none
Lock down Hyper-V on Windows 10 desktop

    Question

  • I'm interested in understanding if there's a way to lock down Hyper-V on a Windows 10 desktop platform. Especially, I want to know if there is a way to restrict access to the Hyper-V interface to just domain administrators, so that "normal" local administrators of the system cannot change Hyper-V configuration. Also, is there a way to lock down the Hyper-V configuration completely, so that only someone with a lockdown code, maybe some password or whatever, can unlock the configuration again. Basically I want to find a way to prevent a local administrator to modify Hyper-V settings. Is there a feasible way to do this? Many thanks for your thoughts.

    Thursday, September 13, 2018 1:51 PM

All replies

  • Hi,

    Thanks for your question.

    Generally, local "Administrators" group can have all the power of the "Hyper-V Administrators" to manager Hyper-V. We simply need to remove local administrator or other user you specifically restrict from “administrator” group on the Hyper-V host.


    Furthermore, regarding Hyper-v security, we can try the following articles to see if it helps.

    Virtualization Security Best Practices – How to Lockdown a Hyper-V Host

    https://blogs.technet.microsoft.com/tonyso/2008/05/28/virtualization-security-best-practices-how-to-lockdown-a-hyper-v-host/

    Security best practices for Microsoft Hyper-V installations

    https://searchwindowsserver.techtarget.com/tip/Security-best-practices-for-Microsoft-Hyper-V-installations

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, September 14, 2018 6:26 AM
  • Hi,

    Just want to confirm the current situations.

    Please let us know if you would like further assistance.

    Best Regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, September 17, 2018 1:09 PM
  • Hi Michael,

    thanks for your reply. I think the issue is the following:

    1) I'm talking about Hyper-V on a desktop system (Windows 10) 

    2) I cannot simply remove the Administrator group since I still need it for "normal" administrative operations. I just want to remove the rights to control Hyper-V, but still keep all other administrator rights for particular users. Basically I want that users can remain administrator, but not be able to configure Hyper-V.

    It seems to be a tricky questions.

    20 hours 17 minutes ago
  • Yes, I've got your concern. Please try to remove administrators from security permission of Hyper-V location path to see if it can work. Also could remove the control permission of local admin for VMs you want to restrict with this method.

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael

       

    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    4 hours 14 minutes ago
  • Hi Hyper-V Researcher,

    As stated in your other post:
    https://social.technet.microsoft.com/Forums/en-US/1f37bfcf-6538-401b-8923-b8085c070f94/lock-down-hyperv-on-windows-10-desktop?forum=winserverhyperv

    The users in the Hyper-V Administrators group, local Administrators group and Domain Administrator group will have the rights to manage Hyper-V, this cannot be changed. Unfortunately there is no possible way to lockdown Hyper-V the way you want it.

    Hope this information is useful.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    4 hours 8 minutes ago