Windows to Go: Ironkey gets it right

Back in 2012 I spent a lot of time talking (and writing) about Windows to Go (WTG).  This was Microsoft’s newest feature that allowed you to install Windows 8 on a USB key.  In theory I loved it, in practice… well, most of the USB keys that I tried it on (the certified ones, and not just the ones that I got for free at trade shows) worked… they just didn’t work very well.  They were… flimsy is probably the right word.  I had finally built my key just right, and one day I was demonstrating it to a group in Tokyo and… it just stopped.  It turned out, after hours of troubleshooting, that the connectors were not connecting properly.  After speaking with the company (who made me follow a less-abridged version of the troubleshooting steps I had already taken) offered to replace the key for me under warranty.  A few months later we had the same conversation on the replacement device.

So when I walked into the Ironkey booth at MS Ignite in Chicago this past May, I was intrigued by two promises they made: They told me that they are  MilSpec (Military Specifications, which means they should be nearly indestructible), and they promised it was full lengths faster than the competition.  I told them that I wanted to see that for myself, and they obliged by sending me two devices: An Ironkey W300, which is a heavy-duty 64GB key, and an Ironkey W500, which is just as heavy-duty, but includes hardware encryption.

I want to start by saying that I have nothing bad to say about either device.  However there are only so many hours in a day, and if I am going to get any work done (you do realize that I have an actual day job, one where they expect me to accomplish things) I could spend a little while testing both devices, but I was only going to focus on one of them.  Since the W500 is hardware encrypted, I made that my own, and only ran some cursory tests on the W300 before handing it off to an associate.

I should mention that there was another reason that I handed the W300 off… My colleague James is a Mac user, and the hardware encryption of the W500 is not compatible with the Mac.  For that reason the W300 was perfect for him.  However let me be clear: if I hadn’t been extremely satisfied by the performance of the hardware-encrypted W500 I would have kept the W300 for myself.  Yes, there is a difference between the two; it is less of a difference than you would notice if you switched out your solid-state drive (SSD) with a 15k rpm hard drive though.  That is to say that although the actual speed tests that I ran do show a marked difference between the performance of the two, to the naked eye for what I do on a daily basis there is very little difference.

At First Glance

There are some hoops to jump through in order to create the W500 as a Windows To Go (WTG) device.  Because it is natively encrypted you have to download the Administration Toolkit from their website, so that your Windows OS can recognize and build the key.  Okay, I am willing to live with that… after all, it is still easier than taking off my shoes and emptying my pocket at the airport.  You also have to download the Customization Toolkit, which modifies the install.wim file that you are going to use to build the key.  No problem, it took a few minutes and it was done.

If you are a normal user and are willing to RTFM then the process is fairly simple.  If you are like me and figure it will just work the way you think it will work, then it might cause a bit of frustration.  However once you realize that you don’t know everything and read the instructions, things go very smoothly.

W500So here’s what I did: I unlocked the device, I modified my ISO, I put the device into Configuration Mode, I created my Windows to Go (that was the same Windows wizard I already knew), and then I put the key back into Deployment Mode.  All in all it might have taken half an hour or so.  No big deal. 

When you put the device back into Deployment Mode it asks if you want to modify your hardware so that it will boot from USB before any other device.  If you are using the same computer for both (or even just for testing) then this is a good idea.  However my primary use case for WTG is work from anywhere on any device.  Make sure you know what key allows you to select the boot device before you boot it up… on HP it’s F9.

So we were off to the races… I built the key on a Lenovo T420s that I have at the office, and it seemed so simple to just reboot that device into my WTG environment.  Ok fine.  As it was booting I got the Windows 8 logo… and then an unfamiliar screen.  I arrived at the Ironkey Pre-boot environment, prompting me for my password.  Password entered, it rebooted into Windows for me.

**Note: At this point I should mention that I started these tests on the key with Windows 8.1.  On July 29 I downloaded the ISO for Windows 10 Enterprise and rebuilt the key.  So please note that while I may say one or the other edition at any point, the experience was quite similar, so interchangeable.

My Windows 10 environment loaded up on the Lenovo very quickly, despite booting from a USB key.  While I had the option to join it to my corporate domain, I opted to configure it with my Azure Active Directory ( because I would be using it for both business and personal.  I did add the VPN client for my corporate domain though, because I wanted to make sure I could use the key the way I originally intended it, and the way I hope my users will use it when we deploy across the company.

So I knew what Windows to Go could do because I worked with it before; the proof of the pudding is in the tasting though, and I wanted to see how this device would really feel from the user’s perspective.

In a word… seamless.  Once you are in Windows I notice no difference between using WTG and not… and that was always my concern with the other USB environments I had previously sampled.  This key showed the potential to be more than the ‘when all else fails’ alternative… it wants to be (and can be) a first class device that its competition never could be.  It is fast, it is solid, and it is reliable (a major area of contention with previous devices, as mentioned earlier).  While I didn’t perform the drop-test while inserted in a USB port (more out of fear of damaging the computer than the USB key), I did do a drop test.  I was listening to a podcast earlier and they talked about the standard four-foot drop test.  That’s nice of course, but if you have a USB key that can’t survive 4’ then you didn’t get your money’s worth.  No, I dropped this USB key from the second floor balcony of the cigar lounge where I am currently sitting, then walked down, picked it up off the concrete floor, then came back up and booted back into it.  No problem!

Two of the other devices I had tested either came apart or just stopped working reliably after a couple of weeks in my pocket (with my keys and coins).  Ironkey’s W500 laughed at that test… not even a scratch. 

Until recently I had the key connected to my keychain.  It made for a heavier and more unwieldy keychain to be sure, but I was fine with it… and it was only when my girlfriend borrowed my car for a day that the lanyard wire connecting the key to the keychain came open and got lost.  I suppose a woman’s purse may be no match for the pairing… but the Ironkey worked fine.

So my T420s worked great, but how about switching to another device?  I plugged it into my Surface Pro 3 and booted up.  I had to install device drivers, but it worked great.  But these are two pretty modern, corporate devices that are lovingly maintained by myself and the IT department at Kobo.  What about something less… modern and well-maintained?

In my girlfriend’s living room there is a computer that I would not want to spend a lot of time working on.  She readily admits it is ready to go to the corner – although she is wrong… it just needs a new hard drive.  Until recently she used it to watch Netflix and… that’s it.  It wasn’t good for anything else, seeing as it took 20 minutes to boot.  It’s old (the Windows sticker on the bottom says Windows Vista), but it is still an HP Pavillion… it shouldn’t be too bad.  It doesn’t have USB 3.0, so I wouldn’t expect much from it.  Once I installed the device drivers onto the Ironkey W500 Windows this 10 year old laptop purred like a kitten… I mean it really worked flawlessly!  It still popped up warnings that hard drive 0:0 was dying, but that did not affect how well the device worked.  It just.. worked!

That use made me think once again of all of the possible use cases for Windows To Go… I could now go into any Internet cafe, any hotel business centre, any mother-in-law’s place in the country, any airport lounge; No matter how poorly they maintain their computers, I can boot into my own hard drive on their ragged virus-ridden hardware and still be productive.  That rocks, because I do get to those places on a surprisingly regular basis!

W300So knowing how happy I was with the W500, I went back and borrowed the W300 from my colleague. Yes, I promise you will get it back… just let me see how well it works next to the W500.

Honestly I was surprised… while it is definitely faster, I didn’t feel like I was getting out of a Ferrari and into a Trabant… more like I was getting out of a Toyota Camry and into a Corolla.  Yes, the Camry is faster… but the Corolla is very close.  I spent a day working on it before giving it back, and when I went back to the W500 I was not at all disappointed by the very minor speed difference… I am happy to make the allowance for the security…

…and that is not to say that the W300 is not secure… it fully supports BitLocker drive encryption, which is absolutely solid and more than most people would need in an encryption layer. 

Both devices are the same size by the way… 81mm x 21mm – that is to say, about 3.2” x .9”.  They have not blocked the adjacent ports on any computer that I have tried them on.  They also (surprisingly, since Microsoft told me this would not work) both booted just fine when connected via a USB 2.0 hub.  That means that even on my Surface Pro 3 I don’t have to sacrifice my only USB port in order to use it.

In this day and age of terabyte hard drives it is hard to imagine that I could be satisfied living off a 64gb USB key… but remembering that most of my files are on-line anyways, this worked just fine for me.  What it did do was make me think do I really need this… every time I went to install another application.  I also considered disabling my Outlook Cached Mode, but then I wouldn’t have access to my e-mail off-line, so I decided to set the cache to a week instead of a month.

But what if it gets stolen?

I have said many times before that if someone steals my computer then I don’t care if they have a new device for themselves… as long as they cannot access my data.  I can always buy a new computer, but my data is not only irreplaceable, but in someone else’s hands it can be disastrous.  So the W500 has two different modes, that I call Self-Destruct and Soft-Destruct.  The default behaviour is simple… if you type the password in wrong ten times, the key self-destructs.  The circuits inside the key fry.  By the way, that is also what happens if someone tries to pry the device open (and Ironkey has made that extremely unlikely).  Soft-destruct is less… terminal.  After 10 wrong password attempts it wipes your device back to clean… I tried this before, and that is exactly what happened.  I was able to rebuild it as a new key, but there was no data left on it… not even traces.


If you need a solid and reliable device for Windows to Go, then there is nothing to think about… this is the only device for you.  Oh and if you are running an IT department and concerned that deploying dozens or more of these keys will be cumbersome, rest assured that Ironkey will provide you with the tools to deploy as many at a time as you have USB ports.  They also have a great tool for managing the hardware… if you want more information I’ll introduce you to them.

If you are worried (dare I say… paranoid?) about security, then this is also the device for you.  Whether you want to use it as an individual, or centrally manage hundreds or thousands for your organization, you will not be disappointed.

I definitely give the device two big thumbs up.  By the way, the majority of this article was written on a patio in Burlington, Ontario… with a cigar lit, and my Surface Pro 3 running my Windows To Go environment.

Thanks Ironkey!


3 thoughts on “Windows to Go: Ironkey gets it right

  1. Although the hardware encryption sounds nice in theory, if you ever wanted to connect it to an environment with mandatory bitlocker encryption, you would be in trouble. A h/w vs. bitlocker encryption speed test would be interesting.

  2. Great article. I have just bought the w700 windows to go one and i have a problem booting from my Lenovo ideapad z510. It always loads the preboot menu although i set it up manually a lot of times. Thanks

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s