We have a default policy when HVCI is enabled. You can just merge in these drivers if you want, or even better, just create a corp-wide allow list based on audits and the PowerShell tools. You can actually use software KMCI as well if for some reason you don't want to use VBS.
Replying to @dwizzzleMSFT @SwiftOnSecurity
Any tips on how to parse this collection of words about HVCI? pic.twitter.com/fy8mi0m3J2
Replying to @wdormann @SwiftOnSecurity
Yeah, we need to fix that doc. Okay, so basically here is the deal: HVCI gives the secure kernel control over all executable pages for both kernel and user mode.
So what that means is, on older CPUs, when HVCI is enabled, every time a USER or KERNEL image gets loaded we have to VM Exit into the secure kernel to check against policy.
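A defender-side check, added here and not part of the thread, that reads the Win32_DeviceGuard class to show whether VBS/HVCI is running, whether the CPU reports MBEC (the optimization the thread discusses), and the kernel CI policy enforcement mode mentioned in the first reply; the numeric code meanings are taken from Microsoft's documentation for this class as I recall it and should be treated as assumptions to verify against the current docs.

```powershell
# Added example (not from the thread): inspect VBS/HVCI state and MBEC support.
# Code-to-name mappings follow the Win32_DeviceGuard documentation as I recall it;
# treat them as assumptions and confirm against the current documentation.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$availableNames = @{
    1 = 'No relevant properties'
    2 = 'Hypervisor support'
    3 = 'Secure Boot'
    4 = 'DMA protection'
    5 = 'Secure Memory Overwrite'
    6 = 'NX protections'
    7 = 'SMM mitigations'
    8 = 'Mode Based Execution Control (MBEC)'
}
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
}

$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'Off' } 1 { 'Enabled but not running' } 2 { 'Running' } default { "Unknown ($_)" }
}
"VBS status: $vbsStatus"
"Available security properties:"
# CIM returns UInt32 values; cast to [int] so the hashtable key lookup matches.
foreach ($p in $dg.AvailableSecurityProperties) { "  $p = $($availableNames[[int]$p])" }
"Security services running:"
foreach ($s in $dg.SecurityServicesRunning) { "  $s = $($serviceNames[[int]$s])" }
# Assumed mapping: 0 = off, 1 = audit mode, 2 = enforced.
"Kernel CI policy enforcement status: $($dg.CodeIntegrityPolicyEnforcementStatus) (0 off, 1 audit, 2 enforced)"

$hvciRunning   = $dg.SecurityServicesRunning -contains 2
$mbecAvailable = $dg.AvailableSecurityProperties -contains 8
if ($hvciRunning -and -not $mbecAvailable) {
    'HVCI is running without MBEC: image loads take the slower VM-exit path described in the thread.'
} elseif ($hvciRunning) {
    'HVCI is running and the CPU reports MBEC.'
} else {
    'HVCI is not running.'
}
```

Run it in an elevated PowerShell session on the machine being assessed; on a host without VBS support the property arrays may be empty.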
I missed this in the documentation at my last job and enabled HVCI on older PCs. It basically made Excel completely useless because of the performance hit. And to turn it off you have to physically touch the machine, it can't be scripted.
It would be interesting to see some real-world statistics for how HVCI affects performance. Both with a modern-enough CPU to support the performance enhancements that @dwizzzleMSFT mentioned, as well as with systems that aren't so lucky.
I didn't run any benchmarks, but I didn't see any noticeable performance difference on 7th Gen or later with HVCI on.
This is expected; you would only see smaller changes in specific benchmarks, which is why we should clarify the docs.
And just in case anyone is tempted to kick the wheels on HVCI, be aware that the 7th Generation Intel Core processors that support the optimization required to use it efficiently were released 3 years ago. If your computer isn't "new" or if you use VMware, you're probably SOL.
I don't know if I agree that it's required to use it "efficiently". MBEC is about getting you close to perf neutral. HVCI without MBEC still has light years less overhead than less effective protections like AV.
This is where I'd like to see some benchmarks I guess. Greg says on an older processor the machine became essentially unusable. I cannot test this myself as my work machine has VMware Workstation on it and so anything needing Hyper-V is out of the question. My home PC is too old.
If he could submit an issue from the feedback tool I'd be happy to look into it. We have had some issues with microcode firmware updates, so it would be good to look at. If overhead is user perceptible there is a problem we should look at, as that's unexpected even for older CPUs.
Although now that I look at what I just typed, saying that my home PC "is too old" already factors in the potentially-incorrect assumption that a CPU earlier than a 7th Generation Intel Core won't efficiently use HVCI. It's perhaps an excellent test case for testing the impact.