Despite Microsoft's claims that "if you're a gamer, Windows 11 was made for you," you will need to watch out for future prebuilt PCs with the new OS factory installed. That's because the Big M is enabling more security features in PCs by default, and one in particular can seriously tank gaming performance.
In our testing, that can add up to as much as a 28% drop in average frame rates. And you thought the TPM 2.0 restrictions were a pain...
That sort of frame rate delta is like dropping down an entire tier of graphics card and, in these days where GPUs are so hard to come by, Microsoft gimping the performance of the chip in your new-build machine would surely be hard for gamers to stomach.
The issue is Virtualization-Based Security (VBS), a setting introduced into Windows 10 which uses hardware and software virtualisation to enhance the security of your system. It basically creates an isolated subsystem that helps prevent malware from screwing your PC.
Microsoft explains it as follows: "VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this 'virtual secure mode' to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections."
It's a feature mainly intended for enterprise customers to be able to lock down the corporate PCs they drop into their offices and make sure they don't get compromised.
And if you're upgrading from Windows 10 to Windows 11 then you don't have to worry about VBS being enabled, unless you were already running an enterprise version of the older OS, that is. The issue comes if you're receiving a machine which has had an OEM build of Windows 11 installed on it.
In a post from late August, the one which reintroduced the PC Health Check app for Windows 11 Insiders, Microsoft again talks up the enhanced security features of the new OS.
I expect you already know about the requirements for the Trusted Platform Module (TPM 2.0), but this post also talks about VBS, and the company's desire to match the Department of Defense and its demands for Virtualization-Based Security enabled as standard.
"While we are not requiring VBS when upgrading to Windows 11," explains the post, "we believe the security benefits it offers are so important that we wanted the minimum system requirements to ensure that every PC running Windows 11 can meet the same security the DoD relies on.
"In partnership with our OEM and silicon partners, we will be enabling VBS and HVCI on most new PCs over this next year. And we will continue to seek opportunities to expand VBS across more systems over time."
CPU: Intel Core i7 10700K
Motherboard: MSI MPG Z490 Gaming Carbon WiFi
Graphics card: Nvidia RTX 3060 Ti Founders Edition
Memory: 32GB Corsair Vengeance RGB Pro DDR4-3200
SSD: 1TB SK Hynix Gold P31
Cooler: Corsair H100i RGB Pro XT
Chassis: DimasTech Mini V2
OS: Windows 11 Build 22000.194
We've tested a selection of games on the current release build of Windows 11, with VBS off and VBS enabled (though not actually running) and the impact is obvious.
Far Cry New Dawn is the outlier here, which barely shrugs at VBS, with just a 5% reduction in frame rate. But Horizon Zero Dawn drops by some 25%, Metro Exodus by 24%, and Shadow of the Tomb Raider by 28%. Interestingly, the 3DMark Time Spy score only dropped by 10%.
Why is that interesting? Because it was actually UL who brought this issue to our attention. When it updated us about Windows 11 support being baked into its full benchmarking suite of products, it made note of this performance-damaging security feature. And that's when I started benchmarking.
"In our testing with pre-release builds of Windows 11," UL tells us, "a feature called Virtualization-based Security (VBS) causes performance to drop. VBS is enabled by default after a clean install of Windows 11, but not when upgrading from Windows 10. This means the same system can get different benchmark scores depending on how Windows 11 was installed and whether VBS is enabled or not.
"We plan to add VBS detection to our benchmarks in a future update to help you compare scores fairly."
Enabling VBS isn't having an impact on the actual speed of the hardware in the system, however. We've dug into what's happening over multiple benchmark runs of Metro Exodus, and neither the CPU nor the graphics card is slowing down. The average frequency of the GPU and CPU actually barely changes.
What we have noticed, however, is that the power draw has dropped for both processor and graphics card. But the reason for the performance drop is surely coming from somewhere else.
The thing to note, though, is that VBS is not enabled by default for all clean installs of Windows 11. I downloaded the latest ISO version of the OS in order to check VBS out on our test rig, but had to do some registry editing, and BIOS tweaking, in order to actually enable it. So, it's nothing to be concerned about if you're just grabbing a Windows 11 download for a fresh install yourself.
But Windows 11 PCs, built by the biggest OEMs, such as Dell, HP, and Lenovo, are looking likely to come with VBS as standard. What we're not clear about, however, is whether those companies' gaming brands will also have VBS enabled. Or whether system builders will be exempt and can continue to ship gaming PCs without VBS.
My instinct says that gaming-focused brands should be able to circumvent any Microsoft request to have VBS on by default, but these are interesting times… You can quickly check whether it is on or off yourself by hitting the 'Win' key and typing 'MSInfo32', then down at the bottom of the system report it will show whether VBS is enabled.
Though it might take some registry work to disable if you do discover it lurking there.
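A scripted equivalent of the MSInfo32 check described above, useful when you want the answer for more than one machine or in a log. This is an added example, not part of the original article: it reads the `Win32_DeviceGuard` CIM class that Windows exposes for VBS state, and the function name `Get-VbsState` is a hypothetical name chosen here.

```powershell
# Added example: report VBS / HVCI state on the local machine.
# Reads the Win32_DeviceGuard CIM class; Get-VbsState is a hypothetical name.
function Get-VbsState {
    [CmdletBinding()]
    param()

    # VirtualizationBasedSecurityStatus values for Win32_DeviceGuard.
    $vbsStatus = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }
    # Only the two service IDs relevant to this article are named here;
    # any other ID is reported by number rather than guessed at.
    $services = @{
        1 = 'Credential Guard'
        2 = 'HVCI (memory integrity)'
    }

    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                              -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ErrorAction Stop
    } catch {
        # The namespace/class is missing on systems without Device Guard support.
        Write-Warning "Win32_DeviceGuard is not available: $($_.Exception.Message)"
        return
    }

    # Turn an array of service IDs into readable names, skipping 0 ("none").
    $decode = {
        param($ids)
        $names = foreach ($id in @($ids)) {
            if ($null -eq $id -or $id -eq 0) { continue }
            if ($services.ContainsKey([int]$id)) { $services[[int]$id] } else { "Other ($id)" }
        }
        if ($names) { $names -join ', ' } else { 'None' }
    }

    $raw = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        VbsStatus          = if ($vbsStatus.ContainsKey($raw)) { $vbsStatus[$raw] } else { "Unknown ($raw)" }
        ServicesConfigured = & $decode $dg.SecurityServicesConfigured
        ServicesRunning    = & $decode $dg.SecurityServicesRunning
    }
}

Get-VbsState | Format-List
```

The `VbsStatus` field separates "enabled but not running" from "enabled and running", and `ServicesRunning` shows whether HVCI, the feature Microsoft names alongside VBS in the quote above, is actually active.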
We've reached out to Microsoft and certain OEMs for clarification about Windows 11 and VBS, and will update if we hear anything concrete from them. But one thing's for sure, this security feature is not making me feel secure about the gaming performance of tomorrow's PCs.