Here's how you can disable VBS in Windows 11 for a performance boost

nanoguy

Why it matters: With Windows 11, Microsoft wants all consumer PCs to have the same enterprise-grade security as corporate machines. If you've just bought a machine or did a fresh install of the new operating system, chances are you have this new functionality enabled by default, and performance will suffer a bit as a result. However, you can always turn it off and end up with the same level of security you've had on Windows 10, but also better performance.

Windows 11 is anything but perfect, and reviewers have mixed feelings about Microsoft's new operating system. If you've already upgraded or are planning to do so, it's worth noting that Windows 11 comes with enhanced security features that come at the cost of performance, even on relatively new hardware.

The culprit is a feature called Virtualization-based Security (VBS), which was first introduced in Windows 10 as an optional layer of security for corporate PCs. VBS allows Windows 11 to use the hardware virtualization features present in modern CPUs to isolate a secure region of memory and host security features such as Hypervisor-Enforced Code Integrity (HVCI).

VBS and HVCI can prevent hackers from running malicious code on your system alongside trusted applications and drivers because that code would fail code integrity checks. All this sounds good on paper, but early testing has shown it can impact performance in certain scenarios, most notably gaming, by as much as 28 percent.

This sort of performance regression will mostly be experienced by users with 1st generation Ryzen CPUs or 10th generation Intel CPUs and older. For people with newer hardware, the performance impact is closer to five percent. Microsoft recommends OEMs enable VBS and HVCI by default on new PCs, but they're allowed to ship gaming PCs with the two features disabled.

If you've upgraded to Windows 11 from Windows 10, VBS will be off unless it was enabled before you started the upgrade process. However, it will be enabled on a new PC or after a fresh install on your existing device, so it's worth exploring how to check if it's on and how to disable it to gain that extra bit of performance.

First you need to open System Information. Under System Summary, check for a row that says "Virtualization-based security." If it says "Not Enabled," you don't need to do anything else. If it says "Running," read on.

There are two ways to disable VBS in Windows 11. The first is to open Settings and click on Privacy & Security on the left pane, where you'll be greeted by a list of security features, Windows permissions, and App permissions. Click on the top one that says "Windows Security," and then click on Device security from the list that appears after that. Then click on "Core isolation details," which should be colored. This leaves you with a toggle for "Memory Integrity." Turn it off, then restart your PC for the change to take effect.

The same can be achieved by searching for "Core isolation" from the Taskbar or the search box in the Settings app, which will take you to the same place described above.

Another method to disable VBS is to use the Registry Editor. You can open it by searching for its name from the Taskbar or by hitting Windows + R and entering regedit in the text box that will pop up -- click OK and you're ready to proceed.

On the window that appears, there's an address bar that you can use to navigate directly to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard." On the right pane you should see a DWORD value called "EnableVirtualizationBasedSecurity." Open that and set it to "0." As with the first method, you need to restart your PC for the change to take effect.
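To confirm the state before and after either method, the read-only PowerShell audit below reports both what is actually running and what the registry configures. It is an added example, not part of the original article, and it changes nothing on the system. The `Win32_DeviceGuard` CIM class, its status codes and the `HypervisorEnforcedCodeIntegrity` subkey are not mentioned in the article and are assumed here to follow Microsoft's documented Device Guard interfaces.

```powershell
# Added example: read-only audit of VBS / memory integrity state. Modifies nothing.
# The CIM query may need an elevated PowerShell session.

# Assumed status codes per Microsoft's Win32_DeviceGuard documentation.
$statusText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$serviceText = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

# Runtime state: the same information System Information shows.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Translate running service ids into names; 0 means "none".
$running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
    if ($serviceText.ContainsKey([int]$_)) { $serviceText[[int]$_] } else { "Service id $_" }
})

# Configured state: return $null when the value does not exist, so a missing
# value is reported as such instead of being mistaken for 0.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$vbsReg  = Get-DwordOrNull -Path $dgKey   -Name 'EnableVirtualizationBasedSecurity'
$hvciReg = Get-DwordOrNull -Path $hvciKey -Name 'Enabled'

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    VbsStatus         = $statusText[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesRunning   = if ($running) { $running -join ', ' } else { 'None' }
    VbsRegistryValue  = if ($null -eq $vbsReg)  { 'Not present' } else { $vbsReg }
    HvciRegistryValue = if ($null -eq $hvciReg) { 'Not present' } else { $hvciReg }
}
```

Comparing `VbsStatus` with the two registry columns shows whether the running state matches the configured one, including the case where the DWORD is absent.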


 
Heh, this sounds like the reason why they put such recent CPU requirements with W11.

If they're going to enable it by default, they should at least make it easier to turn off...
 

 
Another method to disable VBS is to use the Registry Editor
If VBS is anything but Vile BullShit, is there a registry key to downgrade Windows 11 to XP?
 
With each new version of Windows, there is more bloatware to remove, more stuff to fix, more crap to disable.
I wish MS would just release an OS that is just an OS. Not crap attached.

LTSC is nice, but it's harder to get for regular folks.
In Windows Pro, you can set Windows Update to postpone feature updates for a year without blocking security updates.
 
DRM infested OS. How long before M$ kills off this fix. TPM isn't for your benefit at all.

Could have waited another 6 months to polish this turd instead of releasing it half baked.
 
I just searched "core isolation". When I click the app it says "Page unavailable".
I looked in the registry and there is no "EnableVirtualizationBasedSecurity".
Is it because of the hardware?
Mainboard is MSI B450 TOMAHAWK MAX II with latest "Win11" compatible bios. Ryzen 5 5600G cpu.
Win 10 Home Clean install - No bypass required...
 
MS should have this disabled by default. 28 percent on older CPUs, 5 percent on newer hardware (though I'd bet it's closer to 28 percent or higher on a current-gen Celeron), is a huge performance impact.

Another reason W11 looks less appealing to me every new day. Who knows what else is there.

For me that is a bad abbreviation. For me VBS stands for Visual Basic Script. This had me wondering why someone would need to disable VBS.

When I saw the headline I thought, "Wait, so disabling VBScript support will speed up W11? Strange".
 
Is this not enabled by default in Windows 10? Only I see a Core Isolation entry in my settings which mentions 'Virtualization-based security' (and it's 'On')
 
I upgraded from Windows 10 and I have Virtualization-based security showing as "running" but under core isolation the memory integrity setting is set to "Off" and I don't have the DWORD in my registry.
 
Heh, this sounds like the reason why they put such recent CPU requirements with W11.

If they're going to enable it by default, they should at least make it easier to turn off...
That's not the reason. The reason the CPU requirements are what they are is because of TPM.
 
Performance is just half of the problem; core isolation may also block some device driver installations without any warnings at all, even though they are signed. I had this problem, it's really nasty.
 
Are you one of those people who managed to use Windows ME successfully?
I never had dealings with ME. It was also a time before I started paying attention to an OS before they came out. I was already on XP before knowing anything of ME.
 
I never had dealings with ME. It was also a time before I started paying attention to an OS before they came out. I was already on XP before knowing anything of ME.
I think my Dad bought an OEM prebuilt PC and it came with ME on it. It was absolutely disastrous and after the second rebuild I think I put Windows 2000 on for him.
 
Are you one of those people who managed to use Windows ME successfully?
Nobody successfully uses Windows ME. If you didn't have issues it's because you didn't use the features that were completely botched in the OS. Akin to saying "you managed to not step on any of the landmines". That doesn't mean the minefield was good.
 
Are you one of those people who managed to use Windows ME successfully?
I am. I only had 9 PCs in my firm at the time, and the disasters of things like System Restore were untouched. The biggest problem as I saw it was people trying to use ancient software with ME, even though MS made it clear that support for DOS mode was gone.

I had no love for ME, but in my opinion its biggest defect was the loose screws sitting in front of the monitor.
 
The biggest problem as I saw it was people trying to use ancient software with ME, even though MS made it clear that support for DOS mode was gone.
That would have been a deal breaker for me. I still spend a lot of time in the command line. During that time I was still booting to DOS for many things and manually loading Windows.
 