Virtual PAWs
Using virtualisation to create isolated admin environments — Hyper-V, client VMs, and host-based isolation approaches.
Overview
A virtual PAW uses a virtual machine running on a managed host device to create an isolated admin environment. In the common layout the host OS is used for general computing and the VM is dedicated to privileged administration; the roles can also be reversed so that the hardened host is the admin environment and day-to-day work runs in the VM.
This approach provides a middle ground between physical PAWs and cloud-hosted options: one piece of hardware, but with the admin and user environments separated by a hypervisor rather than by a network.
Architecture options
Admin VM on user host
The admin runs a hardened VM on their standard work device. The VM is used exclusively for privileged tasks.
- Lower cost than a dedicated device
- Isolation depends on hypervisor security and on the integrity of the host
- Risk: the host owns the VM's memory, keyboard and display, so a compromised host compromises the admin VM. This violates the clean-source principle, and it is why this layout is the weakest of the three.
User VM on admin host
The physical device is the PAW (hardened host), and a VM is used for general-purpose computing.
- Better security posture: the hardened host is the trusted base (clean source), and nothing the user does in the VM can reach host memory or credentials without a hypervisor escape
- More complex to set up and to live with, since ordinary productivity software, browsers and peripherals all have to work from inside the VM
- Untrusted activity (mail, web, documents) runs inside the VM, not on the host, which is the correct direction for the trust boundary
Dedicated hypervisor host
A purpose-built device running a bare-metal hypervisor with separate VMs for admin and user workloads.
- Highest isolation within a virtualisation approach
- Significant complexity
- Rarely practical outside large enterprises or high-security environments
Design considerations
- Use Hyper-V with Credential Guard and HVCI (memory integrity) on the host; the application-control half of what was called Device Guard is now Windows Defender Application Control (WDAC)
- Apply application control policies (WDAC or AppLocker) to the admin VM as well as to the host
- Restrict clipboard, drive sharing, and USB/device redirection between host and VM. In Hyper-V these paths ride on Enhanced Session Mode and the Guest Service Interface, so both should be disabled for a PAW.
- Manage the admin VM through a separate Intune or Configuration Manager (SCCM) pipeline with its own policy scope, so that user-device policy and software never reach it
- Enrol the VM as its own device identity and require device compliance in Conditional Access for privileged roles, so the VM, not the host, is what satisfies the policy
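The host and VM settings in the list above, as an added PowerShell example (not taken from the original page or from any vendor guidance): it checks the host's virtualisation-based security state, removes the host-to-guest redirection channels, and locks down a Generation 2 admin VM. The VM name PAW-ADMIN and the assumption that the VM is already created and powered off are assumptions for the example; the cmdlets and registry values are the standard Hyper-V and Terminal Services ones.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example, not from the original page. Assumes a Gen 2 VM named 'PAW-ADMIN' (assumed name),
# powered off, on a Windows 10/11 or Server host with the Hyper-V PowerShell module.

$VMName = 'PAW-ADMIN'

# 1. Check that the host actually runs VBS, Credential Guard and HVCI before trusting it.
#    Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
#    VirtualizationBasedSecurityStatus: 2 = running.
function Test-PawHostVbs {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        Hvci            = ($dg.SecurityServicesRunning -contains 2)
    }
}

# 2. Enhanced Session Mode is the RDP-over-VMBus channel that carries clipboard, drive,
#    PnP/USB and printer redirection into the VM. Disabling it host-wide removes those paths.
function Disable-PawHostRedirection {
    Set-VMHost -EnableEnhancedSessionMode $false
}

# 3. Per-VM hardening. Most of these require the VM to be off.
function Protect-PawAdminVm {
    param([Parameter(Mandatory)][string]$Name)
    if ((Get-VM -Name $Name).State -ne 'Off') { throw "$Name must be powered off first" }

    # Guest Service Interface lets the host push files in with Copy-VMFile; a PAW does not need it.
    Disable-VMIntegrationService -VMName $Name -Name 'Guest Service Interface'

    # Secure Boot with the Windows template (Gen 2 only).
    Set-VMFirmware -VMName $Name -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

    # vTPM so the guest can run BitLocker and its own Credential Guard. A local key protector
    # binds the VM to this host; an HGS-backed protector is the enterprise alternative.
    if (-not (Get-VMSecurity -VMName $Name).TpmEnabled) {
        Set-VMKeyProtector -VMName $Name -NewLocalKeyProtector
        Enable-VMTPM -VMName $Name
    }
    # Encrypt saved state so memory written to the host disk is not readable in the clear.
    Set-VMSecurity -VMName $Name -EncryptStateAndVmMigrationTraffic $true

    # No nested virtualisation from inside the admin VM.
    Set-VMProcessor -VMName $Name -ExposeVirtualizationExtensions $false

    # No checkpoints: a checkpoint is a copy of the admin VM's disk and memory sitting on the host.
    Set-VM -Name $Name -CheckpointType Disabled
    # Shut down cleanly on host shutdown instead of writing memory to a saved-state file.
    Set-VM -Name $Name -AutomaticStopAction ShutDown
}

# 4. Run INSIDE the admin VM: refuse RDP device redirection even if a host re-enables
#    Enhanced Session Mode. These are the standard Terminal Services policy values.
function Set-PawGuestRedirectionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $key -Force | Out-Null
    foreach ($v in 'fDisableClip', 'fDisableCdm', 'fDisablePNPRedir', 'fDisableCcm', 'fDisableLPT') {
        Set-ItemProperty -Path $key -Name $v -Value 1 -Type DWord   # clipboard, drives, PnP/USB, COM, LPT
    }
}

# 5. Audit: what an attacker on the host could still use against the VM.
function Get-PawVmAudit {
    param([Parameter(Mandatory)][string]$Name)
    [pscustomobject]@{
        EnhancedSessionModeOnHost = (Get-VMHost).EnableEnhancedSessionMode
        GuestServiceInterface     = (Get-VMIntegrationService -VMName $Name -Name 'Guest Service Interface').Enabled
        SecureBoot                = (Get-VMFirmware -VMName $Name).SecureBoot
        TpmEnabled                = (Get-VMSecurity -VMName $Name).TpmEnabled
        NestedVirtualisation      = (Get-VMProcessor -VMName $Name).ExposeVirtualizationExtensions
        CheckpointType            = (Get-VM -Name $Name).CheckpointType
    }
}

# Usage (host side):
Test-PawHostVbs
Disable-PawHostRedirection
Protect-PawAdminVm -Name $VMName
Get-PawVmAudit -Name $VMName
```

The host-side functions remove the redirection channels; Set-PawGuestRedirectionPolicy is the defence-in-depth half and must be run from inside the VM (or delivered by the VM's own Intune/Configuration Manager policy), so that the guest refuses redirection regardless of what the host offers. Note that none of this changes the trust model of the "admin VM on user host" layout: a host with a kernel-level implant can still read the VM's memory.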
Trade-offs
Strengths:
- Single device for both admin and user work
- Lower hardware cost than physical PAWs
- Good isolation when properly configured
Challenges:
- Hypervisor escape is rare but not merely theoretical; the hypervisor and host must be patched promptly, and in the "admin VM on user host" layout the host itself, not the hypervisor, is the more likely point of compromise
- Complex configuration and management, with two policy pipelines to keep consistent
- User experience can suffer with VM-based workflows
- Requires endpoint hardware capable of running VMs efficiently
When virtual PAWs make sense
Virtual PAWs work well when:
- Physical PAWs are not feasible due to cost or logistics
- Cloud-hosted options are not viable
- The admin team is small and manageable
- The hypervisor platform is well-managed and patched
For most organisations today, cloud-hosted options (Windows 365, AVD) offer a better balance of isolation and usability. Virtual PAWs remain a valid option where cloud dependency is not acceptable.