Bite Size Bytes

Small coding solutions to big problems


YubiKey Passthrough on VMware Workstation and VMware Fusion

With security-key MFA now supported by services such as GitHub, M365, Google, AWS, Salesforce, and many others, and with VMware desktop virtualization widely used for development and testing, it is increasingly necessary to pass a YubiKey through to a Guest VM. This process does NOT require disabling OTP+U2F, as some have suggested. I’ve tested this thoroughly on VMware Workstation 17 (Windows/Linux) and VMware Fusion 13 (Mac).


Host Configuration – Windows/Linux/Mac

Close VMware Workstation/Fusion completely and locate the config file.

On a Linux host the default location is:
/etc/vmware/config

On a Windows host the default location is: %PROGRAMDATA%\VMware\VMware Workstation\config.ini

On a Mac host the default location is:
/Library/Preferences/VMware Fusion
Note: it is likely that the config file does not exist by default on Mac and will need to be created. This can be done easily by running sudo touch config from the terminal in the above location.

In addition to finding/creating the VMware config file, you also need to verify the PID of your YubiKey. 0x1050 is Yubico’s Vendor ID (VID) and will be the same for all YubiKeys. The PID will vary by model. Yubico has a page that lists all the possible PIDs here. To accurately identify your PID, use Terminal on Linux/Mac or PowerShell on Windows.
On Linux:
lsusb
On Mac:
system_profiler SPUSBDataType
On Windows:
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB\\VID_1050' } | Format-List

Once you have located the config file and gathered your VID:PID, add the following line to the end of the config file and save the changes:
usb.quirks.device0 = "0x1050:0x0407 allow"
In this example, I used the PID for the YubiKey 5C NFC, which is 0x0407; substitute your PID as necessary.
This tells VMware to allow the HID matching the YubiKey’s VID:PID to be attached to a VM.

Reopen Workstation/Fusion. In some cases, this is enough for the YubiKey to be accessible to the Guest, but I have found it to be inconsistent and unreliable. Following the next few steps for the Guest VM makes it much more stable and reliable.


Guest Configuration
An unencrypted Guest is very easy to configure for YubiKeys and can safely be modified after OS installation, but an encrypted VM or a Windows 10/11 Guest with VBS or a TPM requires a few extra steps that need to be done before installing the operating system in the Virtual Machine. I’ll cover this scenario separately as it’s more complex than a Guest without VBS or encryption.

Unencrypted Guest VM
Close the file in Workstation/Fusion to release the lock file.

Open the directory containing the files for the virtual machine. On Linux and Windows, this is straightforward. On Mac, for a VM created by Fusion, the files are bundled into a package so that you will need to right-click/control-click on the .vmwarevm file and choose to “Show Package Contents”.

Edit the .vmx file and add the following two lines at the end:
usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"

Open the VM and power it on; you can now connect your YubiKey to the VM. It should appear as “Yubico.com YubiKey OTP+FIDO+CCID” or similar. In some cases, you will see an additional device listed as “Shared Yubico YubiKey”; do NOT connect this device, as it will not work properly. Note that I’ve had a couple of occasions where the first time I connected the YubiKey caused the VM to run very sluggishly until after I rebooted the host, and all systems worked fine after that.
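Putting the host-side PID lookup and the guest .vmx edit together, as an added shell example that is not part of the original post (it also covers step 4 of the encrypted-guest procedure below): it parses lsusb output to emit a usb.quirks line for each distinct Yubico PID, and appends the two usb.generic lines to a .vmx file only when they are not already present, so re-running it is safe. The lsusb text is a constructed sample (only the lsusb format is handled, not system_profiler on Mac), and the .vmx path is a temporary stand-in for your real guest file.

```shell
#!/bin/sh
# Added example, not from the original post: turn lsusb output into VMware
# usb.quirks line(s), and add the two HID lines to a .vmx file without
# duplicating them on a second run. Assumes lsusb's usual line format.
YUBICO_VID="1050"   # Yubico's USB Vendor ID, same for every YubiKey

# Constructed lsusb sample (two YubiKey entries with the same PID, to show
# that only one quirks line is emitted per distinct PID).
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 1050:0407 Yubico.com YubiKey OTP+FIDO+CCID
Bus 001 Device 006: ID 1050:0407 Yubico.com YubiKey OTP+FIDO+CCID'

# Read lsusb text on stdin; print one usb.quirks.deviceN line per distinct
# Yubico PID, numbered from 0 as in the host config file.
quirks_from_lsusb() {
    awk -v vid="$YUBICO_VID" '
        $6 ~ ("^" vid ":") {
            split($6, id, ":")
            if (!(id[2] in seen)) {
                seen[id[2]] = 1
                printf "usb.quirks.device%d = \"0x%s:0x%s allow\"\n", n++, vid, id[2]
            }
        }'
}
# Append key = "value" to a .vmx file unless that key is already set.
add_vmx_setting() {
    vmx="$1"; key="$2"; value="$3"
    if grep -q "^${key}[[:space:]]*=" "$vmx" 2>/dev/null; then
        return 0   # already present, leave the file alone
    fi
    printf '%s = "%s"\n' "$key" "$value" >> "$vmx"
}
# The two lines the post adds to the guest .vmx (close the VM first so the
# lock file is released).
enable_hid_passthrough() {
    add_vmx_setting "$1" usb.generic.allowHID TRUE
    add_vmx_setting "$1" usb.generic.allowLastHID TRUE
}

# Demo on a temporary file standing in for the real guest .vmx.
demo() {
    printf '%s\n' "$SAMPLE_LSUSB" | quirks_from_lsusb
    tmp_vmx=$(mktemp)
    enable_hid_passthrough "$tmp_vmx"
    enable_hid_passthrough "$tmp_vmx"   # second run changes nothing
    cat "$tmp_vmx"
    rm -f "$tmp_vmx"
}
demo
```

To use it for real, pipe the actual `lsusb` output into `quirks_from_lsusb` and call `enable_hid_passthrough` with the path of your guest's .vmx file while the VM is closed.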

Encrypted Guest or Windows 11 Guest (With VBS and/or TPM with Encryption Enabled)
The steps for any encrypted Guest VM and Windows 11 VMs are very similar, so I will describe the process for Windows 11, but be aware that the overall settings may vary slightly based on your need. The key part is that encryption must be removed to add the lines to the .vmx file and this may cause difficulty with an already established VM.

2. Create your Windows Guest VM using Custom settings and choosing “I will install the operating system later” so that you don’t run the risk of powering on the VM before you’re ready. With Windows 11, Workstation 17 automatically adds the TPM and requires encryption, this is fine during the creation of the VM. Make sure you set the encryption password to something you know, you’ll need it in a moment.

3. Once the VM is created, edit the virtual machine settings. Under Hardware, remove the TPM device and save the settings. Reopen the VM settings and under the Options tab, select Access Control, Remove Encryption and save again. Close the VM to remove the lock file.

4. In a Terminal window, go to the location of the VM .vmx file. This is usually going to be in the vmware directory in your Home directory. For example, /home/<username>/vmware/Windows 11 x64. Add the following lines to the end of the .vmx file:
usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"

5. Once that’s saved, return to Workstation and open the VM but don’t power on yet. Edit the VM settings and switch to the Options tab. Under Advanced, you can now enable VBS if it’s supported by your physical machine hardware as well as UEFI and Secure Boot. Go up to Access Control and Encrypt the VM once again. You can choose either option for the level of encryption. Move over to the Hardware tab and you can now re-add the TPM. Save your settings.

6. Power on your VM to begin the installation process, and you will be able to see your YubiKey under Removable Devices to connect. It should appear as “Yubico.com YubiKey OTP+FIDO+CCID” or similar. In some cases, you will see an additional device listed as “Shared Yubico YubiKey”; do NOT connect this device, as it will not work properly. Note that I’ve had a couple of occasions where the first time I connected the YubiKey caused the VM to run very sluggishly until after I rebooted the host, and all systems worked fine after that.


Congratulations, you should now be able to use your YubiKeys with your VMs.




About Me

As a seasoned IT professional, I have developed an extremely well-rounded breadth and depth of knowledge and an exceptional ability to decipher and communicate complex issues. I have years of proven experience in IT leadership roles, security auditing, digital forensics, and overseeing development of custom applications, rounded out with a Bachelor of Science degree in Information Technology emphasizing Software Development. Over the course of my career, I have successfully held certifications as a GIAC Certified Incident Handler (GCIH), as well as CIW, CompTIA, and assorted Microsoft programming and networking certs. I have presented at the 2019 CETPA Conference in Anaheim and the 2021 CITE Conference in Sacramento.
