Win 11 on VM

jogold

Maybe this is a stupid question but I'll ask it anyways.

Why can't I just leave my Win 10 unsupported machine as is and just install Win 11 on a VM that is virtually supported?
The Win 10 machine won't need to connect to the net, other than to get VM software updates. So it should be safe.

Thx
Jo
 
I think you left out a couple of steps in your plan. What does the existence of a separate Win11 VM have to do with a Win10 physical machine? Are you talking about installing virtual box or something? The VM would share the NIC of the physical machine, so there's no way to remove the physical machine's connection to the internet without also affecting the VM's ability to connect to the internet.

I think, anyway. Need more details.

If you're going to do this, then put Linux on the physical box along with whatever hypervisor works there (VirtualBox has a Linux version, for example), and then use your Win11 VM like normal.
 
"The VM would share the NIC of the physical machine"
Incorrect. You can add a USB WiFi stick and the VM will connect to the internet even when the Win 10 NIC is disconnected.

My Win 10 machine's hardware doesn't have a TPM, but the VM shows that it does. So Win 11 will install on the VM, while on the Win 10 host I would need to do a work-around.

The problem with using a Linux box is that the only thing I know about Linux is that it's spelled with an X and not CKS. :)
 
If the host cannot run Windows 11, the guest won't be able to do it either.

How are you passing through a non-existent TPM module?

Then there's licensing concerns, and support issues because Windows 11 is not a supported guest on Windows 10 based hosts via Hyper-V.

And finally, if all of that wasn't enough...

The sandbox is vulnerable; malware on the guest will penetrate the host because the host isn't patched.

Running out-of-support software in production is always, ALWAYS a bad idea. It can be something that must be done in certain circumstances, but it's to be avoided if at all possible.
 
I'm using VMware 17.

I am running a VM with Win 11, and the VM has a virtual TPM in its settings.

It's activated with a serial that I bought from one of the questionable resellers. (Since this was a test run I figured that I'm not going to pay for the real thing; if it's the solution then I will.)

Why will malware from the host get to the virtual machine? There's no connection between them. And if the Win 10 host is kept offline how will it get infected?

I don't see why this can't be a solution for those who can't or don't want to shell out another couple of hundred dollars to fund the WinTell conspiracy. Up the software and make us spend more on hardware.
 
I don't see why this can't be a solution for those who can't or don't want to shell out another couple of hundreds of dollars to fund the WinTell conspiracy

If you, or anyone else, considers jumping through these kinds of hoops, and the long term maintenance nightmares that go with it, to be "a solution" then have at it. I sure don't, and would never think of setting up what amounts to a quicksand trap.

It's seldom that @Sky-Knight and I are in perfect agreement, but with this observation, we are: "Running out-of-support software in production is always, ALWAYS a bad idea. It can be something that must be done in certain circumstances, but it's to be avoided if at all possible."

And the idea that increasing security measures is a conspiracy is just as stupid as the idea that "Windows is spying on you," because it (like so many other OSes, including many Linux distros) employs telemetry.

Things change, and must change, in the world of computing. Everyone who is part of these forums should know that at a bone-deep level. It's no conspiracy of any kind that this is so. Some of those changes have always involved arbitrary shifts. Lather, rinse, repeat.
 
Why will malware from the host get to the virtual machine? There's no connection between them. And if the Win 10 host is kept offline how will it get infected?

I don't see why this can't be a solution for those who can't or don't want to shell out another couple of hundreds of dollars to fund the WinTell conspiracy. Up the software and make us spend more on hardware.

Two things, and I'm addressing the 2nd point first.

The fact that you see a required hardware upgrade on a CPU level as a "WinTell" conspiracy already indicates fundamental failures in critical thinking. It says volumes about what you know about this industry, and it's not flattering. The changes in Windows that drove the need to make a new hardware requirement set for Windows were entirely based on Microsoft security telemetry, since they are the largest cybersecurity company in the world and the source of most of our defenses when it comes to keeping hostile actors out of our systems. The information they provided that drove this decision was backed up by other groups. So when you make this claim, you're coming off as an anti-science whackjob.

Now the first thing, the tech thing.

Anything hosted on a Type 2 hypervisor has by nature a link between the hosted kernel and the kernel running on the hardware. The sandbox cannot be perfect, and in this case that is clearly illustrated by the fact that Broadcom Workstation (using the brand on purpose, more later) is forced to utilize the API calls within the hosting kernel to do the things it needs to do. And yes, we have malware out there explicitly looking for and exploiting weaknesses in this construct; this is how malware of today is constructed, in the hope of breaching virtual fabrics. These things have been found to get into Azure, AWS, and GWS services! They will eat your little quirky unpatched desktop mess for lunch. These vulnerabilities exist in Type 1 hypervisors; Type 2 hypervisors are by design less secure, as they are less separated from the host platform.

Circling back, VMware? Really? Broadcom has basically destroyed that poor company; they aren't responding to security updates themselves while they jack prices up for no good reason. The product is horrifically poorly supported these days. To make the "WinTel" claim, and then left turn to Broadcom, is yet another level of ignorance showing. But if that wasn't sufficient, users that do not maintain their systems are going to update VMware when? Finally, one of the good things about Broadcom is they have a history of only supporting supported systems. So your VMware hack will die on the vine when Broadcom kills Windows 10 support within the product, which will happen about a year after sunset if they stick to their established patterns, as that's about how long they supported Windows 7. But hey, the current product does still technically support running on Windows 8 too, so perhaps I'm in the weeds.

I'll also stay out of the paid bits if you're using it commercially, which lays on top of all of this.

All of this just screams, "I deserve to be sued for selling snake oil, but probably won't because my customers are too small to afford a legal response."

One more thing, System Requirements for VMWare Workstation Pro: https://knowledge.broadcom.com/external/article/315616/vmware-workstation-17x-pro-sales-licensi.html

System Requirements

  • A compatible 64-bit x86/AMD64 CPU launched in 2011 or later
  • 1.3GHz or faster core speed
  • AMD CPU requires AMD-V. Intel CPU requires VT-x
  • 2GB RAM minimum/ 4GB RAM or more recommended
  • VMware Workstation Pro and Player run on most 64-bit Windows or Linux host operating systems:
    • Windows 11
    • Windows 10
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows 8
    • Ubuntu
    • Red Hat Enterprise Linux
    • CentOS
    • Oracle Linux
    • openSUSE
    • SUSE Linux Enterprise Server

Note: Windows 7 hosts are no longer supported, Workstation 17 will not function on them.

Why run an unsupported host OS when several solid Linux options are staring you in the face? Boot Win10 for Ubuntu, PROBLEM SOLVED!

It will have higher support costs, but it is SUPPORTED!

Beware, the mitigations in the Linux kernel to compensate for a lack of hardware security will cause HUGE performance issues on top of the additional support costs associated with Ubuntu LTS in general. Again, Microsoft didn't make the call they made lightly. They just chose to not support all that old stuff and focus on the future.
 
Ouch.
But I get the point.
I'm sorry if I come off strong.

But, welcome to my day job. I'm the Sr. Solutions Architect for a firm that is both an MSP and MSSP. We're 100% blue team (security model, not Microsoft / IBM / Intel) focused.

As such I work with the sales team, communicating with stakeholders on security, service, how the two intersect, interact, reinforce as well as compete with each other. And if that wasn't enough I'm ALSO the guy they pull in for strategic alignment of all of the technology.

Basically, I'm a vCTO / vCISO in a pinch for whomever, whenever, and I have to pivot at the speed of meeting request.

So super short version, I've had this conversation before, many times. That's why I bombed you; I didn't have to write the above, it's basically a prerecorded message in my head at this point. You asked, and it all sort of fell out... What I did was not intended to be any sort of personal attack, but I don't have the time to be nice in this format AND I fully appreciate it if you could return fire on any of my own misconceptions you find. That's how I learn!

And, if you're curious... yes... I've had a very similar conversation with Microsoft and Broadcom leadership on the phone.

No, Broadcom does NOT like me! XD Microsoft however, at least for now does.
 