Hello,

I had memory integrity enabled in windows defender, and in benchmarks , i had lower performances.

Just to understand if i could improve performance somehow, i found interesting things like:


<<To have better performance and security require MBEC from intel and amd 7th generation.>>

Here are different articles, speaking about HVCI:

The potential performance Impact of Device Guard (HVCI)

http://borec.ch/the-potential-performance-impact-of-device-guard-hvci/

Borec/Borec's Legacy meets Modern Device Management Blog/ August 5 2018

<<the eureka moment came when turning of virtualization in the firmware. We now had a fast and responsive machine. In fact it was approximately 30-40% faster! (Based on a number of user scenario based tests, e.g file copy, application open, zip extraction, math calculations etc).
What could it be? Credential Guard just protects credentials and KMCI just checks that the drivers are signed?
Further investigation showed us that HVCI was to blame.
After an escalation to Microsoft we received a response to check if we had 7th gen CPUs together with a screen shot of the new features added by Intel and a comment along the lines of “Apparently you need this feature”. They were referring to MBEC.>>




What is Windows Defender Application Control?
https://www.petri.com/what-is-windows-defender-application-control

Petri ITknowledgeBase/ Russell Smith/ September 7, 2018


Why my 7-year old Windows 10 laptop became unbearably slow
https://www.ctrl.blog/entry/slow-windows-hvci.html

<<Turning off this feature immediately resolved all my performance and bluescreening problems. You can find the Off switch in the Windows Security app: Device Security: Core Isolation: Memory Integrity. Notably, if I try to turn Memory Integrity back on again I’m greeted with an error message that says:

“Memory integrity can’t be started. There may be an incompatibility on your device.”

It turns out that neither the Trusted Platform Module (TPM) or my processor meets the minimum feature requirements to run this feature. Then how, you may ask, was it enabled by default in the first place?>>

Daniel Aleksandersen/Ctrl.blog/2019-07-17


Microsoft Releases Standards for Highly Secure Windows 10 Devices
https://www.bleepingcomputer.com/news/security/microsoft-releases-standards-for-highly-secure-windows-10-devices/

BleepingComputers/Lawrence Abrams/ november 6 2017

<<For processor generation, Microsoft recommends that users use Intel & AMD 7th Generation processors. When questioning these requirements, Windows Offensive Security Team and Windows Device Security manager Dave Weston stated that the 7th generation CPUs contained Mode based execution control (MBEC), which provides further kernel security.>>

What microsoft forgot to tell us, is without MBEC from 7th gen processors,
Performance would decrease.

New windows 10 install if drivers are updated to allow HVCI to run, will have Memory Integrity on by default.

That is a good thing for a security purpose, but in my case, my 4670k already crippled by a very very small margin by spectre and meltdown patrch + bios i moded with ubu tools

If i enable memory integrity, it's hardware chaos, with dx12 games, taking long time to load ( bf5 and 1) requiring minutes and minutes waiting time.

Performance drop in benchmarks..

But i won't blame microsoft, as any security improvements are welcome.

Only angry position i have, is they don't tell us inside windows defender setting, you need 7Th gen cpu to have better performance, and potential security increase

That's a bit disgusting.

Thanks Microsoft for hidding this information under obscure docs, and scheme, users like me would never try to find or read.