If a hypervisor wishes to remove the ability of a guest VM to utilize the RDRAND instruction, what steps must it take to achieve this
Yes, Intel VMX hardware virtualization has hardware support for making rdrand and rdseed to a VM exit.
For example, see discussion on the Linux kernel mailing list about patching KVM (the hypervisor built-in to Linux):
A guest may not be configured to support
RDSEED, even when the host does. If the guest does not supportRDSEED, intercept the instruction and synthesize #UD. Also clear the "allowed-1" bit forRDSEEDexiting in theIA32_VMX_PROCBASED_CTLS2MSR.
The relevant VMX ctrls are SECONDARY_EXEC_RDRAND_EXITING and SECONDARY_EXEC_RDSEED_EXITING. (See this patch that renamed them in the KVM source code to match what Intel calls them in their x86 Software Development Manuals (SDM), where you should find further details of how to program VMX to do what you want.)
I just used links to KVM stuff because it's what came up first on Google when I was checking to see if there was HW support for this at all.