1. Requirements
1.1. Hardware
-
Note: If all listed Hyper-V requirements have a value of Yes, the system can run the Hyper-V role.
-
Log on as <User>.
-
Start Command Prompt.
-
Type systeminfo.exe and press Enter.
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes
If a hypervisor is already running, the output is instead:
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
-
Close Command Prompt.
2. Uninstallation
-
Log on as Administrator.
-
Start Windows Features (OptionalFeatures.exe).
-
Uncheck Hyper-V.
-
Uncheck Hyper-V > Hyper-V Management Tools.
-
Uncheck Hyper-V > Hyper-V Platform.
□ Hyper-V
    □ Hyper-V Management Tools
        □ Hyper-V GUI Management Tools
        □ Hyper-V Module for Windows PowerShell
    □ Hyper-V Platform
        □ Hyper-V Hypervisor
        □ Hyper-V Services
-
Click OK.
-
Click Don’t restart.
-
Optional: Close Windows Features.
-
See https://faronics.kayako.com/article/609-how-to-disable-core-isolation.
-
See https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html.
-
See https://www.reddit.com/r/Amd/comments/1fums7b/psa_disabling_memory_integrity_in_windows_11_24h2.
-
See https://www.anoopcnair.com/disable-virtualization-based-security-windows.
-
See https://www.reddit.com/r/virtualbox/comments/1ixyt16/virtualbox_on_windows_11_24h2.
-
See https://community.broadcom.com/discussion/how-to-disable-hyper-v-in-windows-11-24h2.
-
See https://forums.virtualbox.org/viewtopic.php?p=546150#p546150.
-
See https://forums.virtualbox.org/viewtopic.php?f=1&t=62339.
-
See https://community.broadcom.com/discussion/windows-11-24h2-hsot-how-to-disable-virtual-based-security.
-
Restart the computer.
-
Before the OS boots, a prompt appears stating that the UEFI configuration was modified and asking for confirmation. (Press F3, then press Enter to continue.)
-
-
See https://michlstechblog.info/blog/windows-disable-device-guard-virtualization-based-security.
Credential Guard Opt-out Tool

Do you want to disable Credential Guard?
Disabling this functionality can allow malware to read the password and other credentials of all users signing on to Windows.
For the correct action in your organization, contact your administrator before disabling protection.
Press the Windows key or F3 to disable Credential Guard, ESC to skip this step.

Virtualization Based Security Opt-out Tool

Do you want to disable Virtualization Based Security?
Disabling this functionality changes the security configuration of Windows.
For the correct action in your organization, contact your administrator before disabling.
Press the Windows key or F3 to disable protection, ESC to skip this step.

Credential Guard Opt-out Tool

Successfully chose to opt out of Credential Guard
Press any key to continue
PS 2025-05-06 01:11:31 Administrator@TBHFWS-IT01 C:\Users\Douwe\Downloads\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Disable

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        2025-05-06     01:11                DGLogs
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Disabling Device Guard and Credential Guard
Deleting RegKeys to disable DG/CG
ERROR: The system was unable to find the specified registry key or value.
ERROR: The system was unable to find the specified registry key or value.
del : Cannot find path 'C:\WINDOWS\System32\CodeIntegrity\SIPolicy.p7b' because it does not exist.
At line:1 char:1
+ del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\WINDOWS\Syst...ty\SIPolicy.p7b:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand
Disabling Hyper-V and IOMMU
Disabling Hyper-V and IOMMU successful
Please reboot the machine, for settings to be applied.
PS 2025-05-06 01:11:48 Administrator@TBHFWS-IT01 C:\Users\Douwe\Downloads\dgreadiness_v3.6>
-
Open Settings with administrative privileges.
-
Select Privacy & security.
-
Select Windows Security.
-
Select Device security.
-
Select Core isolation details.
-
Disable Memory integrity.
-
Disable Local Security Authority protection.
-
Disable Microsoft Vulnerable Driver Blocklist.
-
Close Settings.
-
Enter the following commands at a Command Prompt with administrative privileges.
bcdedit
bcdedit /set hypervisorlaunchtype off
bcdedit
-
Restart the computer.
-
Try setting all of these keys to 0 first; if that fails, delete the keys.
-
Enter the following commands at a Command Prompt with administrative privileges.
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows" /v "RequireMicrosoftSignedBootChain" /t REG_DWORD /d 0 /f
REM Delete the key DeviceGuard
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "CachedDrtmAuthIndex" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequireMicrosoftSignedBootChain" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello" /v "Enable" /t REG_DWORD /d 0 /f
-
Next, disable Credential Guard from a Command Prompt.
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off
dism /online /disable-feature /featurename:Microsoft-hyper-v-all

2024-11-21 17:32:51 Administrator@TBHFWS-IT01 C:\Users\Administrator> bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume4
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {11b2ea0a-a647-11ef-bc49-e454e864c232}
displayorder            {current}
bootsequence            {0cb3b571-2f2e-4343-a879-d86a476d7215}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 11
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {11b2ea0d-a647-11ef-bc49-e454e864c232}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {11b2ea0a-a647-11ef-bc49-e454e864c232}
nx                      OptIn
bootmenupolicy          Standard
hypervisorlaunchtype    Off
vsmlaunchtype           Off
-
Open File Explorer.
-
Select the C:\Windows\System32\CodeIntegrity\CIPolicies\Active folder.
-
Close File Explorer.
Open-TrustedInstaller
cd C:\Windows\System32\CodeIntegrity\CIPolicies\Active
dir
move {0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.cip {0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.cip.disabled
move {0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip {0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip.disabled
move {1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.cip {1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.cip.disabled
move {1678656C-05EF-481F-BC5B-EBD8C991502D}.cip {1678656C-05EF-481F-BC5B-EBD8C991502D}.cip.disabled
move {1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip {1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip.disabled
move {2678656C-05EF-481F-BC5B-EBD8C991502D}.cip {2678656C-05EF-481F-BC5B-EBD8C991502D}.cip.disabled
move {784C4414-79F4-4C32-A6A5-F0FB42A51D0D}.cip {784C4414-79F4-4C32-A6A5-F0FB42A51D0D}.cip.disabled
move {A072029F-588B-4B5E-B7F9-05AAD67DF687}.cip {A072029F-588B-4B5E-B7F9-05AAD67DF687}.cip.disabled
dir
-
See https://forums.virtualbox.org/viewtopic.php?t=112517&sid=c91e35e84d57853d2845098ef9ca5f53&start=15.
AMD:   C:\Windows\System32\hvax64.exe
Intel: C:\Windows\System32\hvix64.exe
-
See https://stackoverflow.com/questions/62334630/translating-domain-username-into-a-sid.
-
Note: Moving the files will make "sfc.exe /scannow" detect they are missing and it will restore the files.
-
Note: Zeroing the files will make "sfc.exe /scannow" detect that the hashes don’t match and it will restore the files.
-
Note: Changing the permissions using icacls.exe doesn’t disable the files.
move C:\Windows\System32\hvix64.exe C:\Windows\System32\hvix64.org
move C:\Windows\System32\hvax64.exe C:\Windows\System32\hvax64.org
# Overwrite the file with zero bytes, keeping its original length.
$Path = "C:\Windows\System32\hvix64.exe"
$ByteLength = [System.IO.File]::ReadAllBytes($Path).Length
[Byte[]] $EmptyBytes = 1..$ByteLength | ForEach-Object { 0x00000000 }
[System.IO.File]::WriteAllBytes($Path, $EmptyBytes)

# Translate the well-known account names to SIDs for use with icacls.exe.
$User = "ALL APPLICATION PACKAGES"
$NTAccount = New-Object -TypeName System.Security.Principal.NTAccount($User)
$Sid = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier]).ToString()
$Sid # S-1-15-2-1

$User = "ALL RESTRICTED APPLICATION PACKAGES"
$NTAccount = New-Object -TypeName System.Security.Principal.NTAccount($User)
$Sid = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier]).ToString()
$Sid # S-1-15-2-2
Open-TrustedInstaller
dir C:\Windows\System32\hv?x64.*
icacls.exe C:\Windows\System32\hv?x64.exe
C:\Windows\System32\hvax64.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(RX)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Users:(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

C:\Windows\System32\hvix64.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(RX)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Users:(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "NT SERVICE\TrustedInstaller":RW
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "BUILTIN\Administrators":R
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "NT AUTHORITY\SYSTEM":R
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "BUILTIN\Users":R
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "*S-1-15-2-1":R
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "*S-1-15-2-2":R

icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "NT SERVICE\TrustedInstaller"
icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "BUILTIN\Administrators"
icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "NT AUTHORITY\SYSTEM"
icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "BUILTIN\Users"
icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "*S-1-15-2-1"
icacls.exe C:\Windows\System32\hv?x64.exe /remove:g "*S-1-15-2-2"

icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "BUILTIN\Administrators":W
icacls.exe C:\Windows\System32\hv?x64.exe /deny "NT SERVICE\TrustedInstaller":RX
icacls.exe C:\Windows\System32\hv?x64.exe /deny "BUILTIN\Administrators":RX
icacls.exe C:\Windows\System32\hv?x64.exe /deny "NT AUTHORITY\SYSTEM":RX
icacls.exe C:\Windows\System32\hv?x64.exe /deny "BUILTIN\Users":RX
icacls.exe C:\Windows\System32\hv?x64.exe /deny "*S-1-15-2-1":RX
icacls.exe C:\Windows\System32\hv?x64.exe /deny "*S-1-15-2-2":RX

# Restore to original permissions.
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "NT SERVICE\TrustedInstaller":F
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "BUILTIN\Administrators":RX
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "NT AUTHORITY\SYSTEM":RX
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "BUILTIN\Users":RX
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "*S-1-15-2-1":RX
icacls.exe C:\Windows\System32\hv?x64.exe /grant:r "*S-1-15-2-2":RX

icacls.exe C:\Windows\System32\hv?x64.exe
C:\Windows\System32\hvax64.exe NT SERVICE\TrustedInstaller:(R,W)
                               BUILTIN\Administrators:(R)
                               NT AUTHORITY\SYSTEM:(R)
                               BUILTIN\Users:(R)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(R)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(R)

C:\Windows\System32\hvix64.exe NT SERVICE\TrustedInstaller:(R,W)
                               BUILTIN\Administrators:(R)
                               NT AUTHORITY\SYSTEM:(R)
                               BUILTIN\Users:(R)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(R)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(R)
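To see which protections the steps in this section actually changed, and to keep a record for turning them back on, the state can be read back before the changes and again after the reboot. This is an added example, not part of the original page; the function names Get-RegValue and Get-VbsState and the output file name are assumptions, and it only reads the registry values, boot entry settings and Windows feature named above, plus the Win32_DeviceGuard CIM class.

```powershell
# Added example: snapshot the virtualization-based security state of this host.
# Run in an elevated PowerShell session, before the changes and after the reboot.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { '(not set)' } else { $item.$Name }
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    # Value maps for Win32_DeviceGuard. CIM returns UInt32, so cast to [int]
    # before using a value as a hashtable key.
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $svcText = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }
    $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } |
        ForEach-Object {
            $id = [int]$_
            if ($svcText.ContainsKey($id)) { $svcText[$id] } else { "Service id $id" }
        })

    # Boot entry values that this page sets with bcdedit.
    $bcd = @{}
    foreach ($line in (bcdedit.exe /enum '{current}')) {
        if ($line -match '^(hypervisorlaunchtype|vsmlaunchtype)\s+(\S+)') {
            $bcd[$Matches[1]] = $Matches[2]
        }
    }

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        Taken                = (Get-Date).ToString('s')
        HypervisorPresent    = (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
        HyperVFeature        = [string](Get-WindowsOptionalFeature -Online `
                                   -FeatureName Microsoft-Hyper-V-All).State
        VbsStatus            = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning      = $running -join ', '
        EnableVbsRegistry    = Get-RegValue $dgKey  'EnableVirtualizationBasedSecurity'
        LsaCfgFlags          = Get-RegValue $lsaKey 'LsaCfgFlags'
        HypervisorLaunchType = $bcd['hypervisorlaunchtype']
        VsmLaunchType        = $bcd['vsmlaunchtype']
    }
}

# Keep a dated record so the original configuration can be restored later.
$state = Get-VbsState
$state | Format-List
$state | ConvertTo-Json |
    Set-Content -Path ".\vbs-state-$(Get-Date -Format yyyyMMdd-HHmmss).json"
```

Comparing the two JSON files shows which of the alternative methods in this section took effect, and which protections need to be switched back on when the host no longer needs a third-party hypervisor.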
3. Installation
-
Log on as Administrator.
-
Start Windows Features (OptionalFeatures.exe).
-
Check Hyper-V.
-
Check Hyper-V > Hyper-V Management Tools.
-
Check Hyper-V > Hyper-V Platform.
■ Hyper-V
    ■ Hyper-V Management Tools
        ■ Hyper-V GUI Management Tools
        ■ Hyper-V Module for Windows PowerShell
    ■ Hyper-V Platform
        ■ Hyper-V Hypervisor
        ■ Hyper-V Services
-
Click OK.
-
Click Don’t restart.
-
Optional: Close Windows Features.
-
Restart the computer.
4. Configuration
-
Start Hyper-V Manager with administrative privileges.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Action > Hyper-V Settings.
-
Select the Server > Virtual Hard Disks tab.
D:\Hyper-V
-
Optional: Click Apply.
-
Select the Server > Virtual Machines tab.
D:\Hyper-V
-
Click Apply.
-
Click OK.
-
Close Hyper-V Manager.
4.1. Virtual Switch
-
Note: If an External Virtual Switch is created, the static IP address needs to be reconfigured on the Hyper-V Virtual Ethernet Adapter.
-
See https://msdn.microsoft.com/virtualization/hyperv_on_windows/quick_start/walkthrough_virtual_switch.
-
Start Hyper-V Manager with administrative privileges.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Action > Virtual Switch Manager.
-
Select Virtual Switches | New virtual network switch.
-
Select External.
-
Click Create Virtual Switch.
-
Type External Virtual Switch in the Name field.
-
Choose External network.
-
Select the network adapter on the host system.
-
Check Allow management operating system to share this network adapter.
-
Click Apply.
-
Click Yes to continue.
-
Click OK.
-
Close Hyper-V Manager.
5. Remote Management
-
Enter the following commands at a PowerShell Command Prompt with administrative privileges.
$Null = sc.exe config WinRM start= delayed-auto
Start-Service -DisplayName "Windows Remote Management (WS-Management)"
Enable-NetFirewallRule -Direction Inbound -DisplayGroup "Windows Remote Management"
6. Usage
6.1. Create Virtual Machine
-
Start Hyper-V Manager.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Action > New > Virtual Machine.
-
Click Next.
-
Type <Name> in the Name field.
-
Check Store the virtual machine in a different location.
D:\Hyper-V\
-
Click Next.
-
Choose Generation 1.
-
Click Next.
-
Type 2048 in the Startup memory: field.
-
Uncheck Use Dynamic Memory for this virtual machine.
-
Click Next.
-
Note: The switch name shown here depends on the name you gave the External Virtual Switch when you created it.
-
Select Connection: | External Virtual Switch.
-
Click Next.
-
Choose Create a virtual hard disk.
Name: <Computer Name>.vhdx
Location: D:\Hyper-V\<Computer Name>\Virtual Hard Disks
Size: 50 GB
-
Click Next.
-
Choose Install an operating system from a bootable CD/DVD-ROM.
-
Choose Image file (.iso):.
○ Install an operating system later
● Install an operating system from a bootable CD/DVD-ROM
    Media
    ○ Physical CD/DVD drive:
    ● Image file (.iso): <Image>.iso
○ Install an operating system from a bootable floppy disk
○ Install an operating system from a network-based installation server
-
Click Next.
-
Click Finish.
-
Close Hyper-V Manager.
6.2. Edit Virtual Machine Settings
-
Start Hyper-V Manager.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Virtual Machines | <Computer Name>.
-
Select Action > Settings.
-
Select Management > Automatic Start Action.
-
Choose Always start this virtual machine automatically.
-
Type 30 in the Startup delay field.
-
Close Hyper-V Manager.
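The wizard steps in sections 6.1 and 6.2 can also be scripted with the Hyper-V PowerShell module, which makes the settings repeatable and reviewable. This is an added example, not part of the original page; the function name New-LabVM and its parameter names are assumptions, and the defaults are the values used in the steps above.

```powershell
# Added example: scripted equivalent of sections 6.1 and 6.2.
# Requires the Hyper-V Module for Windows PowerShell and an elevated session.
function New-LabVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $IsoPath,
        [string] $Root       = 'D:\Hyper-V',
        [string] $SwitchName = 'External Virtual Switch'
    )
    $ErrorActionPreference = 'Stop'

    # Fail early instead of leaving a half-built virtual machine behind.
    if (-not (Test-Path -LiteralPath $IsoPath -PathType Leaf)) {
        throw "ISO image not found: $IsoPath"
    }
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        throw "Virtual switch not found: $SwitchName"
    }
    if (Get-VM -Name $Name -ErrorAction SilentlyContinue) {
        throw "A virtual machine named '$Name' already exists."
    }

    # 6.1: Generation 1, 2048 MB startup memory, 50 GB disk, external switch.
    $vhd = Join-Path $Root "$Name\Virtual Hard Disks\$Name.vhdx"
    New-VM -Name $Name -Generation 1 -Path $Root `
           -MemoryStartupBytes 2048MB `
           -NewVHDPath $vhd -NewVHDSizeBytes 50GB `
           -SwitchName $SwitchName | Out-Null

    # 6.1: Use Dynamic Memory is unchecked in the wizard.
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $false

    # 6.1: boot from the ISO image (Generation 1 VMs get a DVD drive by default).
    Get-VMDvdDrive -VMName $Name | Set-VMDvdDrive -Path $IsoPath

    # 6.2: always start automatically, with a 30 second startup delay.
    Set-VM -Name $Name -AutomaticStartAction Start -AutomaticStartDelay 30

    # Return the resulting settings so they can be checked against the page.
    Get-VM -Name $Name | Select-Object Name, Generation, MemoryStartup,
        DynamicMemoryEnabled, AutomaticStartAction, AutomaticStartDelay
}

# Example call with placeholder values:
# New-LabVM -Name '<Name>' -IsoPath 'C:\Tmp\<Image>.iso'
```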
6.3. Export Virtual Machine
-
Start Hyper-V Manager.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Virtual Machines | <VM Name>.
-
Optional: Delete any Checkpoint.
-
Right-click Checkpoints | Automatic Checkpoint and select Delete Checkpoint.
-
Click Delete.
-
-
Select Action > Export.
Location: C:\Tmp
-
Click Export.
-
Close Hyper-V Manager.
6.4. Import Virtual Machine
-
Start Hyper-V Manager.
-
Select Hyper-V Manager > <Computer Name>.
-
Select Action > Import Virtual Machine.
-
Uncheck Do not show this page again.
-
Click Next.
Folder: C:\Tmp\<Computer Name>
-
Click Next.
-
Select <VM Name>.
-
Click Next.
-
Choose Copy the virtual machine (create a new unique ID).
-
Click Next.
-
Check Store the virtual machine in a different location.
Virtual machine configuration folder: D:\Hyper-V\<Computer Name>
Checkpoint store: D:\Hyper-V\<Computer Name>\Snapshots
Smart Paging folder: D:\Hyper-V\<Computer Name>
-
Click Next.
Location: D:\Hyper-V\<Computer Name>\Virtual Hard Disks
-
Click Next.
-
Note: If you get the error message The following configuration errors were found for virtual machine 'TBHF-UNF-<Site>', copy the C:\Tmp\<Computer Name>\TBHF-UNF-<Site>.vhdx file to the D:\Hyper-V\<Computer Name>\Virtual Hard Disks folder.
-
Choose Use virtual hard disk.
D:\Hyper-V\TBHF-UNF-<Site>\Virtual Hard Disks\TBHF-UNF-<Site>.vhdx
-
Click Next.
-
Click Finish.
-
-
Click OK to ignore the error message Could not find Ethernet switch.
-
Select Connection: | External Virtual Switch.
-
Click Next.
-
Click Finish.
-
Close Hyper-V Manager.