Hardware compatibility for Windows Server 2016 Virtualization-based protection of Code Integrity and Shielded VM Guarded Host

Overview

Windows Server 2016 introduces a new Virtualization-based code protection to help protect physical and virtual machines from attacks that modify system code. To achieve this high protection level, Microsoft works in tandem with computer hardware manufacturers (OEMs) to prevent malicious writes into executable system code. This protection can be applied to any system and is used as one of the building blocks for implementing Hyper-V host health in the Shielded VM scenario.

As with any hardware-based protection, some systems might not be compliant due to issues such as memory pages being incorrectly marked as executable, or code actually being modified at runtime. Either may result in unexpected failures, including data loss or a blue screen error (also called a stop error).

To be compatible with and fully support the new security feature on Windows Server 2016, OEMs need to implement the Memory Address Table defined in UEFI 2.6, which was published in January 2016. Adoption of the new UEFI standard takes time; in the meantime, to help customers avoid issues, we are providing information about the systems and configurations with which we have tested this feature set, as well as systems that we know to be non-compatible.

Non-Compatible systems

The following configurations are known to be non-compatible with the Virtualization-based protection of code integrity and cannot be used as a host for Shielded VMs:

  • Dell PowerEdge Servers running PERC H330 RAID Controllers

Compatible systems

These are the systems that we and our partners have been testing in our environment. Please verify that the system works as expected in your own environment:

  • Virtual Machines – You can enable Virtualization-based protection of code integrity on virtual machines running on a Windows Server Hyper-V host.
  • More to be added
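As an added example (not part of the original article or a Microsoft script), the following PowerShell check reads the Win32_DeviceGuard WMI class to confirm whether Virtualization-based security and HVCI are actually running on a host, and whether the firmware reports the "UEFI Code Readonly" property. It assumes an elevated PowerShell session on Windows Server 2016 and that UEFI Code Readonly is the firmware property most closely related to the UEFI 2.6 table the article mentions; the numeric codes are the ones documented for Win32_DeviceGuard.

```powershell
# Added example, not from the original article. Queries the Win32_DeviceGuard
# class (namespace root\Microsoft\Windows\DeviceGuard) and decodes the numeric
# codes it returns. Run from an elevated PowerShell session on the host.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

# Code tables as documented for Win32_DeviceGuard.
$propNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI Code Readonly'            # firmware runtime code marked read-only
    6 = 'SMM Security Mitigations 1.0'
    7 = 'Mode-based execution control'
}
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$vbsStatus    = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }

# Turn an array of numeric codes into a readable, comma-separated list.
function ConvertTo-Names([int[]]$codes, [hashtable]$table) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object {
        if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "unknown($_)" }
    }) -join ', '
}

'VBS status           : {0}' -f $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
'Available properties : {0}' -f (ConvertTo-Names $dg.AvailableSecurityProperties $propNames)
'Required properties  : {0}' -f (ConvertTo-Names $dg.RequiredSecurityProperties $propNames)
'Services configured  : {0}' -f (ConvertTo-Names $dg.SecurityServicesConfigured $serviceNames)
'Services running     : {0}' -f (ConvertTo-Names $dg.SecurityServicesRunning $serviceNames)

# Verdict: HVCI only protects code integrity when it is actually running (not
# merely configured), and the firmware should expose UEFI Code Readonly.
$hvciRunning = $dg.SecurityServicesRunning -contains 2
$uefiReadOnly = $dg.AvailableSecurityProperties -contains 5
if ($hvciRunning -and $uefiReadOnly) {
    'HVCI is running and the firmware reports UEFI Code Readonly.'
} elseif ($hvciRunning) {
    'HVCI is running, but the firmware does not report UEFI Code Readonly; test this platform carefully.'
} else {
    'HVCI is not running on this host.'
}
```

Compare the "Services configured" and "Services running" lines: a host that lists HVCI under configured but not under running has the policy set but is not enforcing it, which is the state to investigate before using it as a guarded host.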