Recently I was explaining Windows To Go at a client site, and we had a few interesting discussions about the strengths, as well as the limitations, of its security features.
One attendee asked a couple of good questions:
1) Is there any way to prevent a Windows To Go key from being brought on-line in another installation of Windows?
2) Is there a way to block users from bringing the host's local disks on-line from within Windows To Go?
While I did not have the answers off the top of my head, after some consideration they turned out to be quite simple.
1) To any other Windows installation a Windows To Go key is just another hard drive. Because the host machines it is meant to run on are unmanaged, there is no way to stop someone from plugging the key into one of them and bringing it on-line. Microsoft does, however, provide several layers of protection:
- The WTG drive is off-line by default when it is plugged into a running Windows host;
- When building the WTG key you can enable BitLocker;
- Although BitLocker on the WTG key cannot be tied to a TPM chip (a TPM belongs to one machine, and the key roams between many), the drive is protected by a password.
In other words, to get at the contents of the key from another installation of Windows you would have to bring the drive on-line and then unlock BitLocker, which requires the password. The residual risk is the person you handed the key and the password to; if you do not trust that person, he probably should not be on your systems in the first place.
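The following PowerShell script is an added example, not part of the original post, that checks whether a Windows To Go drive actually carries the protection described above once it has been brought on-line on a management workstation. It assumes the drive's Windows volume has been assigned the letter E: (change $WtgVolume to match), that the BitLocker PowerShell module is available (Windows 8 / Server 2012 or later), and that the session is elevated.

```powershell
# Added example, not from the original post: audit the BitLocker configuration of a
# Windows To Go drive that has been brought on-line on a management workstation.
# Assumptions: the WTG Windows volume is mounted as E: (adjust $WtgVolume), the
# BitLocker module is present (Windows 8 / Server 2012 or later), elevated session.
param(
    [string]$WtgVolume = 'E:'
)

$vol = Get-BitLockerVolume -MountPoint $WtgVolume -ErrorAction Stop

# Protector types as strings, e.g. 'Password', 'RecoveryPassword', 'Tpm', 'TpmPin'.
$protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$findings = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "volume status is '$($vol.VolumeStatus)', not FullyEncrypted"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "protection is '$($vol.ProtectionStatus)'; protectors are suspended or absent"
}
# The drive roams between hosts, so the only protector that can unlock it everywhere
# is something the user supplies: a password.
if ($protectors -notcontains 'Password') {
    $findings += 'no password protector; the drive cannot be unlocked on an arbitrary host'
}
# A TPM protector is bound to one machine's TPM and is meaningless on a roaming drive.
if ($protectors | Where-Object { $_ -like 'Tpm*' }) {
    $findings += "TPM-based protector present ($($protectors -join ', ')); it only works on one host"
}
# Without an escrowed recovery password, a forgotten password means the data is gone.
if ($protectors -notcontains 'RecoveryPassword') {
    $findings += 'no recovery password protector to escrow'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $WtgVolume is fully encrypted, protected by a password, with a recovery password"
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}

# Remediation for a drive that was built without BitLocker (uncomment to run):
# $pw = Read-Host -AsSecureString 'BitLocker password for the WTG drive'
# Enable-BitLocker -MountPoint $WtgVolume -PasswordProtector -Password $pw -UsedSpaceOnly
# Add-BitLockerKeyProtector -MountPoint $WtgVolume -RecoveryPasswordProtector
```

The script treats a TPM-type protector as a finding rather than a bonus: on a drive that moves between machines it can only ever unlock on the one host whose TPM sealed it, so a password protector is the one that matters, backed by a recovery password you keep somewhere other than on the key.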
The second answer is a happier one. Because a Windows To Go workspace is (or can be) a managed environment, with domain membership, Group Policy and even System Center management, it can be locked down as you see fit. Bringing a disk on-line requires administrative rights, so the most direct control is simply to keep workspace users out of the local Administrators group; beyond that, how you do it depends on which of these tools you have at your disposal. But yes, it can be done.
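As an added example, not from the original post, here is a PowerShell script to run inside a booted Windows To Go workspace that checks the three things that together keep the host's disks out of reach: the SAN policy that leaves internal disks off-line at boot (Windows To Go sets this to Offline Internal), the current on-line state of every non-USB disk, and the membership of the local Administrators group, since only an administrator can bring a disk on-line. It assumes Windows 8 or later (for the Storage module), an elevated session, and that the people using the workspace are meant to be standard users. Group names treated as "too broad" are my own list.

```powershell
# Added example, not from the original post: run inside a booted Windows To Go
# workspace to verify that the host's internal disks are offline, put them back
# offline if they are not, and report who could undo that. Assumptions: Windows 8
# or later (Storage module), elevated session, workspace users are standard users.

# 1. The SAN policy decides whether internal disks come online at boot. Windows To Go
#    sets it to 'Offline Internal'; diskpart's 'san' command prints the current value.
$sanLine = 'san' | diskpart | Select-String 'SAN Policy' | Select-Object -First 1 |
    ForEach-Object { $_.Line.Trim() }
Write-Output ("diskpart: {0}" -f $sanLine)
if (-not $sanLine -or $sanLine -notmatch 'Offline') {
    Write-Output 'WARN: SAN policy is not Offline Internal; host disks will be online after the next boot'
}

# 2. Every disk other than the WTG boot disk is a host disk. USB is skipped so that a
#    second removable stick is not knocked offline by mistake (the WTG key itself is USB).
$hostDisks = Get-Disk | Where-Object { -not $_.IsBoot -and -not $_.IsSystem -and $_.BusType -ne 'USB' }
foreach ($d in $hostDisks) {
    $state = if ($d.IsOffline) { "offline ($($d.OfflineReason))" } else { 'ONLINE' }
    Write-Output ('Disk {0}: {1} [{2}] is {3}' -f $d.Number, $d.FriendlyName, $d.BusType, $state)
    if (-not $d.IsOffline) {
        # Someone brought it online. Taking it back offline is a detective control:
        # whatever was already read or copied is not undone by this.
        Set-Disk -Number $d.Number -IsOffline $true
        Write-Output ('Disk {0} taken offline' -f $d.Number)
    }
}

# 3. Changing a disk's online state needs administrative rights, so the preventive
#    control is local Administrators membership. On a domain-joined workspace Group
#    Policy (Restricted Groups) can enforce this; here we only report it.
$group = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Output ('Local Administrators: ' + ($members -join ', '))
# Assumed list of groups that should never hold local admin on a WTG workspace.
$tooBroad = $members | Where-Object { $_ -in @('Domain Users', 'Everyone', 'Authenticated Users', 'Users') }
if ($tooBroad) {
    Write-Output ('WARN: broad group(s) in Administrators: {0}' -f ($tooBroad -join ', '))
}
```

Step 2 is deliberately a report-and-repair pass rather than the control itself: if a user could bring the disk on-line in the first place, the real fix is step 3, removing the administrative rights that made it possible, which is exactly the kind of setting Group Policy or System Center can enforce on a managed workspace.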
I hope this helps you to make your environment more secure using Windows To Go!