
CPU virtualization on home PCs, enable it or not on BIOS settings?

Joined
Oct 24, 2022
Messages
250 (0.31/day)
Correct me if I wrote something wrong...

I read on the Internet that "CPU virtualization is usually disabled by default because it protects computers from security risks and improves the overall performance of the PC".

As far as I know, many new software security technologies, such as Windows 11 VBS (Virtualization-based Security) and browsers' security features, need CPU virtualization to be enabled in the BIOS settings to work. Some virtual machines, such as Windows Sandbox, also need CPU virtualization enabled.

Now, with the new security features of new software requiring CPU virtualization enabled, wouldn't it be better to enable CPU virtualization before installing the operating system?

About Windows 11 VBS:
 
Joined
Feb 1, 2019
Messages
3,684 (1.70/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Windows 10 and 11 both have virtualisation security features, 10 even has VBS as well, it's just that 11 enables VBS by default.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
27,167 (3.83/day)
Location
Alabama
System Name RogueOne
Processor Xeon W9-3495x
Motherboard ASUS w790E Sage SE
Cooling SilverStone XE360-4677
Memory 128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 2TB WD SN850X | 2x 8TB GAMMIX S70
Display(s) 49" Philips Evnia OLED (49M2C8900)
Case Thermaltake Core P3 Pro Snow
Audio Device(s) Moondrop S8's on schitt Gunnr
Power Supply Seasonic Prime TX-1600
Mouse Razer Viper mini signature edition (mercury white)
Keyboard Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD Quest 3
Software Windows 11 Pro Workstation
Benchmark Scores I dont have time for that.
virtualization in BIOS and virtualized security settings are not the same thing. One uses the other.

I always enable hardware virtualization in the BIOS.

Though it should be noted for the most part, it is enabled by default on many systems now. In the past it may be available and disabled, and maybe even the CPU at the time couldn't do it. But we are really past that now. Modern processors support virtualization.

We aren't including some types like VT-D/x etc but for the sake of this conversation and consumer CPUs it holds.
 
Joined
Sep 10, 2020
Messages
60 (0.04/day)
For one PC for everything always enable. For business PC always enable. For max performance where virtualization (VM) and features based on virtualization (VBS, Sandbox (temporary VM), ...) not needed disable.

Before or after installation is not important. You can enable or disable it any time.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
42,970 (6.72/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
If not using it at all turn it off, no sense in using more resources.
 
Joined
Oct 24, 2022
Messages
250 (0.31/day)
Windows 10 and 11 both have virtualisation security features, 10 even has VBS as well, it's just that 11 enables VBS by default.

I know it. It's that VBS gained more importance and visibility with Windows 11.

For one PC for everything always enable. For business PC always enable. For max performance where virtualization (VM) and features based on virtualization (VBS, Sandbox (temporary VM), ...) not needed disable.

Before or after installation is not important. You can enable or disable it any time.

OK, for now. I think with Windows 12 CPU virtualization should be a requirement for OS install.
 

eidairaman1

I know it. It's that VBS gained more importance and visibility with Windows 11.



OK, for now. I think with Windows 12 CPU virtualization should be a requirement for OS install.
I disagree
 
Joined
Sep 27, 2008
Messages
1,210 (0.20/day)
There are security features that use virtualization, but virtualization also has its own vulnerabilities. I personally keep it on because it's vital for the emulators I use, not because I have any particular interest in VBS.
 

Mussels

Freshwater Moderator
Joined
Oct 6, 2004
Messages
58,413 (7.90/day)
Location
Oystralia
System Name Rainbow Sparkles (Power efficient, <350W gaming load)
Processor Ryzen R7 5800x3D (Undervolted, 4.45GHz all core)
Motherboard Asus x570-F (BIOS Modded)
Cooling Alphacool Apex UV - Alphacool Eisblock XPX Aurora + EK Quantum ARGB 3090 w/ active backplate
Memory 2x32GB DDR4 3600 Corsair Vengeance RGB @3866 C18-22-22-22-42 TRFC704 (1.4V Hynix MJR - SoC 1.15V)
Video Card(s) Galax RTX 3090 SG 24GB: Underclocked to 1700Mhz 0.750v (375W down to 250W))
Storage 2TB WD SN850 NVME + 1TB Sasmsung 970 Pro NVME + 1TB Intel 6000P NVME USB 3.2
Display(s) Phillips 32 32M1N5800A (4k144), LG 32" (4K60) | Gigabyte G32QC (2k165) | Phillips 328m6fjrmb (2K144)
Case Fractal Design R6
Audio Device(s) Logitech G560 | Corsair Void pro RGB |Blue Yeti mic
Power Supply Fractal Ion+ 2 860W (Platinum) (This thing is God-tier. Silent and TINY)
Mouse Logitech G Pro wireless + Steelseries Prisma XL
Keyboard Razer Huntsman TE ( Sexy white keycaps)
VR HMD Oculus Rift S + Quest 2
Software Windows 11 pro x64 (Yes, it's genuinely a good OS) OpenRGB - ditch the branded bloatware!
Benchmark Scores Nyooom.
Correct me if I wrote something wrong...

I read on the Internet that "CPU virtualization is usually disabled by default because it protects computers from security risks and improves the overall performance of the PC".

As far as I know, many new software security technologies, such as Windows 11 VBS (Virtualization-based Security) and browsers' security features, need CPU virtualization to be enabled in the BIOS settings to work. Some virtual machines, such as Windows Sandbox, also need CPU virtualization enabled.

Now, with the new security features of new software requiring CPU virtualization enabled, wouldn't it be better to enable CPU virtualization before installing the operating system?

About Windows 11 VBS:
Good question to ask, because it has a complex answer that varies depending on the PC in use.

Some security features rely on it, but it can also very slightly harm performance.
Microsoft have a guide to disabling the security features from running virtualization - so even if you want to run VMs, you don't need to have these features enabled.


In my experience:
AMD systems since AM4 support it but have it disabled by default in the BIOS.
Not all Intel CPUs supported it fully in the past. The support level varied strangely.

Going back to Intel's 4th gen because I'm familiar with it and it was easier to google: they all supported VT-x but only non-K i5s and i7s supported the superior VT-d
VT-d offers better virtualization performance by allowing the VMs to get direct I/O access to the host machine's hardware
On a CPU that only had partial support, these features have more and more of a performance impact. 6th gen onwards seem to all have full support.


The security features work because it allows applications to be sandboxed while they're run, preventing them peeking at nearby data - but they still have to be put into that box by software so it's not some magical feature that makes you immune to malware - it's more designed to prevent programs in a VM from sneaking data from the host machine

Personally, it comes down to the same old question: What do you use your PC for?

If it's for business and important documents are stored on it, yes, enable it.
For a gaming PC that doesn't run any VMs and doesn't have anything of really high value - why waste the resources? You already have an antivirus.
 
Joined
Apr 10, 2010
Messages
1,864 (0.35/day)
Location
London
System Name Jaspe
Processor Ryzen 1500X
Motherboard Asus ROG Strix X370-F Gaming
Cooling Stock
Memory 16Gb Corsair 3000mhz
Video Card(s) EVGA GTS 450
Storage Crucial M500
Display(s) Philips 1080 24'
Case NZXT
Audio Device(s) Onboard
Power Supply Enermax 425W
Software Windows 10 Pro
How much is the performance hit having virtualisation on in the BIOS?
 
Joined
Jan 8, 2017
Messages
9,525 (3.26/day)
System Name Good enough
Processor AMD Ryzen R9 7900 - Alphacool Eisblock XPX Aurora Edge
Motherboard ASRock B650 Pro RS
Cooling 2x 360mm NexXxoS ST30 X-Flow, 1x 360mm NexXxoS ST30, 1x 240mm NexXxoS ST30
Memory 32GB - FURY Beast RGB 5600 Mhz
Video Card(s) Sapphire RX 7900 XT - Alphacool Eisblock Aurora
Storage 1x Kingston KC3000 1TB 1x Kingston A2000 1TB, 1x Samsung 850 EVO 250GB , 1x Samsung 860 EVO 500GB
Display(s) LG UltraGear 32GN650-B + 4K Samsung TV
Case Phanteks NV7
Power Supply GPS-750C
How much is the performance hit having virtualisation on in the BIOS?

Zero. The only thing it does is speed up performance if you are running virtual machines, should have no impact whatsoever outside of that.
 

Mussels

How much is the performance hit having virtualisation on in the BIOS?
0 For enabling it
There is a performance cost to have the security features enabled (such as core isolation in Windows 11), but that varies per CPU, per application, etc. Generally it's small.

Quick google had an AM5 result, and it's around 0.008% to 0.019%

It exists, but it's not large. Older CPUs might have a bigger loss, but it's still quite small.
 
Joined
Jan 5, 2006
Messages
18,584 (2.68/day)
System Name AlderLake
Processor Intel i7 12700K P-Cores @ 5Ghz
Motherboard Gigabyte Z690 Aorus Master
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s) MSI RTX 2070 Super Gaming X Trio
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p
Case Be quiet! Silent Base 600 - Window
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply Seasonic Focus Plus Gold 750W
Mouse Logitech MX Anywhere 2 Laser wireless
Keyboard RAPOO E9270P Black 5GHz wireless
Software Windows 11
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock
It's also needed for "Core isolation"

Joined
Sep 10, 2020
Messages
60 (0.04/day)
There are security features that use virtualization, but virtualization also has its own vulnerabilities.
Yes, everything has vulnerabilities, OS, CPU. Therefore we install OS updates. And CPU vulnerabilities are patched using microcode delivered by BIOS updates, sometimes also using an OS patch.
 
Joined
Mar 18, 2023
Messages
952 (1.44/day)
System Name Never trust a socket with less than 2000 pins
I don't think there is ever a downside to enabling virtualization in the BIOS. If you don't install software that actually uses virtualization support it is just sitting there in the CPU doing nothing.

On the other hand, you need some virtualization hardware to protect you even if you don't use virtual machines. For example, Thunderbolt drivers use VT-d to protect against DMA attacks.
 

Solaris17

Zero. The only thing it does is speed up performance if you are running virtual machines, should have no impact whatsoever outside of that.
This


virtualization in BIOS and virtualized security settings are not the same thing. One uses the other.

virtualization in bios does not impact performance at all until you utilize it.
 
Joined
Feb 1, 2019
Messages
3,684 (1.70/day)
How much is the performance hit having virtualisation on in the BIOS?

I was doing testing with Vesperia, I disabled VT-x and I also tested with TPM off. In my testing there was no difference. Only certain things are virtualized, games e.g. are not virtualized. I was analysing CPU usage and other metrics, there is on my rig absolutely no regression, however I am on Windows 10 which by default doesn't enable memory integrity and doesn't enable VBS. So its virtualisation is a lot less intensive than 11 out of the box.

In my opinion things like CFG and a/v software have the impact.

As has been said simply enabling in itself in the BIOS will have no impact, it's rather what software uses that virtualization.
 

Mussels

virtualization in bios does not impact performance at all until you utilize it.
The partial exception to this is that W10 and W11 now default those security features to enabled, if virtualization is enabled.

But for the tiny performance difference, you can definitely just turn those security features off and leave it enabled if you run VMs or ignore them entirely
 
Joined
Sep 10, 2020
Messages
60 (0.04/day)
0 For enabling it
There is a performance cost to have the security features enabled (such as core isolation in Windows 11), but that varies per CPU, per application, etc. Generally it's small.

Quick google had an AM5 result, and it's around 0.008% to 0.019%

It exists, but it's not large. Older CPUs might have a bigger loss, but it's still quite small.
0 is always 0 :)
 

Solaris17

The partial exception to this is that W10 and W11 now default those security features to enabled, if virtualization is enabled.

That is true, but I thought OP was speaking in the context of his OS already being installed. In which case I do not think they will auto enable as the configuration has already been made.
 

Mussels

That is true, but I thought OP was speaking in the context of his OS already being installed. In which case I do not think they will auto enable as the configuration has already been made.
It's more like the default is on, but inactive while it's disabled in the BIOS


If you manually disabled it in Windows and flipped the BIOS setting on and off, it'd remember you had it off - but the default is on
 

Solaris17

but inactive while it's disabled in the BIOS

Is there documentation for that? Because you can't use virtualization features without virtualization enabled. Unless they are doing some kind of software.

Let's take a look.

Doesn't look like it. Since enabling virt in the BIOS is what is exposing those flags for use in the CPU registers.

Let's check the integrity enablement

BIOS: Virtualization must be enabled

Also appears to be the case for application guard

CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT) and one of the following virtualization extensions for VBS: VT-x (Intel) -OR- AMD-V

With that said you can burn the image to include the enable bit by default (making it controlled by BIOS enablement) but that doesn't appear to be default behavior according to the docs. Only that the option can be set in OEM images. (image builders)
 

Mussels

Is there documentation for that? Because you can't use virtualization features without virtualization enabled. Unless they are doing some kind of software.

Let's take a look.

Doesn't look like it. Since enabling virt in the BIOS is what is exposing those flags for use in the CPU registers.

Let's check the integrity enablement

BIOS: Virtualization must be enabled

Also appears to be the case for application guard

CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT) and one of the following virtualization extensions for VBS: VT-x (Intel) -OR- AMD-V

With that said you can burn the image to include the enable bit by default (making it controlled by BIOS enablement) but that doesn't appear to be default behavior according to the docs. Only that the option can be set in OEM images. (image builders)
The features like core isolation vanish while in the OS, and if you search for them you get messages stating they can't be activated due to lack of hardware support


You can run some VM software in purely software modes, and some work with partial support like VT-x vs VT-D - but these security features require them or the settings don't appear at all



What I meant in my post is that it's got an on/off setting (registry, I assume) that still exists without hardware support, so toggling the BIOS features to on remembers whatever that was previously set to - so users could have a different viewpoint on "does enabling the BIOS setting, enable the windows security setting" because a default install will be yes, but a user who previously disabled it, would be no
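
Added example (not part of any post in this thread, and not code from Microsoft's documentation): a read-only PowerShell check that reports separately the three states the thread keeps distinguishing, namely the firmware switch, the VBS and memory integrity settings stored in the registry, and what is actually running. It assumes the Device Guard registry locations and the Win32_DeviceGuard CIM class that Microsoft documents; Get-RegValue is a helper name introduced here.

```powershell
# Added example, read-only. Run from an elevated PowerShell session.

# 1) Firmware: is CPU virtualization switched on in BIOS/UEFI?
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.HypervisorPresent) {
    # With a hypervisor already loaded, VirtualizationFirmwareEnabled is not a
    # reliable indicator. On a physical machine a running hypervisor implies
    # the firmware switch is on (inside a VM guest this only reflects the host).
    $firmware = 'on (a hypervisor is already running)'
} elseif ($cpu.VirtualizationFirmwareEnabled) {
    $firmware = 'on (no hypervisor is using it)'
} else {
    $firmware = 'off or unsupported'
}

# 2) Configuration: what the registry asks for. These values stay in place
#    whatever the firmware switch is set to.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { $item.$Name }
}
$dgKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$vbsConfigured  = Get-RegValue $dgKey 'EnableVirtualizationBasedSecurity'
$hvciConfigured = Get-RegValue "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled'

# 3) Runtime: what Windows reports as actually active right now.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue

$vbsRunning = if ($null -eq $dg) {
    'unknown (Win32_DeviceGuard not available)'
} else {
    switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled but not running' }
        2       { 'enabled and running' }
        default { "unknown status $_" }
    }
}

$services = foreach ($id in $dg.SecurityServicesRunning) {
    switch ($id) {
        0       { }                          # 0 means no service is running
        1       { 'Credential Guard' }
        2       { 'Memory integrity (HVCI)' }
        default { "service id $id" }
    }
}
if (-not $services) { $services = 'none' }

[pscustomobject]@{
    FirmwareVirtualization = $firmware
    VbsRegistryValue       = $vbsConfigured
    HvciRegistryValue      = $hvciConfigured
    VbsRuntimeStatus       = $vbsRunning
    ServicesRunning        = $services -join ', '
} | Format-List
```

A registry value of 1 next to a runtime status other than "enabled and running" means the feature is configured but not active on this boot.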
 
Joined
Oct 24, 2022
Messages
250 (0.31/day)
I think we are going through a moment of transition these days. It could be that Microsoft requires CPU virtualization enabled for future Windows to be installed in order for security tools like VBS to work.


I don't think there is ever a downside to enabling virtualization in the BIOS. If you don't install software that actually uses virtualization support it is just sitting there in the CPU doing nothing.

On the other hand, you need some virtualization hardware to protect you even if you don't use virtual machines. For example, Thunderbolt drivers uses VT-d to protect against DMA attacks.

I heard about a guy who understands a lot about computers that the browsers that people use daily (Chrome, IE, Edge, Firefox, etc.), since Windows Vista's IE, use virtualization to increase security against malicious websites that install malware on the user's PC.
 
Joined
Mar 18, 2023
Messages
952 (1.44/day)
System Name Never trust a socket with less than 2000 pins
I heard about a guy who understands a lot about computers that the browsers that people use daily (Chrome, IE, Edge, Firefox, etc.), since Windows Vista's IE, use virtualization to increase security against malicious websites that install malware on the user's PC.

No. They compartmentalize into different processes and drop privileges, but that requires none of the virtualization hardware.
 