Overview

A physical PAW is a dedicated hardware device — typically a laptop or desktop — that is used exclusively for privileged administration. It runs a hardened OS image, is managed through a separate device management pipeline, and is not used for any general-purpose computing.

This is the original PAW concept and remains the highest-assurance approach to isolating privileged access.

When physical PAWs make sense

Physical PAWs are most appropriate when:

  • The organisation has Tier 0 administrative responsibilities that justify dedicated hardware
  • Regulatory requirements demand demonstrable physical isolation
  • The threat model includes sophisticated adversaries targeting admin endpoints
  • On-premises infrastructure still requires local administrative access (e.g., domain controllers, ADFS)
  • Cloud-only solutions are not viable due to connectivity or latency constraints

Design considerations

Hardware

  • Dedicated device, not shared with any user workloads
  • TPM 2.0 and Secure Boot enabled
  • Hardware-backed credential protection (Windows Hello for Business, FIDO2)
  • USB restrictions and peripheral control

Operating system

  • Clean, hardened Windows image
  • Application control (WDAC / AppLocker)
  • No email client or productivity applications; browser use restricted to admin portals only
  • Managed via a dedicated Intune profile or SCCM collection

Identity

  • Admin account only — no daily-use identity signed in
  • Conditional Access policies enforcing device compliance for admin portals
  • Device filters in Conditional Access to scope admin access to PAW devices
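As an added example (not from the original page), the following Microsoft Graph PowerShell script creates one Conditional Access policy that blocks privileged-role sign-ins unless the device is tagged as a PAW and is compliant. The tag convention (extensionAttribute1 = "PAW"), the role template IDs and the break-glass account IDs are placeholders you must fill in from your own tenant.

```powershell
# Added example: scope admin portal access to PAW devices with a Conditional Access
# device filter. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with values from your tenant.
$adminRoleIds      = @("<directory-role-template-id>")     # directory roles treated as Tier 0 / privileged
$breakGlassUserIds = @("<break-glass-account-object-id>")  # always exclude emergency-access accounts

$policy = @{
    displayName = "PAW - block privileged roles from non-PAW devices"
    # Start in report-only mode and review sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = $adminRoleIds
            excludeUsers = $breakGlassUserIds
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                # Filter mode "exclude" combined with a "block" grant: devices that
                # match the rule are exempt from the block; every other device is blocked.
                # extensionAttribute1 = "PAW" is the assumed tag set on PAW devices.
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW" -and device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Pair this with a device compliance policy so that only the hardened PAW image (TPM, Secure Boot, application control) evaluates as compliant; the filter alone only checks the tag and the compliance flag.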

Network

  • Consider a dedicated admin VLAN or other network segmentation
  • Restrict outbound access to only required admin endpoints
  • Block general internet browsing at the network level

Trade-offs

Strengths:

  • Highest isolation assurance
  • No dependency on cloud infrastructure for the device itself
  • Clear physical boundary between admin and user contexts

Challenges:

  • Hardware cost and logistics
  • Two-device carry for mobile administrators
  • Device lifecycle management for a small fleet
  • Harder to scale across distributed teams

Practical reality

Physical PAWs are the gold standard but not always practical. Many organisations are moving to cloud-hosted alternatives (Windows 365, AVD) that provide strong isolation with better user experience and lower operational overhead.

The right approach depends on your risk posture. If you manage Tier 0 on-premises infrastructure, physical PAWs may still be the best option.