Windows To Go: Disk Behaviour

Recently I was explaining Windows To Go at a client site.  We had a few interesting discussions about the power as well as the limitations of the security features.

One attendee asked a couple of good questions:

1) Is there any way to block the ‘on-lining’ of your Windows To Go key in other installations of Windows?

2) Is there a way to block users from bringing local disks on-line from within Windows To Go?

While I did not have the answers off the top of my head, after some consideration they are actually quite simple.

1) Windows To Go is the equivalent of any hard drive.  Because the machines that you are meant to use them on will be unmanaged, it is impossible to prevent this.  However Microsoft does provide several different levels of protection:

  • The WTG drive is off-line by default;
  • When building the WTG key you can enable BitLocker;
  • Although BitLocker on the WTG key cannot be tied to a TPM chip, it will have a password associated.

In other words, in order to compromise the key from another installation of Windows, you would have to bring the WTG key on-line, unlock it, and provide a password.  Beyond that, it comes down to whether you trust the person to whom you gave the key.  If you don’t, he probably should not be on your systems in the first place.

The second answer is probably a happier one.  Because Windows to Go is (or can be) a managed environment (including domain membership, Group Policy, and even System Center management) the key can be locked down as you see fit.  How you would do it depends on which of the tools you have at your disposal… but yes, this can be done.
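
To check from inside a running workspace that the protections described in both answers are actually in place, here is an added PowerShell example (it is not part of the original post).  It assumes an elevated prompt in a Windows 8 WTG workspace, that WTG marks itself with the PortableOperatingSystem registry value and the OfflineInternal SAN policy, and that every non-USB disk belongs to the host machine.

```powershell
# Added example: disk posture check run from inside a booted Windows To Go workspace.
$ErrorActionPreference = 'Stop'
$findings = @()

# Assumption: Windows marks a WTG boot with PortableOperatingSystem = 1.
$ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control'
if ($ctl.PortableOperatingSystem -ne 1) {
    $findings += 'Not running as a Windows To Go workspace.'
}

# Assumption: WTG keeps internal disks off-line through the SAN policy OfflineInternal.
$policy = (Get-StorageSetting).NewDiskPolicy
if ($policy -ne 'OfflineInternal') {
    $findings += "SAN policy is $policy, expected OfflineInternal."
}

# Any non-USB disk that is on-line means a host disk has been brought on-line.
Get-Disk | Where-Object { $_.BusType -ne 'USB' -and -not $_.IsOffline } | ForEach-Object {
    $findings += "Host disk $($_.Number) ($($_.FriendlyName)) is on-line."
}

# The workspace volume should be BitLocker-protected with a password protector (no TPM).
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($blv.ProtectionStatus -ne 'On') {
    $findings += 'BitLocker protection is off on the workspace volume.'
}
$types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($types -notcontains 'Password') {
    $findings += 'No BitLocker password protector found.'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'Workspace matches the expected WTG disk posture.'
}
```

Run on a schedule or at logon, the warnings give you something to alert on if a user brings a host disk on-line or a key was built without BitLocker.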

I hope this helps you to make your environment more secure using Windows To Go!

Can I use Windows To Go?

I have been getting a lot of questions from people about my recent Windows To Go (WTG) articles.  I need to clarify that this is a tool meant for business; as such it is only available in the Windows 8 Enterprise version.  It cannot be created from any other SKU.  If you are not able to create one, that is probably the problem.

If you are using the TechNet retail version (or any other non-Enterprise SKU) then you are out of luck.

On the other hand, for those of you who have never been able to sell your SMB customers on VLs and the Enterprise SKU, this might be just the selling feature you are looking for!

Windows to Go: Better (and easier!) in the RTM!

A couple of months ago I posted an article on Windows To Go (Windows To Go: This is going to be a game changer!) outlining the benefits and use cases for Windows to Go, as well as the steps to build your WTG key.  In the RTM release of Windows 8 it has gotten easier to build… no command line required!  Here’s what you do:

  1. From the Start screen type Windows to Go.  Make sure the context is set to Settings.
  2. Click on Windows to Go.
  3. Insert the USB 3.0 key that you will use for Windows to Go.  It should appear in the Create a Windows To Go workspace screen.  Select it and click Next.
  4. On the next screen you are asked to point to a Windows 8 image.  If you are using an ISO image rather than physical media make sure you mount it in Windows, and then navigate to the proper location.  Click Next.
  5. On the next screen you are asked if you want to set a BitLocker password.  Because it is assumed you will be using the Windows To Go key on multiple computers, it uses the same password technology as BitLocker to Go, rather than tying it to a TPM chip.  You can either check the option to Use BitLocker with my Windows To Go workspace, or click Skip.

The next screen is the Ready to create your Windows To Go workspace screen.  When you click Create, Windows will start building your key.  Depending on the speed of your key and your USB ports (USB 3.0 is highly recommended, but not necessarily available) it can take between five and twenty minutes.  Be patient; when the progress bar is complete, you will have your very own Windows To Go key ready to go!

It really is easy… and when you are done you will be able to take all of your applications, data, and preferences with you to any computer you use… even older Windows 7 (or even Windows XP!) systems!

Remember that I mentioned that one of the advantages to using Windows To Go is the ability to use unsecured computers safely.  For that reason, when you boot into your Windows To Go key the local hard drives will be off-line.  Likewise, if you insert your Windows To Go key into a computer running another installation of Windows, your USB key will be off-line.

I said it before and I’ll say it again; Windows To Go is a real game changer.  It is one of my favourite features of Windows 8, and one that I expect will have a lot of corporations looking at the new operating system, especially for road warriors, remote workers, and other employees who need to work away from the office.

By the way, remember that you may still need to install hardware drivers for different computer systems, the way you do on traditional Windows installations.  If you are planning on using the WTG key on multiple systems you might need to plan for that.  Recently I did a demonstration of the Windows To Go technology at HP Canada, and had to download the driver for their 42” touch screen.  It was worth it though… Windows 8 on a huge touch screen ROCKS!

When your Windows To Go key is completed you will be prompted to either save and reboot, or reboot later.  If you are building an individual key then you may want to reboot in order to install device drivers.

For Bonus Points: Using the Microsoft Deployment Toolkit you can build your own image of Windows 8 which will include your applications, drivers, and domain settings.  If you are building Windows To Go keys for your organization this might be a better alternative!

Windows To Go: This is going to be a game changer!

I have said before that I am not sure that Windows 8 is going to have the adoption rates that Windows 7 has had, and that it is more likely that Windows 7 will remain the dominant operating system in the enterprise.  If companies are going to be convinced to switch, it will be by new features such as Windows To Go (WTG), which allows us to install Windows 8 on a USB key, configure that key with our applications and security requirements (including domain join, group policy, Direct Access, and more), and then boot from that USB key on any computer in the world.

Cool!

So imagine you are visiting your in-laws in Podunk, and they have their trusty old Windows XP Home machine, and you can pop in your USB key, boot from it, do all of your work with all of your applications while connected to your corporate network, all the while without affecting their XP Home setup with their own games and stuff.

Requirements:

  • You have to build this USB key from a system running Windows 8.
  • You have to have a USB 3.0 port on that system (which is a requirement to build, but not to use Windows to Go).
  • You have to have the source media for Windows 8, which can be either an ISO or a DVD (or any media with the original install.wim file on it).
  • You have to have a USB stick that is compatible with Windows to Go.  Sorry folks, just any USB key that you get from a trade show giveaway will not work.  I use the Kingston DT Ultimate G2 16GB, which cost me a little under $70 on Amazon.com.  I hope that Microsoft will make a comprehensive list available soon, but nothing so far.

Step by Step: Create your Windows to Go key!

  1. Open a command prompt with Administrative credentials.  You are going to use the single most destructive tool within Windows, and you need to Run As Administrator to use it.
  2. Open the Disk Partition Tool (diskpart.exe).
  3. Type list disk (expert tip: you can save time by typing the first three letters of any command in diskpart, so lis dis would work just as well).
  4. Once you see the list of disks in your system, insert your new USB 3.0 key into an appropriate port.  Wait a few seconds, then type lis dis again.  Note the number of the new drive.
  5. Type select disk # .  Make sure that # is the number of the new drive or bad things will happen!
  6. Type Clean.  This command will destroy everything on the drive – files, partitions, all gone.  See why I call it destructive?  There is no Undo command.
  7. Type create partition primary (cre par pri).  This creates a new partition on the key.
  8. Format the new partition by typing format fs=ntfs quick.  It will only take a few seconds (hence the QUICK command switch).
  9. To make it a bootable disk type Active.
  10. Assign a drive letter to it by typing assign.
  11. Exit the Disk Partition Tool by typing exit.
  12. Mount the Windows 8 media (if you have an ISO) or insert the disk into the drive.
  13. At this point you have to check the drive letter for both the USB key and the Windows 8 media.  These will be different for each machine, but for my example we will say that the USB key is F: and the Windows 8 media is G:.
  14. Now we have to apply the Windows 8 image to the key.  Navigate to the Windows 8 media and type:

dism /apply-image /imagefile:g:\sources\install.wim /index:1 /applydir:f:\

You should receive output that looks like this:

Applying image

[===============40.0% ]

The above line is your progress bar, and when it reaches 100% the image will be completed.  You then have to type the following command to create the Boot Configuration Data file which allows your computer to select an operating system:

bcdboot.exe f:\Windows /s f: /f ALL

That should do it… try booting from the key (many systems need you to press F9 or F12 to select the boot menu when turning on the system, and will not see the USB key unless it was plugged in at boot).  Select the key, and if it boots from the key then you are now the proud owner of a Windows to Go key!
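
Because step 5 is the one where a wrong disk number destroys data, here is the same procedure as an added PowerShell example (not part of the original post) that refuses to run clean against anything other than a USB disk.  The parameter names, the F: and G: defaults taken from the example above, and the temporary script path are assumptions; run it elevated on Windows 8 or later.

```powershell
# Added example: guarded version of the diskpart / dism / bcdboot steps above.
param(
    [Parameter(Mandatory)] [int] $DiskNumber,  # number shown by "list disk" or Get-Disk
    [string] $Media  = 'G:',                   # Windows 8 media (example letter from the post)
    [string] $Target = 'F:'                    # drive letter to give the USB key
)
$ErrorActionPreference = 'Stop'

$disk = Get-Disk -Number $DiskNumber

# Refuse anything that is not a USB device or that Windows is running from.
if ($disk.BusType -ne 'USB')         { throw "Disk $DiskNumber is $($disk.BusType), not USB." }
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber holds the running OS." }

"About to erase disk {0}: {1}, {2:N1} GB" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB)
if ((Read-Host 'Type ERASE to continue') -cne 'ERASE') { throw 'Aborted.' }

# Same diskpart commands as steps 5 to 11, fed as a script so the disk
# number that was just validated is the one that gets cleaned.
$script = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick
active
assign letter=$($Target.TrimEnd(':'))
exit
"@
$scriptPath = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Apply the image, then write the boot files; stop on the first failure.
$wim      = "$Media\sources\install.wim"
$applyDir = "$Target\"
dism "/Apply-Image" "/ImageFile:$wim" "/Index:1" "/ApplyDir:$applyDir"
if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }

bcdboot "$Target\Windows" /s $Target /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
```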