When Windows 11 was first announced, there was a lot of annoyance over the stringent system requirements Microsoft introduced for it. Only modern microprocessors from AMD and Intel were supported, as they were said to possess enhanced security support compared to previous generation CPUs, namely Intel 7th Gen "Kaby Lake" and AMD Zen (Ryzen 1000) or older.
However, Microsoft has found that there are issues on supported CPUs that come with the Vectorized AES (VAES) instruction set. The company notes that such Windows 11 and Windows Server 2022 devices are "susceptible to data damage". The Advanced Encryption Standard (AES) instructions are meant to accelerate data encryption, so any bugs in them are bound to adversely impact device data.
Here is how Microsoft describes the issue:
Windows devices that support the newest Vector Advanced Encryption Standard (AES) (VAES) instruction set might be susceptible to data damage. The affected Windows devices use one of the following on new hardware:
- AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS)
- AES with Galois/Counter Mode (GCM) (AES-GCM)
The good news is that Microsoft has resolved the issue via the earlier Windows updates KB5014746 and KB5014019. Users should expect a performance impact on BitLocker, TLS, and disk throughput after installing the workaround updates. The company says that users can expect up to a two times (2x) slowdown in AES performance.
To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release). The scenarios that might have performance degradation include:
- BitLocker
- Transport Layer Security (TLS) (specifically load balancers)
- Disk throughput, especially for enterprise customers
Symptoms
- AES-based operations might be two times (2x) slower after installing the Windows update for the May 24, 2022 preview release or the June 14, 2022 security release.
You can find more details on Microsoft's official website where the issue is described under support article KB5017259.
Microsoft has not provided an official list of CPUs that are affected, so we did a bit of digging around of our own. The VAES instruction was introduced in 2018, which means all the Windows 11-supported processor models are certainly impacted by this issue.
From deep within the interwebs, we discovered that Intel CPUs starting from the 10th Gen Ice Lake 10nm mobile chips are affected, as they introduced the VAES instructions for the first time with their new Sunny Cove design. This was a big move from Intel as it was finally moving on from 2015's Skylake architecture and its iterations. Over on the AMD side, the Zen 3-based Ryzen 5000 series desktop SKUs as well as Ryzen 5000 mobile parts are hit.
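With no official CPU list, whether a given machine exposes VAES can be read from its CPUID feature bits. The C program below is an added example, not code from Microsoft or the original article; it assumes GCC or Clang on x86 (`<cpuid.h>`), and the function and constant names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* Feature bits as documented in the Intel and AMD CPUID references. */
#define LEAF1_ECX_AESNI      (1u << 25) /* CPUID.01H:ECX[25]            */
#define LEAF7_ECX_VAES       (1u << 9)  /* CPUID.(EAX=07H,ECX=0):ECX[9]  */
#define LEAF7_ECX_VPCLMULQDQ (1u << 10) /* CPUID.(EAX=07H,ECX=0):ECX[10] */

enum { F_AESNI = 1, F_VAES = 2, F_VPCLMULQDQ = 4 };

/* Pure decoder (hypothetical helper). max_leaf is CPUID.0:EAX; leaf 7 data
 * is only meaningful when the CPU reports max_leaf >= 7. */
unsigned decode_aes_features(uint32_t max_leaf, uint32_t leaf1_ecx,
                             uint32_t leaf7_ecx)
{
    unsigned f = 0;
    if (max_leaf >= 1 && (leaf1_ecx & LEAF1_ECX_AESNI)) f |= F_AESNI;
    if (max_leaf >= 7) {
        if (leaf7_ecx & LEAF7_ECX_VAES)       f |= F_VAES;
        if (leaf7_ecx & LEAF7_ECX_VPCLMULQDQ) f |= F_VPCLMULQDQ;
    }
    return f;
}

/* Query the running CPU. Returns 0 on non-x86 builds. */
unsigned query_aes_features(void)
{
#ifdef HAVE_CPUID
    unsigned a = 0, b = 0, c1 = 0, c7 = 0, d = 0;
    unsigned max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf >= 1) __get_cpuid(1, &a, &b, &c1, &d);
    if (max_leaf >= 7) __get_cpuid_count(7, 0, &a, &b, &c7, &d);
    return decode_aes_features(max_leaf, c1, c7);
#else
    return 0;
#endif
}

int main(void)
{
    unsigned f = query_aes_features();
    printf("AES-NI:     %s\n", (f & F_AESNI) ? "yes" : "no");
    printf("VAES:       %s\n", (f & F_VAES) ? "yes" : "no");
    printf("VPCLMULQDQ: %s\n", (f & F_VPCLMULQDQ) ? "yes" : "no");
    return 0;
}
```

A "yes" for VAES only says the CPU has the instruction set named in Microsoft's advisory; whether the installed Windows build already carries the fix is a separate check against the update history.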
Interestingly, this isn't the first time that users have faced performance issues with supported Windows 11 processors. Last year, it was revealed that Virtualization-based Security (VBS) was causing a crippling impact in games even on supported chips.
Update: Added more CPU families impacted by the issue:
- You can navigate through all the impacted Ice Lake CPUs using this tag here.
- Likewise, you can also find the other Zen 3-based CPUs using this tag here.
- Zen CPUs with 3D V-cache are also affected. These include the Ryzen 7 5800X3D and the EPYC Milan-X CPUs.