Date: 2021-10-05

Microsoft is taking yet more backlash over its Windows 11 launch, as recent reports indicate that buyers of new pre-built systems could purportedly lose up to 28% of their gaming performance due to frame-rate-crushing security measures. That has gamers up in arms, so we did several rounds of testing in our labs with several of the best CPUs for gaming from Intel and AMD.

We found that the security mechanisms do reduce gaming performance, with the average impact on an 11th-gen Intel chip being in the 5% range (7% peak in one title). That may not seem like much to the untrained eye, but that's roughly an Intel CPU generation's worth of disappearing performance. We recorded a slightly smaller impact on AMD Ryzen systems, with a 4% average for a Ryzen 5000 chip (and an outlier 8% loss in one title). We also tested a range of desktop PC applications, which you can see below.

The performance impact we measured wasn't nearly as severe as we've seen reported by other outlets. Still, we don't like to compromise, and taking a step back on gaming performance isn't acceptable if you don't need the added security — especially when this is an optional feature that OEMs can simply opt out of.



Luckily for enthusiasts, these security mechanisms won't be enabled by default if you update your own system from Windows 10 to Windows 11, or if you do a clean install. Microsoft does, however, suggest that OEMs enable these features on some new pre-built systems. After some digging, it's clear that Microsoft explicitly does not recommend one of the security settings for gaming PCs, while the status of another remains unclear. Here's the rundown.

What is VBS and HVCI?

The issue begins with Microsoft's Virtualization-Based Security (VBS) feature, which enables an umbrella of different security services. This feature uses hardware virtualization to create a secure area in memory for use by other security features, like Trusted Platform Modules (TPM) and Hypervisor-Protected Code Integrity (HVCI). Think of VBS as a platform that enables other security features. As you'll see below, both VBS and HVCI can result in reduced performance in gaming and many common PC applications.

Since Windows 10 version 1903 9D in October 2019, Microsoft has suggested that OEMs ship Windows with VBS enabled by default on systems that support the feature. However, Microsoft has bulked up its security features in Windows 11 and now suggests that OEMs also enable HVCI by default on some systems. This feature adds protections for kernel memory allocations, thus improving malware resistance.



HVCI (commonly known as Memory Integrity) has a bigger performance impact than VBS, but Mode Based Execution Control (MBEC) steps in to reduce it. MBEC requires hardware support, and it is baked into all processors starting with 7th-gen Intel and AMD's Zen 2. Without this feature, HVCI's performance impact can be quite severe. MBEC basically blunts the blow on newer hardware, so you'll see a smaller impact. Our tests imply that MBEC support reduces the impact of HVCI to nearly the same level as VBS alone.

The requirements for default HVCI enablement are simple from a CPU perspective; you'll need an Intel 11th-gen, AMD Zen 2, or Qualcomm Snapdragon 8180 chip (or newer), a minimum of 8GB of RAM and 64GB of SSD storage, along with HVCI-compatible drivers.



Microsoft acknowledges HVCI's performance reduction, and OEMs can opt out of HVCI for certain types of machines:

"Some devices that are especially sensitive to performance (e.g. gaming PCs) may choose to ship with HVCI disabled. Given the impact to the overall device security, we recommend you thoroughly test these scenarios before doing so." - Microsoft.

We're still digging up the details of whether or not OEMs can opt out of VBS enablement for gaming laptops and PCs, but MSI tells us that it doesn't enable HVCI on its gaming systems. We'll follow up with more information as we learn more.



You can do a quick check to see if VBS is enabled by checking the summary in your System Information pane. The "Virtualization Based Security" entry will tell you if the service is running.

Also, be aware that we're testing with CPUs that support MBEC, which seems to reduce the overall impact of HVCI. That means older chips will suffer more from this added level of protection than you'll see below.
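The same check can be scripted, which is useful when auditing more than one machine. The following is an added example, not part of the original article: it reads the Win32_DeviceGuard CIM class that Windows exposes and reports whether VBS is running, whether HVCI is among the running services, and whether the CPU advertises MBEC. The helper name Resolve-ServiceNames and the output field names are chosen for this example.

```powershell
# Added example: read VBS / HVCI state from the Device Guard CIM class.
# Run in Windows PowerShell or PowerShell 7 on the machine being checked.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Value maps as documented by Microsoft for Win32_DeviceGuard.
$vbsStatus = @{
    0 = 'Not enabled'
    1 = 'Enabled but not running'
    2 = 'Enabled and running'
}
$services = @{
    1 = 'Credential Guard'
    2 = 'HVCI (Memory Integrity)'
}

# Hypothetical helper for this example: turn service IDs into names.
function Resolve-ServiceNames {
    param([object[]]$Ids)
    # 0 means "no services"; unknown IDs are reported numerically.
    $names = foreach ($id in $Ids) {
        $n = [int]$id
        if ($n -eq 0) { continue }
        if ($services.ContainsKey($n)) { $services[$n] } else { "Service $n" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = Resolve-ServiceNames $dg.SecurityServicesConfigured
    ServicesRunning    = Resolve-ServiceNames $dg.SecurityServicesRunning
    HvciRunning        = $dg.SecurityServicesRunning -contains 2
    # AvailableSecurityProperties value 7 = Mode Based Execution Control.
    MbecAvailable      = $dg.AvailableSecurityProperties -contains 7
}
```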

Microsoft Windows 11 VBS and HVCI Impact on Intel and AMD Gaming (Geomean)

| Baseline = VBS and HVCI Off | Core i7-11700K | Core i7-10700K | Ryzen 7 5800X | Ryzen 7 3800X |
|---|---|---|---|---|
| VBS | -4.9% | -5% | -4% | -4.1% |
| HVCI | -5.6% | -5.7% | -3.3% | -4.1% |

Here's a quick summary of the overall geometric mean of our gaming tests. We have far more in-depth testing and analysis below.

Windows 11: Security Impact on Intel Gaming Performance

You'll find more detailed test notes at the end of the article. We tested five different game titles, two of them with different APIs, with both the Core i7-11700K and i7-10700K. We then used those results to generate a geometric mean of gaming performance for the Intel and AMD platforms. As always, performance deltas vary by title, with some showing little impact from VBS/HVCI, while others suffer more. Be sure to check out the full tests for the breakdown.

We tested with Windows 11 Pro 23000.194 (the version Microsoft provided for review) and the Windows 11-compatible Nvidia 472.12 graphics driver. As always for CPU testing, we used an Nvidia GeForce RTX 3090 to minimize the graphics bottleneck. We also stuck with the 1920x1080 resolution, so be aware that the impact of VBS and HVCI will vary with higher resolutions and lesser graphics cards.

- VBS Off - Virtualization-Based Security (VBS) Disabled
- VBS On - Virtualization-Based Security (VBS) Enabled
- VBS On HVCI - Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) Enabled

With VBS enabled and running, the Core i7-11700K was 4.9% slower in the geometric mean of our test suite, while the i7-10700K was 5.7% slower. It's pretty easy to see that enabling VBS causes the newer 11700K to fall below its prior-gen counterpart, which definitely isn't encouraging.

Enabling HVCI results in a slight decline in performance below the 'VBS On' results, but performance will vary based on the game title tested. Also, even though we tested for it, Microsoft doesn't recommend enabling HVCI by default on the 10th-gen processors. The album below has the test results for all of our Intel gaming testing, and we also have a table that shows the percentage decrease in performance for both the Intel and AMD systems a bit further below.

Due to Intel's small gaming performance increase as it moved from its 10th-gen to 11th-gen chips, we had to separate the Core i7-11700K and 10700K slides - the two chips often overlap, and these charts can be confusing due to the similar chip naming and configurations.

We cycled through DX11, DX12 and Vulkan APIs where applicable to see if they impact performance with the security features. Vulkan was faster than DX12 in Red Dead Redemption 2 after enabling VBS. Red Dead Redemption 2 was 7.3% slower with DX12 and VBS, while Vulkan reduced that to 4.4%. We only tested one title with Vulkan, so this delta is likely due to the game engine rather than a specific Vulkan/VBS tendency.

Shadow of the Tomb Raider has been cited as suffering the most from VBS (to the tune of a whopping 28%), but our results were far more muted, with the biggest slowdown measuring -7.2% with DX12 on the Core i7-10700K. We also tested DX11 with both Core i7 chips, and almost all of the tests (see table below) suffered an average ~6% slowdown.

Grand Theft Auto V seems mostly immune to VBS, as it only lost roughly 1% of its performance after activating the feature.

Windows 11: Security Impact on AMD Gaming Performance

We recorded slightly smaller performance reductions with the AMD processors than we did with the Intel models, but the delta is so slight between the chips as to be inconsequential. You certainly shouldn't base an AMD vs Intel buying decision on a chip's ability to handle VBS/HVCI — at least for the last two generations.

Based on our geometric mean, the Ryzen 7 5800X was 4% slower after we enabled VBS. Compared to the 'VBS On' configuration, the HVCI result falls within the standard variance we expect in our benchmarks. That means we see no real noticeable difference between the 'VBS On' and 'VBS+HVCI' configurations.

The Ryzen 7 3800X is 4.1% slower after we turn on the security features. The 3800X also provides essentially the same level of performance with either the 'VBS On' or 'VBS+HVCI' configurations.

Unlike Intel's small jump from its 10th to 11th-gen chips, AMD's transition from Zen 2 to Zen 3 resulted in dramatically higher gaming performance. That means the impact of the Windows 11 security feature isn't enough to drop you a generation's worth of performance as we see with the Intel Core i7-11700K.

Three game titles (listed below) suffered less than a 2% performance reduction with VBS enabled on the Ryzen 7 5800X, while Project Cars 3 suffered the highest performance loss at 8.1%. Notably, Shadow of the Tomb Raider lost 4.3% with DX12 and 1.9% with DX11.

The Ryzen 7 3800X had a scattered showing, with an overall 4.1% slowdown that varies widely by title.

UL Benchmarks first issued a warning to the press about the VBS feature, so we included three of the company's benchmarks. The 3DMark tests show little variance, but the VRMark benchmark takes a 3% haircut with the 11700K, and loses 7.5% with the 10700K.

Overall VBS Impact on Gaming Performance for AMD and Intel

FPS With VBS Active

| Baseline = VBS Off | i7-11700K | i7-10700K | Ryzen 7 5800X | Ryzen 7 3800X |
|---|---|---|---|---|
| Shadow of the Tomb Raider - DX11 | -6.2% | -6.1% | -1.9% | -4.5% |
| Shadow of the Tomb Raider - DX12 | -6.1% | -7.2% | -4.3% | -3.7% |
| Project Cars 3 - DX11 | -5.7% | -6.4% | -8.1% | -0.8% |
| Far Cry 5 - DX11 | -4.6% | -4.9% | -1.1% | -6.4% |
| Grand Theft Auto V - DX11 | -0.9% | -1.1% | -1.6% | -0.1% |
| Red Dead Redemption 2 - DX12 | -7.3% | -5.4% | -5.6% | -8.6% |
| Red Dead Redemption 2 - Vulkan | -4.4% | -4.4% | -2.6% | -4.6% |

Here's a quick look at the differences we recorded in each title after we enabled VBS. Naturally, this could be a few percent slower with HVCI also active, but it varies drastically by title. Be aware that anything within a 2% delta can simply be chalked up to run-to-run variability.

Windows 11: Security Impact on Intel Desktop PC Application Performance

Microsoft Windows 11 VBS and HVCI Impact on Intel and AMD Application Benchmarks (Geomean)

| Baseline = VBS and HVCI Off | Core i7-11700K | Core i7-10700K | Ryzen 7 5800X | Ryzen 7 3800X |
|---|---|---|---|---|
| VBS Single/Multi-threaded | -0.4% / -0.6% | -2.2% / -4% | Even / -0.6% | -1% / -3.8% |
| HVCI Single/Multi-threaded | -0.4% / -0.6% | -2.4% / -4.1% | Even / -0.8% | -0.5% / -3.2% |

Of course, decreases in gaming performance will grab all of the attention, but the impact on desktop PC applications is arguably more important, as productivity-focused devices are the most likely to see these security features fully enabled by default. We'll provide a brief rundown here, but there are plenty of benchmarks to chew over below if you're looking for more fine-grained details of the impact in specific types of work.

The geometric mean of the most indicative desktop PC application benchmarks (listed in the chart) gives us a good overall measure of the impact to single- and multi-threaded performance.

Here we can see that the 11700K's single-threaded performance is largely unaffected by VBS/HVCI, while the Core i7-10700K loses 2.2%.

The Core i7-11700K takes a ~1% haircut in threaded work, while the 10700K loses a more appreciable 4%. However, this average value doesn't include all of the benchmarks below, so you should thumb through the album to see other differences.

We recorded a fairly large 14% reduction in the Corona benchmark for the 10700K in this series of tests, but that threaded workload isn't included in our geometric mean in the prior section. We also saw a ~5% loss in the threaded POV-Ray and Cinebench tests, along with a 6% loss in the Blender classroom render. We also see a big drop for both processors in UL Benchmark's PCMark 10 application startup test.

Overall, it's clear that the security features impact the 10700K far more than the 11700K in both single- and multi-threaded applications.

Windows 11: Security Impact on AMD Desktop PC Application Performance

Here we can see that the Ryzen 7 5800X's single-threaded performance is largely unaffected by VBS/HVCI, while the 3800X loses a mere 1%. That means the difference probably isn't noticeable in most single-threaded work.

The Ryzen 7 5800X takes a ~1% haircut in threaded work, while the 3800X takes a more noticeable 3.2% to 3.8% loss. Again, this average measurement doesn't include all of the benchmarks in the album below.

Wrapping Up

Microsoft's decision to leave millions of older systems off the Windows 11 upgrade list has earned plenty of criticism, and much of that decision hinged on the performance impact of these types of security features. As a byproduct of targeted hardware-level optimizations, like MBEC, newer chips can handle these types of security measures without as much of a performance loss.



However, our tests show that you will still see an impact in both gaming and application performance due to the heightened security, and that's even with the newer chips. Now, the performance hit we've seen surely isn't as profound as the ~25% numbers we've seen bandied about, but losing 5% of your gaming performance isn't acceptable if you don't need the added security. Especially when that represents a full CPU generation's worth of performance improvement.



Luckily, these measures aren't employed by default with clean installs or upgrades. Instead, they'll only be in effect with newer systems purchased directly from OEMs, and savvy users can simply switch the feature off with a minimum of fuss.

We know that HVCI is specifically not recommended for gaming machines, but we're still digging for more information on Microsoft's policy for VBS enablement. Our tests show that the impact of enabling HVCI is roughly the equivalent of simply enabling VBS, at least with newer processors. We'll update as we learn more.

