"Whilst compiling and linking code, it analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe, locations. If that check fails at runtime, the Operating System closes the program"
I will evaluate this, e.g. performance impact and effectiveness against JOP/ROP attacks, when I'm free, and update this post then :-)
MJ0011, "Windows 10 Control Flow Guard Internals"