Fix Hyper-V guest detection for DPAPI fallback on bastions/VDI #154
Merged
The VM detection excludes "Microsoft Hv" as a CPUID vendor to avoid false positives on physical hardware running Windows VBS. However, Hyper-V guests (Azure VMs, on-prem bastions, VDI) also report "Microsoft Hv" and need the DPAPI fallback when TPM is unavailable. Distinguish them by registry manufacturer: physical machines with VBS show their real OEM (Dell, Lenovo, HP, etc.), while Hyper-V guests show "Microsoft Corporation". When CPUID reports "Microsoft Hv" and the already-computed registry string contains "Microsoft Corporation", treat the machine as a VM and allow the DPAPI fallback. Note: Surface devices are Microsoft hardware but have working TPMs, so they never reach this fallback path.
9c43665 to f462c76
Summary
[…] `Microsoft Hv` as the CPUID hypervisor vendor, which is explicitly excluded to protect physical Windows VBS machines from silently downgrading […] `Microsoft Hv`, additionally check the registry manufacturer. Physical machines with VBS show their real OEM (`Dell Inc.`, `LENOVO`, `HP`, etc.); Hyper-V guests show `Microsoft Corporation`. Allow the DPAPI fallback in the latter case.

Test plan
- `hyper_v_guest_detected_via_microsoft_corporation_manufacturer` test covers the new logic
- `vbs_on_physical_oem_hardware_not_treated_as_vm` confirms physical OEM machines are unaffected
- `vm_string_classifier_does_not_treat_vbs_hypervisor_vendor_as_vm` still passes
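The classification rule this PR describes, written out as an added example; it is not the project's own code. Rust is assumed as the project language, and the function names, the `KeyProtection` enum, the list of other hypervisor CPUID vendor strings, and the registry key named in the comments are assumptions. The "before" function shows why a Hyper-V guest previously never got the fallback, the "after" function adds the manufacturer check, and `choose_protection` shows why a TPM-equipped Surface never reaches the fallback path at all.

```rust
// Added example (not the project's code): models the VM classification used to
// decide whether a machine without a usable TPM may fall back to DPAPI.

/// CPUID hypervisor vendor strings (leaf 0x40000000) for other hypervisors.
/// Assumed list; the page only discusses "Microsoft Hv".
const HYPERVISOR_VENDORS: &[&str] = &["VMwareVMware", "KVMKVMKVM", "XenVMMXenVMM", "VBoxVBoxVBox"];

/// Reported both by Hyper-V guests and by physical hosts with VBS enabled,
/// because VBS runs Windows itself on top of the Hyper-V hypervisor.
const HYPERV_VENDOR: &str = "Microsoft Hv";

/// Manufacturer string Hyper-V guests report. Assumed to come from
/// HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer.
const HYPERV_GUEST_MANUFACTURER: &str = "Microsoft Corporation";

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KeyProtection {
    /// TPM present and usable: always preferred.
    Tpm,
    /// No TPM, but the machine is a VM: DPAPI fallback is acceptable.
    DpapiFallback,
    /// No TPM on what looks like physical hardware: refuse a silent downgrade.
    RefusedNoTpmOnPhysical,
}

/// Normalise a raw 12-byte CPUID vendor field (may be NUL-padded).
fn clean_vendor(raw: &str) -> &str {
    raw.trim_matches(|c: char| c == '\0' || c.is_whitespace())
}

/// Behaviour before the fix: "Microsoft Hv" alone is never treated as a VM,
/// so Hyper-V guests (Azure VMs, bastions, VDI) were denied the fallback.
pub fn is_vm_before_fix(cpuid_vendor: &str) -> bool {
    HYPERVISOR_VENDORS.contains(&clean_vendor(cpuid_vendor))
}

/// Behaviour after the fix: "Microsoft Hv" counts as a VM only when the
/// registry manufacturer identifies a Hyper-V guest; a physical OEM machine
/// with VBS keeps its real manufacturer and is still not a VM.
pub fn is_vm_after_fix(cpuid_vendor: &str, registry_manufacturer: &str) -> bool {
    let vendor = clean_vendor(cpuid_vendor);
    if vendor == HYPERV_VENDOR {
        return registry_manufacturer.contains(HYPERV_GUEST_MANUFACTURER);
    }
    HYPERVISOR_VENDORS.contains(&vendor)
}

/// TPM availability is checked first, which is why Microsoft-manufactured
/// Surface devices (working TPM) never reach the VM classification.
pub fn choose_protection(tpm_available: bool, cpuid_vendor: &str, registry_manufacturer: &str) -> KeyProtection {
    if tpm_available {
        return KeyProtection::Tpm;
    }
    if is_vm_after_fix(cpuid_vendor, registry_manufacturer) {
        KeyProtection::DpapiFallback
    } else {
        KeyProtection::RefusedNoTpmOnPhysical
    }
}

fn main() {
    // Constructed sample machines: (label, tpm available, CPUID vendor, manufacturer).
    let machines = [
        ("Azure VM / bastion", false, "Microsoft Hv", "Microsoft Corporation"),
        ("Dell laptop with VBS", false, "Microsoft Hv", "Dell Inc."),
        ("Surface (Microsoft hardware, TPM ok)", true, "Microsoft Hv", "Microsoft Corporation"),
        ("VMware guest", false, "VMwareVMware", "VMware, Inc."),
    ];
    for (label, tpm, vendor, mfr) in machines {
        println!(
            "{label:<38} before={:<5} after={:<5} -> {:?}",
            is_vm_before_fix(vendor),
            is_vm_after_fix(vendor, mfr),
            choose_protection(tpm, vendor, mfr)
        );
    }
}
```

The important property is that the fix is additive: every vendor string classified as a VM before is still classified as one, and the only new positive case requires both signals to agree, so a physical VBS host still gets the refusal rather than a silent DPAPI downgrade.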