This week on SysAdmin Weekly, Andy and Eric finally settle one of the most persistent questions in the Hyper-V world: Should your Hyper-V hosts be domain joined or live outside the domain? Spoiler: we have strong feelings.

Before the main event, we hit a few hot headlines:

- Microsoft is booting AV vendors out of the kernel (finally)

- CrowdStrike’s recent disaster knocked out 8.5 million devices

- Notepad++ had a nasty privilege escalation flaw in its installer

- And no, China did NOT break RSA encryption (at least, not the kind that matters)

Then, in Nerd Hour, Andy talks Debian 13 upgrade best practices, and Eric explores scripting virtual TPM keys in Hyper-V without going full-HGS.

In the main segment, we compare the tradeoffs of domain-joined vs workgroup-mode Hyper-V hosts, from security implications (Kerberos, pass-the-hash, curb roasting) to the operational challenges of backups, automation, and monitoring.

Got a spicy opinion? Want to challenge our take? Email us at contact@sysadminweekly.com

Episode Resources:

- Newsletter signup

- Project Runspace

- AndyOnTech

- Kerberoasting (MITRE ATT&CK technique T1558.003)

- Workgroup vs Domain

- Active Directory Security Best Practices

- Microsoft is moving antivirus providers out of the Windows kernel

- CrowdStrike’s faulty update crashed 8.5 million Windows devices

- CVE‑2025‑49144 – DLL planting privilege escalation in Notepad++ installer

- Chinese researchers break RSA encryption with a quantum computer (22‑bit only)

- Debian 13 (Trixie) release notes