Secure Windows To Go Drives

Applies To: Windows 8.1

When you deploy Windows To Go in your educational organization, you can secure the deployment by using BitLocker, and you can configure BitLocker either before or after you distribute the drives.

A key security consideration for a Windows To Go deployment is BitLocker. A workspace is a portable USB drive that is easily lost, and BitLocker encryption is what keeps the data in the workspace, and with it students’ security and privacy, from being read by whoever finds the drive.

As described earlier, BitLocker in a Windows To Go workspace does not use the TPM: the workspace roams between host computers, so it cannot be bound to any one computer’s TPM. Instead, the user is prompted for a password to unlock the drive. You control the password policy through Group Policy; by default, the minimum password length is eight characters.

When first inserted into the provisioning computer, the USB drive to be used for the workspace is considered a normal removable data drive. The drive must have one or more volumes already defined. In addition, you may need to change Group Policy settings related to BitLocker to use the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption, include:

  • Control use of BitLocker on removable drives. Controls whether BitLocker can be used on removable drives. This policy must be enabled.

  • Configure use of smart cards on removable data drives. If this policy is enabled, sign in with your smart card prior to beginning the Windows To Go Creator Wizard.

  • Configure use of passwords for removable data drives. When this setting and its Require password complexity option are both enabled, the computer on which you run the Windows To Go Creator Wizard must be able to connect to a domain controller so that the password can be validated against domain policy.

  • Require additional authentication at startup. This setting, which you must also change, enables the use of passwords with an operating system drive so that BitLocker can be configured within the workspace. Enable the setting by selecting the Allow BitLocker without a compatible TPM option.
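The following PowerShell script is an added example, not from the original page or from Microsoft’s deployment scripts. It audits the four policy settings above on the provisioning computer (and can set them on a standalone machine) and warns about the domain-controller requirement that the password-complexity option introduces. The policy names are the ones listed above; the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are taken from VolumeEncryption.admx and are an assumption you should confirm against the ADMX shipped with your Windows version.

```powershell
# Added example (not Microsoft's code): audit, and optionally set, the BitLocker policy
# values the Windows To Go Creator Wizard needs on the provisioning computer.
# Registry value names are assumed from VolumeEncryption.admx; verify against your ADMX.
# On a domain-joined computer set these in a GPO instead of using -Fix: local writes to
# the Policies key are overwritten at the next Group Policy refresh.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# value name -> expected DWORD, grouped by the policy as named on this page
$RequiredPolicyValues = [ordered]@{
    # "Control use of BitLocker on removable drives" (Enabled, users may apply protection)
    RDVConfigureBDE    = 1
    RDVAllowBDE        = 1
    # "Configure use of passwords for removable data drives" (Enabled)
    RDVPassphrase      = 1
    # "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" selected. The GP editor also writes
    # UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN (2 = Allowed); those are not enforced here.
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
}

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WtgCreatorPolicy {
    <#
    .SYNOPSIS
      Emits one object per required value (Name, Expected, Actual, Ok).
      With -Fix, writes any missing or wrong value to local policy.
    #>
    [CmdletBinding()]
    param([switch]$Fix)

    if ($Fix -and -not (Test-Path $FvePolicyKey)) {
        New-Item -Path $FvePolicyKey -Force | Out-Null
    }

    foreach ($name in $RequiredPolicyValues.Keys) {
        $expected = $RequiredPolicyValues[$name]
        $actual   = Get-FvePolicyValue -Name $name
        if ($Fix -and $actual -ne $expected) {
            Set-ItemProperty -Path $FvePolicyKey -Name $name -Value $expected -Type DWord
            $actual = $expected
        }
        [pscustomobject]@{ Name = $name; Expected = $expected; Actual = $actual; Ok = ($actual -eq $expected) }
    }

    # Minimum password length (RDVPassphraseLength); the page's default is 8.
    $minLength = Get-FvePolicyValue -Name 'RDVPassphraseLength'
    if ($null -eq $minLength) { $minLength = 8 }
    Write-Verbose "Minimum BitLocker password length in effect: $minLength"

    # "Require password complexity" (RDVPassphraseComplexity = 1) means the wizard must
    # reach a domain controller; check that now rather than discovering it mid-wizard.
    if ((Get-FvePolicyValue -Name 'RDVPassphraseComplexity') -eq 1) {
        try {
            [void][System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        } catch {
            Write-Warning 'Password complexity is required, but no domain controller is reachable; the wizard will not be able to set a BitLocker password.'
        }
    }

    # "Configure use of smart cards on removable data drives" (RDVAllowUserCert = 1):
    # nothing to validate here, but the page requires a smart-card sign-in before the wizard.
    if ((Get-FvePolicyValue -Name 'RDVAllowUserCert') -eq 1) {
        Write-Warning 'Smart-card protectors are allowed: sign in with the smart card before starting the Windows To Go Creator Wizard.'
    }
}

# Usage: report first; use -Fix only on a standalone (non-domain) provisioning computer.
Test-WtgCreatorPolicy -Verbose | Format-Table -AutoSize
# Test-WtgCreatorPolicy -Fix
```

Run the audit elevated before starting the wizard; a row with Ok = False is a policy the wizard will stop on when it reaches the BitLocker page.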

An option that enables easier management of BitLocker is Microsoft BitLocker Administration and Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available with Microsoft Software Assurance licensing. For more information, visit MBAM.

Configuring BitLocker before distribution

You can configure BitLocker before you distribute the Windows To Go workspace to users. Doing so saves the user the time needed to enable BitLocker encryption on the drive and, more importantly, means the drive and workspace are protected from the moment the user receives them.

Another advantage of enabling BitLocker during provisioning is that the recovery keys are backed up to the provisioning computer’s account in Active Directory Domain Services (AD DS); when BitLocker is instead enabled after provisioning, the recovery keys are stored with the workspace’s own computer account. Where AD DS is not used to store recovery keys, you can save the recovery keys to a file or print them. Because you, not the user, set the BitLocker password during provisioning, you must instruct the user to change that password on first boot. You set the password and protectors by using Windows PowerShell cmdlets; see Deploy Windows To Go in Your Organization for more information, including scripts for enabling BitLocker.
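As an added example (not the original page’s or Microsoft’s deployment script), the following PowerShell function enables BitLocker on a provisioned workspace drive, adds a recovery password protector, and escrows it to AD DS when the provisioning computer is domain-joined or to a file otherwise. It assumes the workspace volume is mounted at a placeholder drive letter such as W: on the provisioning computer, that the policies from the previous section are in place, that the BitLocker PowerShell module is available, and that the session is elevated.

```powershell
# Added example (not Microsoft's code): pre-provision BitLocker on a Windows To Go drive.
# Assumes the drive's workspace volume is mounted at $MountPoint on the provisioning
# computer and that the removable-drive and no-TPM policies are already enabled.
# Do not use this when you will duplicate the drive afterwards (see the note below).

function Enable-WtgBitLocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,        # e.g. 'W:' (placeholder)
        [Parameter(Mandatory)] [securestring] $InitialPassword,   # user must change at first boot
        [string] $RecoveryKeyFolder = "$env:SystemDrive\WTG-RecoveryKeys"  # file fallback, no AD DS
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($volume.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint already has BitLocker state '$($volume.VolumeStatus)'; refusing to re-provision."
    }

    # 1. Password protector: the workspace roams, so there is no TPM and the password is
    #    the only unlock method the user will have. -UsedSpaceOnly keeps provisioning fast.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $InitialPassword `
        -UsedSpaceOnly -ErrorAction Stop | Out-Null

    # 2. Recovery password protector: the 48-digit key you escrow for the help desk.
    $volume   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop
    $recovery = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1

    # 3. Escrow. Domain-joined: the backup lands on this provisioning computer's AD DS
    #    object. Otherwise write a file to move to secure storage; never leave it on the drive.
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $recovery.KeyProtectorId -ErrorAction Stop | Out-Null
        $escrow = 'AD DS'
    } else {
        New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
        $file = Join-Path $RecoveryKeyFolder ($recovery.KeyProtectorId.Trim('{}') + '.txt')
        @(
            "Provisioned: $(Get-Date -Format s) on $env:COMPUTERNAME from $MountPoint"
            "Key protector ID: $($recovery.KeyProtectorId)"
            "Recovery password: $($recovery.RecoveryPassword)"
        ) | Set-Content -Path $file
        $escrow = $file
    }

    # 4. Verify before the drive leaves the bench: both protector types must be present.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (($types -notcontains 'Password') -or ($types -notcontains 'RecoveryPassword')) {
        throw "Protector check failed on $MountPoint; found: $($types -join ', ')"
    }
    [pscustomobject]@{
        MountPoint   = $MountPoint
        VolumeStatus = $volume.VolumeStatus      # EncryptionInProgress, then FullyEncrypted
        Protectors   = ($types -join ', ')
        RecoveryId   = $recovery.KeyProtectorId  # quote this ID when a user calls the help desk
        EscrowedTo   = $escrow
    }
}

# Usage (placeholders): prompt for the initial password rather than embedding it in a script.
# $pw = Read-Host -Prompt 'Initial BitLocker password for the workspace' -AsSecureString
# Enable-WtgBitLocker -MountPoint 'W:' -InitialPassword $pw
```

Encryption continues in the background after the function returns; wait for Get-BitLockerVolume to report FullyEncrypted before removing the drive, and record the RecoveryId next to the student who receives the drive so the help desk can find the right recovery password.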

Note

Do not pre-provision BitLocker if you will be using a USB drive duplicator to create multiple copies of Windows To Go workspaces. A sector-level copy duplicates the encryption keys and recovery password along with the data, so every copy would be unlocked by the same credentials.

Configuring BitLocker after distribution

You can also configure BitLocker after distribution. In this scenario, the user (with administrative rights on the workspace) enables BitLocker after boot. This means that you must grant administrative privileges to the user for the workspace; it also means that the drive and workspace are not protected by BitLocker until the user enables the protection.

MBAM provides an alternative: You can centrally enforce BitLocker policies that you define in Group Policy. Additionally, standard user accounts can encrypt their drives, and MBAM provides a self-service recovery portal that can help users quickly recover their drives if they forget their passwords.

A potential disadvantage of configuring BitLocker after distribution is that, unless recovery keys are escrowed in AD DS (or in MBAM), you must obtain them from the user, who may have saved them to a file, printed them, or stored them on OneDrive, outside your control. You can prevent this by defining BitLocker policies that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive unless it can back up the recovery information to AD DS.
