Windows 11 & 10: Benchmarks for VBS performance loss including HVCI

Post a Comment

The system requirements of Windows 11, which have been significantly increased by Microsoft, are intended, in particular, to increase the security of the new operating system. In addition to the required TPM, this is also ensured by the virtualization-based security (VBS) integrated in Windows. UL Benchmarks sees performance losses, ComputerBase has measured it.

VBS from Windows 10 becomes an issue in Windows 11

Virtualization-based Security (VBS) is already integrated in Windows 10, but deactivated there by default. With Windows 11, Microsoft now officially wants to work with OEMs to ensure that VBS is activated ex works.

According to UL benchmarks, the developers behind 3DMark or PCMark, VBS is also active when Windows 11 is not installed as an update from Windows 10, but on an empty drive – and this would also affect many enthusiasts.

The editors have now checked this in the course of a comprehensive test of Windows 11. UL benchmarks statement is only applicable if all requirements for VBS are met on the system. Then VBS was still missing in Windows 10 and it remains with the update, but is activated when Windows 11 is reinstalled – at least in part. And what are the requirements and what is that part?

The requirements for active VBS

Microsoft’s own information on the prerequisites for activating VBS are once again contradicting: To one place is spoken of TPM 2.0 and active Secure Boot another TPM 2.0 is explicitly mentioned as optional and Secure Boot is not mentioned at all. Required are:

  • Active Secure Boot (in BIOS)
  • Active CPU virtualization (in BIOS: AMD AMD-V / SMV / Intel: VT-x)
  • Windows installation as UEFI, not Legacy (in BIOS)
  • No Windows driver should speak against it

VBS is not just VBS

In addition to the so-called “core isolation”, VBS also includes the function “memory integrity” (“Hypervisor-Protected Code Integrity” (HVCI)). If all requirements are met, only core isolation is active in Windows 11 during a new installation. HVCI still has to be activated manually in Windows 11, this is done via the Settings, data protection and security, Windows security, device security and there the point core isolation (core isolation). HVCI is only active after a restart. There is a reason for this: HVCI potentially costs performance.

  • Memory Integrity HVCI still has to be activated manually

    Memory Integrity HVCI still has to be activated manually

  • Image 1 of 2

    That “memory integrity” on CPUs that do not have Mode-based Execution Control (MBEC) support, even significantly cost performance, Microsoft has moved to explicitly mention CPUs that are officially compatible with Windows 11. VBS basically also works on older CPUs and Windows 11 can also be installed on them using the USB stick. It is possible that UL Benchmarks used VBS and VBS synonymously with additionally active HVCI in the press release. In any case, it is wrong that VBS is automatically activated with HVCI.

  • VBS can be used including memory integrity (secure boot on, CPU virtualization on, UEFI boot), but only the core isolation aspect is automatically active

    VBS can be used including memory integrity (secure boot on, CPU virtualization on, UEFI boot), but only the core isolation aspect is automatically active

  • Image 1 of 2

    Microsoft only plans to make VBS including HVCI the standard for OEMs from next year. Active Secure Boot, a basic requirement, has been required by Microsoft from OEMs since 2013.

    UL Benchmarks speaks of loss of performance due to VBS

    Even with the mentioned performance loss in its own benchmarks, UL Benchmarks remains vague, only speaks of performance drops observed in its own benchmarks on the basis of the current Insider Preview when VBS was active on the system. It therefore remains unclear whether the developers only focus on VBS with HVCI on CPUs without MBEC, on which Windows 11 can also be easily installed using the USB stick installation, or whether they generally see an issue.

    In our testing with pre-release builds of Windows 11, a feature called Virtualization-based Security (VBS) causes performance to drop. VBS is enabled by default after a clean install of Windows 11, but not when upgrading from Windows 10. This means the same system can get different benchmark scores depending on how Windows 11 was installed and whether VBS is enabled or not.

    UL benchmarks

    UL Benchmarks plans to equip its own benchmarks such as PCMark or 3DMark with a routine that recognizes whether VBS is active or inactive and informs the user about this.

    The editors will try to get to the bottom of the subject in the coming days. Feedback from the community is always welcome.

    Update 09/30/2021 10:38 p.m.

    The editors have created a few initial benchmarks on the topic. The test was carried out with Windows 11 Build 22463 (Insider Preview) on a Ryzen Threadripper 3970X with GeForce RTX 3080 Ti both with deactivated VBS and with activated VBS (core isolation and core isolation plus memory integrity (HVCI)). The GeForce 472.12 provided by Nvidia for the final build of Windows 11 was used as the driver. The Ryzen Threadripper 3000 supports MBEC, so, like all CPUs officially released by Microsoft for Windows 11, it should lose comparatively little performance when using HCVI.

    Nonetheless, when HVCI was added, there were sometimes significant differences in performance in the games and applications examined. The 3DMark Time Spy is clearly out of the ordinary with a 30 percent drop in performance (reproducible), in the games it is a maximum of six percent in the FPS – in the frame times it is a maximum of 8 percent. The behavior of 3DMark is likely to be the cause of the press release from UL Benchmarks.

    The PCMark from UL Benchmarks does not show such a penalty on the test system, but the performance in the multi-core render benchmark is reproducibly slightly behind.

    Application performance

      • Windows 10, VBS from

      • Windows 11, VBS from

      • Windows 11, VBS on

      • Windows 10, VBS including HVCI

      • Windows 11, VBS incl. HVCI

      Unit: points

      • Windows 10, VBS from

      • Windows 10, VBS including HVCI

      • Windows 11, VBS on

      • Windows 11, VBS from

      • Windows 11, VBS incl. HVCI

      Unit: points

      • Windows 10, VBS from

      • Windows 10, VBS including HVCI

      • Windows 11, VBS on

      • Windows 11, VBS from

      • Windows 11, VBS incl. HVCI

      Unit: seconds

      • Windows 10, VBS from

      • Windows 10, VBS including HVCI

      • Windows 11, VBS from

      • Windows 11, VBS on

      • Windows 11, VBS incl. HVCI

      Unit: points

    The performance of the fast NVMe SSD Seagate FireCuda 530 (test), which served as the system drive, is also not unimpressed by HVCI: The performance drops by around 15 percent with random access (4K) via a thread.

    VBS off VBS off Windows 11: VBS on Windows 11: VBS on Windows 11: VBS incl HVCI on Windows 11: VBS incl HVCI on

    Windows 10 also shows the same behavior, but the loss of performance when HCVI is switched on is not that great there.

    Windows 10: VBS on Windows 10: VBS on Windows 10: VBS incl HVCI on Windows 10: VBS incl HVCI on

    A tentative start

    The editors’ benchmarks on a computer that is anything but everyday, but available directly with Windows 11 on Thursday evening, is nothing more than a prelude to the VBS topic, which Microsoft is focusing more on in Windows 11, and its effects on the To explore performance in more detail. In addition to other benchmarks from the editorial team, benchmarks from the community can also contribute. Any benchmark is welcome. How VBS including HCVI can be activated under Windows 11 can be found in the article above.

    For players of a more theoretical nature

    VBS requires active Secure Boot and this is not mandatory for Windows 11, only OEMs have been obliged by Microsoft to do this ex works since 2013. Neither VBS nor the only optional HVCI (memory integrity) have to be used by private end users for operation. Nonetheless, the performance impact analysis is interesting.

    Thanks to community members cvzone for help with the setup – his advice has already flowed into the article above.

    Update 10/01/2021 2:20 p.m.

    The editors have added measurement results to the benchmarks with Windows 10, once without active VBS and once with active VBS including HVCI. The test system was the same. In this case, too, there are performance losses with activated memory integrity, the scenarios in which Windows 11 loses the most are the same in Windows 10.

    Measured values ​​from Windows 10 and Windows 11 directly compared, however, show something else: Windows 11 is somewhat slower in the applications on the Ryzen Threadripper 3970X with GeForce RTX 3080 Ti than under Windows 10, in the games there is a close exchange of blows in four of the six titles . In Mafia: Definitive Edition (-60 percent) and F1 2020 (-40 percent), however, the difference in performance in the 1 percent percentile frame times is glaring – something is still stuck with Windows 11 there. The result was reproducible, even after a fresh Windows 11 installation.

    ComputerBase will look at the performance of Windows 11 in more detail in the coming week, measurements on a Core i5 and a Ryzen 9 have not yet shown such serious behavior.

    Related Posts

    Post a Comment

    Subscribe Our Newsletter