With Windows 11, Microsoft wants all consumer PCs to have the same enterprise-level security as business devices. If you have just bought a new machine or installed a new operating system, VBS may be enabled by default, and performance will suffer. However, you can turn it off at any time and end up with the same level of security as Windows 10, with better performance.
Windows 11 isn’t perfect, and critics have given Microsoft’s new operating system mixed reviews. However, if you’ve upgraded or are planning to do so, it’s worth noting that Windows 11 comes with enhanced security features, but at the expense of performance, even on relatively new hardware.
The culprit is a feature called Virtualization-Based Security (VBS), which was first introduced in Windows 10 as an optional security layer for enterprise PCs. VBS allows Windows 11 to use the hardware virtualization features of modern CPUs to create an isolated, secure region of memory and to host security features in it, for example Hypervisor-Enforced Code Integrity (HVCI).
VBS and HVCI prevent attackers from running malicious code alongside trusted applications and drivers on your system, because that code will fail code integrity checks. All of this sounds great on paper, but early testing showed that it affected performance in some cases, most notably in games, where performance dropped by up to 28% in some scenarios on certain AMD processors.
Users with first-generation Ryzen CPUs or 10th generation Intel CPUs and above will experience this performance degradation. For people using newer hardware, the overall performance impact is closer to 5%. Therefore, Microsoft recommends that OEMs enable VBS and HVCI by default on new PCs, while allowing them to be disabled by default on gaming PCs.
If you upgrade from Windows 10 to Windows 11, VBS will be turned off by default unless it was enabled before you started the upgrade process. However, it will be enabled on a new computer or when Windows is reinstalled on an existing device, so it’s worth exploring how to check if it’s on and disable it for extra performance.
First, open System Information. Under “System Summary”, check for a line that says “virtualization-based security”. If it says “not enabled”, you don’t need to do anything else. If it says “running”, read on.
On Windows 11, you can disable VBS in two ways. The first is to open “Settings” and click “Privacy & Security” in the left pane to see a list of security features, Windows permissions, and application permissions. Next, click “Windows Security” at the top, then click “Device Security” in the list that appears. Then click “Core Isolation Details”, which should be shown in color. This leaves you with a “memory integrity” switch; turn it off and restart your computer for the change to take effect.
The same can be done by searching for “Core Isolation” from the taskbar or from the Settings app’s search box, which will take you to the same place as above.
Another way to disable VBS is to use the registry editor. You can open it by searching for its name on the taskbar or by pressing Windows+R and typing regedit in the text box that pops up, then clicking OK to continue.
In the window that appears, there is an address bar that you can use to navigate directly to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard”. In the pane on the right, you should see a DWORD value called “EnableVirtualizationBasedSecurity”. Open it and set it to “0”. As with the first method, you need to restart your computer for the changes to take effect.
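To confirm what state a machine is actually in before and after either method, the following read-only PowerShell check can be run from an elevated prompt. It is an added example, not part of the original article: it reads the Win32_DeviceGuard CIM class (the source of the System Information line) and the registry value named above, and the function name Get-VbsState is hypothetical.

```powershell
# Added example: read-only audit of VBS / memory integrity state. It changes nothing.
function Get-VbsState {
    $statusNames  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

    # Runtime state: what the hypervisor is doing right now.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $status = [int]$dg.VirtualizationBasedSecurityStatus

    # Configured state: the DWORD the article edits in regedit (may be absent).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $reg = Get-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' `
                            -ErrorAction SilentlyContinue
    $configured = if ($null -eq $reg) { $null }
                  else { [int]$reg.EnableVirtualizationBasedSecurity }

    # Translate the numeric service ids into names; 0 means "none".
    $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } |
        ForEach-Object {
            if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] }
            else { "Service id $_" }
        })

    # Flag a mismatch between the configured value and the running state,
    # which is what you see between editing the setting and restarting.
    $note = 'Configured and running state agree.'
    if ($configured -eq 0 -and $status -eq 2) {
        $note = 'Registry says off but VBS is running: restart pending, or another setting keeps it on.'
    } elseif ($configured -eq 1 -and $status -eq 0) {
        $note = 'Registry says on but VBS is not running: restart pending, or virtualization is unavailable.'
    } elseif ($null -eq $configured) {
        $note = 'EnableVirtualizationBasedSecurity is not set; the running state comes from defaults.'
    }

    [pscustomobject]@{
        VbsStatus        = $statusNames[$status]
        ServicesRunning  = if ($running.Count) { $running -join ', ' } else { 'None' }
        RegistryValue    = if ($null -eq $configured) { 'Not set' } else { $configured }
        Note             = $note
    }
}

Get-VbsState | Format-List
```

Run it once before the change and again after the restart; a VbsStatus of "Running" after the restart means the setting did not take effect.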