|
| 1 | +--- |
| 2 | +title: How to block users from running Hyper-V and VMware virtual machines on workstation-class computers |
| 3 | +description: Describes how to block users from installing Hyper-V or other virtualization software on specified computers. |
| 4 | +ms.date: 08/15/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika |
| 9 | +ms.custom: |
| 10 | +- sap:virtualization and hyper-v\installation and configuration of hyper-v |
| 11 | +- pcy:WinComm Storage High Avail |
| 12 | +--- |
| 13 | + |
| 14 | +# How to block users from running Hyper-V and VMware virtual machines on workstation-class computers |
| 15 | + |
| 16 | +This article provides guidance on how to use Windows PowerShell or Group Policy to block users from running virtualization software, such as Hyper-V and VMware, on workstation-class computers. These procedures apply to scenarios in which the you want to prevent such software from running, regardless of a user's administrative rights, on both domain-joined and non-domain-joined computers. |
| 17 | + |
| 18 | +*Applies to:* Hyper-V Server 2019 |
| 19 | + |
| 20 | +## How to block virtualization services |
| 21 | + |
| 22 | +> [!IMPORTANT] |
| 23 | +> |
| 24 | +> - Before you make these changes in a production environment, test them in a lab environment. This step helps assure that the changes (especially Group Policy changes) produce the intended results and don't introduce operational issues. |
| 25 | +> - Make sure that you have Administrator permissions on the workstation computers. |
| 26 | +
|
| 27 | +### How to block the Hyper-V feature on a single computer |
| 28 | + |
| 29 | +1. On the computer, open an administrative Windows PowerShell window. |
| 30 | +1. Run the following cmdlets in sequence: |
| 31 | + |
| 32 | + ```powershell |
| 33 | + Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All |
| 34 | + bcdedit /set hypervisorlaunchtype off |
| 35 | + ``` |
| 36 | + |
| 37 | + The first cmdlet removes Hyper-V from the set of available optional features, and the second cmdlet prevents Hyper-V from running. |
| 38 | + |
| 39 | +### How to use Group Policy to block Hyper-V services on multiple computers |
| 40 | + |
| 41 | +To configure an appropriate policy, follow these steps: |
| 42 | + |
| 43 | +1. In the Group Policy Management Console (GPMC), navigate to or create a policy object that applies to the affected computers. |
| 44 | +1. Right-click the policy, and then select **Edit**. In the Group Policy Editor, select **Computer Configuration** > **Windows Settings** > **Security Settings** > **System Services**. |
| 45 | +1. Configure each service that's related to Hyper-V (for example, Hyper-V Virtual Machine Management). For each of these services, follow these steps: |
| 46 | + 1. Right-click the service, and then select **Properties**. |
| 47 | + 1. In the service **Properties** dialog box, select **Define this policy setting**, select **Disabled**, and then select **OK**. |
| 48 | +1. To propagate the policy change, restart all of the target computers. |
| 49 | + |
| 50 | +For more information about how to use Group Policy, see [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/). |
| 51 | + |
| 52 | +## How to use Group Policy to block VMware Workstation services |
| 53 | + |
| 54 | +To configure an appropriate policy, follow these steps: |
| 55 | + |
| 56 | +1. In the Group Policy Management Console (GPMC), navigate to or create a policy object that applies to the affected computers. |
| 57 | +1. Right-click the policy, and then select **Edit**. In the Group Policy Editor, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **System Services**. |
| 58 | +To block users from running VMware Workstation, follow these steps: |
| 59 | + |
| 60 | +1. **Create a new path rule in Software Restriction Policies**: |
| 61 | + |
| 62 | + 1. Open the Group Policy Management Console (GPMC), and go to **Computer Configuration** > **Policies** > **Policies** > **Windows Settings** > **Software Restriction Policies**. |
| 63 | + |
| 64 | + 1. If there aren't any software restriction policies, right-click **Software Restriction Policies**, and then select **New Software Restriction Policies**. |
| 65 | + 1. Right-click **Additional Rules**, and then select **New path rule**. |
| 66 | + 1. In the **Path** box, pecify the path to the VMware executable files (for example, type *C:\\Program Files (x86)\\VMware\\*, or type the path to specific .exe files). |
| 67 | + 1. Select **Security level**, and then select **Disallowed**. |
| 68 | + 1. Select **OK**. |
| 69 | +1. To propagate the policy change, restart all of the target computers. |
| 70 | + |
| 71 | +For more information about how to use Group Policy, see [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/). |
0 commit comments