I have yet to see a system whose default configuration enables MMU and directed I/O virtualization. Often this necessitates rebooting and going into the BIOS to enable it if you want, e.g., 64-bit support on your VMs.
Is there some kind of substantial processor overhead that occurs if this is switched on and you're not using virtualization? If not, then what's the reason for it being off by default?
There were some proof-of-concept rootkits like Blue Pill a while back that could own a system with VT on. After this discovery, most vendors began shipping their units with VT disabled as a general security precaution.
All the server blades we buy have virtualization enabled by default. It may be because our vendor has made a commercial decision to do so to save on so many support calls.
It is not disabled because of a processor hit, but depending on what it is being used for. It may be off by default, because enabling these features may affect peripheral access.
Note that according to this other thread, it also seems to have some impact on performance: https://superuser.com/questions/545101/why-does-hp-recommend-that-i-keep-hardware-virtualization-off
It seems relevant to me, since a reduced set of instructions is more efficient. I just wouldn't have thought that changing a BIOS option could directly affect this.
I have no idea whether the impact is significant or not, but considering this and the potential security flaw, having such a rarely used feature disabled by default looks like a good choice to me.
Another reason is that most user kernel functions (like gettimeofday) are moved into the vDSO.
Sometimes under virtualization this fast path cannot be enabled.
so the system cannot:
In addition to the security concerns raised in @MDMarra's answer, you should consider two additional points:
1. Any enabled optional feature has a small probability of having some nasty and unexpected interactions with other functionality, requiring additional validation. PC vendors hate to spend resources on rarely used features, and client-side virtualization is one of them.
2. I strongly suspect that due to #1, Intel's basic client firmware/BIOS blob has VT disabled. So any vendor shipping a VT-enabled client needs to customize that option when preparing its firmware.
That said, we are now in 2019; I see more clients with VT enabled by default. Servers are an entirely different matter: I not only always found VT enabled, but VT-d is also often active.