One of Microsoft’s obsessions with its new version of Windows is security and the goal of a reliable computing environment, which matters in corporate and business settings where large amounts of sensitive and private data are handled. Specifically, it recommends that manufacturers and assemblers of new computers sell them with VBS activated by default, which prevents the execution of malicious code that poses as a trusted application or driver but fails the code integrity checks.
Any extra security is always good. The problem comes when that extra security turns into a considerable loss of CPU performance, especially if you use a first generation AMD Ryzen, the 1000 series, or an Intel Core 10 or earlier. With relatively modern hardware you can lose 5% of performance, but as we go further into the past we can see performance cuts of 28%.
Microsoft currently allows gaming PCs that ship with Windows 11 to be sold with VBS and HVCI disabled, but we may have bought a pre-built computer that was not originally designed for gaming and converted it for gaming, or simply upgraded from Windows 10.
What are VBS and HVCI?
In its simplest definition, what VBS does is use hardware virtualization capabilities to create a region within memory that is completely isolated from the rest of the system. In other words, it uses the same capabilities that allow us to run other operating systems through a hypervisor, not to run an entire system but to run certain functions of Windows 10 and later in that isolated environment.
One way to break security is through hardware drivers. Because they connect programs with the different physical components of the computer, many of them have a much higher level of privileges than a normal program, and a programmer with bad intentions can take advantage of this and pass malicious applications off as drivers.
To gain an additional level of security, Windows uses Hypervisor-Enforced Code Integrity, or HVCI, which relies on Virtualization-based Security, or VBS, to check whether the code is malicious or not. How? Well, in the same way that a bomb disposal expert can explode a bomb in a controlled environment, the same is done here: the malicious driver is executed in a separate environment that cannot affect the rest of the system. Another feature is using the memory environment of the TPM module to store key credentials for certain sensitive actions, such as those involving the user’s personal and banking data.
Of course, this means running an additional environment that takes processor resources we would want to have available for our applications. Let’s see below how to disable this feature of Windows 11 and regain the lost power.
How to know if VBS is enabled?
The first and most important thing is to know whether VBS is active in our installation of Windows 11, and here the answer depends on how the installation was done. If, for example, we have updated from a Windows 10 installation then VBS will be inactive, but if you have done an installation from scratch or it is a new device it will always be active, so we first have to find out whether this technology is active or not.
To do this, follow these steps:
- Type in the search box on the taskbar: system information. The system search should find a program with the same name that you will need to run.
- Without selecting anything, scroll down until you see the line that says virtualization-based security, there you will be able to know if VBS is enabled or not.
A hint: VBS requires a TPM 2.0 module (software or hardware) to work, so if you don’t have one then this feature cannot be activated. This is also a good way to check if your Windows 10 PC has a TPM module enabled and working.
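The same check can be scripted instead of read from System Information. The following is an added example, not part of the original tutorial: it reads the Win32_DeviceGuard WMI class and the registry value behind the "memory integrity" switch, and reports the state in readable form. The function name Get-VbsReport is hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added example: report VBS / HVCI state on Windows 10 or 11.
# Get-VbsReport is a hypothetical helper name, not a built-in cmdlet.

$vbsStatusNames = @{
    0 = 'Not enabled'
    1 = 'Enabled but not running'
    2 = 'Enabled and running'
}
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
}

function Get-VbsReport {
    # Device Guard WMI class that backs the "Virtualization-based security" lines
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Translate numeric service IDs into names; unknown IDs are kept as numbers
    $toNames = {
        param($ids)
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] }
            else { "Service $_" }
        })
    }

    # Registry value for memory integrity; absent if it was never configured
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciReg = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus          = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = (& $toNames $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning    = (& $toNames $dg.SecurityServicesRunning) -join ', '
        HvciRegistryValue  = if ($null -eq $hvciReg) { 'not set' } else { $hvciReg }
    }
}

Get-VbsReport | Format-List
```

A VbsStatus of "Enabled and running" with "Memory integrity (HVCI)" under ServicesRunning corresponds to the state the tutorial describes as active.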
How to disable VBS in Windows 11 on your PC
The first thing to keep in mind is that there are two ways to deactivate, or rather, to disable VBS in your Windows 11 installation. For the first one, follow these steps:
- In the Windows taskbar search type: kernel isolation. This will find the specific page of the system configuration that contains the setting.
- You just have to keep “memory integrity” disabled to keep VBS totally disabled. With this you will make your Intel or AMD CPU gain performance under Windows 11 in exchange for losing security. So we recommend it if you are going to do things like run a video game, render a scene with Blender or simply install a program whose decompression requires a great deal of processing.
Using the command prompt
The other option is to use the command prompt. To do this, follow these steps:
- Type cmd in the Windows taskbar search to find the command prompt, but do not run it as is. Instead, right-click on the search result and select run as administrator so that it runs with all permissions, since we will need them.
- Then write the following:
bcdedit /set hypervisorlaunchtype off
- With this, VBS will be deactivated immediately. In any case, both here and with the previous method, it is highly advisable to restart the computer for the changes to take effect on the system.
We hope that this tutorial has been useful and that your CPU recovers its lost performance after deactivating VBS, although if you work in an environment that requires data protection we do not recommend it. Putting your clients’ data at risk has criminal consequences in several countries, so if you are a professional in certain sectors, we recommend that you not carry out this operation because of what malicious programs could do.