Question Why most motherboards BIOS come with SVM (virtualization) disabled. Does it have a performance or security cost?

preguntonontrack

Distinguished
Nov 4, 2013
322
2
18,795
Hello, I own several MSI motherboards PCs and i noticed SVM is always off by default. Also, i was helping a friend to run a VM machine and noticed his MB also had virtualization off (another brand). I wondered why since it should a be a feature and started to speculate. Maybe because it come at a cost of performance or is a security issue?

Does enabling SVM affect in any way Windows performance, maybe hardware performance or booting performance? Maybe is a security concern? Maybe something minimal? or why?

Should i turn it off since i don't use it? I left it always on.
 

Math Geek

Titan
Ambassador
never thought about it but it is def true.

would be my guess as well. most people don't need it so the small portion of us that do have to turn it on. on a forum like this we probably have a much larger % that use it, but think about all the folks buying prebuilt pc's. can't imagine a very large portion of them ever needing it, much less even knowing what it is.
 
  • Like
Reactions: preguntonontrack
Hello, I own several MSI motherboards PCs and i noticed SVM is always off by default. Also, i was helping a friend to run a VM machine and noticed his MB also had virtualization off (another brand). I wondered why since it should a be a feature and started to speculate. Maybe because it come at a cost of performance or is a security issue?

Does enabling SVM affect in any way Windows performance, maybe hardware performance or booting performance? Maybe is a security concern? Maybe something minimal? or why?

Should i turn it off since i don't use it? I left it always on.
Apparently Microsoft thinks virtualization (SVM) has a security benefit since it pesters me to enable it for core isolation and memory integrity, needed for credential guard protection to function. It may be doing this only because I'm using Win11 Pro so I don't know if that's really all that beneficial for home users, but it seems to be a central to their steadily increasing focus on security features.
 
  • Like
Reactions: preguntonontrack

preguntonontrack

Distinguished
Nov 4, 2013
322
2
18,795
Apparently Microsoft thinks virtualization (SVM) has a security benefit since it pesters me to enable it for core isolation and memory integrity, needed for credential guard protection to function. It may be doing this only because I'm using Win11 Pro so I don't know if that's really all that beneficial for home users, but it seems to be a central to their steadily increasing focus on security features.
Interesting. So it definitely does not compromise security? But by isolating CPU cores and memory, does it limit/affect performance at any level?

that would make sense overall. i could see virtualizing various processes to specific cores and ram to isolate them for security purposes. no idea if it would work or whatever, but in a theory type argument i could nod along with the powerpoint presentation :)

On what we are discussing, does it mean it will only affect the system only if it doing some virtualization. For example lets say i am doing any kind of viertualization VM machine and then i do a clean format and dont add any VM program or do any virtual machines. Does it mean by having it on on the BIOS wont affect anything at all or it will still do some prework on Windows by having it on?
 
D

Deleted member 2947362

Guest
Interesting. So it definitely does not compromise security? But by isolating CPU cores and memory, does it limit/affect performance at any level?
In short no , performance you wouldn't notice much if any difference, even in gaming the FPS didn't change with it enabled from my testing

I decided the security benefits out way any minimal loss it may cause if any.
 
Interesting. So it definitely does not compromise security? But by isolating CPU cores and memory, does it limit/affect performance at any level?
...
To the extent Credential Guard (for instance) provides useful security benefits to you with your useage patterns I should think disabling SVM is a definite compromise to security.

The real question to be answered is: how much does Credential Guard actually help a home user's security?

A follow on to that question is: as these new security features Microsoft is pushing out become more commonplace, how many web service providers will be able to provide enhanced security for on-line transactions? I'm thinking of things like on-line banking, credit card transactions, etc. So even if not a benefit for home users today...does it become more so in the future? Or might it even lock you out of using those services if it's disabled?
 
Last edited:
  • Like
Reactions: preguntonontrack
D

Deleted member 2947362

Guest
To the extent Credential Guard (for instance) provides useful security benefits to you with your useage patterns I should think disabling SVM is a definite compromise to security.

The real question to be answered is: how much does Credential Guard actually help a home user's security?

A follow on to that question is: as these new security features Microsoft is pushing out become more commonplace, how many web service providers will be able to provide enhanced security for on-line transactions? I'm thinking of things like on-line banking, credit card transactions, etc. So even if not a benefit for home users today...does it become more so in the future? Or might it even lock you out of using those services if it's disabled?
It's worth it just for core isolation to me. (core isolation has nothing to do with CPU cores for those who don't know it isolates core parts of the O/S)

But if I enabled Force randomisation for images (Mandatory ASLR) in Exploit protection, that does cause issues with some games and software.

I'm fairly sure that's the reason Microsoft sets it to Use default (off) because it can cause problems if enabled

Although you could enable Force randomisation for images (Mandatory ASLR) for an extra layer of protection.

It's worth trying just to see if it does cause any problems for the software you use on your PC if it doesn't cause you issue then keep it enabled.

Like with all Security there can be a trade off with compatibility or usability you just have to weigh up the pros and cons of each and decide what is more important to you.
 
Last edited by a moderator:

preguntonontrack

Distinguished
Nov 4, 2013
322
2
18,795
It's worth it just for core isolation to me. (core isolation has nothing to do with CPU cores for those who don't know it isolates core parts of the O/S)

But if I enabled Force randomisation for images (Mandatory ASLR) in Exploit protection, that does cause issues with some games and software.

I'm fairly sure that's the reason Microsoft sets it to Use default (off) because it can cause problems if enabled

Although you could enable Force randomisation for images (Mandatory ASLR) for an extra layer of protection.

It's worth trying just to see if it does cause any problems for the software you use on your PC if it doesn't cause you issue then keep it enabled.

Like with all Security there can be a trade off with compatibility or usability you just have to weigh up the pros and cons of each and decide what is more important to you.

Thanks for the detailed answers. I am a gamer and i am a little picky, spent my savings on a 3090 Ti when they went cheap before the 4090 release along with all the parts to back it up. So to be clear:

  1. I shouldn't see any change in performance? With/without using these security features?
  2. Even if didnt have Windows 11, it doesnt compromise security in another way?
  3. I am windows pro 11 user. How do i benefit from these security SVM features. I am very anti Windows. I dont have an account signed with windows, i have all setting that send information to microsoft off. My FWall blocks everything. How this actually works?
 
D

Deleted member 2947362

Guest
If you mainly use your PC for gaming just use SVM for Core Isolation.

By the sound of it you have quite a powerful system and it should not effect your enjoyment of the games you play with the added bonus of giving your O/S an extra layer of security.

At worse enabling SVM to enable windows virtualisation, it might limit what some benchmark or diagnostic software can access, but that wont effect your enjoyment with gaming or normal everyday use.

This just from my experience of using SVM and Core Isolation, which I have always used ever since it's been a part of Windows.

So if anyone else knows anything more please do correct anything that I may have wrong.
 
Last edited by a moderator:
  • Like
Reactions: preguntonontrack

preguntonontrack

Distinguished
Nov 4, 2013
322
2
18,795
If you mainly use your PC for gaming just use SVM for Core Isolation.

By the sound of it you have quite a powerful system and it should not effect your enjoyment of the games you play with the added bonus of giving your O/S an extra layer of security.

At worse enabling SVM to enable windows virtualisation, it might limit what some benchmark or diagnostic software can access, but that wont effect your enjoyment with gaming or normal everyday use.

This just from my experience of using SVM and Core Isolation, which I have always used ever since it's been a part of Windows.

So if anyone else knows anything more please do correct anything that I may have wrong.
I am very grateful, thanks. Is there a way to avoid the core isolation even if i enable SVM?
 
D

Deleted member 2947362

Guest
yeah just don't enable it, enabling SVM in the Bios won't enable Core Isolation in windows.

Core Isolation is not enabled by default by windows, you would have to go in windows security/security dashboard/device security if you wanted to enable core isolation
 
Last edited by a moderator:
  • Like
Reactions: preguntonontrack

preguntonontrack

Distinguished
Nov 4, 2013
322
2
18,795
yeah just don't enable it, enabling SVM in the Bios won't enable Core Isolation in windows.

Core Isolation is not enabled by default by windows, you would have to go in windows security/security dashboard/device security if you wanted to enable core isolation
Thanks just i wanted to know. Does enabling memory integrity/core isolation it affects my security suit?
 
D

Deleted member 2947362

Guest
Core isolation shouldn't effect your own anti-virus software you may have installed, if it did your anti virus software would most likely advise you to turn it off.
 
D

Deleted member 2947362

Guest
Your best bet is to ask the people who makes the anti-virus your using, but to my knowledge it shouldn't effect it.