Topic: A graphical lesson on why W11 has processor requirements @ AskWoody

A graphical lesson on why W11 has processor requirements
Home » Forums » AskWoody support » Windows » Windows 11 » Hardware questions relating to Windows 11 » A graphical lesson on why W11 has processor requirements
- This topic has 11 replies, 5 voices, and was last updated 3 years, 6 months ago.
Tags: VBS Virtualization Based Security (VBS) Windows 10 Windows 11
Author

Topic
New Reply
RetiredGeek
AskWoody_MVP

October 13, 2021 at 7:58 pm #2395795

Hey Y’all,

So after watching a Video from MS about VBS (Virtualization-based security) I decided to try it on my not ready for prime time Windows 10 main driver.

Specs:

Item Value ---- ----- Manufacturer Dell Inc. Model XPS 8920 System Type x64-based PC Enclosure Desktop BIOS Serial No 2Z5PHH2 Name 1.0.23 Version 1.0.23 Date 6/10/2020 20:00 Manufacturer Dell Inc. Creator American Megatrends Firmware Type UEFI Secure Boot UEFI Enabled Trusted Platform Module Present Item Value ------ ----- Processor Name Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz Code Name Kaby Lake Info Intel64 Family 6 Model 158 Stepping 9 Maker GenuineIntel ID BFEBFBFF000906E9 Max CPU Speed 3.6 GHz Physical CPUs 1 Physical Cores 4 Logical Cores 8 Address Width 64 HyperThreading Enabled VM Firmware Disabled Socket U3E1 Memory Information: Bank Data Size MB Slot Bank Pos Type Speed Width / GB Manufacturer Serial No. -------- ---- ---- ---- ----- ----- ----- ------------ ---------- ChannelA-DIMM1 1 DDR4 2400 64 8.00 SK Hynix 2878875B ChannelB-DIMM1 2 DDR4 2400 64 8.00 SK Hynix 28788735

So here’s my machine at idle with the only program running being the Snipping Tool and Task Manager.

So with the baseline established I enable VBS using Microsoft’s DG Readiness Tool Version 3.6 and then reboot and load the same two programs and wait 10 minutes for things to settle down.

Note: that 10% CPU usage is the average! It did get as low as 6% momentarily and as high as 20% for longer periods. Again this is at IDLE!

So No Windows 11 for this machine EVER! YMMV!

HTH

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

2 users thanked author for this post.

TechTango, doriel

Reply | Quote
Viewing 5 reply threads
Author

Replies
- joep517
  AskWoody MVP
  
  October 14, 2021 at 10:10 am #2395922
  
  With the .NET optimization service taking 9.2% of the 10% I’d say there is some serious transient processing going on. The .NET optimization is generally run when new or updated modules are installed to optimize for your setup. I’d be a little surprised if VBS was .NET based. In my experience .NET optimization often takes longer than I expect. I’d walk away from the machine for quite a while and then check it again.
  
  --Joe
  
  Reply | Quote
- RetiredGeek
  AskWoody_MVP
  
  October 14, 2021 at 10:42 am #2395927
  
  Joe,
  
  Thanks for the insight. I’ve uninstalled VBS and was surprised by the prompts I got when the machine rebooted, before actually getting into windows, to make sure I wanted to disable several features. This worried me as maybe some of these settings were in effect before I enabled VBS so I restored my EFI and Boot (C:) partitions from my recent images just in case.
  
  When I get a block of time I may retry VBS and give it more time to “settle in” as you say.
  
  May the Forces of good computing be with you!
  
  RG
  
  PowerShell & VBA Rule!
  Computer Specs
  
  Reply | Quote
- bbearren
  AskWoody MVP
  
  October 14, 2021 at 12:56 pm #2395950
  
  @RetiredGeek, you piqued my curiosity. Admittedly this is an apples-to-oranges type comparison, as I have neither Secure Boot enabled nor my TPM 1.2 enabled, which may or may not make a difference, since there are differing levels of VBS based on such things.
  
  I noticed in your Specs that your VM Firmware is disabled, and I was curious. Your motherboard is an Intel-based Dell board, and mine is an Intel motherboard, which also may invoke some differences. Nevertheless, I went into UEFI and enabled Virtualization. My 4 core i5-4670 is not capable of HyperThreading, another vector for differing results.
  
  I enabled VBS (without Secure Boot or TPM enabled) and rebooted. It took a bit over 3 minutes for CPU usage to settle down to idle on that first reboot. A second reboot allowed idle to be reached in less time. With Malwarebytes, Firefox, Snipping Tool and Task Manager running, I get this at idle:
  
  It also drops to 2%, and idles mainly at 2% to 3%. Antimalware Service Executable (Microsoft Defender Antivirus Service) and Antimalware Service Executable Content Process are the CPU’s heavy hitters on startup, but settle down nicely in a reasonable amount of time. The desktop is visible almost immediately after logon and apps/programs launch readily.
  
  I’ll let it run for a day or three to see if there are any hiccups, but it doesn’t appear at the moment to cause a noticeable performance hit on my system.
  
  Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
  We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
  We were all once "Average Users".
  Computer Specs
  
  Reply | Quote
- bbearren
  AskWoody MVP
  
  October 16, 2021 at 9:56 am #2396172
  
  @RetiredGeek, I’m still running VBS, still idling 2%~3% CPU. The only noticeable effects have been the time it takes to logoff has increased, and it sucks up a good bit of RAM. Logon is still snappy.
  
  .
  
  Kernel DMA protection is off, since that requires Secure Boot, and I still have Secure Boot disabled.
  
  Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
  We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
  We were all once "Average Users".
  Computer Specs
  
  Reply | Quote
- bbearren
  AskWoody MVP
  
  October 17, 2021 at 12:40 pm #2396332
  
  I ran VBS until a few minutes ago, and I haven’t noticed any performance hits in the three or so days I had it running. A few minutes ago I disabled it, rebooted to make sure it was disabled (System Information), then booted into UEFI to disable Intel’s virtualization.
  
  I disabled it in the registry (which was how I enabled it in the beginning), and didn’t see any prompts/warnings at all on reboot. Then again, I ran it at the lowest level without Secure Boot and TPM 1.2 disabled.
  
  I don’t see a need for it, and even though it doesn’t seem to have any adverse effects (on my system), I have no reason to use it.
  
  Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
  We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
  We were all once "Average Users".
  Computer Specs
  
  Reply | Quote
- RetiredGeek
  AskWoody_MVP
  
  October 18, 2021 at 7:52 pm #2396617
  
  Hey Y’all,
  
  Well I’ve been down the “Rabbit Hole” for the last couple of days trying to figure out this whole VBS (Virtualization Based Security) thing and here’s what I’ve found out so far and I’ve just scratched the surface.
  
  Thanks to JoeP & bbarren I found out that you do have to wait a while for the system to “settle down” after enabling VBS.
  
  My main machine before installing VBS:
  
  Next I enabled my Virtualization Hardware and Hyper-V (Windows Optional Componets)
  Installed VBS via Powershell command:
  & ‘ComputerMentor2CMSharedNAS-DownloadsUseful-UtilitiesDG Readiness Tooldgreadiness_v3.6dgreadiness_v3.6DG_Readiness_Tool_v3.6.ps1’ -enable
  
  Output from the PS command:
  
  Directory: C: Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 10/16/2021 3:41 PM DGLogs ########################################################################### Readiness Tool Version 3.4 Release. Tool to check if your device is capable to run Device Guard and Credential Guard. ########################################################################### ########################################################################### OS and Hardware requirements for enabling Device Guard and Credential Guard 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home 2. Hardware: Recent hardware that supports virtualization extension with SLAT To learn more please visit: https://aka.ms/dgwhcr ########################################################################### Enabling Device Guard and Credential Guard Setting RegKeys to enable DG/CG Enabling Hyper-V and IOMMU Enabling Hyper-V and IOMMU successful Please reboot the machine, for settings to be applied.
  
  My main machine with VBS Installed:
  
  Here are the relative boot times before and after VBS installation measured with my Restart-Timer.ps1 program to take the user element out of the timing.
  
  Before Installing VBS DELLXPS8920's System is Compacted: False 2:21:07 PM 2:21:52 PM Elapsed Reboot Time: 00:00:45.9748014 After Installing VBS DELLXPS8920's System is Compacted: False 7:19:24 PM 7:20:16 PM Elapsed Reboot Time: 00:00:52.0512680
  
  About a 6 second penalty, no biggie!
  ————————————————-
  Now I also did this on my vintage Dell XPS 13 Laptop and got this on reboot:
  
  The computer stilled worked but it would not let me active display #2! So I restored from my image and all is well.
  Note: I did update the Intel Display driver from the Dell website, unfortunately with the same result so this machine won’t be running VBS!
  ————————————————-
  Back to my main machine.
  
  Next I did some research and wrote a little Powershell to report VBS Status:
  
  Key Value --- ----- HyperVisorPresent True BaseVirtualizationSupport Enabled SecureBoot Enabled CredentialGuard Enabled HypervisorEnforcedCodeIntegrity Enabled CodeIntegrityPolicyEnforcementStatus EnforcementMode UserModeCodeIntegrityPolicyEnforcementStatus EnforcementMode
  
  Upon more research I found some Group Policy settings I could use to configure VBS:
  Administrative Templates
  System
  Device Guard
  Turn On Virtualization Based Security
  
  After Enabling this policy as shown above, I reran my Powershell program and much to my surprise the settings for the last two items changed from EnforcementMode to AuditMode. This means that rules are logged if failed but the code can still run, used for reference in creating rules for exceptions. I did a lot of googling but no answers ensued that would work on Win Pro, all for Enterprise. So I reverted to the chang setting, reboot, rise wash repeat method.
  Luckily, I hit it on the first try and found it was the check mark in the “Require UEFI Memory Attributes Table” setting. Unchecking and rebooting returned me to EnforcementMode.
  
  So I’ve still got a lot of work to do but here’s my current output from my Powershell program.
  
  Key Value --- ----- HyperVisorPresent True BaseVirtualizationSupport Enabled SecureBoot Enabled CredentialGuard Enabled HypervisorEnforcedCodeIntegrity Enabled CodeIntegrityPolicyEnforcementStatus EnforcementMode UserModeCodeIntegrityPolicyEnforcementStatus EnforcementMode VBS Status VBS is ENABLED and RUNNING
  
  The above program draws information from:
  
  $CompInfo = Get-ComputerInfo $GCIArgs = @{ClassName = "Win32_DeviceGuard" Namespace = "rootMicrosoftWindowsDeviceGuard" } $VBS = Get-CimInstance @GCIArgs
  
  HTH
  
  May the Forces of good computing be with you!
  
  RG
  
  PowerShell & VBA Rule!
  Computer Specs
  
  2 users thanked author for this post.
  
  wavy, bbearren
  
  Reply | Quote
- RetiredGeek
  AskWoody_MVP
  
  October 21, 2021 at 11:37 am #2397105
  
  And the story continues!
  
  Today I noticed that I had no Sound! A friend sent me a video and I couldn’t get any sound. Then I noticed that the usual white x next to my speaker icon in the Notifications Area was surrounded in a red circle! So off to settings.
  
  What do you mean no Sound Devices?
  Well let’s see what has changed…VBS of course. Although I hadn’t gotten any notices of the audio drivers not loading, like I did on my laptop, I figured that this was where the problem was so I downloaded the latest driver from Dell figuring it would be compatible with VBS of course no luck here. I even disabled VBS, which brought back my video after a reboot,
  
  and then reinstalled the new audio driver and then reenabled VBS that nasty x in the red circle reappeared.
  
  I tried selectively turning off features of VBS all to no avail. So I’m now back to not having VBS running so I have sound. FYI: I also searched for a newer driver w/o success.
  
  VBS Enabled:
  
  CM's Get-VBSSettings.ps1 Ver: 1.1 Key Value --- ----- Computer DellXPS8920 Trusted Platform Module Present Firmware Type UEFI Secure Boot UEFI Enabled HyperVisorPresent True BaseVirtualizationSupport Enabled CredentialGuard Enabled HypervisorEnforcedCodeIntegrity Enabled CodeIntegrityPolicyEnforcementStatus EnforcementMode UserModeCodeIntegrityPolicyEnforcementStatus Off VBS Status VBS is ENABLED and RUNNING
  
  VBS Disabled:
  
  CM's Get-VBSSettings.ps1 Ver: 1.1 Key Value --- ----- Computer DellXPS8920 Trusted Platform Module Present Firmware Type UEFI Secure Boot UEFI Enabled HyperVisorPresent False BaseVirtualizationSupport Enabled CredentialGuard Enabled HypervisorEnforcedCodeIntegrity Enabled CodeIntegrityPolicyEnforcementStatus N/A UserModeCodeIntegrityPolicyEnforcementStatus N/A VBS Status VBS is ENABLED but NOT running
  
  Ideas anyone? I have to admit I’m at a loss.
  
  May the Forces of good computing be with you!
  
  RG
  
  PowerShell & VBA Rule!
  Computer Specs
  
  Reply | Quote
- PKCano
  Manager
  
  October 21, 2021 at 12:17 pm #2397111
  
  RetiredGeek wrote:
  
  Ideas anyone? I have to admit I’m at a loss.
  
  Reinstall Win10, and wait until Win11 is a finished product? ;_0
  
  1 user thanked author for this post.
  
  wavy
  
  Reply | Quote
  
  b
  AskWoody_MVP
  
  October 21, 2021 at 12:35 pm #2397115
  
  I think this is Win10.
  
  Reply | Quote
  
  PKCano
  Manager
  
  October 21, 2021 at 1:19 pm #2397123
  
  Granted, but it shill applies to the situation at hand. So many are attempting to force the issue while having unqualified specs for Win11.
  Reminds me of those that kept trying to install Win7 on machines with newer CPUs that MS had blocked. What did that accomplish? Are they still running Win7 on newer CPUs?
  
  I still say “Reinstall Win10 and wait!”
  
  Reply | Quote
  
  RetiredGeek
  AskWoody_MVP
  
  October 21, 2021 at 7:43 pm #2397204
  
  No need to reinstall W10 as I just restored the image from before I started tinkering.
  
  I had no intention to even try to install W11 on any of my 3 machines as none of them meet the requirement.
  
  I was merely trying to see if I could get VBS to work on my W10 main box for the added security. That said with my current security setup (Defender, Malwarebytes Premium, Router Firewall, all kinks of addon’s to Chrome, regular Images using Macrium Reflect, and of course using the device between my ears I’ve never had any kind of security event and that goes a long way back way before a lot of the mentioned products existed.
  
  After W11 is through a couple of update cycles I may try it on my wife’s laptop as it meets all the requirements, but that will have to wait until she’s gone for a day or two so I can tinker!
  
  May the Forces of good computing be with you!
  
  RG
  
  PowerShell & VBA Rule!
  Computer Specs
  
  Reply | Quote
Viewing 5 reply threads

Reply To: A graphical lesson on why W11 has processor requirements
You can use BBCodes to format your content.
Your account can't use all available BBCodes, they will be stripped before saving.

Your information:
Name (required):

Mail (will not be published) (required):

Website:

Cancel

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.

Welcome to our unique respite from the madness.

It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.