The diagram below shows that when an admin VM is hosted on a user workstation, an attacker who compromises the workstation can follow the control chain through the host to the target object of interest, whereas it is difficult to construct such a path in the reverse configuration. The PAW architecture therefore does not allow an admin VM to be hosted on a user workstation, but a user VM with a standard corporate image can be hosted on a PAW host to provide personnel with a single PC for all responsibilities.
Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors.
This guidance has additional details on PAW usage at Microsoft in the section "How Microsoft uses admin workstations". For more detailed information on this high-value asset environment approach, please refer to the article Protecting high-value assets with secure admin workstations.
This PAW guidance is intended to help you implement this capability for protecting high value accounts such as high-privileged IT administrators and high sensitivity business accounts.
The private key for credentials used by Microsoft Passport can also be protected by Trusted Platform Module (TPM) hardware.
These are powerful mitigations, but workstations can still be vulnerable to certain attacks even if the credentials are protected by Credential Guard or Passport.
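As an added verification check (not part of the original guidance), the following PowerShell reads the Device Guard CIM class and the TPM state to confirm that the mitigations named above, Credential Guard and a TPM ready to protect the Passport private key, are actually active on a candidate PAW host. It assumes Windows 10 or later with the TrustedPlatformModule module available and an elevated session; the function name is hypothetical.

```powershell
# Added example: confirm the credential-protection mitigations discussed above
# are running on this host. Not part of the original PAW guidance.
# Assumes Windows 10 / Server 2016 or later and an elevated session (Get-Tpm needs it).

function Test-PawCredentialProtection {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state and
    # which VBS-backed services are configured and running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $credGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    # The TPM must be present and ready to hold the Passport / Windows Hello for Business key.
    $tpm = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $credGuardRunning
        TpmPresentAndReady     = $tpmReady
        Compliant              = ($vbsRunning -and $credGuardRunning -and $tpmReady)
    }
}

$result = Test-PawCredentialProtection
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning 'One or more credential-protection mitigations are not active on this host.'
}
```

A host that reports Compliant = False should not be trusted as a PAW until the missing mitigation is enabled and the check is re-run.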