Benchmarked: Do Windows 11’s Security Features Really Hobble Gaming Performance?

Microsoft is taking yet more backlash over its Windows 11 launch, as recent reports indicate that buyers of new pre-built systems could purportedly lose up to 28% of their gaming performance due to frame-rate-crushing security measures. That has gamers up in arms, so we did several rounds of testing in our labs with some of the best CPUs for gaming from Intel and AMD.

We found that the security mechanisms do reduce gaming performance, with the average impact on an 11th-gen Intel chip being in the 5% range (7% peak in one title). That may not seem like much to the untrained eye, but that’s roughly an Intel CPU generation’s worth of disappearing performance. We recorded a slightly smaller impact on AMD Ryzen systems, with a 4% average for a Ryzen 5000 chip (and an outlier 8% loss in one title). We also have tons of other gaming and desktop PC applications benchmarks, which you can see below.

The performance impact we measured wasn’t nearly as severe as we’ve seen reported by other outlets. Still, we don’t like to compromise, and taking a step back on gaming performance isn’t acceptable if you don’t need the added security — especially when this is an optional feature that OEMs can simply opt out of.

Luckily for enthusiasts, these security mechanisms won’t be enabled by default if you update your own system from Windows 10 to Windows 11, or if you do a clean install. However, Microsoft does suggest that OEMs enable these features on some new pre-built systems. After some digging, it’s clear that Microsoft explicitly does not recommend one of the security settings for gaming PCs, while the status of another remains unclear. Here’s the rundown.

What is VBS and HVCI?

The issue begins with Microsoft’s Virtualization-Based Security (VBS) feature, which enables an umbrella of different security services. This feature uses hardware virtualization to create a secure area in memory for use by other security features, like Trusted Platform Modules (TPM) and Hypervisor-Protected Code Integrity (HVCI). Think of VBS as a platform that enables other security features. As you’ll see below, both VBS and HVCI can result in reduced performance in gaming and many common PC applications.

Microsoft has suggested shipping Windows with VBS enabled by default on OEM systems that support the feature since Windows 10 version 1903 9D in October 2019. However, Microsoft has bulked up its security features in Windows 11 and now suggests that OEMs also enable HVCI by default on some systems. This feature adds additional protections for kernel memory allocations, thus improving malware resistance.

HVCI (commonly known as Memory Integrity) has a bigger performance impact than VBS, but Mode Based Execution Control (MBEC) steps in to reduce it. MBEC requires hardware support, and it is baked into all processors starting with 7th-gen Intel and AMD’s Zen 2. Without this feature, HVCI’s performance impact can be quite severe. MBEC basically blunts the blow on newer hardware, so you’ll see a smaller impact. Our tests imply that MBEC support reduces the impact of HVCI to nearly the same level as VBS alone.

The requirements for default HVCI enablement are simple from a CPU perspective: You’ll need an Intel 11th-gen, AMD Zen 2, or Qualcomm Snapdragon 8180 chip (or newer), a minimum of 8GB of RAM and 64GB of SSD storage, along with HVCI-compatible drivers. Microsoft acknowledges HVCI’s performance reduction, and OEMs can opt out of HVCI for certain types of machines:

“Some devices that are especially sensitive to performance (e.g. gaming PCs) may choose to ship with HVCI disabled. Given the impact to the overall device security, we recommend you thoroughly test these scenarios before doing so.” –Microsoft

We’re still digging up the details of whether or not OEMs can opt out of VBS enablement for gaming laptops and PCs, but MSI tells us that it doesn’t enable HVCI on its gaming systems. We’ll follow up with more information as we learn more.

You can do a quick check to see if VBS is enabled by checking the summary in your System Information pane. The “Virtualization Based Security” entry will tell you if the service is running. Head here for a deeper explanation of how to enable or disable VBS and HVCI.
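
The same check can be scripted, which is useful when you need to audit more than one machine. The PowerShell below is an added example, not part of the original article or Microsoft's tooling; it reads the Win32_DeviceGuard CIM class, and the numeric codes it decodes (status 2 = running, service 2 = HVCI, property 7 = MBEC/GMET) come from Microsoft's documentation for that class rather than from this page.

```powershell
# Added example: report VBS, HVCI (Memory Integrity) and MBEC state for this machine.
# Run in PowerShell on Windows 10/11. Property names are those of Win32_DeviceGuard.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled but not running' }
    2       { 'Running' }
    default { "Unknown ($_)" }
}

# In the SecurityServices* arrays, the value 2 denotes HVCI (Memory Integrity).
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

# AvailableSecurityProperties lists hardware capabilities; 7 = MBEC (Intel) / GMET (AMD).
$mbecAvailable  = $dg.AvailableSecurityProperties -contains 7

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    VBS             = $vbsText
    HvciConfigured  = $hvciConfigured
    HvciRunning     = $hvciRunning
    MbecAvailable   = $mbecAvailable
    # HVCI on a CPU without MBEC is the case the article describes as the costly one.
    HvciWithoutMbec = ($hvciRunning -and -not $mbecAvailable)
}
```

A machine where HvciConfigured is true but HvciRunning is false is worth a closer look, since that usually means a prerequisite such as a compatible driver set is not met.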

Also, be aware that we’re testing with CPUs that support MBEC, which seems to reduce the overall impact of HVCI. That means older chips will suffer more from this added level of protection than you’ll see below. 

Microsoft Windows 11 VBS and HVCI Impact on Intel and AMD Gaming (Geomean)

Baseline = VBS and HVCI Off | Core i7-11700K | Core i7-10700K | Ryzen 7 5800X | Ryzen 7 3800X
VBS                         | -4.9%          | -5%            | -4%           | -4.1%
HVCI                        | -5.6%          | -5.7%          | -3.3%         | -4.1%
