MBEC for Windows 11: Mode Based Execution Control Required in CPU

If you check Windows 11 compatibility using the Microsoft PC Health Check app, the WhyNotWin11 tool, etc., you may see that the CPU is reported as not suitable for Windows 11 because the processor doesn’t support MBEC.

MBEC for Windows 11

What is MBEC?

The full form of MBEC is Mode Based Execution Control. MBEC virtualization provides an extra layer of protection from malware attacks in a virtualized environment. It enables hypervisors to more reliably verify and enforce the integrity of kernel-level code. MBEC provides finer-grain control on execute permissions to help protect the integrity of system code from malicious changes. It provides additional refinement within the Extended Page Tables by turning the Execute Enable (X) permission bit into two options: XU for user pages, and XS for supervisor pages.

The CPU selects one or the other based on permission of the guest page and maintains an invariant for every page that does not allow it to be both writable and supervisor-executable at the same time. A benefit of this feature is that a hypervisor can more reliably verify and enforce the integrity of kernel-level code. The value of the XU/XS bits is delivered through the hypervisor, so hypervisor support is necessary.

MBEC for Windows 11 Support

Many users wonder why an Intel Gen 6 or 7 is not suitable for Windows 11, but an Intel Gen 8 is. Windows 11 requires a security feature (in addition to TPM 2.0) that only the current CPUs from Kaby Lake or AMD Zen 2 and higher can handle. On Intel it is called MBEC (Mode Based Execution Control), and it is part of HVCI (Hypervisor-Protected Code Integrity).

On AMD it is called GMET (AMD Guest-Mode Execute Trap for NPT), and on ARM it is called TTS2UXN (ARM Translation Table Stage 2 Unprivileged Execute-Never).

HVCI is known to most of us as Core isolation (the Memory integrity toggle). It can be enabled under Windows Security -> Device Security. It prevents malicious code from attacking “high-security processes”, as Microsoft describes it. If you have an up-to-date CPU, the MBEC security feature is activated as well. On an older CPU, MBEC is only emulated, which costs CPU performance, so the computer can become slower. With the hardware support in the new CPUs, a performance gain over the older processors is guaranteed.
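To see from the running system what the compatibility tools are reporting, the Device Guard status that the Core isolation page and msinfo32 rely on can be queried directly. This is an added example, not code from the article; the property codes follow the documented Win32_DeviceGuard class, and the function name Get-MbecStatus is my own.

```powershell
# Added example: report whether the CPU exposes MBEC to the hypervisor and
# whether HVCI (memory integrity) is actually running, via Win32_DeviceGuard.
function Get-MbecStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # AvailableSecurityProperties codes from the Win32_DeviceGuard documentation
    $propNames = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control (MBEC)'
    }
    # SecurityServicesRunning codes
    $svcNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

    # Cast to [int] so hashtable lookups match (uint32 keys would not)
    $available = @($dg.AvailableSecurityProperties |
        Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    $running   = @($dg.SecurityServicesRunning |
        Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })

    $vbsText = @('Not enabled', 'Enabled, not running', 'Running')
    [PSCustomObject]@{
        VbsStatus       = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProps  = $available | ForEach-Object {
            if ($propNames.ContainsKey($_)) { $propNames[$_] } else { "code $_" } }
        ServicesRunning = $running | ForEach-Object {
            if ($svcNames.ContainsKey($_)) { $svcNames[$_] } else { "code $_" } }
        MbecInHardware  = ($available -contains 7)   # what the Win11 checkers look for
        HvciRunning     = ($running -contains 2)
    }
}

$status = Get-MbecStatus
$status | Format-List

if ($status.HvciRunning -and -not $status.MbecInHardware) {
    Write-Warning 'HVCI is on but the CPU lacks MBEC: execution control is emulated, expect a performance cost.'
}
```

MbecInHardware is false on the Gen 6/7 and Zen 1 parts the article discusses even when HVCI itself runs, which is the emulated case.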

The Windows 11 Requirements Check Tool shows exactly what the problem with the CPU really is. The function itself has already been documented for Windows 10.

This also clarifies why an AMD Zen 1 or Intel Gen 6 or 7 is not suitable for Windows 11, although the performance of the CPUs is almost identical. But well, you can still install Windows 11 manually through the bypass trick, if you want.

Even if some motherboard manufacturers now activate TPM 2.0 and try to provide TPM for Windows 11 for the respective board in other ways, the MBEC function in the CPU is missing, and every tool will continue to complain.
