Applies to: Windows 8, Windows 8.1
Windows To Go is not a late-night drive-through offering at the local Microsoft Store. Rather, it’s a feature in the Windows 8 Enterprise operating system that allows you to start a Windows 8 image (a Windows To Go workspace) from an external USB drive. You can start a Windows To Go workspace on most computers that meet the Windows 7 or Windows 8 certification requirements, regardless of the operating system currently running on them.
In this article, we will take a look at how Windows To Go can help you by looking at the life of a typical IT pro named Mark who works for Contoso, Ltd. As with most IT pros, Mark has a challenge (well, maybe more than one). Many of the Contoso employees and contractors have their own devices and want to use them to perform their day-to-day tasks at Contoso.
Contoso management has heard about Bring Your Own Device (BYOD) initiatives and wants to take advantage of the willingness of employees and users to use their own devices. Because the users already own the devices, Mark and Contoso management do not want to invest additional funds to provide these users with Contoso-owned devices or deploy a Virtual Desktop Infrastructure (VDI) solution. These users need to work while they are at Contoso, at their own office (for the contractors), at home, or at public hot spots. Therefore, Mark needs to provide them with secure desktop environments that they can take with them and use anywhere, at any time.
First on Mark’s to-do list is determining the requirements for Windows To Go. Mark discovers that Windows To Go is a feature of Windows 8 Enterprise. He also finds out that Windows To Go has the same basic system resource requirements as Windows 8 or Windows 7. All of the user-owned devices meet those requirements, and Contoso already owns the necessary Windows 8 Enterprise licenses, so he is ready on that front.
One item of interest that Mark discovers during his research is that there are Windows To Go–certified drives, which he reviewed in the section, “Hardware considerations for Windows To Go,” in the Windows To Go: Feature Overview. Mark finds out that he can help ensure the success of his Windows To Go deployment project by selecting a certified drive instead of a generic one.
After reading that section, he finds that the drives have different capacities (32 GB to 500 GB). Further, some vendors provide hardware encryption, while others provide centralized management tools. Mark selects a 128‑GB USB 3.0 flash drive that does not have any hardware encryption or centralized management tools. (He will use BitLocker Drive Encryption for encryption and the existing Contoso management tools to manage the Windows To Go workspaces and user experience.)
Mark finds out that he can build Windows To Go workspaces using:
The Windows To Go Creator Wizard is typically used to create only a single Windows To Go drive. Therefore, Mark decides to use the command-line method to create the Windows To Go drives for all users by means of a repeatable process to help ensure consistency and reduce manual effort.
Mark is able to use the scripts on the web pages as samples for creating a complete provisioning solution, and then runs his scripts to create a few Windows To Go drives. He tests the drives in his test environment and determines that his scripts are working correctly, so he uses his scripts to create the remainder of the Windows To Go drives. The first step in Mark’s Windows To Go project is simple and painless.
As the next step in Mark’s Windows To Go project, he distributes the Windows To Go drives to the Contoso users. He made certain the Windows To Go workspaces were members of the Contoso Active Directory Domain Services domain, because the users will access Contoso resources and require domain authentication. Mark also wants to make certain that he can use the existing Contoso management tools (which require that the devices be domain members) to manage the Windows To Go workspaces.
Mark uses the offline domain join feature in Windows 8 to join the Windows To Go workspaces to the Contoso domain. He learned about this feature by reading the article Offline Domain Join (Djoin.exe) Step-by-Step Guide. The feature allows Mark to join the workspaces to the domain without the devices being connected to the Contoso intranet. For devices on the Contoso intranet, Mark could have used the normal domain join process. But because each user may initially try to use Windows To Go in different environments, he decided that the offline domain join process would provide the best user experience and reduce the number of phone calls he would receive.
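The offline join described above, sketched as an added example (not a script from the original article). The domain name, machine name, and `W:\Windows` path are constructed placeholders and `Join-WorkspaceOffline` is a hypothetical helper; the point to note is that the provisioning blob contains the new machine account's password and is removed as soon as it has been applied.

```powershell
# Added example: run elevated on a domain-joined provisioning machine with
# rights to create computer accounts. All names below are placeholders.
function Join-WorkspaceOffline {
    param(
        [string]$Domain      = 'corp.contoso.example',  # constructed placeholder
        [string]$MachineName = 'WTG-0001',              # constructed placeholder
        [string]$WindowsPath = 'W:\Windows'             # offline workspace image (assumption)
    )
    # The blob holds the machine account password: keep it in the operator's
    # own temp directory and treat it like a plaintext credential.
    $blob = Join-Path $env:TEMP "$MachineName.odj"
    try {
        # 1. Create the computer account in AD DS and write the join metadata.
        & djoin.exe /provision /domain $Domain /machine $MachineName /savefile $blob
        if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

        # 2. Inject the metadata into the offline Windows To Go image, so the
        #    workspace is a domain member the first time it starts.
        & djoin.exe /requestodj /loadfile $blob /windowspath $WindowsPath
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed ($LASTEXITCODE)" }
    }
    finally {
        # 3. Remove the blob whether or not the join succeeded.
        if (Test-Path -LiteralPath $blob) { Remove-Item -LiteralPath $blob -Force }
    }
}
```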
To ensure that users have a good experience, Mark decides to help the first batch of users as they start Windows To Go for the first time. Some of these users have Windows 8 devices, while others are still using Windows 7 devices.
The host computers must be configured to start from a USB drive before the device boots from an internal drive. Mark reads the article Tips for configuring your BIOS settings to work with Windows To Go and discovers that on Windows 7 devices, he must change the BIOS to enable starting first from a USB drive. However, for Windows 8 devices, Mark finds he can enable the device to start the Windows To Go workspace automatically without changing the BIOS by using a built-in Windows 8 setting (as shown in the figure below). He can also configure the startup options using the “Windows To Go Default Startup Options” Group Policy setting.
Figure 1. Windows To Go Startup Options
The user inserts the Windows To Go drive into a USB port and starts the host computer, which then starts the Windows To Go workspace from the USB drive. Although Windows To Go performance is good with USB 2.0, users can achieve better performance if they plug the USB drive into an integrated USB 3.0 port (if available) on the device. (Adding on USB 3.0 cards will not work, because they are not automatically enumerated by the device firmware.)
Users already running Windows 8 on their devices notice few differences when they start using Windows To Go. The Windows To Go experience is just like their typical Windows 8 experience. Of course, the Windows 7 users notice the user interface differences with Windows 8 but are able to run their applications and perform their normal job tasks within a short period of time.
One user tells Mark that he is unable to access his files. Mark investigates and determines that the user is trying to access files on an internal drive in his device. Mark does some research and reads the section Differences between Windows To Go and a typical installation of Windows. He finds that by default, the Windows To Go workspace disables access to internal drives in devices—separating personal from work data. He also reads about the other differences, most of which do not affect his users.
The user is able to access his files in a Microsoft SharePoint Online document library synchronized with a local SharePoint workspace on the device’s internal drive. Mark makes a note to instruct users to store their data only on network shared folders or SharePoint so that they can be accessed from any location and any device.
While helping the first batch of users, Mark discovers the section Best Practice Recommendations for Windows To Go. He notes these best practice recommendations (such as always shutting down the computer before removing the Windows To Go USB drive or not inserting a Windows To Go USB drive in a running computer) and incorporates them for future batches of users.
Mark gets a phone call from a panicked user: The inevitable has happened! He lost the USB drive containing his Windows To Go workspace. Does Mark also panic? Not at all. He’s not worried for two reasons: First, one reason Mark selected the USB drives is their relatively low cost, so the financial impact of a lost USB drive versus a lost computer is minimized. Second—and most important—Mark made the decision to encrypt the Windows To Go workspace using BitLocker. He enabled BitLocker as a part of his provisioning scripts, which you can see in the section To enable BitLocker during provisioning.
Because the Windows To Go workspace can be used on multiple devices, BitLocker for Windows To Go cannot use the Trusted Platform Module. Instead, BitLocker uses a password protector with a minimum default length of eight characters. Users enter a password generated as part of Mark’s provision script and provided to them when they receive the Windows To Go USB drive. Without this password, anyone who finds the Windows To Go USB drive will be unable to start from the drive or access any of its files.
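One way the provisioning step described above could look, as an added example rather than Mark's or Microsoft's script. It assumes the workspace volume is mounted as `W:`; `New-WorkspacePassword` and `Protect-Workspace` are hypothetical helpers. The password comes from the system CSPRNG, and the script confirms that the volume ended up with a password protector and no TPM-bound one.

```powershell
# Added example: run elevated on the provisioning machine.
# Assumption: the new workspace volume is mounted as W:.
function New-WorkspacePassword {
    param([ValidateRange(8, 64)][int]$Length = 14)   # 8 = default minimum length
    # Alphabet without look-alike characters (0, O, o, 1, l, I); 56 symbols.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
    # Rejection sampling: discard bytes that would bias the modulo.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

function Protect-Workspace {
    param([string]$MountPoint = 'W:')
    $plain  = New-WorkspacePassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Password protector only: the drive roams between hosts, so no TPM binding.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $secure `
        -UsedSpaceOnly -ErrorAction Stop | Out-Null

    # Verify what was actually configured before the drive leaves the bench.
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    if ($types -notcontains 'Password') { throw "No password protector on $MountPoint" }
    if ($types -match '^Tpm')           { throw "TPM-bound protector found on $MountPoint" }

    # Returned to the operator for hand-over with the drive; do not log it.
    [pscustomobject]@{ MountPoint = $MountPoint; Password = $plain }
}
```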
Mark runs his provisioning script and generates a new USB drive for the user who lost his device. The user is able to use the new USB drive just like the original drive. After Mark sees how easy it is to replace a lost drive, he realizes that Windows To Go could be a great backup solution for many of his other users. He is thinking continuance of operations here.
Some of the Contoso users work in remote locations and never connect to the Contoso intranet. Some travel frequently and often need to access resources on the Contoso intranet. Most of these users are not technically savvy, and traditional virtual private network (VPN) connectivity might prove challenging for them and frustrating for Mark.
Fortunately, Mark has already deployed the necessary network infrastructure on the Contoso intranet to support the Microsoft DirectAccess feature in Windows 8 Enterprise and Windows Server 2012. Mark was able to easily enable DirectAccess in the Windows To Go workspace as a part of his provisioning scripts (see the section Configure Windows To Go workspace for remote access).
Although Mark could have used a VPN solution, DirectAccess provides transparent access to resources on the Contoso intranet. When users log on to the workspace using their Contoso domain credentials, they can access the Contoso resources as if they were directly connected to the Contoso intranet. By choosing the DirectAccess solution, Mark has made life much easier for his users and himself.
Because of his foresight, Mark has used DirectAccess to provide remote access to his users regardless of where they are or how they connect. However, after a few months of using Windows To Go, Mark has found that users do not have the same experience in their Windows To Go workspace as they do on a Windows 8 computer on the Contoso intranet.
In some scenarios, users’ Windows settings are not the same. In other cases, the device they are using might not have the necessary applications installed. In still other instances, users might not be able to access files that they have saved in their Documents folder on other devices.
The users need consistent access to their applications, documents, and Windows settings, regardless of the device they use. How does Mark solve this problem? Fortunately, he has several methods at his disposal to help ensure that users have a consistent user experience. Table 1 describes the choices Mark made to help solve these problems.
Table 1. Providing Consistent Access to Apps, Documents and Settings
|Method|Description|
|---|---|
|Microsoft User Experience Virtualization (UE-V)|UE-V helps Mark centrally store application and operating system user experience and roam it across computers running Windows 7 or Windows 8. UE-V works with the physical or virtual devices a user accesses, including desktop computers, portable computers, tablets, VDI sessions, and (of course) Windows To Go workspaces. UE-V synchronizes Windows and Office settings. Mark can customize the experiences that UE-V synchronizes. After researching UE-V, Mark decides to deploy it at Contoso to help reduce the effort required to maintain a consistent user experience for the application and operating system settings.|
|Folder Redirection|Folder Redirection is a Windows feature that allows users to store files that reside in the local user profile (under the Users folder) in another location, such as a network shared folder. Mark reads about the Folder Redirection feature and determines that it’s a great complement to UE-V. With Folder Redirection, when a Contoso user modifies a document on one device, the file will be saved to the redirected folder on a server as if it were on a local drive. When the user moves to another device or location, he or she will be able to access the file on the redirected folder on the same server, providing consistent access to it. Through their DirectAccess connection, users will always have access to the servers on the Contoso intranet, so Mark now has a solution for this problem.|
|Microsoft Application Virtualization (App-V)|App-V allows applications to be deployed in real time (streamed) to almost any device from an App-V server. App-V eliminates the need for traditional local installation of the applications. The App-V client is installed on client computers, and applications are stored on the App-V server. The virtualized applications are streamed on demand when they are first used or can be preinstalled in a local cache on the device. App-V allows Mark to deploy applications to user devices on demand and ensure that users always have the applications they need, regardless of the device they use. After reading about App-V and evaluating it in his test environment, Mark decided to use App-V as a part of his solution. Because Mark also has a Microsoft System Center 2012 Configuration Manager with Service Pack 1 (SP1) infrastructure, he is able to take advantage of the integration between App-V and System Center 2012 Configuration Manager.|
Over the course of the past few weeks, Mark has deployed hundreds of Windows To Go workspaces on USB drives. As you found out before, users are employing Windows To Go from a wide variety of locations and connectivity options. How does Mark manage all the Windows To Go workspaces? The answer: just like he manages all his other devices.
Mark uses Group Policy to control device and user configuration settings. Group Policy works with Windows To Go just as with traditional installations of Windows 8 and Windows 7. As you found out earlier, Contoso has a System Center 2012 Configuration Manager with SP1 infrastructure. Just as with Group Policy, Mark is able to use System Center 2012 Configuration Manager to manage the Windows To Go workspaces just as he does with the other Windows 8 and Windows 7 devices. Mark finds more information about using Windows To Go with System Center 2012 Configuration Manager in the topic, How to Provision Windows To Go in Configuration Manager.
And guess what? Remember when Mark deployed UE-V, Folder Redirection, and App-V to help him manage the user experience in Windows To Go workspaces? He has discovered that in addition to helping him provide a consistent user experience in Windows To Go workspaces, that investment has helped him do the same on other Windows 8 and Windows 7 devices.
Mark has found that he can use existing Contoso management solutions to manage all his users and their devices. He also knows that in the future, he can purchase other management tools that will work for Windows 8 and use them to manage his Windows To Go workspaces.
After Windows To Go has been deployed at Contoso for a while, Mark finds that Windows To Go has helped him solve other user scenarios, including the following:
You’ve seen how Mark has been able to easily solve some complex scenarios by using Windows To Go and yet have manageable solutions. Mark not only solved his original challenges but was able to solve other user scenarios by using Windows To Go.
Now it’s your turn to create your own success story. You can download the Windows 8 Enterprise Evaluation from the TechNet Evaluation Center and create your own Windows To Go workspace using the Windows To Go Creator Wizard or Windows PowerShell and other command-line tools. Find out more about how Windows To Go can help solve complex scenarios in the Windows To Go: Feature Overview.
Oh, and while making that late-night run to the local Microsoft Store drive-through window, pick up a Surface device with a blue Touch Cover!