Windows To Go (WTG) is a new feature in Windows 8 that allows the operating system to run from a USB 3.0 memory stick, giving IT administrators an easy way to deploy a protected Windows environment that users can work with on any device. WTG is useful not only for bring-your-own-device users, but also for temporary contractors and teleworkers who need to travel light without a notebook.
When you connect a USB stick loaded with WTG to a host device, Windows 8 boots straight from the stick, bypassing the OS that’s installed on the host’s internal hard drive. There’s no virtualization technology involved and no remote connection required, so Windows is always available and in many cases will run faster than a virtual machine (VM) hosted in a remote data center.
Microsoft recommends using folder redirection and offline file synchronization to ensure that user data is stored on a server but still accessible when not connected to the corporate network.
While most Windows applications and features run in WTG environments, there are a few important restrictions. The Windows Recovery Environment is not compatible with WTG, so if something goes awry you should be prepared to reprovision the stick. Applications that use hardware IDs and serial numbers to identify the device they’re running on (hardware binding) are not supported under WTG, including apps downloaded from the Windows Store.
USB 3.0 sticks loaded with WTG can be connected to USB 2.0 ports — although they don’t benefit from the extra speed USB 3.0 ports provide — and run on hardware that’s certified for Windows 7 and later versions. WTG might run on devices designed for Windows XP or Vista if they meet certain requirements, like the ability to boot from USB.
WTG can be protected using BitLocker, and encryption options can be set when creating a WTG USB stick using the Windows To Go Creator wizard. Alternatively, you can encrypt the stick after deployment using standard BitLocker tools.
If you plan to use WTG on a Windows 7 host that’s encrypted with BitLocker, you’ll need to exclude boot devices from BitLocker’s integrity monitoring, otherwise you’ll be prompted for your BitLocker recovery key after booting from WTG. By default, Windows 7 BitLocker monitors the order of boot devices to prevent tampering. To resolve this problem, temporarily suspend BitLocker on the Windows 7 host and change the boot order in the system BIOS so the USB stick is first in line. Then reboot and re-enable BitLocker on the host. The default BitLocker profile in Windows 8 doesn’t monitor boot device order.
WTG can be compromised by processes that load before Windows boots, or if the USB stick is inserted into a running Windows computer that’s infected. Drives on the host device are not visible in WTG for security reasons, but this can be changed by modifying Windows’ storage area network (SAN) policy. Conversely, Windows hosts won’t see the WTG partition on the USB stick. Though not recommended, this can be changed by assigning the partition a drive letter using Disk Management.
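Because the SAN policy is what keeps the host’s internal disks offline, it is worth auditing before and after deployment. The following PowerShell script is an added example, not part of this article or of any Microsoft tooling; it assumes the policy is stored in the partmgr\Parameters\SanPolicy registry value (where diskpart’s san policy command writes it), that an offline WTG stick is mounted at a drive letter such as W:, and that it runs from an elevated prompt.

```powershell
# Added example: report the SAN policy of a Windows To Go workspace (the running
# one, or an offline stick) and flag anything other than OfflineInternal.
# Assumption: partmgr\Parameters\SanPolicy holds the value diskpart sets.

$SanPolicyNames = @{ 1 = 'OnlineAll'; 2 = 'OfflineShared'; 3 = 'OfflineAll'; 4 = 'OfflineInternal' }

function Get-SanPolicy {
    param([string]$ImageRoot)   # e.g. 'W:' for an offline WTG stick; omit for the running OS
    if (-not $ImageRoot) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'
        return (Get-ItemProperty -Path $key -Name SanPolicy -ErrorAction SilentlyContinue).SanPolicy
    }
    # Offline image: load its SYSTEM hive under a temporary name. An offline hive has
    # no CurrentControlSet link, so resolve the default control set from the Select key.
    $hive  = Join-Path $ImageRoot 'Windows\System32\config\SYSTEM'
    $mount = 'HKLM\WTG_AUDIT'
    & reg.exe load $mount $hive | Out-Null
    try {
        $default = (Get-ItemProperty -Path 'HKLM:\WTG_AUDIT\Select' -Name Default).Default
        $key = 'HKLM:\WTG_AUDIT\ControlSet{0:D3}\Services\partmgr\Parameters' -f $default
        return (Get-ItemProperty -Path $key -Name SanPolicy -ErrorAction SilentlyContinue).SanPolicy
    } finally {
        [GC]::Collect()                     # drop registry handles so the hive can be unloaded
        & reg.exe unload $mount | Out-Null
    }
}

function Test-WtgIsolation {
    param([string]$ImageRoot)
    $policy = Get-SanPolicy -ImageRoot $ImageRoot
    $name = if ($policy -and $SanPolicyNames.ContainsKey([int]$policy)) {
        $SanPolicyNames[[int]$policy]
    } else { 'unset/unknown' }
    [pscustomobject]@{
        Target    = if ($ImageRoot) { $ImageRoot } else { 'running OS' }
        SanPolicy = "$policy ($name)"
        Isolated  = ($policy -eq 4)   # OfflineInternal: host internal disks stay offline
    }
}

# Usage: audit the running WTG workspace, then an offline stick mounted at W:
Test-WtgIsolation
Test-WtgIsolation -ImageRoot 'W:'
```

A result with Isolated = False means the image has been changed to expose host drives and should be reprovisioned rather than trusted.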
WTG is available as part of Software Assurance (SA) subscription licensing, and as such the Windows To Go Creator wizard is only included in Windows 8 Enterprise edition. WTG can be used on any device licensed under SA and employees can use it on their home PCs. Also new is the Windows Companion Device License (CDL), which allows WTG to be used on noncompany devices.
WTG is activated in the same way as Windows 8 Enterprise edition, so it requires either a Key Management Service (KMS) server to be deployed in your organization or Active Directory (AD) volume activation. When using KMS, your WTG clients must activate once every 180 days. Whenever WTG is connected to the corporate network and has access to KMS, it will confirm its activation status.
Before running Windows To Go Creator in Windows 8 Enterprise edition, locate your Windows 8 volume license media or create a custom .wim image using the sysprep /generalize command. As long as you don’t boot into WTG or encrypt it using BitLocker, you can then use a USB duplicator to deploy the image to as many USB sticks as needed. If you have an existing image that you deploy to standard PCs, it can also be used for WTG.
Start the Windows To Go Creator wizard by pressing WIN+W — which takes you to the Search screen for Windows settings — and then search for Windows To Go. Make sure you have inserted a USB 3.0 stick, select it from the list of supported devices and click Next. Choose a Windows image, set the BitLocker options and click Create; in around 30 minutes you should have a bootable USB stick complete with a WTG workspace.
Figure 1 – Windows To Go Creator wizard
To boot into your new WTG workspace, in Windows 8 press WIN+W and type Change Windows To Go startup options, select Yes (to automatically boot the PC to a Windows To Go workspace), click Save changes, and restart the machine to boot into WTG. On Windows 7 machines, you’ll need to set the boot order in the BIOS manually.
Figure 2 – Windows To Go Startup Options
With the increasing popularity of BYOD and telework, WTG will be a useful tool for IT, especially in companies that can’t afford or don’t need a full Virtual Desktop Infrastructure (VDI).
Despite the efforts to isolate WTG from the host computer, there are scenarios in which WTG could be compromised, so it’s not suitable for high-security environments. Nevertheless, WTG will provide a good balance between security and convenience for many organizations and is a better option than allowing users to work with sensitive files on unmanaged computers.
While there are some restrictions on how WTG can be used, it should run the majority of business applications. Performance will largely depend on the host’s USB bus configuration and the speed of flash memory in the USB stick. Microsoft is currently working with manufacturers to improve USB implementations and certify USB 3.0 sticks for WTG.