A Clean Windows Installation…

It happens twice every year… Microsoft releases a new version of Windows 10.  For most people, the new version will be installed for them automatically by whatever method they use for patch management… either Windows Update, or any of myriad enterprise deployment tools their organization uses to manage desktop operating systems.

Unfortunately, due to a Windows update limitation that I have never quite understood, for me it means that I will be redeploying my operating system from scratch twice per year.

While Windows works fine when installed on a USB key, you cannot do a major OS upgrade to it.  So, if you have Windows 10 Enterprise version 1903 (Spring 2019) on a USB key, despite newer versions being released (Autumn 2019 and Spring 2020), the USB installation would remain on v1903.

For the last couple of years, because I use a number of different hardware platforms, I have been maintaining a USB key installation of Windows (formerly known as Windows to Go) as my primary personal system.  I run it off a Spyrus Worksafe Pro 128GB, and I have never had an issue with it.  I love the portability of it, in addition to the speed, security, and reliability.  What I do not love is that if I want to stay current, I have to reinstall Windows every six months… from scratch.

I have to admit, the process of reinstalling Windows every six months (along with all of my applications) is a pain in the rear.  It is time consuming, and if I am not careful, it is easy to forget something.  Yes, all of my data is in the cloud… but there is always the possibility that things can get missed; you know, files on the desktop, whatever.

The process is a pain, but it is also cathartic.  It gives me the opportunity to start with a clean slate.  Older application versions will be removed, and the newer ones deployed in their place.  Applications I might have needed for a contract do not have to be reinstalled.  What was old is new again.  It truly feels like a spring cleaning of my desktop environment.

With modern technologies such as Windows Autopilot there are some great tools to make the process easier.  I don’t mind spending a bit of time refreshing the environment.  A couple of hours later, and things are as good as new.  Windows to Go may be gone, but mobile Windows is still the way I am going.  So if we cannot do major updates on Windows USB installations, I’ll go through it.  I’m just glad it’s not more often than every six months!

Windows to Go Lives!

Sometimes the universe is talking to me.

This weekend, for reasons I cannot recall, I was thinking about the fact that Microsoft announced that it will be deprecating Windows to Go, and that sometime this fall I would be faced with the choice of either:

  • Keeping my supported Windows 10 v1903 Windows to Go key; or
  • Using a non-supported method of building a new Windows to Go key on Windows 10 v1909.

I was sitting on the patio enjoying a cigar when something occurred to me: when twice-yearly I rebuild my Windows to Go key (on my Spyrus Worksafe Pro 128) I do not use Microsoft’s Windows to Go Creator Tool, but rather a proprietary tool provided by Spyrus that handles their security encryption and all.  So, I wondered to myself, is my Spyrus tool really running Windows to Go, or is it simply Windows 10 installed on a USB device?  If so, might it continue to work with future versions of Windows 10?

It is not often that I am excited by a press release in my morning e-mail.  This morning I read about a scandal in Canada that won’t go away (and with good reason, but enough already!), another in Israel involving Sara Netanyahu, the Ukraine, and a piece of bread… and then there was one from Spyrus.

Last month I published an article called Windows to Go… Going Away.  Microsoft has announced that it is deprecating the Windows to Go functionality in future releases of Windows 10, which in theory meant that those of us who work with the tool would be stuck on Windows 10 v1903, the last version of the operating system to include the Windows to Go workspace creator tool (pwcreator.exe).

In my article last month I wrote that “There were ways of [installing Windows on a USB key] before Windows 8, and so there will be ways of doing it after Windows to Go is completely deprecated.”  I am happy that I am not going to have to rely on that.

On August 20, 2019 Spyrus announced that they are committed to securely supporting Windows to Go for the next decade, and that their solutions are to be the only secure USB device manufacturer certified by Microsoft.

Spyrus devices are certified FIPS 140-2 Level 3, offering the best security in the industry.  Because of their proprietary technology, they have always used their own creator tool.  As it does not rely on Microsoft’s continued development of WTG, Spyrus is able to continue to develop and support Windows to Go on all six Windows to Go devices, and thus continue to provide this functionality to their customers.

For those of us who use Windows to Go on a regular basis, this announcement was a welcome one.  I have confirmed with a company spokesperson that their Spyrus Windows to Go Creator Tool will continue to support bi-yearly releases as well as the Long Term Service Builds (LTSB) in the LTSC.  This is great news, and in honour of that I am planning on building a new tool with the LTSC release for a future article.

Having gone through several WTG devices over the last seven years, ranging from the cheapest to the most expensive, I decided last year that Spyrus was the device I was going to use – primarily if not exclusively – for my Windows to Go tools.  I have either met with or spoken to representatives (or agents) of a number of competing companies; I have not been able to reach any of them for comment.  I am glad to see that the device that I deemed over a year ago to be my favourite is not only still in the game, going forward they are going to be the only company still in it.

While Spyrus does offer solutions up to 1TB it is a little pricey, and with easily accessible wireless Internet and cloud storage solutions, it is likely that the smaller devices will fit the bill perfectly for most users.  I recently upgraded my primary device from the 64gb Worksafe Pro that I had since 2015 to the 128gb model that is identical in every way except capacity.  I understand the 512gb and 1TB versions are larger and while it would be great to have that terabyte at my disposal, by paying attention (e.g.: I do not synchronize my OneDrive, and I only maintain a week of e-mail) I find myself with 66GB of free space on the device.  I am so comfortable, in fact, that when I re-create the key with the Autumn release of Windows 10, I will likely expand my storage partition to accommodate larger files.

I don’t know why Microsoft decided that Windows to Go was not worth its continuing development; I suspect it has something to do with Azure VMs that will eventually run Windows 10, but that is not something I am privy to.  I am just glad at least that one company recognizes the value and importance of the technology, and will continue to provide WTG in a secure manner that is affordable and reliable.

…now if only they would deliver a tool to install Windows Server onto their keys!

You can learn more about Spyrus and their solutions at www.spyrus.com.

Windows to Go… Going Away.

In April of 2012 I was extremely excited as I walked to the stage at an event in Redmond, Washington and did my first ever presentation on Windows to Go.  I loved the idea of being able to take my installation of Windows – operating system version, applications, documents, the works – with me anywhere I went.  I have written myriad articles about it because I have had a real passion for it – not to mention the evolution of USB keys I have gone through that support it.

Windows to Go came with me to Japan twice, and allowed me to use my own hardware in lieu of selecting a corporate laptop.  It has come with me to many different sites, allowing me not only to use my own environment, but also to troubleshoot the hardware that friends and family have asked my help with.  It has traveled extensively with me, occasionally eliminating my need to bring a bulky laptop with me, where loaner hardware would be available.

The feature originally released with Windows 8 has not changed much through how many iterations (Windows 8, Windows 8.1, and 8 versions of Windows 10).  It is not a feature that Microsoft seems to have expended a lot of energy on following its release (the most current documentation lists a number of discontinued devices as available and certified: https://docs.microsoft.com/en-us/windows/deployment/planning/windows-to-go-overview).  Nonetheless it works, and has always worked very well – provided you use the appropriate hardware.  By this, I do not only mean a robust and hopefully certified USB key (I swear by my Spyrus Worksafe Pro, but have had several other keys as well).  I mean it is important that your USB port is not just a little loose, so that when your dog walks past his wagging tail jars your computer and forces a reboot (yes, that really happened to me).

Last month Microsoft announced that Windows to Go is no longer being developed, and that it will be removed from future versions of Windows.  I do not know if that means it will be gone in the Autumn 2019 release, but it is safe to say that it is heading out to pasture (See article).

I never understood people who continued to use older legacy operating systems and software, especially when the newer versions were better (or at least just as good) and available at no cost.  I remember a couple of years ago someone asked me for support on their Windows 8 device, and they really were running Windows 8; I had assumed that Windows 8.1 had replaced 100% of Windows 8 installations, but I was wrong… and when I asked why, he said to me ‘If it ain’t broke, don’t fix it! I like Windows 8, and I’m sticking with Windows 8.’  That was his choice and his right, even if I didn’t agree with him.

Now I sit wondering if I will be that guy in five years… “Hey, Mr. Garvis… why are you running Windows 10 v1903? Don’t you know how much better v2409 is?”  Maybe… but as long as my Spyrus Worksafe Pro is still spinning, this is my operating system and likely always will be.

.

.

.

.

.

Okay, who are we kidding here? There are several ways to put Windows 10 on a USB device without having to rely on Microsoft’s sanctioned and precious red-headed stepchild.  There were ways of doing it before Windows 8, and so there will be ways of doing it after Windows to Go is completely deprecated.  Stay tuned later this autumn… because if the next version of Windows 10 truly does not include the Windows to Go Creator Tool, I will be exploring my options, and I will be discussing them in this very space.  Until then? Stay safe and patch regularly!

Upping My On-the-Go Game

It has been seven years since my buddies Raymond and Erdal and I got on stage at a conference in Redmond and demonstrated – for the first time ever to a non-NDA crowd – the functionality of Windows to Go (WTG)… and nearly four years since I picked up my Spyrus Worksafe Pro 64GB key that I have been using as one of my WTG keys ever since.

Two weeks ago Microsoft announced that they would no longer be developing Windows to Go… to be brutally honest, I thought they had stopped developing it years ago, and it was just another stagnant component that is extremely functional, but does not get a lot of love.

While I understand they will no longer be developing it I truly hope that they do not remove WTG from Windows, which would be a real shame.  I use Windows to Go almost every day, and working how I work, I cannot imagine being as productive without it.

Far from calling it quits, I have doubled down on Windows to Go… somewhat literally.  This weekend I formatted and configured the environment on my new WTG device – my new Spyrus Worksafe Pro 128GB.  I am not quite sure how it is that I ran out of space on my 64GB drive (for someone who has been in computers since 180kb floppy drives were a really neat idea, it is hard to imagine we have come this far), but I did… and so I made the decision and picked up the new device… all of the functionality with twice the capacity.

The 128GB device looks exactly like the Worksafe Pro 64GB that I have had in my pocket since 2015; I still do not know if the sleeker feel of the actual metal is how my original key felt when it was new, or if they have changed it somewhat.  I suppose only time will tell. 

The Spyrus WTG Creator Tools software (stored on the unencrypted boot partition) has changed since I bought my original key, but not since I last downloaded the update from Spyrus in December.  I like the new graphical challenge screen the new software includes, but as I said, that is a function of the new software and not the new key.

Over the next few weeks I will run the device through its paces – I will run side-by-side speed comparisons between the old and the new, and I will test its reliability.  What I will not do (which I am told it would survive) is to run over it with my car.  I am all for putting new devices through their paces, but aside from reviewing it for my blog I also plan to use it for a long time – whether or not the next few versions of Windows 10 support it.

Thanks Spyrus… even if Microsoft doesn’t appreciate Windows to Go, I do… and I appreciate your dedication to the product!

Running Out of Room: A WTG Tip

I have written and posted myriad articles over the years about Windows To Go (WTG); I have been running Windows off a USB device on-and-off since Windows 8 was in beta, but very consistently for the past three years.

While larger devices are available (at greater cost) I have been satisfied with my 64GB Spyrus Worksafe Pro for a few years, and I cannot imagine spending the money to upgrade.  The 64GB device that I currently use costs $218.50; even upgrading to the next largest device (128GB for $427.50) would be a large expenditure for what I use the device for.  (In comparison, the 256GB version of the same device would cost $593.75, the 512GB version would cost $736.25, and the largest 1TB version would run you $1,187.50.)

The bottom line is this: I do not want to spend the money to upgrade; with that said, I keep getting notifications that I am running out of drive space.  So what can I do to avoid these?

I should mention that I am not actually using the whole 64GB for my C: Drive… I have also allocated (along with the other system partitions that Windows creates) a 16GB data partition.  All of that leaves my C: Drive with a seemingly respectable 38.81GB of storage…

Unfortunately, from that space, the following is taken off the top:

c:\Windows: 22GB
c:\Program Files: 2.1GB
c:\Program Files (x86): 3.7GB
c:\ProgramData: 3.8GB
Pagefile.sys: ~4GB

While you may question if I actually need all of the applications I have installed on the device, let’s assume that I do… and if I am using the defaults for both Windows and Office, I am going to run out of free space very quickly.

So… what do I do to mitigate this issue?  I ran into the issue this weekend, and I was literally at 114MB free on the drive.  Here’s what I did:

1) There was a legacy profile on my device; I had the device running for a couple of months before I joined it to my Azure Active Directory, and switched from my Microsoft Account to my AzureAD account.  By deleting the legacy profile (which had several months of e-mail in it) the free space on the C: Drive climbed up to nearly 2GB… and then dropped in a big hurry.  Why?  I expected that, and was not concerned; that issue would be resolved in Step 2…

To delete unneeded user profiles, see this article.

2) Set your system’s paging file to a static size.  I use my WTG key on a few different computers, with RAM ranging from 3GB to 32GB.  There was a time that I recommended all computers have static paging files of 1.5x the system RAM… but those days are long gone, and if you do the quick math, that would be impossible on my 38GB system partition anyways.  For what I use the system for (chiefly as an Information Worker, but also for VPN and RDP), I have found that Windows works just fine with a 2GB paging file, and so that is what I use.

To resize your Paging File size, see this article.

3) I do not like to disable Cached Exchange Mode in Outlook… I like to have my e-mail available to me, even when I am not connected to the Internet.  By default, Outlook caches three months worth of e-mails (and calendar items, etc…) for each configured account.  On my WTG installation, I maintain two accounts, so that amounts to roughly 180 days of items (which not only includes important texts, but also PowerPoint presentations, videos, and family photos).  All in all, this weekend I discovered 625MB of Outlook items stored on my local device.  I went into my Account Settings in Outlook (for each account), and changed the cache to one week on one account and two weeks on the other.  This lowered the used space from 625MB to just over 200MB (which includes all of my contacts, which I want to maintain).

By performing these three simple steps I went from having 114MB free on my C: Drive to a very comfortable 6.7GB free.  While that would not be very much on one of my servers, for a device that I carry around in my pocket I am quite satisfied with it.
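Steps 1 and 2 above can also be scripted from an elevated PowerShell prompt. The following is an added example, not something from the original post; the profile folder name `legacy-user` is a hypothetical placeholder, and the Outlook cache change in step 3 is made in Outlook's account settings and is not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): reclaim space on a small system volume.
# Assumptions: the system volume is C:, and 'legacy-user' is a placeholder profile name.

$LegacyProfileName = 'legacy-user'   # hypothetical: folder name under C:\Users to remove
$PageFileMB        = 2048            # static 2GB paging file, the size the post settles on

function Get-FreeGB {
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
    [math]::Round($disk.FreeSpace / 1GB, 2)
}

$before = Get-FreeGB

# --- Step 1: find profiles that are neither system profiles nor currently loaded ---
$profiles = Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

# Report size and last use first, so the decision to delete is made on data
$profiles | ForEach-Object {
    $bytes = (Get-ChildItem -LiteralPath $_.LocalPath -Recurse -Force -File `
                  -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Path     = $_.LocalPath
        LastUsed = $_.LastUseTime
        SizeGB   = [math]::Round($bytes / 1GB, 2)
    }
} | Sort-Object SizeGB -Descending | Format-Table -AutoSize

# Delete only the one named profile. Removing the Win32_UserProfile instance also
# cleans up its registry entries, which deleting the folder by hand does not.
$target = $profiles | Where-Object { (Split-Path $_.LocalPath -Leaf) -eq $LegacyProfileName }
if ($target) {
    $target | Remove-CimInstance -Confirm
} else {
    Write-Warning "No unloaded profile named '$LegacyProfileName' was found; nothing removed."
}

# --- Step 2: replace the system-managed paging file with a fixed-size one ---
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.AutomaticManagedPagefile) {
    Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
}

$pf = Get-CimInstance Win32_PageFileSetting | Where-Object { $_.Name -eq 'C:\pagefile.sys' }
if (-not $pf) {
    # No explicit setting exists yet, so create one for C:
    $pf = New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = 'C:\pagefile.sys' }
}
Set-CimInstance -InputObject $pf -Property @{
    InitialSize = [uint32]$PageFileMB
    MaximumSize = [uint32]$PageFileMB
}

# The paging file is only resized at the next boot, so free space rises again after restart
"Free space on C: before: $before GB, now: $(Get-FreeGB) GB (reboot to apply the page file size)"
```

If BitLocker protects the system volume, the deleted profile's data is covered by the volume encryption rather than by any overwrite.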

Corrections!

Earlier today I published my article called USB & Windows to Go: Key In! on this site.  Because of my eagerness to get the article out (recently I posted that I would be trying to post a lot more frequently), I have been informed that I made a number of minor errors.  Here are the corrections:

  1. The ASK3Z keys are available in sizes from 8GB to 128GB, and not 256GB as I had mentioned.  This has been corrected in the text.
  2. Apricorn offers larger capacity devices in their ASK3 line, including a 240GB and a 480GB model.  These devices run the identical firmware, and have all the same features as the ASK3Z.
  3. If the brute force is tripped, the drive will crypto erase the encryption key, so that the data cannot be accessed.  The drive itself is not actually wiped, but cannot be accessed.
  4. Because the key code is entered before the key is inserted into the computer, there is no possibility for a key-logger to steal the PIN.  (This is not a correction, but another point I should have mentioned because it is cool!)
  5. With regard to the rebooting, I am told that the Lock Override Mode is the best way to use the device as an OS host, so the Secure Key will disregard the Re-enumeration signal from the USB port while the system reboots.

Sorry for the misunderstandings, and thank you Craig for helping me out here!

M

USB and Windows to Go: Key in!

I have written in the past about several different Windows to Go (WTG) key options, and have leaned heavily toward the ones with Military Grade Security (MilSec).  They are all good, they all do just about the same thing.  Of course, there are differences with deployment methodology, as well as the tools that support them, but in the end, you plug a key in, you boot from it, you have Windows.

Recently I was introduced to a key that sets itself apart, and it is obvious from the first glance.  Just open the box of the Aegis Secure Key 3z Flash Drive from Apricorn Inc., and the first thing you will notice is that its top is covered with a numeric keypad, along with three lights.  The polymer-coated wear-resistant onboard keypad allows you to unlock your device with a numeric passcode before using it.  Wow.  This really does change things!

I had the opportunity to speak with Craig Christensen of Apricorn Inc. recently, and we discussed several of the features, as well as use cases, for the Aegis Secure Key 3z.  Some of the scenarios were obvious, but others really made a lot of sense.

It should be known that this key, available in sizes from 8GB to 128GB, was not designed specially for Windows to Go.  In fact, according to Mr. Christensen, the vast majority of their users do not use WTG, and in fact the majority of customers who run a bootable operating system off the key are in fact using Linux.  Indeed, most of their customers are using the keys to store… well, data.

What sort of data?  Well, that would depend on the customer.  But with penetration into governments, military and defense contractors, aviation, banking, and many more, it is clear that the keys are in use by many serious people and companies for whom security breaches could mean more than a simple loss of competitive advantage.  Intellectual Property is certainly important to manufacturers, but when it comes to other sectors, the stakes get much higher indeed.

So let’s enumerate some of the unique benefits that these keys have over their competitors:

  • Separate administrator and user mode passcodes, as well as possible read-only passwords
  • Programmable individual key codes that can be unique to an individual, granting user-level access
  • Data recovery PINs in the event a PIN is forgotten… or in the event a user leaves the company on bad terms
  • Brute-force defense, wiping the device clean after a set number of wrong attempts
  • Unattended auto-lock automatically locks the device if not accessed for a pre-determined length of time
  • Self-destruct PINs allow a user under duress to enter a code that immediately and irretrievably wipes the device clean
  • Meets FIPS 140-2 Level 3 standards for IT and computer security
  • IP57 Certification means the device is tough, resilient, and hard to kill.  With its rugged, extruded aluminum crush-resistant casing, the Aegis Secure Key is tamper evident and well-protected against physical damage.

In short, this is a tough little device.

I decided to have a little bit of fun with the key this weekend.  The first thing I did was to create a WTG key.  Like my other WTG keys, I got the 64GB model, although they are available in much higher capacities.  So once Windows was installed, I was left with about 50GB of free space on the drive.  I have realized over time that unless I plan to use the key as my primary PC (I do not), that is more than plenty.  Yes, I will install Office 365 and Live Writer and SnagIt, as well as a dozen other applications I can’t live without, but I will still never need more than 35GB of that.  Possibilities…

Okay, let’s shrink my Apricorn’s volume by 15GB.  It is now about a 45GB volume (formatted).  I then created another volume for my Data.  Of course, I have both partitions Bitlocker encrypted, because Defense In Depth is important to me.  So now, the partition table on my key looks like this:

In short, I have my 350MB System volume, a 44GB Boot volume, and a 15GB data volume.  Why would I want that?  Remember when I said that the majority of customers use the Apricorn keys for data and not for Windows to Go?  Well, doing things this way, I can have the best of both worlds.  I can use the key to boot into my environment, but I can also use the 15GB MDG-Data  volume as a regular, highly encrypted and protected USB drive.

Of course, I had to test that theory.  I made sure I was able to take the key to another pre-booted installation of Windows, key in my code, plug the key in to that computer, enter my Bitlocker password, and use the key.  Yessir, it worked.  Woohoo!
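The split described above (shrink the boot volume by 15GB, add a data volume, BitLocker it separately) looks like this in PowerShell. This is an added example rather than the commands used in the original post; it assumes the boot volume is `C:`, that the freed space sits at the end of the same disk, and that XTS-AES 256 with a password protector is wanted on the data volume, none of which the post specifies.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): carve a BitLocker-protected data
# volume out of the boot volume on the same key.
# Assumptions: boot volume is C:, and the encryption method below is a chosen
# default; the post does not say which BitLocker method was used.

$OsLetter  = 'C'
$ShrinkBy  = 15GB
$DataLabel = 'MDG-Data'      # volume label mentioned in the post

# --- Check that the boot volume can actually give up 15GB before touching it ---
$os        = Get-Partition -DriveLetter $OsLetter
$supported = Get-PartitionSupportedSize -DriveLetter $OsLetter
$newSize   = $os.Size - $ShrinkBy
if ($newSize -lt $supported.SizeMin) {
    $maxShrink = [math]::Round(($os.Size - $supported.SizeMin) / 1GB, 1)
    throw "Cannot shrink ${OsLetter}: by 15GB; at most $maxShrink GB can be reclaimed."
}

Resize-Partition -DriveLetter $OsLetter -Size $newSize

# --- Create and format the data volume in the space that was freed ---
$data = New-Partition -DiskNumber $os.DiskNumber -UseMaximumSize -AssignDriveLetter
$data | Format-Volume -FileSystem NTFS -NewFileSystemLabel $DataLabel -Confirm:$false | Out-Null
$mount = "$($data.DriveLetter):"

# --- Encrypt the data volume with its own password, independent of the OS volume ---
# A password protector is what lets the volume be unlocked on another Windows
# machine, as the post goes on to test.
$password = Read-Host -AsSecureString "BitLocker password for $mount"
Enable-BitLocker -MountPoint $mount `
                 -EncryptionMethod XtsAes256 `
                 -PasswordProtector -Password $password `
                 -UsedSpaceOnly | Out-Null

# Add a recovery password as a second way in; store it somewhere other than the key
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# --- Verify: both volumes should report an encryption method and protection status ---
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus |
    Format-Table -AutoSize
```

XTS-AES volumes cannot be unlocked by Windows versions older than Windows 10 version 1511, so choose `Aes256` instead if the data volume must be readable on older systems.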

So let’s see… My Apricorn key, which is rugged and not going to break, can boot into a secure Windows 10 environment; it can be used as a secure data thumb drive; it can be used as a combination of both.  Nice!

At USD$159, the 64-GB key is competitively priced.  Unlike many competitive devices, the prices are cited right on the web page, and you can even buy direct without having to set up an account and speak with a salesperson.  If you are a company looking for volume discounts, you can also buy them from distributors such as Softchoice, TechData, Canada Computers, and many more.  For a clearer picture of where to buy from in your region, visit their Where to Buy page.

I have been working with the Apricorn drive as my primary workspace today, and there are only two very minor drawbacks that I have found:

  1. The drive does get hot.  This is no different from the other WTG keys I have discussed in the past.
  2. If your USB port loses power for a split second on reboot (most of them do), then you have to shut your computer down and unlock the key again.  However, if your USB port is persistently powered, this will not be an issue.

Whether you want it for Windows to Go, for data storage, or for a combination of both, the 256-bit AES XTS hardware-encrypted Aegis Secure Key 3z Flash Drive from Apricorn Inc. is certainly a must-have.  I know that going forward, this is a key that will always be in my pocket!