With Windows 11, Microsoft has gone all out on the security front. Not only is TPM 2.0 a compulsory requirement, processors released before 2017 (roughly) are also unsupported on similar grounds. In fact, it has been discovered that some of the security features might be adversely affecting performance.
According to testing conducted by 3DMark, a feature called Virtualization-based Security (VBS) is causing a performance drop in the pre-release Windows 11 builds. The developer hasn’t detailed the magnitude of the problem, but you can be sure that it’s a high single-digit percentage. VBS is enabled by default when Windows 11 is installed directly from the ISO, but not when upgrading from an existing Windows 10 build.
Update: It turns out that core isolation is a part of VBS and is also available on Windows 10, where it is not detrimental to performance. HVCI is another part of VBS; it has to be enabled separately and manually, and it can adversely impact performance.
As a result, people with a clean install of Windows 11 will likely get higher benchmark scores than those upgrading from Windows 10 (depending on whether VBS is enabled). 3DMark is planning to add VBS detection to its benchmarking tools in a future update to rectify this.
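To see which case a given machine falls into, the following added example (not from 3DMark or Microsoft) reads the Win32_DeviceGuard CIM class and reports whether VBS is running and whether HVCI is configured or running. The function name Get-VbsState and the output property names are chosen here for illustration.

```powershell
# Added example: report VBS and HVCI (Memory integrity) state on this machine.
# Get-VbsState and its output property names are hypothetical, chosen for this example.
function Get-VbsState {
    [CmdletBinding()]
    param()

    # Meaning of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    $vbsStatusNames = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }
    # Service IDs used by SecurityServicesConfigured / SecurityServicesRunning
    $serviceNames = @{
        1 = 'Credential Guard'
        2 = 'HVCI (Memory integrity)'
    }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        # Older or stripped-down builds may not expose the class at all.
        Write-Warning "Win32_DeviceGuard is not available: $($_.Exception.Message)"
        return
    }

    # Translate a list of service IDs into readable names (0 means "none").
    $describe = {
        param($ids)
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] }
            else { "Service ID $_" }
        })
    }

    [pscustomobject]@{
        VbsStatus          = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $describe $dg.SecurityServicesConfigured
        ServicesRunning    = & $describe $dg.SecurityServicesRunning
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-VbsState | Format-List
```

Recording this output alongside a benchmark result makes scores from clean installs and upgraded systems comparable.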
Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this “virtual secure mode” to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.
One such example security solution is Hypervisor-Enforced Code Integrity (HVCI), commonly referred to as Memory integrity, which uses VBS to significantly strengthen code integrity policy enforcement. Kernel mode code integrity checks all kernel mode drivers and binaries before they’re started, and prevents unsigned drivers or system files from being loaded into system memory.
VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. With the increased protections offered by VBS, even if malware gains access to the OS kernel the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.
Source: Microsoft