Memory integrity in windows 11 pro guest OS / on or off?

Discussion in 'Windows Virtual Machine' started by FabianS7, Sep 7, 2022.

  1. TejK

    TejK Bit poster

    Messages:
    2
    "Our recommendation remains that for the best protection people keep features on." Memory Integrity helps to ensure that drivers being installed onto the operating system are trustworthy and protects your system from attacks using malicious code, while VMP provides core virtual machine services.
     
    JoelH1 and NigelGB like this.
  2. NigelGB

    NigelGB Junior Member

    Messages:
    11
    TejK
    Sorry I don't understand what you mean by your reply. You're saying nothing. There's no suggested solution.
     
  3. OlivierS2

    OlivierS2 Bit poster

    Messages:
    7
    I can see in both screenshots that you don't have the nested virtualization option altogether. Maybe you're running on Apple Silicon (M1, M2)? Or maybe on the contrary you have older hardware?
     
  4. OlivierS2

    OlivierS2 Bit poster

    Messages:
    7
    Well, I switched to the Parallels Hypervisor, and memory integrity then turns on. However the performance is terrible, makes the VM barely usable. Turning off memory integrity under the Parallels Hypervisor solves the performance issue.

    I guess nested virtualization has too much of a negative performance impact, at least with my setup. Giving up at this point, not worth it for me.

    BTW for those out there running with Parallels Hypervisor: until one year ago I was using it on my MBP, and regularly I would open the laptop in the morning just to find the battery fully drained; the computer would in fact wake up during sleep for no apparent reason (according to the logs) and not go to sleep again. Switching to the Apple hypervisor solved the issue.
     
  5. NigelGB

    NigelGB Junior Member

    Messages:
    11
    Hi OlivierS2,
    I already posted the details of my environment. Hardware details below. You can't get much newer Intel Silicon than that.
    Only a couple of years ago I was using Parallels Nested Virtualisation to test Ubuntu servers running Docker on my Macbook Pro 2013.
    System:
    - Macbook Pro 13" 2020 4 Thunderbolt 3 Ports
    - Processor: 2GHz Quad-Core Intel Core i5
    - Graphics: Intel Iris Plus Graphics 1536 MB
    - Memory: 16GB 3733 MHz LPDDR4X
     
  6. OlivierS2

    OlivierS2 Bit poster

    Messages:
    7
    Researching this issue a bit:
    - you need the Pro or Business edition of Parallels (https://kb.parallels.com/116239)
    - yesteryear you would need to set the VM type properly (e.g. "Windows 11" in the general tab of the VM configuration), worth checking out (https://kb.parallels.com/123844)
    - I haven't been able to test with PD 17 as you have, I have PD 18, but I doubt this should have an impact
    At this stage I would open a case with Parallels' support.
     
  7. NigelGB

    NigelGB Junior Member

    Messages:
    11
    Well that sucks.
    I've always had the standard desktop version and I used to use nested virtualisation all of the time for my server testing.
    So they've removed functionality and made it only available in the more expensive versions.
    Completely inexcusable.
    Guess it's time to look at VMWare Fusion instead.

    Thanks for making that clear.
     
  8. OlivierS2

    OlivierS2 Bit poster

    Messages:
    7
    FYI I experienced terrible performance with nested virtualization, and I believe this should be the same even with other products. In other words, it's not useful for everyday use, only for testing / researching. So I would suggest to not spend any money for that unless you know you need it.
     
  9. FabianS7

    FabianS7 Junior Member

    Messages:
    13
    i've noticed if i use the parallels hypervisor and enable nested virtualization on my 2018 intel core i7 mac mini w/ 64gb ram and latest mac os ventura 13.0.1, parallels version 18.0.3 (53079), my vm's performance really degrades quite poorly. once i turn off nested virt, it runs MUCH better, as i'm accustomed to.

    whether i force cpu & memory settings to manual or auto doesn't seem to matter. neither does which hypervisor i use, in terms of perceived performance. but that nested virt option hammers my VM badly.
     
  10. DENNISC11

    DENNISC11 Bit poster

    Messages:
    4
    has anyone found a solution to this? Is it okay to keep Memory Integrity off since it won't stay on anyway?
     
  11. NigelGB

    NigelGB Junior Member

    Messages:
    11
    I would also like to turn on Memory Integrity since it's a recommended security setting in Windows 11.
    It really sucks that Parallels have removed the ability to use Nested Virtualisation from the standard version.
    The height of laziness to try and force users to upgrade to the Pro version by stripping features from the standard version instead of putting in the work to develop must-have new features for the Pro version.
     
  12. DENNISC11

    DENNISC11 Bit poster

    Messages:
    4
    doesn't using nested virtualization degrade performance? i wonder if it's ok to leave it off. i contacted parallels and their solution was to remotely access my computer which i was not comfortable with.
     
  13. NigelGB

    NigelGB Junior Member

    Messages:
    11
    The short answer is yes, but that's a bit like saying putting a load on your flatbed is going to degrade the performance of your truck. It totally depends how heavy the load is.
    When I was doing web server testing and demonstration, I used to happily run Ubuntu server VMs running the site components in multiple Docker containers (like mini VMs) inside them. Later when we added support for running the servers on Windows, I was running Windows Server VMs using Hyper-V to host the server components.
    Both performed absolutely fine for testing and demonstration purposes. I did that for 5 years on a 2013 MacBook Pro with only 8G of RAM. One of our customers even ran their production server in VirtualBox on a MacBook Air because they needed it to be portable.
    So it totally depends on how much extra processing is required if you turn on Memory Integrity.
    TBH I can't imagine that's huge or Microsoft wouldn't be recommending it as a setting and all those Windows 11 users would be filling the forums with complaints about it killing the performance of their systems.
     
  14. JoelH1

    JoelH1 Member

    Messages:
    27
    I am trying to enable Memory Integrity (core isolation) and it looks like the process is working, says reboot required. But when I reboot, memory integrity is still disabled. Do you know of a fix?
     
  15. NigelGB

    NigelGB Junior Member

    Messages:
    11
    Hi Joel,
    I have the same problem. Unfortunately Windows 11 Memory Integrity requires you to enable nested virtualisation. (Basically the ability to run a VM within your VM)

    Nested virtualisation is something I used to use all of the time in the standard version of Parallels, to test Docker containers in Linux VMs. Sadly it's been removed and is now only available in the Pro version. TBH I think it's pretty disgusting that Parallels should take an existing feature out of the standard version and force you to buy a commercial subscription if you want to continue to use it. Especially now, when it's required to run a secure Windows 11 VM.

    Anyway ... my understanding is you need:
    - A Mac with an Intel processor
    - A Parallels Pro subscription

    If you have both of these:
    Go to the VM settings > Hardware > CPU & Memory ... Click the Advanced button
    Select the Parallels Hypervisor then (if you have a pro subscription) there should be an option to enable nested virtualisation.
    If you enable it, you should then be able to enable Memory Integrity in your Windows 11 VM and the setting should stick.

    * I can't justify switching to a Pro subscription just for this feature so I have not tested this personally.
    ** Whether or not this will continue to work in the future, I don't know. My understanding is that in future versions of OSX the Parallels hypervisor will not be supported. You may have seen the warnings for it when you upgrade OSX or Parallels. Something like: "Software on your system loaded a system extension which will be incompatible with a future version of MacOS. Contact the developer for support."
     
  16. JasonK13

    JasonK13 Bit poster

    Messages:
    2
    Just to note "nested virtualization" works with the Apple hypervisor as well, at least in Ventura. I had to switch to the Parallels one first to get that checkbox to enable but after that I was able to switch back to Apple and performance seems to be OK again. The memory integrity setting was still activated.
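
The symptom discussed in this thread (the Memory Integrity toggle is accepted, then shows as off after reboot) can be confirmed from inside the Windows 11 guest by comparing the configured state with what is actually running. This is an added example, not part of the original posts or of Parallels' documentation; the function name `Get-MemoryIntegrityState` is hypothetical, and it assumes an elevated PowerShell session in the guest.

```powershell
# Added example: report whether Memory Integrity (HVCI) is configured vs. running.
function Get-MemoryIntegrityState {
    # Device Guard / VBS status as reported by Windows itself.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Registry value set when the Core isolation > Memory integrity toggle is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $reg = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
        VbsStatus         = $dg.VirtualizationBasedSecurityStatus
        # Security service id 2 = hypervisor-enforced code integrity (Memory Integrity)
        HvciConfigured    = ($dg.SecurityServicesConfigured -contains 2) -or ($reg -eq 1)
        HvciRunning       = $dg.SecurityServicesRunning -contains 2
        # Security property id 1 = hypervisor support is available to this OS
        HypervisorSupport = $dg.AvailableSecurityProperties -contains 1
    }
}

function Get-MemoryIntegrityDiagnosis {
    param([Parameter(Mandatory)] $State)

    if ($State.HvciRunning) {
        return 'Memory Integrity is running.'
    }
    if ($State.HvciConfigured -and -not $State.HypervisorSupport) {
        # Matches the thread: the setting is stored, but the guest has no
        # virtualization support exposed to it (nested virtualization is off).
        return 'Configured but not running: no hypervisor support visible in the guest.'
    }
    if ($State.HvciConfigured) {
        return 'Configured but not running: check for incompatible drivers or a pending reboot.'
    }
    return 'Memory Integrity is not configured.'
}

$state = Get-MemoryIntegrityState
$state | Format-List
Get-MemoryIntegrityDiagnosis -State $state
```

Running it before and after changing the hypervisor or nested virtualization setting in the VM configuration shows whether the change took effect in the guest, rather than relying on the Windows Security toggle alone.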
     
