|Yes|
|3200G|A320|No|
|3900X|B350|Yes|
|3700X|X570|Yes|
|3700X|X370|Yes|
@RAJU2529 , when you are saying "we can't comment", are you speaking for a MS team? I believe this issue is not about DG in general, but about mode-based execution control (aka MBEC) specifically.
FYI the reason 3200G is flagged as not supporting it here is because it's Zen+, chances are MBEC got added with Zen 2, hence why 3600 supports it but not 2700x, 2700 or 2600. (which are Zen+ CPUs)
@beerisgood, not for the MS team, it's for AMD design.
Just installed a 3700x in my PC, and I now see MBEC present too:
> @beerisgood, not for the MS team, it's for AMD design.

I guess you made the quote wrong. @asvc asked that question.
Ref. PR #6003 & PR #6008 -- both targeting the same file (and the same section) for a different type of update.
> Just installed a 3700x in my PC, and I now see MBEC present too:

Hey, nice config!
What motherboard have you installed?
Getting offtopic but https://ca.pcpartpicker.com/user/sylve0n/saved/WWHqkL