Detailed CPU and UEFI capability checks for virtualization #324

Open
verdy-p opened this issue Jul 2, 2021 · 10 comments
checks Check improvement or new check. PRO To be included in Enterprise Edition


verdy-p commented Jul 2, 2021

Please detail the CPU capabilities that are required or strongly suggested, notably for virtualization, at least for information, because they are not easy to find and check:

  • SLAT
  • support of large pages (more than 4KB, possibly more than 1MB)
  • 5-layers page translation (recent CPUs, still not used in Windows 10)
  • extended physical addressing space (more than 36 bits in 64-bit mode, and more than 48 bit of virtual space)
  • support of extended 64-bit pointers in small pages
  • Intel VT-x, Intel TXT (LT) : Microsoft dropped the Win10 support of TXT, keeping only VT-x for HVCI
  • Credential Guard
  • NX protection inside the UEFI preboot environment during measurements in the UEFI firmware Windows pre-boot image (not just when the standard boot loader will be launched)
  • Driver Guard
  • HSTI (not clearly explained by Microsoft or manufacturers, never exposed to final customers by hardware sellers)
  • MOR (not clearly explained by Microsoft or manufacturers, never exposed to final customers by hardware sellers)
  • SMM mitigation (not clearly explained by Microsoft or manufacturers, never exposed to final customers by hardware sellers)
  • MDAG (part of Windows Defender) has lower requirements than HVCI which requires full virtualization
  • DDA requirements for drivers (dynamic assignment of PCI resources, enforcing the use of the IOMMU to allow devices to be virtualized and remapped with separate isolated instances and enforce DMA protection). On Intel, this is called "VT-d" and must be enabled in UEFI BIOS settings (using secure boot, or UEFI boot mode, with CSM/legacy boot mode disabled, is not enough).
  • As well as other mitigations proposed by CPU makers in their supported microfirmware (since the "bleeding attacks", there are more and more side channels discovered, some are patchable, some require disabling some CPU features with some impact on performance, but this should not block running Windows, given today's performance of most PCs that pass most of their time waiting with several cores left idle in low power mode and waking up rapidly)
  • Mitigations proposed for other devices (notably bus adapters and bridges, or inside the loadable firmware of many microcontrollers for system management, including power management and external memory caches, DMA and interrupt controllers)

A PowerShell script by Microsoft does all these checks (and a few more) in a convenient command line tool:

https://docs.microsoft.com/fr-fr/windows/security/identity-protection/credential-guard/dg-readiness-tool

This tool (initially made in its version 3.6 for Windows 10) has very recently been updated on June 1 with a new version with additional compliance checks, and methods to check the capabilities, or to attempt to enable them in Windows and in the UEFI environment.

We can expect this tool to be updated once again: Microsoft has created a lot of confusion with the Win11 announcements, and its self-contradicting documents that are silently modified after the fact (Microsoft Corp can blame Microsoft China for this nightmare, and I don't see how Microsoft will avoid delaying the release of Win11 or a severe revision of its announcements; customers around the world are already complaining about the lies or absence of preparation and information, and the breach of their support contract with Microsoft; even customers of the most recent costly Microsoft Surface tablets are not eligible for the upgrade with the current requirements).

Another tool from Sysinternals.com (now owned by Microsoft) can also help, notably "coreinfo.exe" which gives many capabilities of the CPU (but some virtualization capabilities are not detected if a hypervisor is already running, which forcibly hides and protects them, notably the hardware virtualization support of the native CPU: this is the case also when booting Windows in Secure mode; the only way is to try booting Windows in unsafe mode in the WinPE recovery environment; change UEFI settings, remove the safeboot mode, then reboot a few times while interrupting it in the middle with the reset button, this should force loading the recovery environment, where you can run the "coreinfo.exe" tool, from an external USB drive with the CMD console). You can also launch the WinPE environment by forcing your PC to boot in unsafe boot from a bootable USB drive containing any Windows installation ISO (don't install it, just open the command console in advanced options of the recovery menu)...

How was that possible? An internal Microsoft suicide to kill Windows or a secret strategy largely benefiting Chinese PC manufacturers?
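As an added example (not code from WhyNotWin11 and not the issue author's script), the following PowerShell maps the items in the list above that Windows itself exposes through CIM/WMI (VT-x/AMD-V, SLAT, firmware enablement, DMA protection, MOR, UEFI NX, SMM mitigations, HVCI and Credential Guard) to the `Win32_Processor` and `Win32_DeviceGuard` classes, and reproduces the coreinfo caveat that a running hypervisor hides the CPU flags. The value-to-name tables are Microsoft's documented meanings for `Win32_DeviceGuard`; the function and variable names are assumptions of this example, and it assumes an elevated session on 64-bit Windows 10/11.

```powershell
# Added example: decode the virtualization/VBS readiness data Windows reports.
# Assumes elevated PowerShell on 64-bit Windows 10/11. Win32_DeviceGuard is
# absent on systems without VBS support, so it is treated as optional.

# Value meanings documented by Microsoft for Win32_DeviceGuard.
$AvailableSecurityProperty = @{
    1 = 'Hypervisor support (VT-x/AMD-V usable by VBS)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU, VT-d/AMD-Vi)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections (UEFI runtime/preboot)'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
$SecurityService = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
}
$VbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }

function Get-VirtualizationReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Caveat from the thread: once a hypervisor (Hyper-V, VBS) owns the CPU, the
    # VMX/SVM and SLAT flags are hidden from the guest and read back as $false,
    # exactly as coreinfo.exe shows. Report that instead of a misleading $false.
    $hvPresent = [bool]$cs.HypervisorPresent
    $hidden    = 'hidden by running hypervisor'

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Translate an array of numeric codes into names, keeping unknown codes visible.
    $decode = { param($codes, $map)
        @($codes | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "unknown($_)" } }) }

    [pscustomobject]@{
        Processor           = $cpu.Name
        HypervisorPresent   = $hvPresent
        VmxOrSvm            = if ($hvPresent) { $hidden } else { [bool]$cpu.VMMonitorModeExtensions }
        Slat                = if ($hvPresent) { $hidden } else { [bool]$cpu.SecondLevelAddressTranslationExtensions }
        FirmwareVirtEnabled = if ($hvPresent) { $hidden } else { [bool]$cpu.VirtualizationFirmwareEnabled }
        VbsStatus           = if ($dg) { $VbsState[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'Win32_DeviceGuard not present' }
        PlatformFeatures    = if ($dg) { & $decode $dg.AvailableSecurityProperties $AvailableSecurityProperty } else { @() }
        RequiredFeatures    = if ($dg) { & $decode $dg.RequiredSecurityProperties  $AvailableSecurityProperty } else { @() }
        ServicesRunning     = if ($dg) { & $decode $dg.SecurityServicesRunning     $SecurityService } else { @() }
        ServicesConfigured  = if ($dg) { & $decode $dg.SecurityServicesConfigured  $SecurityService } else { @() }
        # 0 = off, 1 = audit, 2 = enforced (CodeIntegrityPolicyEnforcementStatus).
        HvciEnforcement     = if ($dg) { @('off', 'audit', 'enforced')[[int]$dg.CodeIntegrityPolicyEnforcementStatus] } else { 'n/a' }
    }
}

$r = Get-VirtualizationReadiness
$r | Format-List

# Flag the gap the thread cares about: the platform can do VBS but it is not running,
# which usually means a UEFI setting (virtualization, VT-d) or the Memory Integrity toggle.
if ($r.PlatformFeatures -contains $AvailableSecurityProperty[1] -and $r.VbsStatus -ne 'running') {
    Write-Warning 'VBS is supported by this platform but not running; check UEFI virtualization/VT-d settings and Memory Integrity.'
}
if (@($r.RequiredFeatures | Where-Object { $_ -notin $r.PlatformFeatures }).Count -gt 0) {
    Write-Warning 'Properties required by the configured VBS policy are missing on this platform.'
}
```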

@rcmaehl rcmaehl self-assigned this Jul 2, 2021
@rcmaehl rcmaehl added the enhancement New feature or request label Jul 2, 2021
rcmaehl added a commit that referenced this issue Jul 2, 2021
To Do:
Add Option to Run #324
Add Theme Settings #314,
Add Accessibility Settings #313, #258
Add Language Selector #195
Allow importing languages
Add Translator Credit back in
micwoj92 added a commit to Qazy147/WhyNotWin11 that referenced this issue Jul 2, 2021

ghost commented Jul 4, 2021

Probably requires a separate screen for advanced users.

@rcmaehl rcmaehl added the checks Check improvement or new check. label Jul 6, 2021

jesseinsf commented Aug 12, 2021

No need to display a detailed check as many people will not understand a word you are saying. Just have the word "Virtualization" added to the list. The detailed check should be done like everything else in the list (in the background). And in the description, it should just have the name of the BIOS feature which is enabled.
Example: Intel Virtualization Technology and Intel VT-d/VT-x enabled.

@jgstew

This comment has been minimized.


rcmaehl commented Aug 12, 2021

I would also add that DirectX 12 is either not required when running Win11 in HyperV or it is not being detected correctly. WhyNotWin11 says I'm not compatible due to DirectX 12 yet I'm actually running Win11 Insider.

Insider is a LOT less strict about requirements. Additionally, if dxdiag errors out or it's not reported correctly in the first place then this can occur. #58 should fix this

@JohnLGalt

Insider is a LOT less strict about requirements. Additionally, if dxdiag errors out or it's not reported correctly in the first place then this can occur. #58 should fix this

Exactly. I wish more people realized that.


jgstew commented Aug 13, 2021

My point was less about Insider, more about Hyper-V likely having lesser requirements for running Win11.

@JohnLGalt

I think you have to realize that you cannot really say that right now because the only builds we have are Insiders, which have lower requirements all around, so that could be why the requirements seem lower in Hyper-V, VBox, VMWare and other hypervisors.


verdy-p commented Aug 15, 2021

Virtualization is almost required in Windows 11 now for many features (even if you don't want to install a guest OS in a VM using the Hyper-V host manager). It is used now for security (VBS, HVCI, MDAG...), or for containers, or for LXSS (which now allows installing any Linux environment with a Microsoft-provided kernel using paravirtualization to use full integration within Windows, but within the context of the currently connected Windows user; distributions are now available in the Microsoft Store); it is used as well for development (e.g. in Visual Studio, to install an Android emulator, and soon it will be used for running Android apps directly within Windows). The Hyper-V core can also be used to install containers (including Docker); it is also used now inside several graphics accelerators; it is used as well for deploying remotely-administered applications within a sandbox: Windows virtualizes itself.
Support for hardware virtualization is anyway needed even if you boot Windows 11 by disabling Hyper-V in EFI boot parameters, but prefer using another hypervisor running either as a service in Windows or in the context of a local Windows user only for his own VMs. Hyper-V also allows another secondary-level hypervisor to run on top of Windows itself in Hyper-V (secondary-level hypervisors however will not control the full hardware: this works for running VMware on top of Hyper-V, so that you don't need to disable Hyper-V, and many new other Windows services depending on it, to run a VM).
Very soon, Windows 11 will allow booting on something else than Hyper-V, and will be able to control this other "core" hypervisor: other hypervisors are already preparing themselves to offer the needed secure APIs via their "hyper-bus" using a common protocol. This will also be used by Microsoft to improve the hosting of Windows virtual servers inside Azure (which uses large farms of servers already running Linux-based hypervisors, instead of Hyper-V itself on bare metal).
Deep changes are being developed inside "HAL" and the Windows kernel so that Windows will be more independent of the hypervisor on which it runs. Maybe these new Windows HAL and kernels will not be available on PCs only licensed for Windows Home or Pro, only for those with Enterprise or Student or Server E3/E5 licences of Windows.
All modern OSes now want to use virtualization, preferably with hardware support (notably with multiple cores, the IOMMU, advanced APIC, support for large pages, extended addressing space, 5-level paging of memory, notably LA57 allowing new kinds of sandboxing, isolation, and better support of NUMA and stricter control of resource usage, notably against time-based attacks on memory caches, or on virtualized-I/O caches notably for networking, graphics and audio rendering or encoding, including for remote desktop via RDP, or for virtualized performance counters used by guest apps and services running in VMs or containers).

@TheDarkerPhantom

Virtualization is almost required in Windows 11 now for many features (even if you don't want to install a guest OS in a VM using the Hyper-V host manager). It is used now for security (VBS, HVCI, MDAG...), or for containers, or for LXSS (which now allows installing any Linux environment with a Microsoft-provided kernel using paravirtualization to use full integration within Windows, but within the context of the currently connected Windows user; distributions are now available in the Microsoft Store); it is used as well for development (e.g. in Visual Studio, to install an Android emulator, and soon it will be used for running Android apps directly within Windows). The Hyper-V core can also be used to install containers (including Docker); it is also used now inside several graphics accelerators; it is used as well for deploying remotely-administered applications within a sandbox: Windows virtualizes itself.
Support for hardware virtualization is anyway needed even if you boot Windows 11 by disabling Hyper-V in EFI boot parameters, but prefer using another hypervisor running either as a service in Windows or in the context of a local Windows user only for his own VMs. Hyper-V also allows another secondary-level hypervisor to run on top of Windows itself in Hyper-V (secondary-level hypervisors however will not control the full hardware: this works for running VMware on top of Hyper-V, so that you don't need to disable Hyper-V, and many new other Windows services depending on it, to run a VM).
Very soon, Windows 11 will allow booting on something else than Hyper-V, and will be able to control this other "core" hypervisor: other hypervisors are already preparing themselves to offer the needed secure APIs via their "hyper-bus" using a common protocol. This will also be used by Microsoft to improve the hosting of Windows virtual servers inside Azure (which uses large farms of servers already running Linux-based hypervisors, instead of Hyper-V itself on bare metal).
Deep changes are being developed inside "HAL" and the Windows kernel so that Windows will be more independent of the hypervisor on which it runs. Maybe these new Windows HAL and kernels will not be available on PCs only licensed for Windows Home or Pro, only for those with Enterprise or Student or Server E3/E5 licenses of Windows.
All modern OSes now want to use virtualization, preferably with hardware support (notably with multiple cores, the IOMMU, advanced APIC, support for large pages, extended addressing space, 5-level paging of memory, notably LA57 allowing new kinds of sandboxing, isolation, and better support of NUMA and stricter control of resource usage, notably against time-based attacks on memory caches, or on virtualized-I/O caches notably for networking, graphics and audio rendering or encoding, including for remote desktop via RDP, or for virtualized performance counters used by guest apps and services running in VMs or containers).

Hardware Virtualization (VT-x or AMD-V) support absolutely is not required for Windows 11. However, any processor that is supported by Windows 11 has support for VT-x or AMD-V, so it does not matter. Most Windows 11 Home machines will never see VT-x enabled unless they install a hypervisor like VMWare or VirtualBox, since Home doesn't support Hyper-V.


verdy-p commented Sep 24, 2021

Microsoft has been clear that it wants hardware virtualization in Windows 11 for security, including HVCI (and VBS for the Enterprise version). And a processor or EFI BIOS that does not properly support it won't pass the qualification test. Microsoft made its selection of processors by only choosing those that have built-in support (but it's not the only requirement, because there are also requirements in the EFI BIOS, and in device drivers (notably graphics drivers that MUST be DCH-compatible; and note that even if the non-DCH driver is not used, or disabled, those drivers for now MUST also be completely uninstalled, i.e. completely removed from the DriverStore, otherwise HVCI will not work at boot, and Windows will complain about illegal DMA accesses made by attempts of Windows to load the driver at boot time, just to perform some PNP probe, even if that probe fails and the driver is instantly unloaded: this happens when these drivers are also signed and have a WHQL signature, including Intel drivers, or even if Windows has been instructed to not use these drivers, it still performs the device probing at boot during the PNP enumeration, and even if finally that device driver is not installed and not visible in the device manager, not even as a "hidden" device; IMHO this is a critical bug of the Windows kernel: PNP is not safe at all if the simple presence of a driver can force HVCI and VBS to be turned off).

That's why I wrote "hardware virtualization is ALMOST required" (capitalization added). Microsoft does not want to admit it publicly, but visibly its very restrictive list of criteria is based on this (at least) and there are probably other (untold) reasons (that Microsoft also does not want us to know: even their new version of the compatibility checker program REFUSES to give any reason and just sends us to their generic commercial page with basic requirements for Windows 11. All the rest is hidden and only available to its OEM partners. Users cannot get the truth, and their test simply does not even run at all, and pretends that the PC is not compatible, without giving any reason we could possibly fix!

@rcmaehl rcmaehl added PRO To be included in Enterprise Edition and removed enhancement New feature or request labels Nov 13, 2021