Windows 11 as a test lab host

  • Windows 11 is an excellent host system for labs with Active Directory, Intune, Configuration Manager, and Microsoft 365.
  • Microsoft lab kits offer complete, pre-configured virtual environments ready for deployment, testing, and management.
  • It is possible to set up advanced laboratories for kernel debugging, driver development, and offensive and defensive security scenarios.
  • With modest hardware and good virtualization practices, you can replicate infrastructures at home that closely resemble those of a company.

Setting up a test lab using Windows 11 as the host operating system has become one of the most practical ways to learn, test enterprise deployments, and experiment with new tools without jeopardizing your real-world work environment. Whether you want to play around with virtual machines for penetration testing or your goal is to simulate a complete enterprise infrastructure with Active Directory, Intune, Configuration Manager, or Windows IoT, Windows 11 provides a very solid foundation for doing so. For practical guides, see how to set up a virtual lab at home.

The idea is simple: use Windows 11 as the host and build a virtual "mini data center" on top of it, with domain controllers, clients, application servers, driver debugging labs, or Microsoft 365 environments ready to be broken without fear. Starting with official Microsoft guides and lab kits, plus some extra techniques for bypassing certain hardware limitations on modest machines, you can build a truly comprehensive environment for studying, practicing, and experimenting.

Windows 11 as a lab host: approaches and available resources

When we talk about using Windows 11 as a test lab host, we're essentially combining three main components: the host system itself, the hypervisor (Hyper-V, VMware, VirtualBox, etc.), and the templates or lab kits that we'll run within the virtual machines. Microsoft offers several powerful, pre-built environments designed precisely for this purpose.

One of the most comprehensive is the Windows 11 and Microsoft 365 Deployment Lab Kit, a package of several self-extracting files that automatically deploy a domain environment with workstations, a Configuration Manager server, and an internet gateway. It includes evaluation versions of:

  • Windows 11 Enterprise (depending on the edition, 24H2, 25H2 or similar).
  • Windows Server (2022 or 2025 in the most recent versions of the kits).
  • Microsoft Configuration Manager in updated versions (such as 2203 or 2409).
  • Windows ADK and PE for deployment testing.

This base lab is designed to easily connect to Microsoft 365 services in trial mode: E5 licenses, Microsoft 365 Apps for business, and Office 365 E5 with Enterprise Mobility + Security (EMS). The best part is that everything comes almost ready to use: domain, joined clients, internet gateway, and Configuration Manager already operational as a central management point.

Another important toolkit is the Microsoft Endpoint Manager assessment lab, focused on teaching how to use the unified management console (Intune + Configuration Manager) to manage Windows 11 and Microsoft 365 Apps. This environment is also based on Windows 11 Enterprise, with a Configuration Manager server and services ready to be connected to Intune and Microsoft 365.

In addition to these corporate kits, there are more "technical" and low-level laboratories, such as the one dedicated to kernel-mode debugging with WinDbg and the KMDF Echo driver example. This type of lab is designed for driver developers or security engineers who want to understand what happens inside the Windows kernel, how IRQLs, call stacks, processes, threads, etc., work.

Scenarios you can set up on Windows 11 as a host

One of the advantages of using Windows 11 as a lab host is that you can set up several very different scenarios in parallel, without affecting your production environment. Based on the official kits and guides, the main practical areas covered are:

1. Planning and preparation of infrastructure for business environments. This is where the modern desktop infrastructure section comes in. Among other things, you can practice:

  • Cloud Management Gateway (CMG), to manage remote computers over the Internet without directly exposing your local Configuration Manager.
  • Tenant attach and co-management, that is, how to combine ConfigMgr and Intune to manage the same device.
  • Endpoint Analytics, reviewing performance and user experience.
  • Optimizing the distribution of Windows 11 updates, playing with Delivery Optimization and different policies.

2. Mass deployment of Windows 11. Using the preconfigured environment, you can simulate typical deployments of an organization:

  • OS deployment task sequences with Configuration Manager.
  • Windows Autopilot scenarios, from device registration to Azure AD registration and profile assignment.

3. System maintenance. Once Windows 11 is deployed, try different servicing methods:

  • Updates via Group Policy (WSUS/GPO).
  • Maintenance with Microsoft Intune, configuring update rings, timelines, and restart windows.
  • Maintenance with Configuration Manager, managing collections, update groups, and monitoring.

4. Managing devices and applications with Intune, including:

  • Windows 11 device management with configuration profiles, scripts, and policies.
  • Dynamic management based on user and device attributes.
  • Distribution of Win32 applications using Intune.
  • Remote assistance scenarios for users.

5. Deployment and maintenance of Microsoft 365 applications for businesses, both on domain-joined computers and on hybrid or non-classical AD devices:

  • Deployments managed in the cloud from Intune.
  • Deployments managed locally with Configuration Manager.
  • Installations on devices not joined to AD but managed.
  • Maintaining apps with both platforms.
  • Distribution of Teams and line-of-business (LOB) applications.
  • Use of assignment filters to segment deployments.

6. Microsoft Edge Administration in business environments:

  • Controlled browser deployment and update.
  • Configuration of Internet Explorer mode (IE mode) for legacy apps.
  • Personalization of the corporate new tab page.

7. Security and compliance, where things get interesting for red teams and defensive security teams:

  • Configuration and testing of BitLocker.
  • Microsoft Defender Antivirus and its policies.
  • Deployment of Windows Hello for Business.
  • Activation of Credential Guard and other credential protections.
  • Microsoft Defender Application Guard, Application Control, and exploit protection.
  • Integration with Microsoft Defender for Endpoint in test environments.

Windows 11 Driver Debugging and Development Labs

Beyond the "corporate IT" sphere, Windows 11 as a host allows setting up kernel-mode debugging labs which are pure gold for driver developers and security analysts. A typical lab of this type is based on two Windows 11 machines: a host machine and a target machine, connected by an Ethernet network for the debugging session.

The WinDbg sample lab for kernel debugging with a KMDF Echo driver focuses on teaching, step by step, how to work with:

  • Basic Windows debugger commands (WinDbg).
  • Standard commands on call stacks, IRQLs, threads, and processes.
  • Driver-specific advanced commands (!extension commands).
  • Correct use of symbols and PDB files.
  • Establishment and management of real-time breakpoints.
  • Visualization of Plug and Play device trees, loaded modules, etc.

To set up this environment, the minimum lab hardware includes:

  • A host PC with Windows 11.
  • A second target PC (or VM) also running Windows 11.
  • A simple switch or router and Ethernet cabling.
  • Internet access to download symbols and tools.

At the software level on the host you need Visual Studio, the Windows 11 SDK, the WDK, and the Echo sample driver for Windows 11. With that, you can download the code from GitHub, compile it, sign it in test mode, and deploy it to the target machine, where you will then install it using tools like DevCon.

The typical workflow in this laboratory includes several phases very well explained in the guides:

  • Configure kernel debugging over the network using KDNET, registering the host IP address and enabling debugging in the target machine's BCD.
  • Start WinDbg on the host with the appropriate connection string (-k net:port=...,key=...), then wait for the target to restart and the connection to be established.
  • Learn how to use the WinDbg command window, where commands are entered and the output is viewed.
  • Try commands like vertarget, lm, lm v, x, !lmi, !dh, etc., to inspect the system.
  • Configure symbol paths with .symfix and .sympath+, and reload with .reload /f to have complete debugging information.
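
The target-side KDNET configuration from the first step, as an added example that is not part of the original guides: it checks two features that commonly get in the way of the BCD change, enables network debugging, and prints the matching host command. The host IP address and port are assumed lab values.

```powershell
# Added example. Run in an elevated PowerShell session on the TARGET (debuggee) machine.
# Assumed lab values: adjust to your own isolated lab network.
$HostIp = '192.168.56.10'   # address of the Windows 11 host that runs WinDbg
$Port   = 50005             # free port on the host, allowed through its firewall

# Secure Boot policy protects the BCD debug setting, so bcdedit /debug fails while it is on.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }          # legacy BIOS: the cmdlet is not supported
if ($secureBoot) {
    throw 'Secure Boot is enabled: turn it off in the test machine firmware before enabling kernel debugging.'
}

# A BCD change makes BitLocker ask for the recovery key at next boot; suspend it for one reboot.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($bl -and $bl.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
}

# Enable kernel debugging and point KDNET at the host.
# No key: argument is given, so bcdedit generates a key and prints it.
bcdedit /debug on
bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port"

Write-Host "On the host, start:  windbg -k net:port=$Port,key=<key printed above>"
Write-Host 'Then reboot this target:  shutdown /r /t 0'
```

Treat the generated key as a credential for the debug session and keep the debug connection on the isolated lab network only.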

Once the Echo driver is installed on the target computer (preparing the system to accept test drivers, installing the certificate, using devcon install echo.inf root\ECHO, and verifying the device in Device Manager), real debugging comes into play: setting breakpoints on functions such as EchoEvtDeviceAdd or EchoEvtIoWrite, running the test application EchoApp.exe, and observing the execution flow in kernel mode. For low-level threat analysis techniques, it's advisable to review guides on how to detect rootkits with RootkitRevealer.

The guide covers key aspects such as:

  • Use of breakpoints bp, bu, bm and data breakpoints ba.
  • Navigating the source code with source mode enabled and configuration of .srcpath.
  • Visualization of local and global variables with dv and local environment windows.
  • Call stack exploration with kb, kp or kn.
  • Inspection of processes and threads with !process, !thread and change of context with .thread.
  • IRQL verification with !irql and registers with r.

Windows 11 on modest hardware: bypassing requirement checks in the lab

Not everyone has a server with 128 GB of RAM at home, and yet it's still possible to use Windows 11 as a lab host on much less powerful machines. On older computers or mini PCs with modest CPUs and limited memory, the Windows 11 installer may fail to meet requirements such as TPM, minimum RAM, or Secure Boot.

Some enthusiasts have dedicated themselves to tinkering precisely with that part, modifying the registry that the installer loads into memory when it boots from the USB to apply a series of "bypasses" to these checks:

  • TPM Bypass (related to platform requirements).
  • Bypass RAM Check, to reduce the minimum memory required.
  • Bypass Secure Boot Check, removing the Secure Boot requirement.

With these modifications, it is possible to install Windows 11 on fairly basic devices, such as older office hard drives or low-end laptops. Even so, there are clear warnings: do not use the same disk as your work system, limit these types of installations to educational and testing uses, and do not rely on this environment for critical tasks until it is properly licensed and patched. Furthermore, it is advisable to know how to configure Memory Integrity and other protections before putting any image into production.
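
A quick way to see which protections a lab image actually enforces, which matters most on machines installed with the checks bypassed. This is an added example, not from the original guides; it also covers the BitLocker, Defender and Credential Guard items from the security and compliance scenario list, and the function name is hypothetical.

```powershell
# Added example. Run elevated inside the lab VM or test PC being assessed.
function Get-LabSecurityPosture {
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }     # no TPM exposed
    $sb  = try { Confirm-SecureBootUEFI }    catch { $false }    # throws on legacy BIOS
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $bl  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmReady         = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        SecureBoot       = [bool]$sb
        # SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI)
        CredentialGuard  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        MemoryIntegrity  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        BitLockerOn      = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        DefenderRealTime = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    }
}

$posture = Get-LabSecurityPosture
$posture | Format-List

# List every protection that is not active so the gap is explicit in lab notes.
$gaps = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($gaps) { Write-Warning "Not enforced on this image: $($gaps -join ', ')" }
```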

For a lab with a Windows 11 host and multiple VMs, ideally you'd want a computer with 16 GB of RAM or more, a decent SSD, and, if possible, hardware virtualization support enabled in the BIOS. From there, it's just a matter of allocating resources between the host and the virtual machines depending on what you're going to do.

Creating the lab: hypervisor, VMs and best practices

With Windows 11 as the host, you have several options for virtualization: Hyper-V (included in the Pro/Enterprise editions), VMware Workstation or Player, and Oracle VirtualBox. Each has its nuances, but the general approach is similar: one VM per role (DC, client, SQL server, etc.), and, if you want to simplify things, use the VMs that come pre-configured in Microsoft's lab kits.

In a typical “mixed” laboratory case with two VMs (one Windows and one Linux), the most sensible approach is to allocate a reasonable amount of RAM and CPU to the Windows 11 host to maintain smooth performance, and distribute the rest among the VMs. For example, on a machine with 32 GB of RAM, you could give 8-10 GB to the host and 10-12 GB to each VM, adjusting according to load. On multi-core processors, reserving 2-4 cores for the host and the rest for the virtual machines usually works quite well.

Regarding virtualization software for test labs with Windows 11:

  • Hyper-V is ideal if you want to get closer to what's used in many companies and follow Microsoft's guides to the letter, especially for Windows 11 + Microsoft 365 or Windows IoT Enterprise kits.
  • VMware remains very convenient for those who already know it and integrates well with snapshots and somewhat more advanced virtual networks.
  • VirtualBox is a very popular free option to get started and experiment, sufficient for most learning scenarios.
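
The two-VM "mixed" lab described above, built on Hyper-V, as an added example that is not taken from Microsoft's kits: it sizes the VMs for a 32 GB host, refuses to over-commit RAM, and keeps the lab on an internal switch. VM names, paths and ISO file names are assumptions.

```powershell
# Added example. Run elevated on the Windows 11 host with the Hyper-V role enabled.
# Names, paths and sizes are assumptions for a 32 GB host (8 GB kept for the host).
$HostReserve = 8GB
$Lab = @(
    @{ Name = 'LAB-WIN11'; Memory = 10GB; Cpu = 4; Iso = 'D:\ISO\win11-eval.iso'; Windows = $true  }
    @{ Name = 'LAB-LINUX'; Memory = 10GB; Cpu = 4; Iso = 'D:\ISO\linux.iso';      Windows = $false }
)

# Refuse to over-commit: the VMs plus the host reserve must fit in physical RAM.
$physical = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$planned  = ($Lab | ForEach-Object { $_.Memory } | Measure-Object -Sum).Sum + $HostReserve
if ($planned -gt $physical) {
    throw "Plan needs $([math]::Round($planned / 1GB)) GB but the host has $([math]::Round($physical / 1GB)) GB."
}

# An Internal switch connects the host and the VMs only; nothing is bridged to the home LAN.
if (-not (Get-VMSwitch -Name 'LabInternal' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'LabInternal' -SwitchType Internal | Out-Null
}

foreach ($vm in $Lab) {
    New-VM -Name $vm.Name -Generation 2 -MemoryStartupBytes $vm.Memory `
           -NewVHDPath "D:\VMs\$($vm.Name).vhdx" -NewVHDSizeBytes 80GB `
           -SwitchName 'LabInternal' | Out-Null
    Set-VMMemory    -VMName $vm.Name -DynamicMemoryEnabled $false
    Set-VMProcessor -VMName $vm.Name -Count $vm.Cpu
    $dvd = Add-VMDvdDrive -VMName $vm.Name -Path $vm.Iso -Passthru
    Set-VMFirmware  -VMName $vm.Name -FirstBootDevice $dvd

    if ($vm.Windows) {
        # A virtual TPM lets Windows 11 setup pass its checks without any bypass.
        Set-VMKeyProtector -VMName $vm.Name -NewLocalKeyProtector
        Enable-VMTPM       -VMName $vm.Name
    } else {
        # Linux boot loaders are signed against the Microsoft UEFI CA, not the Windows template.
        Set-VMFirmware -VMName $vm.Name -SecureBootTemplate 'MicrosoftUEFICertificateAuthority'
    }
}
```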

An interesting point is the installation sources for Windows VMs. On a host that comes with Windows 11 pre-installed, you can create a USB recovery drive, but this isn't always the best source for installing a VM. The cleanest approach is usually to download official evaluation or internal use ISO images (Windows 11, Windows Server, Windows 11 IoT Enterprise LTSC) from the Evaluation Center or licensing portals and use those ISOs directly as the installation media on the hypervisor.

For Windows IoT Enterprise, for example, the basic flow is: prepare a technician PC with Windows 11, install the ADK and deployment tools, have the IoT Enterprise LTSC ISO on hand, and create installation media (USB or ISO associated with a reference VM). Then boot the reference device, perform a standard Windows installation, go through the OOBE phase, and enter audit mode (Ctrl+Shift+F3) to be able to customize the image with Sysprep.

If your thing is penetration testing or offensive security, Windows 11 as a host serves as a base to set up a Windows Server 2022/2025 domain, add one or more Windows 11 workstations to it, and then corrupt it "on purpose" with projects like BadBlood.

The idea is simple: first you set up a domain controller with Windows Server and create the domain (for example, thehackerway.local). Then you set up a virtual Windows 11 workstation that points to the DC's IP address as its DNS server. From that workstation:

  • You rename the computer with a clear name, like THW-WORKSTATION.
  • You configure the network card to use the DC's IP address as the DNS.
  • You use the "Join this device to a local Active Directory domain" wizard to add it to the domain.
  • You check in “Active Directory Users and Computers” that the machine appears under the “Computers” container.
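
The same four steps done from PowerShell instead of the wizard, as an added example that is not part of the original walkthrough. The DC address and the adapter name are assumptions; the domain and computer names are the ones used above.

```powershell
# Added example for Windows PowerShell 5.1, elevated, on the Windows 11 workstation VM.
$Domain = 'thehackerway.local'   # domain name used in the article
$DcIp   = '10.10.10.10'          # assumption: the lab DC's static address
$Nic    = 'Ethernet'             # assumption: adapter name inside the VM

# 1. Use the DC as the only DNS server so the domain's SRV records resolve.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# 2. Fail early if the DC locator record is missing; the join would fail for the same reason.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
Write-Host "Domain controller found: $($srv.NameTarget -join ', ')"

# 3. Rename and join in one operation; prompts for a domain account allowed to join machines.
Add-Computer -DomainName $Domain -NewName 'THW-WORKSTATION' `
             -Credential (Get-Credential -Message "Account in $Domain") -Restart

# 4. After the reboot, on the DC (ActiveDirectory module), confirm where the object landed:
#      Get-ADComputer -Identity 'THW-WORKSTATION' | Select-Object Name, DistinguishedName
#    Expected DistinguishedName for a default join:
#      CN=THW-WORKSTATION,CN=Computers,DC=thehackerway,DC=local
```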

Once you have the domain and some clients up and running, enter BadBlood, a PowerShell script that populates Active Directory with random objects (users, computers, OUs, groups, ACLs with insecure configurations, etc.) simulating a "real" business environment, but one riddled with bad practices. It's perfect for attack testing and detection.

The process, broadly speaking, consists of:

  • Copy the script Invoke-BadBlood.ps1 to the domain controller.
  • Open PowerShell as administrator and relax the execution policy with Set-ExecutionPolicy unrestricted.
  • Run the script, accept the warnings, and type badblood when prompted.
  • Wait patiently while the domain is populated with hundreds of vulnerable objects and configurations.

It's important to note that BadBlood does not offer a mechanism to revert changes. Therefore, it's advisable to create a snapshot of the DC's virtual machine before running it. That way, you can revert to the previous state after completing your penetration testing or hardening procedures.
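
The snapshot-and-revert cycle on a Hyper-V host, as an added example that is not part of the BadBlood project. The VM name, checkpoint name and the Restore-LabDc function are hypothetical.

```powershell
# Added example. Run elevated on the Windows 11 Hyper-V host.
$Dc   = 'THW-DC01'       # assumption: Hyper-V name of the domain controller VM
$Snap = 'pre-BadBlood'   # assumption: checkpoint name

# Take the checkpoint with the DC shut down so it captures a consistent, known-good state.
Stop-VM -Name $Dc
Checkpoint-VM -Name $Dc -SnapshotName $Snap
if (-not (Get-VMSnapshot -VMName $Dc -Name $Snap -ErrorAction SilentlyContinue)) {
    throw "Checkpoint '$Snap' was not created; do not run BadBlood yet."
}
Start-VM -Name $Dc

# Inside the DC, a narrower alternative to a machine-wide 'Set-ExecutionPolicy unrestricted'
# is to relax the policy only for the PowerShell process that runs the script:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
#   .\Invoke-BadBlood.ps1

# When testing is finished, discard every BadBlood change by reverting the DC.
function Restore-LabDc {
    Stop-VM -Name $Dc -TurnOff -Force
    Restore-VMSnapshot -VMName $Dc -Name $Snap -Confirm:$false
    Start-VM -Name $Dc
}
```

Join the workstations before taking the checkpoint; otherwise reverting the DC also removes their computer accounts.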

With this type of lab set up on Windows 11 as the host, you can practice Kerberos attacks, AD privilege escalations, enumeration of unsafe objects, and, in parallel, test how defensive tools like Microsoft Defender for Endpoint, Intune security policies, execution restrictions, etc., respond.

Ultimately, using Windows 11 as the host operating system for the lab allows you to replicate at home (or in a controlled environment) many of the scenarios you find in businesses: massive deployments with Configuration Manager and Autopilot, use of Microsoft 365 E5, managed Edge, Windows IoT, low-level driver development and debugging, and complete Active Directory domains ready to be attacked or hardened. With some decent hardware, a little patience, and Microsoft's lab kits, you can turn a simple Windows 11 PC into a true technical learning "factory."
