Windows 11’s performance-stealing security feature is now on by default
Posted: Wed Sep 21, 2022 9:40 am
Microsoft’s latest Windows 11 feature update, the Windows 11 2022 Update (22H2), turns on the operating system’s core isolation memory integrity protection by default. This change in Windows 11’s security policy accepts a small (though significant, in earlier tests) loss of performance in exchange for increased security.
At Windows 11’s launch, Microsoft left core isolation off by default. Now the company’s priority is that users are secure “out of the box,” with other scenarios — including gaming, where turning on these functions has hurt performance — taking a back seat. Microsoft also believes that its engineering teams have overcome, or partially overcome, the performance hit that turning on those memory integrity features entails.
“Core Isolation will be on by default for fresh installations and new PCs, so devices are as secure as possible,” Microsoft said in an emailed statement after this story had initially published.
The new security feature will be on by default for new PCs, but not for those who are upgrading to the Windows 11 2022 Update. Representatives also said that the core isolation feature can be turned off. (One of our test PCs, a Microsoft Surface Laptop Studio, does not allow this feature to be turned off, however.)
What is core isolation?
In Windows 10 and 11, supported hardware uses a form of virtualization to protect the operating system and your PC from malicious code by isolating certain processes in the PC’s memory. Certain hardware features are required, including a TPM 2.0, secure boot, and Data Execution Prevention. In part, this increased priority on security is what pushed Microsoft to require processors that support these features for Windows 11. But core isolation has been supported for several processor generations (and across AMD and Qualcomm as well), even if PCs haven’t necessarily used it.
You can typically check whether these features are on or off inside the Windows Security app, specifically the Device Security section (Settings > Privacy & security > Windows Security > Device Security > Core Isolation). Certain PCs — for example, Microsoft’s Surface Laptop Studio — shipped with memory integrity on by default, with no option to turn it off. Other laptops may have different settings.
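For anyone who would rather check the same state from a shell than from the Settings app, here is an added example (not from the article or from Microsoft): it reads the Win32_DeviceGuard WMI class, whose documented numeric codes cover VBS status, the running security services (2 = memory integrity/HVCI) and the available hardware properties the article lists as prerequisites. The registry path is the policy key Windows uses to record the memory integrity on/off setting; Get-Tpm needs an elevated prompt.

```powershell
# Added example: report core isolation / memory integrity state on Windows 10/11.
# Win32_DeviceGuard and its numeric codes are Microsoft's documented values.
function Get-CoreIsolationState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'running' } default { "unknown ($_)" }
    }

    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard,
    # 2 = HVCI (what the Settings app calls memory integrity), 3 = System Guard Secure Launch
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2

    # AvailableSecurityProperties codes for the prerequisites the article names:
    # 1 = hypervisor support, 2 = secure boot, 5 = NX / Data Execution Prevention
    $avail = $dg.AvailableSecurityProperties

    # TPM presence; Get-Tpm throws when not elevated or when no TPM driver is loaded
    $tpmPresent = $null
    try { $tpmPresent = (Get-Tpm).TpmPresent } catch { }

    # Policy key Windows uses to remember the user's memory integrity choice.
    # It is often absent, in which case the OS default (now "on" for new installs) applies.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus                 = $vbsText
        MemoryIntegrityRunning    = $hvciRunning
        MemoryIntegrityConfigured = $hvciConfigured
        HypervisorAvailable       = ($avail -contains 1)
        SecureBootAvailable       = ($avail -contains 2)
        NxDepAvailable            = ($avail -contains 5)
        TpmPresent                = $tpmPresent
        HvciRegistryEnabled       = $regEnabled
    }
}

$state = Get-CoreIsolationState
$state | Format-List

if (-not $state.MemoryIntegrityRunning) {
    Write-Warning 'Memory integrity (HVCI) is not running on this device.'
}
```

MemoryIntegrityConfigured true with MemoryIntegrityRunning false usually means a reboot is pending or an incompatible driver blocked HVCI, which the Settings page reports separately.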
The change Microsoft says it is making, though, is to make this memory integrity setting more like the Surface Laptop Studio’s: on by default, protecting your PC. Again, though, if you’ve switched this feature off, Microsoft says it will not be switched on again.
“For users who are upgrading their OS and Core Isolation is turned off, it will remain off,” Microsoft said in a statement. “The user will see a warning in the Windows Security app informing them that this feature is currently turned off so that action can be taken by the user to turn it on so that their device is as secure as possible against malicious attacks.”
What effect does this have on your PC?
The significance of Microsoft’s decision depends on your perspective. To be fair, the decision trades a slight dip in your PC’s performance, which you may or may not notice, for increased confidence in your PC’s security.
Both PCWorld and Tom’s Hardware tested the effects of the core isolation / memory integrity feature earlier this year. PCWorld’s tests focused on the impact on general productivity, and found that turning it on imposes a performance penalty of less than 5 percent on processors dating back to Intel’s 6th-generation Core chips. PCMark tests, which measure general productivity, were similar. Going back to Intel’s relatively ancient 6th-generation Core chip generates a performance drop of more than 10 percent.
In gaming, however, Tom’s Hardware found that even recent processors like the Core i7-11700K showed 7 percent drops in popular games like Red Dead Redemption 2 — about a processor generation’s worth of performance. That’s fairly significant, especially for those systems already hovering around the margins of playable frame rates.
Both tests were performed in October 2021, about a year ago, however. Microsoft believes that at least some of those performance drops have been overcome by engineering work since then. By how much? We don’t know yet.
If you’re an average PC user, Microsoft’s decision probably benefits you. Gamers, though, should probably consider switching this feature off when they begin gaming. Or use Windows 10 instead.
Microsoft shipped the Windows 11 2022 Update on Tuesday, with additional security features like Smart App Control. Our review of the Windows 11 2022 Update notes that Microsoft has focused more on behind-the-scenes features like accessibility and security, rather than more popular features like the Taskbar.