Forum Discussion

martinj
Brass Contributor
May 18, 2022

What is the roadmap for FIDO2 passthrough from Hyper-V host to VM?

Using FIDO2 devices physically attached to the Hyper-V host in a virtual machine is greatly needed, for instance for PAWs, where the user on his not-locked-down desktop/production-apps VM needs to do FIDO2 logins.


And now that Microsoft has committed to accelerate passwordless platforms, one would expect it to be a priority.


MS employees said a year ago that it was on the roadmap.

But when can we expect to see it coming?

  • KalimanneJ
    Iron Contributor
    Has anyone heard anything on this?

    The PAW is supposed to be a physical machine, not a VM.
    Also, would using YubiKeys as smart cards instead of FIDO2 keys be an alternative for Hyper-V VMs until FIDO2 support is available?
    • Mypetr
      Copper Contributor

      Interested in FIDO2 passthrough also, because of PAWs use.

      BTW: the current Microsoft recommendation regarding PAWs/SAWs is to have both the admin and user OSes as virtual machines.

      • KalimanneJ
        Iron Contributor
        Where are you seeing this “current” recommendation that a PAW should be a VM?
        I have only seen Microsoft recommending VMs for creating a lab environment for testing.
        They have always recommended that the PAW be on a locked-down physical device and that you run a VM or have a separate device for your non-admin use. They recommended that the PAW be physical so that a compromised VM host doesn't compromise the virtualized PAW. They have always said not to sign in to a higher-privileged device from a lower-privileged device.
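One concrete way to try the smart-card alternative KalimanneJ raises, added here as an example and not part of the thread or of any Microsoft guidance: a YubiKey in PIV/smart-card mode can be redirected into a Hyper-V VM only through an Enhanced Session (which is RDP under the hood); a basic VMConnect session does no device redirection at all, and this does nothing for FIDO2/WebAuthn, which is the feature the original post is asking for. The VM name `PAW-Admin` is hypothetical; the commands assume a Windows Server 2019 / Windows 10 1809 or later host, a Windows guest with Remote Desktop Services enabled, and an elevated PowerShell session on the host.

```powershell
# Added example, not from the thread: enable Hyper-V Enhanced Session Mode so that a
# host-attached smart card (e.g. a YubiKey used as a PIV smart card) can be redirected
# into the guest. Requires Windows Server 2019 / Windows 10 1809+ on the host.
# Run from an elevated PowerShell prompt on the Hyper-V host.

$vmName = 'PAW-Admin'   # hypothetical VM name; substitute your own

# 1. Allow enhanced session mode on the host (it is off by default on Windows Server).
Set-VMHost -EnableEnhancedSessionMode $true

# 2. Use the HvSocket transport so the enhanced session does not depend on the guest
#    having a network path back to the host.
Set-VM -Name $vmName -EnhancedSessionTransportType HvSocket

# 3. Confirm both settings before connecting with vmconnect.exe.
Get-VMHost | Select-Object -Property EnableEnhancedSessionMode
Get-VM -Name $vmName | Select-Object -Property Name, State, EnhancedSessionTransportType

# 4. Inside the guest (not on the host), the Hyper-V Remote Desktop Virtualization
#    service must be running for vmconnect to negotiate an enhanced session:
#    Get-Service -Name vmicrdv | Select-Object Name, Status, StartType
```

After this, open the VM with vmconnect, choose Show Options, then Local Resources, and tick Smart cards before connecting; the guest then sees the YubiKey as a locally attached smart card reader and can use it for certificate-based (smart card) sign-in. If the VM does not report an enhanced session, the usual causes are a guest OS older than Windows 8.1 / Server 2012 R2 or the vmicrdv service being disabled in the guest.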
