A Clean Windows Installation…

It happens twice every year… Microsoft releases a new version of Windows 10.  For most people, the new version will be installed for them automatically by whatever method they use for patch management… either Windows Update, or any of myriad enterprise deployment tools their organization uses to manage desktop operating systems.

Unfortunately, due to a Windows update limitation that I have never quite understood, for me it means that I will be redeploying my operating system from scratch twice per year.

While Windows works fine when installed on a USB key, you cannot do a major OS upgrade to it.  So, if you have Windows 10 Enterprise version 1903 (Spring 2019) on a USB key, despite newer versions being released (Autumn 2019 and Spring 2020), the USB installation would remain on v1903.

For the last couple of years, because I use a number of different hardware platforms, I have been maintaining a USB key installation of Windows (formerly known as Windows to Go) as my primary personal system.  I run it off a Spyrus Worksafe Pro 128GB, and I have never had an issue with it.  I love the portability of it, in addition to the speed, security, and reliability.  What I do not love is that if I want to stay current, I have to reinstall Windows every six months… from scratch.

I have to admit, the process of reinstalling Windows every six months (along with all of my applications) is a pain in the rear.  It is time consuming, and if I am not careful, it is easy to forget something.  Yes, all of my data is in the cloud… but there is always the possibility that things can get missed; you know, files on the desktop, whatever.

The process is a pain, but it is also cathartic.  It gives me the opportunity to start with a clean slate.  Older application versions will be removed, and the newer ones deployed in their place.  Applications I might have needed for a contract do not have to be reinstalled.  What was old is new again.  It truly feels like a spring cleaning of my desktop environment.

With modern technologies such as Windows Autopilot there are some great tools to make the process easier.  I don’t mind spending a bit of time refreshing the environment.  A couple of hours later, and things are as good as new.  Windows to Go may be gone, but mobile Windows is still the way I am going.  So if we cannot do major updates on Windows USB installations, I’ll go through it.  I’m just glad it’s not more often than every six months!

Let’s Go: Creating a Windows to Go Hybrid Device

Recently I wrote a review of the Apricorn Aegis Secure Key 3z Flash Drive, a spectacular USB key with some great security features, including a unique keypad that requires you to unlock your device before connecting it to your computer.  The same day I received a comment.  Anthony asks:

Would you be able to provide a link with the exact steps to create the Image of WTG on the USB key?

Anthony, it will be my pleasure.

Firstly, I reviewed my archives.  It seems that I have written a couple of articles on the subject.  The first one, when Windows 8 was in beta testing, showed how to do it from the command prompt… before there were GUI tools.  That article is here.

A couple of months later I wrote about doing it in Windows 8 RTM, with the GUI tools.  That article is here.

With that said, both of these articles are now over five years old, and both pertain to Windows 8.  I figure it is time to update them.  So we are going to do a couple of things here:

  1. We are going to create a new Windows to Go key;
  2. We are going to modify the key so that we have a 15GB data partition.

I will be honest, I was going to go through the process of creating the Windows to Go key using PowerShell, but the preferred method (from Microsoft) is to use the Windows to Go creation tool.  I would rather use that.  If you want to use PowerShell, there are some articles I can point you to… but they are all a lot more complicated than they need to be.

Create Windows To Go

I have mounted the Windows ISO file (Windows 10 Build 1709)  to my E:.  My USB key is clean and virginal and ready to go.

1. Launch the Windows to Go Control Panel from the Start menu (or Cortana… just type in Windows to Go and it will come up).


2. Select the drive you want to use (only drives that are compatible will be displayed), and click Next.

In the next screen, you should have the option of Windows 10 Enterprise. 


If your screen is blank, perform the following steps:

  1. Ensure your Windows 10 Enterprise image is mounted;
  2. Click on Add search location;
  3. Navigate to the location where your .wim file is located (in my case, it is e:\sources\)
  4. Click Select Folder.

You should now see your image… and others, if the .WIM file contains different images.  Please remember, while you can select any of these, only Windows 10 Enterprise Edition will work for Windows to Go.


Click Next.

3. Now you can enable BitLocker and set a password for it.  I am not going to enable BitLocker for now, because I plan to resize my partition later.  If I did not plan on resizing, I would do it here, then click Next.


The next screen is the ‘Ready to create your Windows To Go workspace’ screen.  It will reassure you that this is not a two second process, and should take some time.  It also warns you that the process will wipe out any information on the drive.  That is why I generally like to use new keys for Windows To Go… or, you know… back my stuff up first!


When the process is complete, you will have the option to have Windows change your boot order, so that your system tries to boot from USB first.  I do not generally choose this option if creating from my desktop, simply because it is not uncommon for me to have three or more USB drives connected to some of my computers… and most of them are not bootable.  However if I am creating a key from my laptop, I do prefer it.


Okay, my Windows To Go key has been created, and I am ready to go… but not quite.

Create Data Volume

Okay… according to Windows Explorer, I have a 59.2 GB drive with 44.4 GB free space.


As I mentioned, I want to use this device as a hybrid… part Windows To Go, part portable storage.  So I am going to shrink the size of my Windows drive by 15 GB, leaving me a respectable 29.4 GB free on my WTG drive, and a 15 GB data partition.

This is one of the steps that is easier in the GUI.  I played around a little bit in PowerShell, and the following cmdlet worked:

Resize-Partition -DriveLetter "F" -Size 44.28GB

The reason I say it is easier in the GUI is simply because you can reduce by a certain amount (15GB, for example), whereas in PowerShell you have to reduce to a certain amount (44.28GB in this case).  Either way, it works… and I have 15GB of unallocated space.


We can simply create the volume in Disk Manager, but I would rather do it in PowerShell.


This shows us the number of the disk we are using. I determined it was Disk 2.  So:

New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter

My new partition needs to be formatted, and I trust I don’t need to show you how to do that.

What’s Left?

Now that I have my hybrid key created, I want to remember to enable BitLocker on both partitions.  I want to set a strong password on both drives.  Remember, by definition, this is a portable device, and even though I may be using an Apricorn key with a numeric key code, I remember that Defense-In-Depth is how I sleep sound at night.
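The shrink, create, format and encrypt steps above as one PowerShell sequence (an added example, not the author's own script). It assumes the Windows To Go volume is mounted as F: on the build machine, and the WTG-Data label is made up; it computes the target size so you can shrink by an amount, and it encrypts only the new data volume.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the Windows To Go volume is mounted as F: on the
# machine where the key was built; 'WTG-Data' is a made-up volume label.
$wtgLetter = 'F'
$shrinkBy  = 15GB
$dataLabel = 'WTG-Data'

# Find the partition and its parent disk instead of hard-coding a disk number.
$part = Get-Partition -DriveLetter $wtgLetter
$disk = Get-Disk -Number $part.DiskNumber

# Guard against a wrong drive letter: only continue if the disk is on the USB bus.
if ($disk.BusType -ne 'USB') {
    throw "Disk $($disk.Number) ($($disk.FriendlyName)) is $($disk.BusType), not USB. Aborting."
}

# Resize-Partition takes the final size, not the amount to remove,
# so work out the target and check it against what the volume supports.
$limits = Get-PartitionSupportedSize -DriveLetter $wtgLetter
$target = [uint64]($part.Size - $shrinkBy)
if ($target -lt $limits.SizeMin) {
    throw "Cannot shrink ${wtgLetter}: by $($shrinkBy / 1GB) GB; minimum size is $([math]::Round($limits.SizeMin / 1GB, 2)) GB."
}
Resize-Partition -DriveLetter $wtgLetter -Size $target

# Use the freed space for the data partition and format it.
$dataPart = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $dataPart.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel $dataLabel | Out-Null

# Encrypt the data volume with a password, then add a recovery password
# so a forgotten password does not mean lost data.
$mount    = "$($dataPart.DriveLetter):"
$password = Read-Host -AsSecureString -Prompt "BitLocker password for $mount"
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $password -UsedSpaceOnly | Out-Null
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null

# Confirm the state and list the protectors; store the recovery password off the key.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, KeyProtector
```

The Windows partition itself is left to the BitLocker step in the Windows To Go wizard or the BitLocker Control Panel.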


So… that’s it!  I know this article is a hybrid of GUI and PowerShell and such, but then… the word hybrid is right there in the title!  I hope it has helped, and that you will be able to go forward and create your own Windows To Go hybrid devices!


Earlier today I published my article called USB & Windows to Go: Key In! on this site.  Because of my eagerness to get the article out (recently I posted that I would be trying to post a lot more frequently), I have been informed that I made a number of minor errors.  Here are the corrections:

  1. The ASK3Z keys are available in sizes from 8GB to 128GB, and not 256GB as I had mentioned.  This has been corrected in the text.
  2. Apricorn offers larger capacity devices in their ASK3 line, including a 240GB and a 480GB model.  These devices run the identical firmware, and have all the same features as the ASK3Z.
  3. If the brute force is tripped, the drive will crypto erase the encryption key, so that the data cannot be accessed.  The drive itself is not actually wiped, but cannot be accessed.
  4. Because the key code is entered before the key is inserted into the computer, there is no possibility for a key-logger to steal the PIN.  (This is not a correction, but another point I should have mentioned because it is cool!)
  5. With regard to the rebooting, I am told that the Lock Override Mode is the best way to use the device as an OS host, so the Secure Key will disregard the Re-enumeration signal from the USB port while the system reboots.

Sorry for the misunderstandings, and thank you Craig for helping me out here!


USB and Windows to Go: Key in!

I have written in the past about several different Windows to Go (WTG) key options, and have leaned heavily toward the ones with Military Grade Security (MilSec).  They are all good, they all do just about the same thing.  Of course, there are differences with deployment methodology, as well as the tools that support them, but in the end, you plug a key in, you boot from it, you have Windows.

Recently I was introduced to a key that sets itself apart, and it is obvious from the first glance.  Just open the box of the Aegis Secure Key 3z Flash Drive from Apricorn Inc., and the first thing you will notice is that its top is covered with a numeric keypad, along with three lights.  The polymer-coated wear-resistant onboard keypad allows you to unlock your device with a numeric passcode before using it.  Wow.  This really does change things!

I had the opportunity to speak with Craig Christensen of Apricorn Inc. recently, and we discussed several of the features, as well as use cases, for the Aegis Secure Key 3z.  Some of the scenarios were obvious, but others really made a lot of sense.

It should be known that this key, available in sizes from 8GB to 128GB, was not designed specifically for Windows to Go.  In fact, according to Mr. Christensen, the vast majority of their users do not use WTG, and the majority of customers who run a bootable operating system off the key are in fact using Linux.  Indeed, most of their customers are using the keys to store… well, data.

What sort of data?  Well, that would depend on the customer.  But with penetration into governments, military and defense contractors, aviation, banking, and many more, it is clear that the keys are in use by many serious people and companies for whom security breaches could mean more than a simple loss of competitive advantage.  Intellectual Property is certainly important to manufacturers, but when it comes to other sectors, the stakes get much higher indeed.

So let’s enumerate some of the unique benefits that these keys have over their competitors:

  • Separate administrator and user mode passcodes, as well as possible read-only passwords
  • Programmable individual key codes that can be unique to an individual, granting user-level access
  • Data recovery PINs in the event a PIN is forgotten… or in the event a user leaves the company on bad terms
  • Brute-force defense, wiping the device clean after a set number of wrong attempts
  • Unattended auto-lock automatically locks the device if not accessed for a pre-determined length of time
  • Self-destruct PINs allow a user under duress to enter a code that immediately and irretrievably wipes the device clean
  • Meets FIPS 140-2 Level 3 standards for IT and computer security
  • IP57 Certification means the device is tough, resilient, and hard to kill.  With its rugged, extruded aluminum crush-resistant casing, the Aegis Secure Key is tamper evident and well-protected against physical damage.

In short, this is a tough little device.

I decided to have a little bit of fun with the key this weekend.  The first thing I did was to create a WTG key.  Like my other WTG keys, I got the 64GB model, although they are available in much higher capacities.  So once Windows was installed, I was left with about 50GB of free space on the drive.  I have realized over time that unless I plan to use the key as my primary PC (I do not), that is more than plenty.  Yes, I will install Office 365 and Live Writer and SnagIt, as well as a dozen other applications I can’t live without, but I will still never need more than 35GB of that.  Possibilities…

Okay, let’s shrink my Apricorn’s volume by 15GB.  It is now about a 45GB volume (formatted).  I then created another volume for my data.  Of course, I have both partitions BitLocker encrypted, because Defense In Depth is important to me.  So now, the partition table on my key looks like this:


In short, I have my 350MB System volume, a 44GB Boot volume, and a 15GB data volume.  Why would I want that?  Remember when I said that the majority of customers use the Apricorn keys for data and not for Windows to Go?  Well, doing things this way, I can have the best of both worlds.  I can use the key to boot into my environment, but I can also use the 15GB MDG-Data  volume as a regular, highly encrypted and protected USB drive.

Of course, I had to test that theory.  I made sure I was able to take the key to another pre-booted installation of Windows, key in my code, plug the key in to that computer, enter my BitLocker password, and use the key.  Yessir, it worked.  Woohoo!

So let’s see… My Apricorn key, which is rugged and not going to break, can boot into a secure Windows 10 environment; it can be used as a secure data thumb drive; it can be used as a combination of both.  Nice!

At USD$159, the 64-GB key is competitively priced.  Unlike many competitive devices, the prices are cited right on the web page, and you can even buy direct without having to set up an account and speaking with a salesperson.  If you are a company looking for volume discounts, you can also buy them from distributors such as Softchoice, TechData, Canada Computers, and many more.  For a clearer picture of where to buy from in your region, visit their Where to Buy page.

I have been working with the Apricorn drive as my primary workspace today, and there are only two very minor drawbacks that I have found:

  1. The drive does get hot.  This is no different from the other WTG keys I have discussed in the past.
  2. If your USB port loses power for a split second on reboot (most of them do), then you have to shut your computer down and unlock the key again.  However, if your USB port is persistently powered, this will not be an issue.

Whether you want it for Windows to Go, for data storage, or for a combination of both, the 256-bit AES XTS hardware-encrypted Aegis Secure Key 3z Flash Drive from Apricorn Inc. is certainly a must-have.  I know that going forward, this is a key that will always be in my pocket!

Windows to Go: Ironkey gets it right

Back in 2012 I spent a lot of time talking (and writing) about Windows to Go (WTG).  This was Microsoft’s newest feature that allowed you to install Windows 8 on a USB key.  In theory I loved it, in practice… well, most of the USB keys that I tried it on (the certified ones, and not just the ones that I got for free at trade shows) worked… they just didn’t work very well.  They were… flimsy is probably the right word.  I had finally built my key just right, and one day I was demonstrating it to a group in Tokyo and… it just stopped.  It turned out, after hours of troubleshooting, that the connectors were not connecting properly.  After I spoke with the company (who made me follow a less-abridged version of the troubleshooting steps I had already taken), they offered to replace the key for me under warranty.  A few months later we had the same conversation on the replacement device.

So when I walked into the Ironkey booth at MS Ignite in Chicago this past May, I was intrigued by two promises they made: They told me that they are  MilSpec (Military Specifications, which means they should be nearly indestructible), and they promised it was full lengths faster than the competition.  I told them that I wanted to see that for myself, and they obliged by sending me two devices: An Ironkey W300, which is a heavy-duty 64GB key, and an Ironkey W500, which is just as heavy-duty, but includes hardware encryption.

I want to start by saying that I have nothing bad to say about either device.  However there are only so many hours in a day, and if I am going to get any work done (you do realize that I have an actual day job, one where they expect me to accomplish things) I could spend a little while testing both devices, but I was only going to focus on one of them.  Since the W500 is hardware encrypted, I made that my own, and only ran some cursory tests on the W300 before handing it off to an associate.

I should mention that there was another reason that I handed the W300 off… My colleague James is a Mac user, and the hardware encryption of the W500 is not compatible with the Mac.  For that reason the W300 was perfect for him.  However let me be clear: if I hadn’t been extremely satisfied by the performance of the hardware-encrypted W500 I would have kept the W300 for myself.  Yes, there is a difference between the two; it is less of a difference than you would notice if you switched out your solid-state drive (SSD) with a 15k rpm hard drive though.  That is to say that although the actual speed tests that I ran do show a marked difference between the performance of the two, to the naked eye for what I do on a daily basis there is very little difference.

At First Glance

There are some hoops to jump through in order to create the W500 as a Windows To Go (WTG) device.  Because it is natively encrypted you have to download the Administration Toolkit from their website, so that your Windows OS can recognize and build the key.  Okay, I am willing to live with that… after all, it is still easier than taking off my shoes and emptying my pocket at the airport.  You also have to download the Customization Toolkit, which modifies the install.wim file that you are going to use to build the key.  No problem, it took a few minutes and it was done.

If you are a normal user and are willing to RTFM then the process is fairly simple.  If you are like me and figure it will just work the way you think it will work, then it might cause a bit of frustration.  However once you realize that you don’t know everything and read the instructions, things go very smoothly.

So here’s what I did: I unlocked the device, I modified my ISO, I put the device into Configuration Mode, I created my Windows to Go (that was the same Windows wizard I already knew), and then I put the key back into Deployment Mode.  All in all it might have taken half an hour or so.  No big deal.

When you put the device back into Deployment Mode it asks if you want to modify your hardware so that it will boot from USB before any other device.  If you are using the same computer for both (or even just for testing) then this is a good idea.  However my primary use case for WTG is work from anywhere on any device.  Make sure you know what key allows you to select the boot device before you boot it up… on HP it’s F9.

So we were off to the races… I built the key on a Lenovo T420s that I have at the office, and it seemed so simple to just reboot that device into my WTG environment.  Ok fine.  As it was booting I got the Windows 8 logo… and then an unfamiliar screen.  I arrived at the Ironkey Pre-boot environment, prompting me for my password.  Password entered, it rebooted into Windows for me.

Note: At this point I should mention that I started these tests on the key with Windows 8.1.  On July 29 I downloaded the ISO for Windows 10 Enterprise and rebuilt the key.  So please note that while I may say one or the other edition at any point, the experience was similar enough that the two are interchangeable.

My Windows 10 environment loaded up on the Lenovo very quickly, despite booting from a USB key.  While I had the option to join it to my corporate domain, I opted to configure it with my Azure Active Directory (garvis.ca) because I would be using it for both business and personal.  I did add the VPN client for my corporate domain though, because I wanted to make sure I could use the key the way I originally intended it, and the way I hope my users will use it when we deploy across the company.

So I knew what Windows to Go could do because I worked with it before; the proof of the pudding is in the tasting though, and I wanted to see how this device would really feel from the user’s perspective.

In a word… seamless.  Once you are in Windows I notice no difference between using WTG and not… and that was always my concern with the other USB environments I had previously sampled.  This key showed the potential to be more than the ‘when all else fails’ alternative… it wants to be (and can be) a first class device that its competition never could be.  It is fast, it is solid, and it is reliable (a major area of contention with previous devices, as mentioned earlier).  While I didn’t perform the drop-test while inserted in a USB port (more out of fear of damaging the computer than the USB key), I did do a drop test.  I was listening to a podcast earlier and they talked about the standard four-foot drop test.  That’s nice of course, but if you have a USB key that can’t survive 4’ then you didn’t get your money’s worth.  No, I dropped this USB key from the second floor balcony of the cigar lounge where I am currently sitting, then walked down, picked it up off the concrete floor, then came back up and booted back into it.  No problem!

Two of the other devices I had tested either came apart or just stopped working reliably after a couple of weeks in my pocket (with my keys and coins).  Ironkey’s W500 laughed at that test… not even a scratch. 

Until recently I had the key connected to my keychain.  It made for a heavier and more unwieldy keychain to be sure, but I was fine with it… and it was only when my girlfriend borrowed my car for a day that the lanyard wire connecting the key to the keychain came open and got lost.  I suppose a woman’s purse may be no match for the pairing… but the Ironkey worked fine.

So my T420s worked great, but how about switching to another device?  I plugged it into my Surface Pro 3 and booted up.  I had to install device drivers, but it worked great.  But these are two pretty modern, corporate devices that are lovingly maintained by myself and the IT department at Kobo.  What about something less… modern and well-maintained?

In my girlfriend’s living room there is a computer that I would not want to spend a lot of time working on.  She readily admits it is ready to go to the corner – although she is wrong… it just needs a new hard drive.  Until recently she used it to watch Netflix and… that’s it.  It wasn’t good for anything else, seeing as it took 20 minutes to boot.  It’s old (the Windows sticker on the bottom says Windows Vista), but it is still an HP Pavilion… it shouldn’t be too bad.  It doesn’t have USB 3.0, so I wouldn’t expect much from it.  Once I installed the device drivers onto the Ironkey W500 Windows, this 10 year old laptop purred like a kitten… I mean it really worked flawlessly!  It still popped up warnings that hard drive 0:0 was dying, but that did not affect how well the device worked.  It just… worked!

That use made me think once again of all of the possible use cases for Windows To Go… I could now go into any Internet cafe, any hotel business centre, any mother-in-law’s place in the country, any airport lounge; No matter how poorly they maintain their computers, I can boot into my own hard drive on their ragged virus-ridden hardware and still be productive.  That rocks, because I do get to those places on a surprisingly regular basis!

So knowing how happy I was with the W500, I went back and borrowed the W300 from my colleague. Yes, I promise you will get it back… just let me see how well it works next to the W500.

Honestly I was surprised… while it is definitely faster, I didn’t feel like I was getting out of a Ferrari and into a Trabant… more like I was getting out of a Toyota Camry and into a Corolla.  Yes, the Camry is faster… but the Corolla is very close.  I spent a day working on it before giving it back, and when I went back to the W500 I was not at all disappointed by the very minor speed difference… I am happy to make the allowance for the security…

…and that is not to say that the W300 is not secure… it fully supports BitLocker drive encryption, which is absolutely solid and more than most people would need in an encryption layer. 

Both devices are the same size by the way… 81mm x 21mm – that is to say, about 3.2” x .9”.  They have not blocked the adjacent ports on any computer that I have tried them on.  They also (surprisingly, since Microsoft told me this would not work) both booted just fine when connected via a USB 2.0 hub.  That means that even on my Surface Pro 3 I don’t have to sacrifice my only USB port in order to use it.

In this day and age of terabyte hard drives it is hard to imagine that I could be satisfied living off a 64gb USB key… but remembering that most of my files are on-line anyways, this worked just fine for me.  What it did do was make me think do I really need this… every time I went to install another application.  I also considered disabling my Outlook Cached Mode, but then I wouldn’t have access to my e-mail off-line, so I decided to set the cache to a week instead of a month.

But what if it gets stolen?

I have said many times before that if someone steals my computer then I don’t care if they have a new device for themselves… as long as they cannot access my data.  I can always buy a new computer, but my data is not only irreplaceable, but in someone else’s hands it can be disastrous.  So the W500 has two different modes, that I call Self-Destruct and Soft-Destruct.  The default behaviour is simple… if you type the password in wrong ten times, the key self-destructs.  The circuits inside the key fry.  By the way, that is also what happens if someone tries to pry the device open (and Ironkey has made that extremely unlikely).  Soft-destruct is less… terminal.  After 10 wrong password attempts it wipes your device back to clean… I tried this before, and that is exactly what happened.  I was able to rebuild it as a new key, but there was no data left on it… not even traces.


If you need a solid and reliable device for Windows to Go, then there is nothing to think about… this is the only device for you.  Oh and if you are running an IT department and concerned that deploying dozens or more of these keys will be cumbersome, rest assured that Ironkey will provide you with the tools to deploy as many at a time as you have USB ports.  They also have a great tool for managing the hardware… if you want more information I’ll introduce you to them.

If you are worried (dare I say… paranoid?) about security, then this is also the device for you.  Whether you want to use it as an individual, or centrally manage hundreds or thousands for your organization, you will not be disappointed.

I definitely give the device two big thumbs up.  By the way, the majority of this article was written on a patio in Burlington, Ontario… with a cigar lit, and my Surface Pro 3 running my Windows To Go environment.

Thanks Ironkey!

Making Your Windows 8 ISO work for You


Tomorrow is the day that a huge number of you will be downloading and installing the final bits (RTM) of Windows 8.  You now have an ISO image of Windows, and you need to install it onto your computer.  In order to do that you have to put it onto media – DVD or in many cases USB sticks.

DVDs are easy… since the introduction of the technology people have been burning .iso files to CDs and DVDs, thanks to such tools as Alex Feinman’s ISO Recorder.  All you need is a DVD burner and a blank DVD.  In fact in Windows 8 if you click on an ISO file in Windows Explorer there is an option to either mount or burn the image file (as seen)


A lot of PCs these days – including but not limited to ultrabooks, tablets, and minis – do not have DVD players built in, and so USB keys (sticks, thumb drives) have become the preferred method of installation for many.  All you have to do is make it bootable and you are off to the races.  There are several ways to do that.

Because it has been available to us for so long, the method I use is tried and true – I use the Disk Partition Tool (diskpart.exe) in Windows.  Because DiskPart is so destructive it is a good idea to unplug any unneeded drives before proceeding, and then continuing with extreme caution.

  1. Open a Command Prompt (from the Start Menu type cmd.exe).
  2. From the command prompt type diskpart.exe and press Enter.  If you are using Windows Vista or later a UAC window will come up.  Click on Yes (or OK).
  3. In the DiskPart tool type list disk to see a list of connected devices.  In this example you will see that I have three disks connected.  Disk 0 (238 GB) is my internal hard disk.  Disk 1 (14 GB) is an SD card that I plugged in to transfer pictures from my camera.  Disk 2 (3841 MB) is the 4GB USB key that I am using for my bootable Windows 8 key.
  4. Type select disk X (where X is the number assigned to your USB key)
  5. Type clean.  This will wipe everything off the disk, so be careful that you have selected the appropriate drive, and be sure there’s nothing important on it.
  6. Type create partition primary.  This creates a primary partition on the key.
  7. Type assign.  Your blank partition now has a drive letter assigned to it.  You can check in Windows Explorer to see what letter it is.  The volume name will be NEW VOLUME.
  8. Format the disk.  The easiest way is to click on the NEW VOLUME in Windows Explorer and select the options for Quick Format.  You can also, should you wish, name the volume from the Format Disk window by entering the name (15 characters or less) in the Volume Label field.
  9. Type active.  This marks the partition as active.
  10. Type exit to close the DiskPart tool.
  11. Type exit.  This will close down your command prompt.

Our USB key is now bootable.  All that is left is to copy the contents of the ISO file (and not the ISO file itself) onto the key.  Use any tool that you like to mount the ISO file (such as Windows Explorer in Windows 8, or Magic ISO Maker in Windows 7), and do a simple file copy from that drive to your thumb drive.  Depending on the speed of your disks it might take as long as 20 minutes on USB 2.0, but if you have USB 3.0 then it’s much quicker.

The next step is easy but often overlooked… when you boot your system there are two things you have to do:

  • Make sure the bootable USB key is plugged into the system before it POSTs.  If not it may not be considered a boot option.
  • If the USB device is not set first in the boot order (in your BIOS) then you have to select it manually.  Different PC makers make you press different keys (HP is F9, I think Dell is F12; check your PC to be sure) to show you the Boot Device menu.  Most tablets will boot from USB first by default.

At this point you are ready to go… install Windows 8, and start playing.  It’s that simple.

Welcome to the world of 8… the luckiest number in Chinese, and the newest evolution on the desktop and tablet!

USB Drives: Easily lost, but easily encrypted!

Peter Wolchak (Editor, Backbone Magazine) pinged me this morning… furious. ‘How long does it take to encrypt a USB key?’  Not very long… why?

It turns out that Elections Canada is back in the news, and (again) not in a good way.  A couple of employees had confidential information about 2.4 Million voters on thumb drives… and lost them.  They weren’t encrypted.

Please read Peter’s article here.

Folks, if you have Windows 7 or later (Enterprise or Ultimate), encryption is included for free… It’s called BitLocker.  Here’s what it looks like, and how to encrypt your drive:

The BitLocker Drive Encryption Tool is simple to use… in Windows 7 (or 8) type BitLocker into Search (for Windows 8 it is considered a setting… see my previous post here) and this screen pops up.  The drive I am choosing to encrypt is the I drive, a 4GB USB key that I got for free at a trade show recently.

Once I click on ‘Turn on BitLocker’ (by individual drive or volume) it asks me how I want to unlock it – in this case I don’t have a smart card, so I select the password option.


The option to save your recovery key to a Microsoft account (new name for a Live ID) is new in Windows 8, and is very convenient.  However if you have several encrypted volumes remember to name them appropriately so that you will remember what is what!


You can either encrypt the used disk space or the entire drive… the first option is MUCH faster, but the second is comprehensive.


You can watch the progress… for a 4GB USB key it can take from 10-20 minutes if you selected ‘Entire drive’.


Once it’s done, you are set!  When you plug your newly encrypted USB key into a port it will be encrypted, so if someone steals it they have the key itself… but not the data.
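The same steps can be scripted with the BitLocker PowerShell cmdlets that ship with Windows 8 and later.  This is an added example, not part of the original post; the function name Protect-UsbKey and the removable-drive guard are assumptions, and I: is the drive letter used above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on Windows 8 or later, where the BitLocker module is available.
function Protect-UsbKey {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter,
        [switch] $EntireDrive      # default: encrypt used space only (faster)
    )
    $mount = "${DriveLetter}:"

    # Guard (assumption): only touch volumes Windows reports as removable.
    $volume = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($volume.DriveType -ne 'Removable') {
        throw "$mount is a $($volume.DriveType) volume, not a removable one."
    }
    $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
    if ($blv.VolumeStatus -ne 'FullyDecrypted') {
        throw "$mount is already in state $($blv.VolumeStatus)."
    }

    # Password protector: the equivalent of choosing the password option.
    $password = Read-Host -AsSecureString -Prompt "Password to unlock $mount"
    $enable = @{ MountPoint = $mount; PasswordProtector = $true; Password = $password }
    if (-not $EntireDrive) { $enable.UsedSpaceOnly = $true }
    Enable-BitLocker @enable -ErrorAction Stop | Out-Null

    # Recovery password: the 48-digit value to store away from the key itself.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector `
        -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null

    # Poll until encryption finishes, showing the same progress the wizard shows.
    do {
        Start-Sleep -Seconds 5
        $blv = Get-BitLockerVolume -MountPoint $mount
        Write-Progress -Activity "Encrypting $mount" -PercentComplete $blv.EncryptionPercentage
    } while ($blv.VolumeStatus -eq 'EncryptionInProgress')
    Write-Progress -Activity "Encrypting $mount" -Completed

    $recovery = $blv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint       = $mount
        VolumeStatus     = $blv.VolumeStatus
        ProtectionStatus = $blv.ProtectionStatus
        RecoveryKeyId    = $recovery.KeyProtectorId
        RecoveryPassword = $recovery.RecoveryPassword
    }
}

Protect-UsbKey -DriveLetter I     # I: is the drive letter used in the post
```

Store the returned recovery password somewhere other than the key; a ProtectionStatus of On with a VolumeStatus of FullyEncrypted confirms the drive is protected.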

I hope this helps!

Windows To Go: This is going to be a game changer!


I have said before that I am not sure that Windows 8 is going to have the adoption rates that Windows 7 has had, and that it is more likely that Windows 7 will remain the dominant operating system in the enterprise.  If companies are going to be convinced to switch, it will be by new features such as Windows To Go (WTG), which allows us to install Windows 8 on a USB key, configure that key with our applications and security requirements (including domain join, group policy, Direct Access, and more), and then boot from that USB key on any computer in the world.


So imagine you are visiting your in-laws in Podunk, and they have their trusty old Windows XP Home machine, and you can pop in your USB key, boot from it, do all of your work with all of your applications while connected to your corporate network, all the while without affecting their XP Home setup with their own games and stuff.


  • You have to build this USB key from a system running Windows 8.
  • You have to have a USB 3.0 port on that system (which is a requirement to build, but not to use Windows to Go).
  • You have to have the source media for Windows 8, which can be either an ISO or a DVD (or any media with the original install.wim file on it).
  • You have to have a USB stick that is compatible with Windows to Go.  Sorry folks, just any USB key that you get from a trade show giveaway will not work.  I use the Kingston DT Ultimate G2 16GB, which cost me a little under $70 on Amazon.com.  I hope that Microsoft will make a comprehensive list available soon, but nothing so far.

Step by Step: Create your Windows to Go key!

  1. Open a command prompt with Administrative credentials.  You are going to use the single most destructive tool within Windows, and you need to Run As Administrator to use it.
  2. Open the Disk Partition Tool (diskpart.exe).
  3. Type list disk (expert tip: you can save time by typing the first three letters of any command in diskpart, so lis dis would work just as well).
  4. Once you see the list of disks in your system, insert your new USB 3.0 key into an appropriate port.  Wait a few seconds, then type lis dis again.  Note the number of the new drive.
  5. Type select disk #.  Make sure that # is the number of the new drive or bad things will happen!
  6. Type Clean.  This command will destroy everything on the drive – files, partitions, all gone.  See why I call it destructive?  There is no Undo command.
  7. Type create partition primary (cre par pri).  This creates a new partition on the key.
  8. Format the new partition by typing format fs=ntfs quick.  It will only take a few seconds (hence the QUICK command switch).
  9. To make it a bootable disk type Active.
  10. Assign a drive letter to it by typing assign.
  11. Exit the Disk Partition Tool by typing exit.
  12. Mount the Windows 8 media (if you have an ISO) or insert the disk into the drive.
  13. At this point you have to check the drive letter for both the USB key and the Windows 8 media.  These will be different for each machine, but for my example we will say that the USB key is F: and the Windows 8 media is G:.
  14. Now we have to apply the Windows 8 image to the key.  Navigate to the Windows 8 media and type:

dism /apply-image /imagefile:g:\sources\install.wim /index:1 /applydir:f:\

You should receive output that looks like this:

Applying image

[===============40.0% ]

The above line is your progress bar, and when it reaches 100% the image will be completed.  You then have to type the following command to create the Boot Configuration Data file which allows your computer to select an operating system:

bcdboot.exe f:\Windows /s f: /f ALL

That should do it… try booting from the key (many systems need you to press F9 or F12 to select the boot menu when turning on the system, and will not see the USB key unless it was plugged in when the system booted).  Select the key, and if it boots from the key then you are now the proud owner of a Windows to Go key!

Creating a Bootable USB Key

It seems that some of my articles got chopped during the move to WordPress.  Doh!  Here are the simple instructions to create a bootable USB key:

  1. Open a Command Prompt session with Administrator privileges.
  2. Run the Disk Partition utility (diskpart.exe).
  3. Type List Disk to see a list of drives on your computer.  Determine which is your USB key and select it (for example, Select Disk 2).
  4. Type Clean.
  5. Type Create Partition Primary.
  6. Type assign.
  7. Format the disk… I usually suggest using the Quick Format option in Windows Explorer.
  8. (Back in DiskPart) Type Active.
  9. Exit DiskPart and the Command Prompt.

At this point your USB key is bootable, and you simply have to copy the proper files onto it.  I generally create a Media Deployment Point in Microsoft Deployment Toolkit, and then copy the contents of the proper directory (x:\Media\Content) onto the key.
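The riskiest step in this procedure, and in the Windows to Go steps above, is selecting the right disk before Clean.  The following added example (not from the original posts) does the same preparation with the Storage cmdlets in Windows 8 and later, and refuses any disk that is not a non-boot USB disk; the function names, the default label and the disk number are assumptions.

```powershell
# Added example (not from the original posts). Run elevated on Windows 8 or
# later; uses the Storage module instead of typing into diskpart.
function Get-UsbKeyCandidate {            # hypothetical helper name
    # USB-attached disks only, excluding the disk Windows booted from.
    Get-Disk | Where-Object {
        $_.BusType -eq 'USB' -and -not $_.IsBoot -and -not $_.IsSystem
    }
}

function Initialize-BootableUsbKey {      # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int] $DiskNumber,
        [ValidateLength(1, 32)] [string] $Label = 'USBKEY'   # constructed default
    )
    $disk = Get-UsbKeyCandidate | Where-Object Number -eq $DiskNumber
    if (-not $disk) {
        throw "Disk $DiskNumber is not a non-boot USB disk. Nothing was changed."
    }
    # Show exactly what is about to be wiped and require the model name back.
    $disk | Format-List Number, FriendlyName, SerialNumber, Size, PartitionStyle | Out-Host
    $answer = Read-Host "Type the disk's FriendlyName to confirm the wipe"
    if ($answer -ne $disk.FriendlyName) {
        throw 'Confirmation did not match. Nothing was changed.'
    }

    # 'clean': remove all partitions and data (skipped if the disk is already raw).
    if ($disk.PartitionStyle -ne 'RAW') {
        Clear-Disk -Number $DiskNumber -RemoveData -Confirm:$false
    }
    # Removable media may still report MBR after Clear-Disk; initialise only if raw.
    if ((Get-Disk -Number $DiskNumber).PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    }
    # 'create partition primary' + 'active' + 'assign'
    $partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
    # 'format fs=ntfs quick' (Format-Volume does a quick format unless -Full is given)
    $partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

# List the candidates first, then pass the number you verified.
Get-UsbKeyCandidate | Format-Table Number, FriendlyName, SerialNumber, Size
# Initialize-BootableUsbKey -DiskNumber 2   # disk number is a constructed example
```

If you are currently booted from a Windows to Go key, that key is the boot disk and is excluded from the candidate list, so it cannot be wiped by mistake.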

Have fun!