VMware vSphere

  • 1.  Performance hit with VBS enabled

    Posted Jul 11, 2023 02:19 PM

    After enabling "Virtualization Based Security" in Windows 2019 VMs, it gives performance issues during group policy execution:

    While the general performance hit is as low as 1% or 2% on new hardware, it stays very significant during computer group policy execution. Group policy components which require only milliseconds to execute when VBS is turned off take multiple seconds or give a timeout on VMs with VBS enabled. Users notice login delays because of this.

    We do not notice these group policy execution delays on Windows 2019 VMs running on Hyper-V hosts, only on ESX hosts. Group policies, enabled VBS features, and all other factors are the same.

    VMware ESXi, 7.0.3, VM version 19, CPU hardware virtualization/io mmu & secure boot enabled.

    Is this expected behaviour with nested virtualization?



  • 2.  RE: Performance hit with VBS enabled

    Posted Feb 20, 2024 08:55 PM

    I was hoping to see some responses to this. Have you found a workaround? I have fully tested that VBS does indeed significantly increase the time to apply group policy on a Windows 10 machine. I have not tested Windows 11 fully yet, but it doesn't seem to have the same impact in early testing.



  • 3.  RE: Performance hit with VBS enabled

    Posted Mar 02, 2025 06:07 PM

    We very recently came across this issue, and for us we have tracked it down to the VM CLUSTER configuration. Specifically, the EVC CPU Mode. In our cluster we found that a historical setting where EVC CPU MODE was "Intel Broadwell Generation" was set to maintain consistency across our cluster. HOWEVER - VBS requires "Intel Skylake Generation" to be set (or left as DISABLED), otherwise you will see a performance hit on the Windows VM. Maybe check that setting out on your vCenter Clusters?

    https://www.vmware.com/docs/vsphere-esxi-vcenter-server-80-performance-best-practices

    (See page 56) If Hypervisor-Based Code Integrity will be activated in the guest OS, performance can be improved if the underlying hardware has Mode-Based Execution (MBX), a feature introduced in Intel Kaby Lake and Sky Lake processors.
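
One way to run the cluster check suggested in the last reply, as an added example that is not part of the thread or of VMware's documentation. It assumes VMware PowerCLI with an existing `Connect-VIServer` session; the list of pre-Skylake Intel EVC mode keys and the status labels are assumptions made for this example.

```powershell
# Added example: lists each cluster's EVC mode next to the VMs that have the
# "Virtualization Based Security" flag set, so VBS guests running under a
# pre-Skylake Intel EVC baseline stand out.
# Assumption: these are the Intel EVC mode keys older than Skylake.
$preSkylake = @(
    'intel-merom', 'intel-penryn', 'intel-nehalem', 'intel-westmere',
    'intel-sandybridge', 'intel-ivybridge', 'intel-haswell', 'intel-broadwell'
)

$report = foreach ($cluster in Get-Cluster) {
    $evc = $cluster.EVCMode   # empty when EVC is disabled on the cluster

    # VMs in this cluster with VBS enabled in their VM options
    $vbsVms = @(Get-VM -Location $cluster |
        Where-Object { $_.ExtensionData.Config.Flags.VbsEnabled })

    $status = if (-not $evc) {
        'EVC disabled'
    } elseif ($evc -in $preSkylake) {
        'Below Skylake'
    } else {
        'Skylake or later, or non-Intel'
    }

    [pscustomobject]@{
        Cluster    = $cluster.Name
        EVCMode    = if ($evc) { $evc } else { '(disabled)' }
        Status     = $status
        VbsVmCount = $vbsVms.Count
        VbsVms     = ($vbsVms | ForEach-Object { $_.Name }) -join ', '
    }
}

# Clusters that combine a pre-Skylake baseline with VBS-enabled guests first
$report |
    Sort-Object @{ Expression = { $_.Status -eq 'Below Skylake' -and $_.VbsVmCount -gt 0 }; Descending = $true }, Cluster |
    Format-Table -AutoSize -Wrap
```

Per-VM EVC settings, if used, are not covered by this cluster-level listing.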