Hiding Virtual machine status from guest operating system

There are two things you need to do to hide the hypervisor from the guest OS:

  • Hide the hypervisor CPU feature flag.
  • Hide the hypervisor CPUID leaves.

Neither of these can be done entirely in virt-manager; you will have to edit the virtual machine XML.

By default the CPU is set to "Hypervisor default":

[Screenshot: virt-manager CPU selection of Hypervisor default]

This results in a "QEMU Virtual CPU version 2.5+":

[Screenshot: Task Manager with QEMU virtual CPU]

First, you will need to set a CPU type in virt-manager. The default QEMU virtual CPU cannot have its hypervisor flag removed within libvirt.

For best performance and functionality you should just select "Copy host CPU configuration" and "Apply". This will allow you to use nested virtualization, running 64-bit accelerated virtual machines inside this virtual machine.

[Screenshot: virt-manager CPU setting Copy host CPU configuration]

Now there will be a CPU section in the virtual machine XML that you can edit. Run sudo virsh edit <vmname>. The CPU section will look like this:

  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>

You need to add an element to remove the hypervisor CPU feature, causing it to look like this:

  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
    <feature policy='disable' name='hypervisor'/>
  </cpu>

Now you also need to disable the hypervisor CPUID leaves. This permits some other things like the NVIDIA drivers to work.

This is done by adding a new element inside the <features> element.

Just above:

  </features>

You should add:

    <kvm>
      <hidden state='on'/>
    </kvm>

Now, shut down the VM and start it again (a reboot is not sufficient; a full shutdown is required).

At this point Task Manager shows:

[Screenshot: Task Manager with Copy host model CPU]

You can also run systeminfo in a PowerShell or command prompt. At the bottom, if all is well you will see all Yes answers in the Hyper-V section:

Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes

Now you can do whatever it is you wanted to do.
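
As an added example, not part of the original answer: a Python check that reads domain XML (as printed by virsh dumpxml <vmname>) and reports whether both settings described above are present. The sample XML is constructed, and the check assumes libvirt's schema, where <hidden state='on'/> sits inside a <kvm> element under <features>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain definition with both settings applied.
SAMPLE_HIDDEN = """
<domain type='kvm'>
  <features>
    <acpi/>
    <kvm>
      <hidden state='on'/>
    </kvm>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
    <feature policy='disable' name='hypervisor'/>
  </cpu>
</domain>
"""

# Constructed sample: the "Hypervisor default" starting point, with no <cpu> element.
SAMPLE_DEFAULT = """
<domain type='kvm'>
  <features>
    <acpi/>
  </features>
</domain>
"""

def check_domain(xml_text):
    """Return a list of problems; an empty list means both settings are present."""
    root = ET.fromstring(xml_text)
    problems = []
    cpu = root.find("cpu")
    if cpu is None:
        problems.append("no <cpu> element: CPU is still 'Hypervisor default'")
    else:
        flag = cpu.find("feature[@name='hypervisor']")
        if flag is None or flag.get("policy") != "disable":
            problems.append("hypervisor CPU feature flag is not disabled")
    hidden = root.find("features/kvm/hidden")
    if hidden is None or hidden.get("state") != "on":
        problems.append("CPUID leaves not hidden: need <kvm><hidden state='on'/></kvm>")
    if root.find("features/hidden") is not None:
        problems.append("<hidden> sits directly under <features>; it belongs inside <kvm>")
    return problems

if __name__ == "__main__":
    for label, xml in (("hidden", SAMPLE_HIDDEN), ("default", SAMPLE_DEFAULT)):
        print(label, check_domain(xml))
```

To check a real guest, pass the output of virsh dumpxml <vmname> to check_domain() in place of the samples.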