So I have a work laptop that my employer gives me quite a bit of leeway in terms of what I do with it (so long as I use some of their win programs, and get the work done). Its a 4th gen x1 thinkpad so I think it should work with Qubes but there are a few things I want to check.
First, would windows know it had been copied and is being used as an HVM? That is, would it give me issues like having to re-register? Also, my org has a few “security” and backup applications that I am required to run such as FortiClient and crashplan, would either of those give me issues?
Second, how would this be done? I thought I there was a post on this long time ago but I cant find it?
Since several identifiers such as the hardware used (either real or virtual) would change, there’s a possibility that the activation mechanisms may enforce another activation, although I’m unsure if that’s what will definitively happen. It just might as it was doing back in the old days.
I’m also unsure, if your company’s licensing of Windows allows transferring it to another ecosystem. I would consult them on that so there’s no chance of them getting in trouble.
When it comes to company’s applications, it depends. I can tell from experience that no matter what I was not able to configure IPSec to work, which is a common problem described here and here - no answers after all this time. That’s why I just RDP to a company’s computer with a monolithic system, where this works fine.
But since I’ve never used these applications I can’t guarantee anything.
If you want, I can post a plan, what I would do in this situation myself as my reply does provide some hints but not a clear yes-or-no answer.
Thanks for that answer.
The RDP’ing in is a thought, at the moment my work computer is my only laptop (that will be changing soon I hope) so when I travel i am usually traveling with my work laptop.
I was looking into tailscale recently, that would make things much simpler in terms of RDP’ing into something at home.
Another thing to consider is what tools will be being used on this laptop and how comfortable (if even possible) would it be to have them either on a bare-metal Windows installation or to RDP to a Windows machine with them during a travel.
Let me tell a story.
I utilize Vagrant and Red Hat Virt-Manager a lot. My company laptop is set up to run these since Xen does not support nested virtualization well.
When riding a train, I can to some extent SSH to a virtual machine when being connected via the company’s OpenVPN. I may lose connection and have to reconnect but it’s possible to do some work. On the other hand, graphical updates would be insanely laggy.
At this point I’m considering either doing some other tasks on my personal laptop with Qubes or carry the company laptop with me to enhance the comfort of doing this work.
This is what I wanted to write sooner but I didn’t know if I should post my personal opinions without permission. I may expand this answer even more if you want.
Personally I am fine with personal opinions so long as they are civil.
Yeah, I was wondering about the lag part. At home I actually do RDP into my work computer as I find my desktop MUCH more comfortable to work on than the work laptop, but occasionally had problems over wifi until I got a usb-ethernet jack, so over RDP might indeed be tricky. Nevertheless, I can do a fair amount of work via the browser (office365) and the rest I might be able to get by using RDP.
OK, so I’ll write my plan on what I would do in this situation.
First, I’d prototype, if these applications work at all in a Qubes environment. I’d grab a Windows ISO and evaluate the system with the applications - preferably their trial versions so the company license keys/activations wouldn’t get exhausted.
If they can be proven to work this way, I’d then ask the company staff that knows about licensing, whether the license they have allows to transfer their Windows installation to another hardware or to virtualize it. The same applies to the applications - for instance I’ve heard that some have a method that checks if a network adapter’s MAC address changes and they refuse once it does change.
If these have been satisfied, I’d look for a way to either transfer their installation or to recreate it in Qubes OS. Maybe it would be an even better way to deauthenticate the activations they did and allow you to reauthenticate the applications, once Windows has been installed in your TemplateVM.
I just thought about this recently and looked at it. I am not sure I ever thanked you for the plan, which is a very good idea and sounds like a logical way to go about it. I hope to try this sometime soon.