How to disable Hyper-V for Windows 11

What is Hyper-V?

Hyper-V is a hardware virtualization platform built into certain Windows editions, including Windows 11 Professional, Enterprise and Education. Hyper-V enables a Windows computer to host one or more virtual machines, with each VM running in its own virtual space. The platform is based on the Windows hypervisor, a type 1 hypervisor that runs directly on a computer's hardware, rather than a software-based type 2 hypervisor such as VMware Workstation or Oracle VirtualBox.

Hyper-V creates an abstraction layer on top of the computer's hardware, enabling multiple VMs to share the underlying CPU, memory, storage and networking resources. Each VM operates like its own computer, independent of the other VMs hosted on that machine. The VM runs a guest OS, such as Windows Server or Red Hat Enterprise Linux, along with applications that run on that OS.

Hyper-V also includes features such as dynamic memory allocation, software-defined networking for VM connectivity, saved checkpoints for easy rollback, and a graphical interface for creating and managing the VMs.

Although Hyper-V offers several advantages, the platform can sometimes interfere with other apps, as in the following situations:

• Third-party virtualization software, such as VMware Workstation and Oracle VirtualBox, might not work properly when Hyper-V is enabled because the hardware virtualization extensions are not designed to be shared.
• When virtualization is enabled, the host OS runs on top of the Hyper-V virtualization layer, much like the guest OSes running in the VMs. As a result, high-precision apps that require minimal latency might encounter performance issues when Hyper-V is enabled.
• Because the host OS runs on top of the virtualization layer, certain applications might not operate properly because they experience driver conflicts or require direct access to the hardware.
• Even if no VMs have been deployed, the Hyper-V platform still incurs overhead. Apps running on a Windows 11 computer might see performance gains if Hyper-V is not enabled.

If administrators encounter these issues, they might need to disable Hyper-V on Windows 11 computers. They might also need to disable Virtual Machine Platform and Windows Hypervisor Platform, two other virtualization technologies built into Windows 11.

In addition, administrators might need to disable security features that depend on Hyper-V, such as virtualization-based security (VBS), memory integrity, Device Guard and Credential Guard. For example, Microsoft recommends disabling Hyper-V, Device Guard and Credential Guard if you plan to run third-party virtualization software on Windows 11 computers.

Before disabling Hyper-V, however, administrators should be aware that certain security features depend on the hypervisor. Disabling Hyper-V could expose the computer to additional security risks. For this reason, they should disable Hyper-V on Windows 11 only after careful consideration and planning, to ensure the computers remain protected.

How to disable Hyper-V on Windows 11

Administrators have multiple options for disabling Hyper-V in Windows 11. They can disable it directly on the computer -- either doing it themselves or instructing their users to do so -- or use a centralized management platform to update multiple Windows 11 systems. The exact approach will depend on the specific circumstances, although administrators will generally choose from the following four options:

• Use Windows Features to disable Hyper-V.
• Run a PowerShell command or script to disable Hyper-V.
• Run a Deployment Image Servicing and Management (DISM) command or script to disable Hyper-V.
• Run a boot configuration data (BCD) edit command to disable Hyper-V. This approach is typically used as a temporary measure.

In situations where administrators need to disable Windows security features that rely on Hyper-V, they can do so by modifying Group Policy or Windows Registry settings or configure the necessary policies in Intune.

The following sections provide instructions for different methods administrators can use to disable Hyper-V on Windows 11. These instructions focus on disabling Hyper-V directly on a Windows 11 computer, although some of these concepts also apply to centralized management.

Use Windows features to disable Hyper-V

Administrators can disable Hyper-V directly in the Windows Features dialog box, along with Virtual Machine Platform and Windows Hypervisor Platform. End users can also disable these features if they are allowed to make such changes. The figure below shows the Windows Features dialog box with the three virtualization features outlined in red.

The following steps describe how to disable Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform:

1. Open Control Panel and go to Programs > Turn Windows features on or off. You can also search for Windows Features.
2. In the Windows Features dialog box, clear the checkboxes associated with the following three options:
• Hyper-V, including all subcomponents.
• Virtual Machine Platform.
• Windows Hypervisor Platform.

It is not necessary to turn off all three features. Turning off only Hyper-V might be enough to support your applications.

3. Click OK.
4. Restart the computer.

This approach is often the most direct and easiest for end users, unless management policies prevent them from updating optional features themselves.

Use PowerShell to disable Hyper-V

Administrators can also use PowerShell to disable Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform. For this, they should run a command that includes the Disable-WindowsOptionalFeature cmdlet, which is part of PowerShell's DISM module. The cmdlet lets administrators disable or remove optional features in a Windows image, whether online or offline.

A PowerShell command that uses the Disable-WindowsOptionalFeature cmdlet will generally include the following two parameters:

• -Online. This option should be included if running the command against a currently active Windows 11 computer. If updating an offline image, exclude this parameter and use the -Path parameter to specify the image's location.
• -FeatureName. The parameter is used to specify the names of one or more features to be disabled. If multiple features are specified, separate them with commas. To disable all three virtualization features, specify Microsoft-Hyper-V-All, HypervisorPlatform and VirtualMachinePlatform. Microsoft-Hyper-V-All includes all the Hyper-V subcomponents. You can also create three different PowerShell commands, one for each feature.

The following steps describe how to use PowerShell to disable the virtualization features:

1. Open PowerShell as an administrator.
2. Run the following command:

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform

3. Restart the computer, whether or not you have been prompted for a restart.

To avoid being prompted for a restart, include the -NoRestart parameter in your PowerShell command.

Use the DISM command-line tool to disable Hyper-V

Administrators can also use the DISM command-line tool to disable Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform. The tool is used to both prepare and update Windows 11 images, whether online or offline. To disable the virtualization features, administrators should run a DISM command that includes the following arguments:

• /Online. This argument should be included if running the command against a currently active Windows 11 computer. If updating an offline image, exclude this argument and instead use the /Image argument to specify the path to the image's location.
• /Disable-Feature. The argument indicates that the command is used to disable one or more features specified with the /FeatureName argument.
• /FeatureName. In this case, the argument is used three times, one for each of the virtualization features: Microsoft-Hyper-V-All, HypervisorPlatform and VirtualMachinePlatform. If you want to disable only Hyper-V, include only one instance of this argument and specify Microsoft-Hyper-V-All.

The following steps describe how to use the DISM tool to disable the virtualization features:

1. Open Command Prompt as an administrator.
2. Run the following command:

dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform

3. Restart the computer, whether or not you have been prompted for a restart.

To avoid being prompted for a restart, include the /NoRestart argument in your DISM command.

Use the bcdedit command-line utility to disable Hyper-V

The bcdedit command-line utility enables administrators to manage BCD files on Windows computers. They can use the utility to prevent Hyper-V from loading at startup. The bcdedit command should include a /set argument that sets the hypervisorlaunchtype option to off, as described in the following steps:

1. Open Command Prompt as an administrator.
2. Run the following command:

bcdedit /set hypervisorlaunchtype off

3. Restart the computer.

This approach is typically used to temporarily disable Hyper-V. To re-enable it, you can run the following bcdedit command:

bcdedit /set hypervisorlaunchtype auto

Again, restart the computer after running this command.

Use Group Policy to disable Virtualization Based Security

In some cases, you might want to disable VBS along with the other virtualization features. One way to do this is to use Group Policy to disable the Turn on Virtualization Based Security setting. Disabling this setting also disables Credential Guard.

The following steps describe how to use Group Policy to disable VBS:

1. Open the Local Group Policy Editor using the gpedit.msc snap-in. 
2. In the left pane, navigate to Computer Configuration > Administrative Templates > System > Device Guard.
3. In the right pane, double-click the Turn on Virtualization Based Security setting, select the Disabled option and click OK.
4. Restart the computer.

The figure below shows the Device Guard policy path in the left pane and the Turn on Virtualization Based Security setting in the right pane, after the setting has been disabled.

If Credential Guard has been enabled with UEFI lock, refer to Microsoft's instructions to remove additional security functionality from the computer.

Use the Windows Registry to disable VBS or Credential Guard

Another option for disabling VBS is to edit the Windows registry, as described in the following steps:

1. Use regedit to open the Registry Editor.
2. In the left pane, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
3. In the right pane, delete both the EnableVirtualizationBasedSecurity key and the RequirePlatformSecurityFeatures key.
4. Restart the computer.

If Credential Guard has been enabled with UEFI lock, follow the previous instructions to remove additional security functionality from the computer.

In some cases, you might want to disable Credential Guard in the registry, rather than VBS. For this, you can use the following steps:

1. Use regedit to open the Registry Editor.
2. In the left pane, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
3. In the right pane, double-click the LsaCfgFlags key, set its value to 0 and click OK.
4. In the left pane, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard.
5. In the right pane, double-click the LsaCfgFlags key, set its value to 0 and click OK.
6. Restart the computer.

Administrators should proceed cautiously if planning to disable VBS or Credential Guard in the registry. Registry settings evolve over time, and settings references in the documentation might no longer exist or might not be available on a particular system.

In addition, documentation about disabling the registry settings is often inconsistent. For example, some resources suggest setting the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures keys to 0 rather than deleting them. Other resources suggest creating any of these settings that do not exist and setting their values to 0. Administrators should carefully review the latest information from Microsoft before updating the registry.

Disabling Hyper-V on multiple managed computers

The steps provided above describe how to disable virtualization features on individual Windows 11 computers, working directly with those computers. However, administrators might want to disable these features on multiple computers that they centrally manage.

To disable Hyper-V from a management platform, administrators will typically create a PowerShell script and then use a management platform to run that script on the managed devices. It is also possible to run a DISM command on the managed devices, but most administrators will likely want to use PowerShell because it offers more extensive scripting capabilities.

The PowerShell script should use the Disable-WindowsOptionalFeature cmdlet to disable the services, as described above. The script can also be used to disable Virtual Machine Platform and Windows Hypervisor Platform.

Administrators can then use Microsoft Configuration Manager or a mobile device management platform -- such as Microsoft Intune, ManageEngine Endpoint Central or Citrix Endpoint Management -- to run the script against the target computers. For organizations that use Active Directory (AD), it is also possible to create a Group Policy Object that includes a scheduled task for running the PowerShell script.

Administrators will need to take a different approach to disable VBS or Credential Guard, depending on how they manage their Windows 11 computers. For example, they might use AD to create a Group Policy Object that disables the Turn on Virtualization Based Security setting. If they are using Intune, they might create a Settings catalog policy that disables the Credential Guard setting in the Device Guard category, or they might create a custom policy based on the DeviceGuard Policy configuration service provider.

Some organizations, such as OEMs, create customized Windows 11 images and deploy them to multiple computers in bulk. In certain situations, they might want to disable Hyper-V on an image, as well as disable Virtual Machine Platform or Windows Hypervisor Platform. For this, they can use the DISM tool to disable specific features, as shown above. The DISM command should point to the location of the offline image, rather than an online computer.

Regardless of how administrators disable virtualization on their managed Windows 11 computers, they should first test the process in a test environment to ensure they achieve the expected results and that the modified OS supports their applications without compromising security.

Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.