I just finished a BYOD project based on Windows To Go technology for an italian customer.
Windows To Go is a technology that permit to run a Windows installation from an USB key.
The technical need was that the customer wanted to supply a standard and managed Windows build to External Consultant in order to be sure that every security constrains are met when a PC is plugged into the customer network.
The business need was that the customer wanted to avoid as much as possible the costs related with hardware supplied to External consultant.
In order to create a Windows To Go usb key you must first be sure that the usb key is certified
The creation process can use three different Technologies:
- The creator included in Windows 8 installation (it’s useful only if you need to create a few number of usb keys)
- The SCCM 2012 SP1 or higher version (it provides a self service capability)
- Use powershell script (custom procedures)
My customer asks to use powershell because he’s not using SCCM and he need to create 2500 usb Keys.
The operating system used was Windows 8 RTM (now they are testing 8.1) and the usb key used was supplied by Kingston http://www.kingston.com/wtg/)
We leverage the customer custom internal portal in order to provide an easy WTG creation wizard.
The steps that an user needs to perform in order to create his key are:
- Log into the internal portal and start the WTG creation wizard
- Answer about few questions related to which kind of products they need on top of the WTG istallation
- Insert the usb key into the pc connected to the portal
- Wait until the first part of creation has done
- Insert usb key into his own hardware and perform boot from the key
- Follow few more steps that will personalize the operating system (name, join to domain, bitlocker encryption)
The Windows 8 build used in a WTG context is not a “special” build… We used the same sysprepped .WIM file that we used to install Windows 8 to the internal hard drive of tablet and desktop machines.
The only difference is that during the deployment process a local policy named “SAN policy” is added.
This policy is useful to avoid the user, that is running the WTG environment, to view and access the phisical hard drive of his notebook. This is a best practice that wants to avoid accidental data leakage between Windows To Go and the host system and prevent problems with hibernation files.
More infromations about that: http://www.verboon.info/2012/12/how-to-access-data-from-the-local-disk-when-running-a-windows-to-go-workspace/
We didn’t had hardware to certify due the fact that every user was an External consultant with his own laptop. This was very problematic because we faced a lot of service ticket due to the lack of drivers (due the fact that the users were not local administrators of the machines, they were not able to install missing drivers by themself)
The other problem was about hardware requirements: Microsoft states that the minimum hardware requirement for Windows to go are a pc (Apple Mac not supported) that is certified for running Windows 7 or 8 and that has a BIOS that permit the boot from usb of an operating system.
Several External consultant used Mac and lot of others used old hardware not certified for Windows 7 or 8.
We had several tickets about users that were not able to boot the operating system from USB. This kind of tickets were all resolved installing a new version of BIOS.
We had only a problem with a PC that was certified for Windows 7 but the vendor didn’t provide a BIOS that permits to boot an operating system from USB.
We had several tickets about users that had lost the bitlocker pin and they asked to retrieve the recovery key (the customer chose to not implement MBAM or other Bitlocker management solutions so the answer was “reimage your USB key”… )
IMHO Windows To Go was not the best choice due to the impossibility to certify all the hardware machines.
It’s less expensive than a VDI solution and it can be used in a offline context but it doesn’t fit all scenarios.
IMHO in this context , Windows To Go was not the best choice due to the impossibility to certify all the hardware machines.
It’s less expensive than a VDI solution and it can be used offline but it doesn’t fit all scenarios.
It’s also important to understand that if an IT introduces a new service it must support it. The lack of Bitlocker support is not a good choice. MBAM is a simple product that provides also self service recovery. If you don’t want to use MBAM you can store the bitlocker recovery key in Active Directory for free… So why don’t do it?
BYOD needs to support the hardware and software owned by users or at least needs to provide a list of supported and certified hw/software in order to permit users to buy or install them.