A customer observed that PVS target device boot statistics, viewed in status tray tool, showed low throughput and a long boot time on existing target devices. Testing a new vdisk, minimal install with just PVS target device software and not domain joined, showed much quicker boot time and higher throughput.

Machines without secure boot enabled, removing the RunAsPPL registry key is sufficient to disable the feature.

Machines with UEFI secure boot enabled, in addition to removing the RunAsPPL registry key, also requires additional work completed on each machine, to opt out at the firmware level of the machine, using the Local Security Authority (LSA) Protected Process Opt-out tool to delete the UEFI variable

Problem Cause

The source of the behaviour was found to be a registry key which configured additional LSA protection.
HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa
DWORD named RunAsPPL.
Value data set to 1
 

With the key configured, the feature enabled, windows at boot time will verify all system drivers at boot time.
This will increase the amount of data which needs to be streamed to the target device during the boot stage, and also delay booting while this data is read and drivers verified.

As PVS vdisk are readonly the additional boot time integrity checking creates additional overhead at boot time without benefit (as boot to boot there will be no change in PVS vdisk)