Rapid7 is the organization behind Metasploit, and also maintains a series of vulnerable-by-design virtual machines – Metasploitable 1, 2 and now 3. The first two were nice Linux machines with lots of services and misconfigurations to exploit, but the third is a Windows machine.
Building it requires using Vagrant to provision (build and configure) a VM from a Windows evaluation ISO, which is a pretty slick way around licensing, but it means re-provisioning every so often. Check it out here:
https://github.com/rapid7/metasploitable3