Presentation Post: Creating a Windows to Go Workspace!
I do presentations a lot. But of course not everyone can be there in person to attend so I wanted to try a little experiment I'm calling Presentation Post. What I'm going to try and do is post presentations to my blog with the key details of what I talked about during the presentation itself. Sure I could share the slides online through something like Slideshare but I thought more details other than slides is more meaningful to you guys. I may still do that as well but wanted to try this out first. So my first topic is a new feature in Windows 8 called Windows To Go. Let me know what you think of this idea.
What is Windows To Go?
Technology innovation is occurring more rapidly than we have seen in a long time, this wave of innovation is delivering new devices with new form factors. They interact with software in ways that was not previously possible and generate excitement among users. This excitement translates to new ways of working that is redefining workforce mobility.
In the quest to embrace user excitement businesses are looking for ways to address the following needs that current mobility solutions can solve but are costly and in some cases require high bandwidth connectivity.
- Cost effective and lightweight solution that enables staff to get their work done anywhere.
- Provide right level of mobility to help users pursue their unique work styles.
- Enable employees to bring their own PCs to work while minimizing IT spend to support.
- Efficient and secure way to provision corporate environment to contingent staff.
- Give users access to their workspace even when they share PCs outside physical corporate walls.
As organizations embrace the growing trend of Consumerization, they want to empower employees to work from anywhere anytime whether online or offline (example work from home, while travelling) to provide them the flexibility they need to be more productive. Today the "next-gen" worker needs the choice and flexibility to select their own PCs for work and use it to get both their business and personal stuff done, they don't want to get confined to a standard set of PCs that their employers want them to use. As a result organizations now want to pursue Bring Your Own PC programs for all or some class of users without compromising corporate security. The next-gen user today asks for more mobility by not having to carry a single or multiple corporate laptops/slates everywhere for work like employees bikingto work, sales support consultants with multiple windows environments for demo and training or employees on holidays who need access to corporate environment in case of a fire drill at work. And in some scenarios like army personals who change their location frequently, travelling lightis more of a requirement and not a just a need. Today contractors or contingent staff make up for a large percentage of any organization's workforce. These contractors demand the same level of agility like full time employees to get their work done but organizations want to do that in the most efficient and secure manner, they want to provide them access to the corporate environment while controlling the cost of hardware and backend infrastructure.
- Device proliferation, with users having broad access to consumer devices at home, leads to higher user expectations of technology at work.
- According to the recent IDC study, the affluent user around the world ($98K annual income) owns on average 4.8 devices, while in the US, there are 6.6 devices owned by the affluent user. Overall, there are estimated 700M personal computing devices WW in 2010, this expected to double by 2014 to 1.47B personal computing devices.
Challenges with current mobility offerings:
Consumerization of IT is driving changes in the work style and devices that today's users need to get their work done most effectively. Existing mobility solutions, while effective, can be costly to provision to all users and can have connectivity requirements which in today's environment can be a road block for some organizations to get on the consumerization movement.
It can be capital intensive to provision a dedicated laptop or slate to "semi-mobile" employees and desk workers who need access to corporate environment outside work but not that frequently.Similarly giving out a dedicated PC to each contractor so that they can be provisioned with the corporate environment can escalate hardware spend even further. Other technologies like server hosted virtual desktops which are great for centralized computing and securing corporate data require a backend infrastructure that can drive up costs of the desktop environment and can require users to be online on a good network bandwidth, thus limiting its usage when users are offline but still need to get their work done. Server hosted desktops are the primary enabler of BYOD programs, work from an unmanaged device and contractors today to provide users with secure access to the corporate environment, but not all organizations can incur the infrastructure costs to give users a good user experience from a server hosted desktop.
With Windows 8 we have tried to redefine workforce mobility by introducing a new feature called Windows To Go thatenables enterprises to provide users a managed corporate environment on a USB drive that they can operate from multiple managed or unmanaged PCs.
Windows 8 supports ultra-mobile work styles of users through a bootable USB that turns almost any PC into a secure Windows 8 corporate PC.
- Windows To Go provides full fidelity of a desktop that includes support for the touch first Windows 8 experience, virtualization technologies such as App-V, RDS, user state virtualization (folder redirection, offline files, roaming user profile), secure connection via DirectAccess, Data encryption with BitLocker, and the same management tools like System Center that organizations will use to deploy and manage Windows 8.
In a standard PC – users boot from the PCs' internal hard drive, they log into their Windows environment and are provisioned with corporate applications as physical apps or virtual apps (with technologies like App-V). Users can store the data locally on the internal hard drive or IT can centralize it with User State virtualization technologies like Folder Redirection.
With Windows To Go, now IT gets a new deployment model for corporate environment to users, IT can provide a managed corporate image on a bootable USB drive that users can boot from any compatible PC ( * Any PC with Windows 7 logo or higher). Users can get their applications, data and personalized Windows environment the same way as a standard PC.
Users can work across multiple PCs – whether managed or unmanaged making them more mobile and productive. They get a familiar, consistent and rich Windows 8 experience even when they are operating from an external USB drive. They can work from their USB drive just like a standard PC – even when not connected to a network. Windows To Go is easy to use as it doesn't require the user to have any special skills to operate the USB drive. Local data on the drive is secure as Windows To Go supports drive encryption with Windows BitLocker; and it separates itself from the host PC's internal hard drive to avoid any accidental data disclosure. The organization can use the same tools (like System Center) to deploy and manage Windows To Go as they will use for Windows 8.
Windows To Go Capabilities
Windows To Go provides drive encryption with Windows BitLocker and uses Windows 8'snative Windows encryption technology – BitLocker, which provides data encryption for Windows To Go; thus allowing IT to maintain security requirements.
In Windows 8, BitLocker added support for a password key protector for OS volumes. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
Other Windows 8 security feature like Trusted Boot protect the Windows boot process, while anti-malware software protects Windows To Go just like standard Windows 8 PCs.
Windows To Go prevents accidental data leakage through separation from the host PCs internal hard drive:It provides OS separation by making the host PC's internal hard drive unavailable when booted into the Windows To Go workspace, reducing the risk of accidental data disclosure.
Windows 8 makes any storage devices offline that are internal to the machine. If the computer was booted from an external drive, then external storage drives are accessible and internal storage drives are not accessible. To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go.
We recommend that you use the NoDefaultDriveLetter attribute on the USB drive to help prevent accidental data leakage. NoDefaultDriveLetter will prevent the internal operating system from assigning a drive letter when a user inserts it into the computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user.
Windows 8 has introduced a new SAN policy that by default makes any storage devices offline that are internal to the machine. An IT Pro can effectively control it by group policy - There are 3 options:
- Online the host when booted into WTG
- Offline the host (recommended) when booted into WTG
- Offline all host storage even drives plugged in after WTG boots up
If the user has admin rights then they can override any of the above. So you may want to consider this when you deploy Windows to Go to your users.
Setting up Windows To Go
Enable Windows 8 PCs to boot from USB easily: "The Windows To Go Startup Options" in Windows 8 allows host Windows 8 PCs to recognize that a Windows To Go workspace is connected to the PC at boot time, thus automatically booting from the USB when present rather than the host's main hard drive.
With Windows 8 installed on the host computer:
From the start menu, user can search for "Windows To Go startup options" and select "Yes, to boot from Windows To Go when it is present". This will cause the host PC to always boot from USB drive first before looking for the internal hard drive. If users want to use the Windows To Go workspace, they can simply shut down the computer, plug in the Windows To Go drive and turn on the computer. To boot to the host operating system, user can shut down the Windows To Go operating system, unplug the Windows To Go drive and turn on the computer.
The Windows To Go start up options is only available on PCs with Windows 8 installed on the host computer. With other PCs (example Windows 7 or Windows Vista) – users would need to enable their PCs to boot from USB.
With Windows 7 or other Operating System installed on the host computer:
Early during boot time (usually when you see the manufacturer's logo), user needs to go into the firmware/BIOS setup utility (this differs from machine to machine but is usually with one of the function keys, e.g. F12, F2, F1, Esc, etc. Once user have entered firmware setup check that boot from USB is enabled. Then change the boot order to boot from USB drives first (Bring the USB option to 1 in the priority order). Alternatively, if computer supports it, user can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. Many PC's have this option.
Many folks have asked me what the experience is like using a Windows To Go environment. I find it surprisingly useful and really don't notice too much difference for day to day tasks like checking email and browsing the web. Even watching videos works well. The trick is the drive you use. It needs to be a USB 3.0 drive for optimal performance. A list of recommended USB drives/SKUs is available on TechNet: http://technet.microsoft.com/library/hh831833.aspx#wtg_hardware I personally use the Kingston Data Traveller Workspace in 32GB capacity.
The size constraints are the same as a full Windows Environment. To ensure that users have enough space for Windows, data, and applications, we recommend USB drives that at least are 32 GB in size.
Additional drive details: The controller is the storage controller and communicates between the bridge and the flash, it also dictates how data is written to the flash device. The Bridge is another controller which communicates between the storage controller and USB device. For WTG, the storage controller dictates drive performance and the bridge dictates boot compatibility. We are working with the bridge vendors to update their firmware to ensure a great boot experience across a large variety of hardware.
Flash usually refers to the type of memory. Inexpensive USB drives have flash memory that you can store data to and don't usually have a storage controller in them, they may also have inexpensive memory. WTG is running on a USB SSD (solid state drive), requiring a fixed bit. If the fixed bit isn't set the drive cannot be partitioned. Windows requires 2 partitions for setup/installation.
High Performance and Endurance
Performance necessary for running Windows 8 - For WTG the most important performance characteristic is Random write speed and the latency requirement – no IO can be more than 1/2 second.
High endurance under typical Windows workloads –WTG drive will be warrantied for 2 years under normal usage. We don't want the drive to burn out under normal usage.
What about unintentional removal of the Windows to Go USB stick? Windows To Go is Resilient to resume user state in case of unintended removal of the USB device from the host PC. Windows To Go identifies when the USB has been removed from the host computer and automatically resumes the workspace state when the USB is put back in within 60 seconds.
If the Windows To Go workspace is removed when its running, the system will freeze and the user will have 60 seconds to put the USB drive back into the same port on the host computer; once reinserted Windows To Go will resume from where it was left off, otherwise the computer will turn off after 60 seconds.
Windows to go can be deployed in one of two ways. Either centrally managed through the IT department or using User Self Provisioning with SCCM 2012 SP1.
The other option is to allow authorized employees to self-provision a single instance of the Windows 8 Enterprise image of Windows To Go. The creator tool can be pointed to a custom WIM file or standard media provided by IT to the user to create a Windows To Go drive. With few simple steps users can get up and running with the corporate environment on a compatible USB drive.
Now I created my own Windows to Go workspace using this tool. It's pretty simple and I captured the various stages along the way.
- Open Control panel the click on the Windows To Go creator tool.
- Select the drive you want to use.
- Select the image you want to use for your Windows To Go workspace. In this case I'm using an internal IT created image for my workspace.
- Set a Bitlocker password for the drive. This is optional but highly recommended.
- Now we ready to create the drive. Once you click create the will format the drive and set it up for Windows to go. This should take a half hour or so depending on the speed of the speed of the machine you are using to create the workspace.
- Preparing the drive.
- Applying custom WIM file.
- Finishing up workspace creation.
- The last step in the process is to choose your boot option. I would normally have chosen yes on my Windows 8 host but at the time I was dual booting between Windows Server 2012 and Windows 8 so wanted to control the boot process using F12 options on my machine.
Summary of how Windows To Go works –
- IT provisions corporate environment (using standard Windows 8 deployment tools) to users on a compatible USB drive. Alternatively authorized users can use self-provisioning tools like creator tool for creation of a single instance drive.
- IT manages Windows To Go like a traditional desktop using standard Windows enterprise software distributions tools like System Center Configuration Manager or third party.
- IT activates Windows To Go through volume activation (KMS server/ Ad based activation). KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis (typically 6 months)
- User are now ready to operate Windows To Go from multiple managed or unmanaged PCs.