Security is key to Windows 11—and also one of the reasons it’s breaking with the long-held tradition of legacy hardware support and basically dumping every PC made before 2017 overboard.
Why? The reasons appear to run the gamut from stability to security and performance. But just how much of a performance hit will you actually see from Windows 11’s security features? Depending on what generation of CPU you’re running, it can be fairly sizeable. Our tests likely reveal one of the reasons Microsoft won’t let older PCs run Windows 11.
Since we didn’t have final code for Windows 11, we did the next best thing by turning on a now-mandatory Windows 11 feature that’s been available in Windows 10 for some time: Virtualization Based Security. You can do this on many Windows 10 PC’s by hitting the Windows button, typing Device Security, and clicking on the Core Isolation option (if your hardware supports it). From there you can flip on Memory Integrity, which enables or disables VBS. The machine will need drivers that support VBS to be installed, and for the hardware virtualization of the CPU to be enabled in the BIOS. If you flip on Memory Integrity, Windows will check for driver compliance and let you know what drivers are preventing you from flipping it on.
VBS does have a performance cost—especially on older machines—so we wanted to specifically look for impacts on older hardware that doesn’t support Mode Based Execution Control, which is one of the key hardware elements.
For our testing, we used an older 5th-gen “Skylake” Core i7-6500U laptop, which we used to flip Memory Integrity on and off. Our first tests use the popular Geekbench 5 and Cinebench R20 benchmarks. Cinebench is a CPU-focused rendering test. Geekbench 5 largely is as well, but it tests more than than a dozen different areas of processor performance areas. Surprise! The results were surprisingly close with Memory Integrity on or off.
We expected Cinebench R20 results to remain largely static, but we thought Geekbench and its shotgun selection of tests would show the impact from turning on VBS. It didn’t. That’s fine though, because we did finally stumble upon something that clearly shows performance ticking down by turning on VBS: Principled Technologies WebXPRT 3. This is web-based browser benchmark is available for anyone to run for free. As you can clearly see from the results below, we saw a 7 percent to 15 percent decrease in WebXPRT 3 performance with VBS on, and it didn’t matter what browser we used—although we saw less of a performance hit with Firefox, which is based on a different rendering engine than Edge and and Chrome.
It’s not just in browsing that we see a performance hit on the 5th-gen Skylake chip. We also ran PCMark 10 Application’s test. It uses Microsoft Word, Excel, PowerPoint and Edge to run through scripted tasks. We’ve been having problems getting an overall score from PCMark 10 Apps recently, as it often fails during the Edge portion of the test. But as you can see, the 6th-gen Skylake chip also suffers from turning on VBS in the three popular Office apps. Running in the more secure mode costs as pretty penny, in fact, with PowerPoint seeing a 16.4 percent hit, Excel almost 11 percent, and Word seeing a 14 percent drop in performance. Although 15 percent doesn’t sound like a big hit, you do have to remember that we’re talking about a chip used in 2015-era laptops, which aren’t exactly snappy by today’s standards.
You’re probably wondering just how much of a difference it makes when you switch on VBS / Core Isolation / Memory Isolation on other generations of Intel and AMD CPUs. We opted not to run PCMark 10 Applications as that takes considerably more time, but we did test everything from Intel’s latest 11th-gen Tiger Lake architecture all the way back to 10th-, 8th-, 7th-, 6th-, and 4th-gen Core chips in WebXprt 3, plus AMD’s Ryzen 5800U processor.
Intel originally implemented Mode Based Execution Control in its 7th-gen Kaby Lake CPUs, while AMD offers the equivalent in Zen 2 (Ryzen 2000)-and-up cores. Although MBEC and its equivalent isn’t the required hardware component in VBS, it seems like a fairly big part of how VBS performs. You can see that in our results, where the performance impact is almost within the margin of error at 2-3 percent on 7th-gen chips and up. It gets far uglier on the 6th-gen Skylake CPU, and even more so on the even older 4th-gen CPU.
A 15 to 10 percent performance haircut for those older parts may seem insignificant, but it’s not quite that insignificant. Sure, the machines are still usable, but remember that those older laptops aren’t exactly zinging along today, as you can see from the raw WebXprt 3 scores below. Even in what we’d consider to be a lightweight, browser-based benchmark, a 6th-gen Core Core i7 Skylake laptop offers half the performance of a modern day 11th-gen Core i7 Tiger Lake laptop or Ryzen 5000 laptop. Those newer machines don’t seem slowed down by turning on VBS either.
Is the VBS performance hit on older laptops enough to take them from slow to plodding? That’s up to the individual user, but we can certainly see why Microsoft might have qualms about offering Windows 11 to a 2015-era PC at least.
The elephant in the room is obviously Intel’s 7th-gen Kaby Lake CPUs which, in our testing, basically aren’t slowed down any more than an 8th-gen Kaby Lake R lake laptop. If the 8th-gen Kaby Lake R gets to run Windows 11 and VBS, why not the 7th-gen Kaby Lake chips? That really isn’t clear to us, but we do know Microsoft has indicated driver support and system stability also matters here, not just performance. So there’s likely more to this story.
For now, if you’re on a 6th-gen or older laptop, you probably wouldn’t want to run Windows 11 and all its security features anyway.