I must use windows for some tools which are available just for this
(creepy) OS
I am in the same boat.
The question is, does it make sense to install Qubes and Windows
together without losing the security of Qubes?
Unless your tools require direct GPU access, I see no reason at all for
you to install Windows in parallel to Qubes. Rather I would strongly
recommend to install Windows inside a qube.
You can do this either manually or with this excellent script:
If you need to connect external devices via USB to your Windows install,
I found the easiest solution to buy another USB controller and assign it
exclusively to the Windows qube. This one works for me:
https://www.amazon.com/gp/product/B00BB7TVMO/
If you require Audio for your work in Windows, there is also a very
cheap solution that works for me:
https://www.amazon.com/gp/product/B07L56C28R/
In summary: I run a Windows 10 Enterprise install inside a qube, it is
hooked up to corporate VPN/domain and runs all the snake oil and
compliance stuff that makes IT happy. If I have to connect to Ethernet
in the office, I assign the respective controller directly to that
Windows qube. Bottom line: for them this looks and feels exactly like
any other corporate install.
I use all kinds of exotic dongles, tracers, loggers and debuggers
directly connected to Windows through the extra USB controller. No issue
at all. And if I need to be on a Teams/WebEx conference with
screen-sharing I use the audio dongle mentioned above.
So you have all the advantages you could possibly hope to have by
running Windows bare metal in parallel, but you don’t actually do that.
It’s in a qube and has no way to access anything else stored on your
hard drive (happy thought – right?)
Also, you can tell the Windows qube to run fullscreen on a dedicated
workspace so you can switch between Windows and your Qubes world just by
switching the workspace.
Finally, with Qubes Windows Tools installed, you have the secure Qubes
clipboard and can send/receive files via the respective Qubes mechanism
(receiving requires that your user is named “user” … which might not
work out in a corporate setup … but I am sure there is a way to fix
that with a registry entry or something).
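The controller passthrough described in the post above, as an added example that is not from the post or from the Qubes project: a small dom0 shell script that picks the USB host controllers out of `lspci -nn` output (PCI class 0c03), converts a BDF such as `03:00.0` into the `dom0:03_00.0` form that `qvm-pci` expects, and prints or runs the `qvm-pci attach --persistent` and `qvm-features ... gui-allow-fullscreen` commands. The qube name `win10`, the sample `lspci` listing and the choice of the add-on card are constructed assumptions; `qvm-pci` and `qvm-features` are real dom0 tools, and `gui-allow-fullscreen` is the per-qube feature documented for Qubes 4.1. Nothing is executed unless `DRY_RUN` is emptied.

```shell
#!/bin/sh
# Added example, not code from the forum post. Maps lspci output to the dom0
# commands that hand a USB host controller to a Windows HVM qube.
# Assumed (not from the post): qube name "win10", the sample listing below.

# Constructed sample of `lspci -nn` output so the script runs offline.
# Device 03:00.0 plays the role of the separately bought add-on controller.
SAMPLE_LSPCI='00:14.0 USB controller [0c03]: Intel Corporation 100 Series Chipset Family USB 3.0 xHCI Controller [8086:a12f] (rev 31)
00:1f.3 Audio device [0403]: Intel Corporation 100 Series Chipset Family HD Audio Controller [8086:a170] (rev 31)
03:00.0 USB controller [0c03]: ASMedia Technology Inc. ASM1142 USB 3.1 Host Controller [1b21:1242]
04:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)'

# Print the BDF of every device whose PCI class is 0c03 (USB host controller).
usb_controllers() {
    printf '%s\n' "$1" | awk '/\[0c03\]/ { print $1 }'
}

# A BDF looks like bb:dd.f; reject anything else before it reaches qvm-pci.
is_bdf() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$'
}

# qvm-pci names the device dom0:bb_dd.f, i.e. the colon becomes an underscore.
bdf_to_qubes() {
    printf 'dom0:%s\n' "$(printf '%s' "$1" | tr ':' '_')"
}

# Echo the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Emit the dom0 commands that give controller $2 to qube $1 persistently and
# let that qube go full screen on its own workspace.
attach_usb_controller() {
    vm=$1
    bdf=$2
    is_bdf "$bdf" || { echo "not a PCI BDF: $bdf" >&2; return 1; }
    dev=$(bdf_to_qubes "$bdf")
    run qvm-pci attach --persistent "$vm" "$dev"
    # If the attach fails with a reset error, Qubes documents
    #   --option no-strict-reset=true
    # for that device; it weakens the isolation between users of the device,
    # so add it only when needed.
    run qvm-features "$vm" gui-allow-fullscreen 1
}

# Stand-alone run: list the candidates, then show the commands for the add-on
# card. DRY_RUN defaults to on so that running this file never touches a system.
DRY_RUN=${DRY_RUN:-1}
usb_controllers "$SAMPLE_LSPCI"
attach_usb_controller win10 03:00.0
```

Before running this for real, check which controller your keyboard and mouse hang off (`lsusb -t` or `readlink /sys/bus/usb/devices/*/..` in dom0): the moment that controller is attached to the Windows qube, dom0 loses those input devices, which is exactly why the post uses a second, separately bought controller. The `--persistent` flag makes the assignment survive reboots; use `qvm-pci detach` to undo it.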