SlideShare a Scribd company logo

Windows to go a guide for education

Heo Gòm
Heo Gòm

The document provides guidance on deploying Windows To Go in an education environment. It discusses how Windows To Go allows faculty and students to use a personalized Windows 8.1 workspace from any compatible computer via a USB drive. It covers preparing for deployment, creating Windows To Go images, configuring settings and security, and managing Windows To Go workspaces. The document is intended to help IT professionals understand the benefits and process of deploying Windows To Go in a school.

Technology
1 of 31
Download to read offline
Windows To Go A deployment guide for education January 2014
Table of contents 1 Understanding Windows To Go 1 Windows To Go for IT 2 Windows To Go for faculty 2 Windows To Go for students 4 Preparing to use Windows To Go 4 Windows To Go limitations 5 Roaming with Windows To Go 5 Determine user setting storage 6 Determine remote access requirements 6 Determine host computer requirements 7 Select the USB drive for Windows To Go 7 Understand Windows To Go image creation 9 Creating a Windows To Go drive 9 Using the Windows To Go Creator Wizard 10 Using Windows PowerShell cmdlets 12 Starting a Windows To Go drive 13 Enabling the Windows Store 14 Activating Windows To Go workspaces 15 Managing Windows To Go
15 Group Policy settings related to the Windows To Go workspace 17 Group Policy settings related to the host computer 18 Storing user data and settings 19 UE-V with Folder Redirection 19 Cloud storage 21 Configuring Windows To Go for remote access 22 Securing Windows To Go drives 23 Configuring BitLocker before distribution 23 Configuring BitLocker after distribution 25 Building multiple Windows To Go drives 26 Talking about Windows To Go 27 Conclusion
1WINDOWS TO GO Windows To Go A deployment guide for education Windows To Go is a feature of the Windows 8.1 Enterprise operating system that enables the operating system to run from a USB drive. Using Windows To Go in an education environment provides numerous benefits to faculty and students alike. It enables faculty and students to use a personalized copy of Windows 8.1 on virtually any PC, at almost any location. This guide provides an overview of Windows To Go deployment for schools. It is for IT pros and discusses the benefits, limitations, and processes involved in deploying Windows To Go. Understanding Windows To Go Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the standardized Windows image already used on institution-owned devices now becomes available with greatly increased portability and convenience. Users do not need to lug around a laptop or other device to have their Windows desktop available: That desktop is now available on a USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or Windows 8.1. Windows To Go for IT Windows To Go helps IT in several ways: • Portability  Windows To Go enables IT to offer the flexibility of free seating. Faculty and students can use their own Windows desktop from almost any PC in the school. • Cost savings  IT does not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1 experience. It is easy to setup and configure, and distribution is simple. • Management  Today’s IT infrastructure uses Group Policy and technologies like BitLocker Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other
2WINDOWS TO GO advanced technologies to ensure highly reliable and secure services to users. Windows To Go supports all of those technologies and more. You do not need to change your IT processes and management tools to add Windows To Go to your IT infrastructure. Windows To Go for faculty Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is seating available in a computer lab? Need to move to another classroom? The educator’s personal Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go workspace. Faculty members use numerous tools to provide the best learning experience for the classroom, such as Microsoft Office and the specialized Learning Management System (LMS). At the same time, computers with that specialized software are typically shared among two or more educators, making it difficult to find a time to get classroom-related administrative work done. With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows To Go, any compatible computer, regardless of the operating system installed on it, can be used. This means that faculty members can use a Windows To Go workspace at work, from home, or from an off-campus location, providing the same experience regardless of location. Faculty are no longer tethered to a specific computer, room, or building. Windows To Go for students Like faculty, students can benefit from the Windows To Go experience. Students can use a Windows To Go workspace to boot into their own Windows workspace from home or from a free seat in school. They can have the same personal Windows 8.1 experience in each classroom. Students can also use Windows To Go workspaces to get their homework done and perform research-related tasks by using specialized software without needing to install that software on their own device. All they need is a compatible computer and USB drive, and the workspace is up and running. You can customize Windows To Go workspaces for particular curriculums, grade levels, and so on, then distribute them to students. Doing so helps to facilitate the learning experience while minimizing the time invested in configuring the technology. Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a PC.
3WINDOWS TO GO Additional resources: • “Windows 8 Enterprise in Your Pocket” at http://www.microsoft.com/en-us/windows/ enterprise/products-and-technologies/devices/windowstogo.aspx • “Windows To Go: Frequently Asked Questions” at http://technet.microsoft.com/en-us/library/ jj592680.aspx
4WINDOWS TO GO Preparing to use Windows To Go This section describes the infrastructure-related items that you must consider for a Windows To Go deployment and also provides considerations for that preparation. In addition to the considerations that the following sections describe, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682 for considerations affecting any Windows 8.1 deployment in an educational institution. Windows To Go limitations Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some differences exist: • No access to internal disks  By default, the host computer’s disks are not accessible by a Windows To Go installation, and a USB drive with a Windows To Go workspace is not accessible by the Windows operating system installed on the computer. You can eliminate both of these limitations by using Group Policy. However, these restrictions are in place to protect the security and privacy of the Windows To Go workspace, and to help prevent end- user confusion. • Recovery options are limited  The Windows Recovery Environment (Windows RE) is not available in Windows To Go, nor are refresh and reset options. You should re-provision the Windows To Go workspace onto the USB drive in the event a Windows To Go workspace becomes unrecoverable. Because recovery options are limited, Microsoft does not recommend storing user data on the Windows To Go USB drive. Instead, use a network- or cloud-based solution like Folder Redirection or SkyDrive. • Trusted Platform Module (TPM) is not used  The TPM is tied to a specific physical computer. Therefore, because Windows To Go workspaces move among computers, the TPM is not used in a Windows To Go workspace. In its place, a password is required for BitLocker on a Windows To Go workspace. • Windows Store is disabled (Windows 8 only)  In Windows 8, the Windows Store is disabled by default, because apps are tied to the computer itself. You can use Group Policy to enable the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled by default. Regardless of the Windows Store status, you can still sideload apps for which you have installation files. For more information about sideloading Windows Store apps, see Windows Store apps: A deployment guide for education at http://www.microsoft.com/ download/details.aspx?id=39685.
5WINDOWS TO GO • Hibernate is disabled  Hibernation expects to find the same hardware when the operating system resumes. Because Windows To Go workspaces will likely roam among computers, hibernation is disabled. Like the Windows Store, you can re-enable hibernate, but only enable hibernation if you are certain that the device will only be used on the same physical computer. Roaming with Windows To Go During the boot process, Windows To Go examines the host computer’s hardware and installs the necessary device drivers. This process generally works well, especially if people will be using Windows To Go on host computers with similar hardware configurations. However, if the workspace will be used on different hardware with different device configurations, then you might need to inject additional drivers into the image. Testing the image on the hardware is a key step to ensure compatibility for the devices to be used with Windows To Go. Some applications can bind to specific hardware. For example, an application might tie its licensing or activation to the computer’s hardware. If the Windows To Go workspace will be used on multiple host computers with different hardware configurations, the applications might not roam. Ensure that each application you are installing in a Windows To Go workspace supports roaming or provide for an alternate method of using those applications, such as Windows Server 2012 R2 RemoteApp. Students and faculty are not usually aware of which type of firmware their computers have, and so they will likely boot their workspaces on different types. They can boot Windows To Go on computers with different types of firmware. Computers certified for Windows 8.1 have Unified Extensible Firmware Interface (UEFI), while Windows 7 computers use the legacy BIOS firmware. Rather than creating separate workspaces for different firmware types, Windows To Go can boot on either firmware type. Determine user setting storage Users need access to their data and settings within the Windows To Go workspace in addition to their usual device. Determine how best to provide this access, whether through a user state virtualization (USV) technology or through other means. Options include local storage, Microsoft User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a Microsoft account, which includes the option of roaming for many user settings. This aspect of Windows To Go is discussed in the section “Storing user data and settings” on page 18 in this guide.
6WINDOWS TO GO Determine remote access requirements If Windows To Go workspaces will be used from off-campus locations, then you might provide a method for remote access. You can do so by using DirectAccess or by using an existing virtual private network (VPN) solution. More detail on remote access is given in “Configuring Windows To Go for remote access” on page 21. Determine host computer requirements Windows To Go supports many different types of hardware. This support enables users to run Windows To Go workspaces on hardware certified for Windows 8.1, Windows 8, and Windows 7 alike. Note the following host computer requirements: • Booting  The computer must be capable of booting from a USB drive, and the drive must be directly connected; USB hubs are not supported. • Firmware  The computer can use UEFI or BIOS. • Graphics  The computer should have Microsoft DirectX 9 with Windows Display Driver Model 1.2 or later driver. • Processor  The computer should have a 1 GHz or faster processor, and the architecture can be 32 or 64 bit, as discussed later in this guide. • RAM  The computer should have at least 2 GB of physical memory. • USB port  The computer should have at least one USB 2.0 or 3.0 port. When considering the processor architecture, the firmware is an important consideration. Table 1 on page 7 describes the processor architecture considerations for Windows To Go. NOTE Windows To Go workspaces are not supported on Windows RT or Apple platforms.
7WINDOWS TO GO Host firmware Host processor architecture Windows To Go architecture BIOS 32-bit 32-bit only BIOS 64-bit 32-bit and 64-bit UEFI 32-bit 32-bit only UEFI 64-bit 64-bit only Select the USB drive for Windows To Go The USB drive used for Windows To Go must be Windows To Go certified. Windows To Go–certified drives are optimized for the rate of I/O operations necessary for Windows. They are capable of booting on hardware certified for Windows 7, Windows 8, and Windows 8.1. The drives have manufacturer warranties and are meant to be used to support a typical Windows workload. Several hardware vendors offer these drives in a variety of sizes. See “Windows To Go Overview” at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_ hardware for a list of currently supported drives. NOTE  A Windows To Go image running Windows 8.1 can boot from a drive that contains a built-in smart card. These composite drives combine a mass storage drive and smart card in one device. Windows 8.1 can enumerate the smart card when booting from the Windows To Go drive or by connecting the device to another host machine. For more information, see “What’s New in Smart Cards” at http://technet.microsoft.com/ library/hh849637.aspx. Understand Windows To Go image creation Ease of deployment is a key feature of Windows To Go. A Windows 8.1 release to manufacturing (RTM) image is all that is needed to begin the Windows To Go image-creation process. Alternately, you can fully Table 1  Processor Architecture and Windows To Go NOTE You can also use Microsoft System Center 2012 R2 Configuration Manager to distribute workspaces. See the Microsoft TechNet article “How to Provision Windows To Go in Configuration Manager” at http://technet. microsoft.com/en-us/ library/jj651035.aspx for more information.
8WINDOWS TO GO customize the image to include applications and other settings specific to the deployment. Users with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely scenario in an education setting) can also create their own Windows To Go workspace. Therefore, school IT pros will be the likely sole creators of Windows To Go workspaces. If you do not customize the image, then you will need to provide for the resulting Windows To Go workspace to be joined to the domain and for applications to be installed in the workspace. You can use Group Policy to manage the workspace, and you may want to customize certain settings for your environment. See the section “Managing Windows To Go” on page 15 or the section “Image deployment and drive provisioning considerations” in the TechNet article “Deployment Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685. aspx#wtg_imagedep for more information on these Group Policy settings and Windows To Go deployment. You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive, you can duplicate the workspace onto other USB drives (assuming that the workspace has not yet been started for the first time). See the TechNet article “Windows Deployment Options” at http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows Deployment Options and the topic “Windows PowerShell equivalent commands” in “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578. aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation. Additional resources: • “Deployment Consideration for Windows To Go” at http://technet.microsoft.com/en-us/ library/jj592685.aspx • “Windows To Go: Feature Overview” at http://technet.microsoft.com/library/hh831833.aspx • “Tips for configuring your BIOS settings to work with Windows To Go” at http://social.technet. microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work- with-windows-to-go.aspx
9WINDOWS TO GO Creating a Windows To Go drive You can use either of two primary methods to create a Windows To Go drive: • The Windows To Go Creator Wizard • Windows PowerShell cmdlets The method you use depends largely on the goals of the deployment and the skills available for the deployment. Regardless of which method you employ, the result is a USB drive with a Windows To Go workspace on it. Table 2 provides considerations to help you decide which method of Windows To Go workspace creation is right for you. Windows To Go Creator Wizard Windows PowerShell Number of workspaces needed • Few • USB duplicator • Many workspaces with potentially unique configurations for each Customizations needed • None • Customized image • Custom provisioning (e.g., offline domain join, partitioning, BitLocker) required Skills • IT generalist • IT pro with Windows PowerShell experience Using the Windows To Go Creator Wizard The Windows To Go Creator Wizard is a simple way to create a Windows To Go workspace quickly. The wizard creates a fully functional workspace with just a few mouse clicks. Using the Windows To Go Creator Wizard involves selecting the USB drive along with the Windows image to be used for the deployment. To use the wizard, you must have: Table 2  Choosing a Windows To Go Creation Strategy
10WINDOWS TO GO • A Windows To Go–certified USB drive connected to the computer prior to starting the wizard • A Windows 8.1 Enterprise image, either the RTM image or a customized image that has been generalized with the Microsoft System Preparation Tool (Sysprep) • Local administrator privileges You can enable BitLocker during the Windows To Go Creator Wizard. If you will be using a drive duplicator to make copies of the workspace, however, do not enable BitLocker from the wizard but rather after deployment. See the topic “Enable BitLocker protection for your Windows To Go drive” in the TechNet article “Deploy Windows To Go in Your Organization” at http://technet.microsoft. com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information on enabling BitLocker. The overall process for workspace creation involves the following tasks: 1. Select the USB drive on which to create the Windows To Go workspace. 2. Select the Windows image to use as an installation source for the workspace. 3. Optionally, enable BitLocker on the workspace immediately. The process of workspace creation takes 20 to 30 minutes, and the result is that you have a Windows To Go workspace on the USB drive. From that point, you can either boot the workspace or duplicate it to other USB drives. Using Windows PowerShell cmdlets Use Windows PowerShell cmdlets to create Windows To Go workspaces when you need additional flexibility. Windows PowerShell enables you to create a custom, scripted solution for large-scale Windows To Go workspace creation. NOTE Always safely eject the USB drive when the provisioning process is complete. Removing the drive in an unsafe manner can result in an unbootable Windows To Go workspace.
11WINDOWS TO GO The tools used to create a Windows To Go workspace are essentially the same tools you use to manually provision and deploy Windows images. They include: • Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format- Volume, and so on • Deployment Image Servicing and Management (DISM) • Bcdboot You use these tools to perform the same steps manually that the Windows To Go Creator Wizard performs. The process includes the following tasks: 1. Partition the USB drive, including FAT32- and NTFS file system–formatted partitions. 2. Use DISM to apply the Windows image. 3. Use Bcdboot to enable the system to start on UEFI and BIOS systems. 4. Use DISM to apply a storage area network policy to prevent the internal disks from being used. 5. Create an answer file to disable Windows RE. Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is that you have a Windows To Go workspace on the USB drive. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information about scripting Windows To Go provisioning by using Windows PowerShell. Additional resources: • “Deploy Windows To Go In Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • “Getting Started with Windows PowerShell” at http://technet.microsoft.com/en-us/library/ hh857337.aspx • Windows PowerShell User’s Guide at http://technet.microsoft.com/en-us/library/cc196356. aspx
12WINDOWS TO GO Starting a Windows To Go drive Users of Windows To Go need to configure the host computer to boot from USB. For devices running an earlier version of the Windows operating system, the USB boot option can be enabled in the device’s firmware, such as the BIOS. For computers running Windows 8 or Windows 8.1, the Windows To Go workspace can also be configured to start using Windows To Go Startup Options. On the Start screen, press the Windows logo key + W, and then search for Windows To Go startup options to configure the computer to boot from a USB drive. Changing this setting requires administrator privileges. You can also set the option to boot from a USB drive by using Group Policy for Windows 8 and Windows 8.1. Regardless of whether you are using a Windows 7 host computer or a Windows 8.1 host computer, use caution when enabling boot from USB devices. Doing so may open an attack vector if the computer is booted from a USB drive containing malware. When preparing a computer to boot into a Windows To Go workspace, make sure the computer is not currently in a sleep state. The USB drive with the Windows To Go workspace should be connected directly to a USB port on the computer, not through a USB hub. Additional resources: • “Deployment Considerations for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592685.aspx NOTE Additional considerations exist when using a computer running Windows 7 as a host computer. See “Tips for configuring your BIOS settings to work with Windows To Go” at http:// social.technet.microsoft. com/wiki/contents/ articles/12911.tips-for- configuring-your-bios- settings-to-work-with- windows-to-go.aspx for more information.
13WINDOWS TO GO Enabling the Windows Store The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can start the drive on any number of host computers, access the Windows Store, and run their apps. In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because apps purchased through the Windows Store are tied to the device’s hardware and can be installed on as many as five devices. This means that the app will not run if the Windows To Go workspace is booted from more than five different devices. You can enable the Windows Store by using the Allow Store to install apps on Windows To Go workspaces Group Policy setting found at Computer ConfigurationAdministrative Templates Windows ComponentsStore. Use this policy setting when the workspace will be booted from the same or a limited number of computers. If the Windows Store will remain disabled, Microsoft recommends that you remove the default Windows Store–related apps, such as Sports or News, from the Windows To Go workspace image. These apps are updated through the Windows Store and therefore cannot be updated with the Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can still be loaded, run, and managed through normal app management processes. Additional resources: • Windows Store apps: A deployment guide for education at http://www.microsoft.com/ download/details.aspx?id=39685 • “Management of Windows To Go using Group Policy” at http://technet.microsoft.com/en-us/ library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp • “How to Add and Remove Apps” at http://technet.microsoft.com/en-us/library/hh852635. aspx • “Managing Client Access to the Windows Store” at http://technet.microsoft.com/en-us/ library/hh832040.aspx • “Prepare Your Organization for Windows To Go” at http://technet.microsoft.com/en-us/ library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4
14WINDOWS TO GO Activating Windows To Go workspaces Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service (KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot use Multiple Activation Key (MAK) activation, as MAK activation binds to the host computer’s hardware. Windows To Go uses a standard Windows license and counts as an installation for applicable licensing agreements. The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever the workspace is booted within the school’s network or when using a remote connection like DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to reactivate them by connecting them to the network containing the ADBA or KMS services. Applications to be used within the workspace might also need to be activated. Office 2013 uses the same activation methods as Windows To Go, but software from other vendors, such as LMSs and other educational applications, might have different licensing. Verify the Windows To Go usage scenario with the appropriate vendors to ensure licensing compliance. Additional resources: • “Plan for Volume Activation” at http://technet.microsoft.com/library/jj134042.aspx • “Understanding KMS” at http://technet.microsoft.com/en-us/library/ff793434.aspx • “Active Directory-Based Activation Overview” at http://technet.microsoft.com/en-us/library/ hh852637.aspx • “Volume activation of Office 2013” at http://technet.microsoft.com/en-US/library/ee705504. aspx
15WINDOWS TO GO Managing Windows To Go You can use the same Windows management tools with which you are already familiar to manage Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within your institution. For example, you can manage Windows To Go workspaces by using: • Group Policy  See “Group Policy” at http://technet.microsoft.com/windowsserver/bb310732. aspx for more information. • Windows Intune  See “Windows Intune” at http://technet.microsoft.com/windows/intune. aspx for more information. • System Center 2012 Configuration Manager  See “System Center Configuration Manager” at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information. You can also use Group Policy to manage Windows To Go, and Microsoft recommends that you create a separate organizational unit (OU) for the Windows To Go workspaces and one for host computers. You can use the OU for Windows To Go workspace to: • Change settings for the Windows Store • Change standby sleep states • Change hibernate settings You can use the OU for host computers to provide granular control over the Windows To Go Startup Options so that only certain computers will be configured to boot from the USB drive. Group Policy settings related to the Windows To Go workspace The settings in the following list are particular to Windows To Go workspaces: • Allow hibernate (S4) when started from a Windows To Go workspace  This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspaces, so enabling this setting explicitly turns the ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system as well as the disk itself are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
16WINDOWS TO GO • Disallow standby sleep states (S1–S3) when starting from a Windows To Go workspace  This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it were shut down. It would be easy for a user to think that a Windows To Go workspace in sleep mode were actually shut down, and the user could remove the Windows To Go drive and take it home. Removing the drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption of the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash, and eventually corruption of the drive results in the workspace being unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. • Allow Store to install apps on Windows To Go workspaces  This policy setting allows or denies access to the Store application from a Windows To Go workspace running Windows 8. (This policy does not apply to devices running Windows 8.1.) If you enable this setting, access to the Store application is allowed from the Windows To Go workspace. Enable this policy setting only when the Windows To Go workspace will be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Windows Store is not a supported scenario. However, sideloaded Windows Store apps can run in Windows To Go workspaces even when roamed among multiple PCs. If you disable or do not configure this policy setting, access to the Windows Store application is denied on the Windows To Go workspace. NOTE For the host PC to resume correctly when hibernation is enabled, the Windows To Go workspace must continue to use the same USB port.
17WINDOWS TO GO Group Policy settings related to the host computer The Windows To Go Default Startup Options policy setting controls whether the host computer boots to Windows To Go if a USB device containing a Windows To Go workspace is connected and controls whether users can make changes using the Windows To Go Startup Options settings dialog box. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options settings dialog box. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB by using the Windows To Go Startup Options settings dialog box. Additional resources: • “Prepare Your Organization for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592678.aspx • “Deployment Considerations for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592685.aspx NOTE Enabling this policy setting causes PCs running Windows 8.1 to attempt to boot from any USB device that is inserted into the PC before it is started.
18WINDOWS TO GO Storing user data and settings In a typical Windows installation, user data and settings are stored on the computer’s internal disk. However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario. The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the drive is lost or damaged, the user will lose their data and settings. With this in mind, users need a method to access their data and settings from multiple locations when using the Windows To Go workspace. Multiple options are available for access to data and settings from within a Windows To Go workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to separate data and settings from the workspace and enable them to roam. These technologies require little infrastructure and are very easy to configure. If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option. SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go workspace with a Microsoft account. Table 3 describes the options for data and setting storage. Table 3  Options for Data and Setting Storage in Windows To Go Local storage in the Windows To Go workspace UE-V with Folder Redirection SkyDrive Configuration Requires no additional configuration Requires agent installation in the workspace and Group Policy infrastructure Requires minimal configuration; must log on with a Microsoft account for settings to be synchronized IT expertise None IT pro End user Backup None Uses backup methods already in place in the infrastructure Cloud-based service that is backed up in the datacenter Data and settings roaming None Yes Yes, as long as a Microsoft account is used Bandwidth used None Intranet Internet
19WINDOWS TO GO UE-V with Folder Redirection UE-V with Folder Redirection provides access to data and settings for a consistent desktop experience no matter where the user logs on. It is the recommended method for providing access to data and settings with Windows To Go, because it provides the best combination of flexibility and manageability for most infrastructures. UE-V with Folder Redirection consists of several components that combine to provide a seamless virtualized experience: • UE-V  UE-V synchronizes users’ settings with a simple network file share. Changes made to Windows and application settings will be synchronized with the file share and available when users log onto their Windows To Go workspace or any domain-joined PC. • Folder Redirection  Folder Redirection stores user data and application-related data on a file share so that user can access the data regardless of logon location. • Offline Files  Offline Files ensure that files and folders are accessible even if the device is currently disconnected from the network. This includes the UE-V settings store and any redirected folders. Configuring Offline Files is essential if students are allowed to take their Windows To Go workspaces home with them. Cloud storage Cloud storage is a viable option for keeping user data in a Windows To Go deployment. When considering cloud storage, SkyDrive and Office 365 provide many options. Anyone can obtain SkyDrive storage, and Microsoft provides up to 7 GB of space at no cost. Users can purchase additional space, if necessary. Visit http://windows.microsoft.com/en-US/skydrive/ for more information on SkyDrive. SkyDrive requires a Microsoft account, and students under the age of 13 require parent authorization. For more information, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682. Office 365 also offers a full version of Office, with storage available in the cloud. This is a viable option if Office will be the primary tool used in the Windows To Go deployment. Office 365 offers educational institution plans, including a free tier for students and faculty. With SkyDrive, both data and settings can be stored in the cloud. These settings can include things like Internet Explorer favorites, desktop, and other settings. If SkyDrive is disabled through Group Policy, it would also be disabled for both data and settings storage. However, if you create a new OU for the Windows To Go drives, then SkyDrive could be enabled for that OU specifically.
20WINDOWS TO GO Additional resources: • Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478. aspx • “User Experience Virtualization” at http://technet.microsoft.com/en-us/windows/hh943107. aspx • SkyDrive website at http://windows.microsoft.com/en-US/skydrive/ • “Office 365 Deployment” at http://technet.microsoft.com/en-us/library/hh852466.aspx • “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft. com/en-us/library/jj592679.aspx • “Supporting Information Workers with Reliable File Services and Storage” at http://technet. microsoft.com/en-us/library/hh831495 • “Folder Redirection, Offline Files, and Roaming User Profiles Overview” at http://technet. microsoft.com/library/hh848267 • “Overview of user and roaming settings for Office 2013” at http://technet.microsoft.com/en- us/library/jj733593.aspx
21WINDOWS TO GO Configuring Windows To Go for remote access Enabling users to access network resources from off-campus locations such as at home is an important aspect of the Windows To Go usage scenario. To provide access to network resources, you might deploy a remote access solution. Windows To Go can use such already-supported remote access solutions as: • DirectAccess  DirectAccess provides an advanced remote access solution that enables built- in security, monitoring, and integration with other Microsoft enterprise services. • Traditional VPN-based solution  A VPN is also supported as a means to enable remote access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients. • Auto-triggered VPN  Use an app or resource that needs access through the inbox VPN (e.g., a company’s intranet site) and Windows 8.1 automatically prompts to sign in with one click. This feature is available with Microsoft and third-party inbox VPN clients. See the section “Configure Windows To Go workspace for remote access” in the Deploy Windows To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including Windows PowerShell scripts related to the remote access deployment. Additional resources: • “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet. microsoft.com/library/hh831416 • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/ library/dd392267(WS.10).aspx • “What’s New in Remote Access in Windows Server 2012 R2” at http://technet.microsoft.com/ en-us/library/dn383589.aspx
22WINDOWS TO GO Securing Windows To Go drives A key security consideration for Windows To Go deployment is the use of BitLocker. BitLocker helps to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect students’ security and privacy in the event of a lost Windows To Go workspace. As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user instead is prompted for a password to unlock the drive. You can control the password policy through Group Policy; by default, passwords are eight characters in length. When first inserted into the provisioning computer, the USB drive to be used for the workspace is considered a normal removable data drive. The drive must have one or more volumes already defined. In addition, you may need to change Group Policy settings related to BitLocker to use the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption, include: • Control use of BitLocker on removable drives  Controls whether BitLocker can be used on removable drives. This policy must be enabled. • Configure use of smart cards on removable data drives  If this policy is enabled, sign in with your smart card prior to beginning the Windows To Go Creator Wizard. • Configure use of passwords for removable data drives  The computer on which you run the Windows To Go Creator Wizard must be able to connect to a domain controller when this setting, along with the Require password complexity option, are enabled. • Require additional authentication at startup  This setting, which you must also change, enables the use of passwords with an operating system drive so that BitLocker can be configured within the workspace. Enable the setting by selecting the Allow BitLocker without a compatible TPM option. An option that enables easier management of BitLocker is Microsoft BitLocker Administration and Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available with Microsoft Software Assurance licensing. Visit http://www.microsoft.com/en-us/windows/ enterprise/products-and-technologies/mdop/mbam.aspx for more information on MBAM.
23WINDOWS TO GO Configuring BitLocker before distribution You can configure BitLocker prior to distributing the Windows To Go workspace to users. Doing so reduces the amount of time necessary to enable BitLocker encryption on the drive. Importantly, it protects the drive and workspace immediately. Another advantage to enabling BitLocker during provisioning is that the recovery keys are backed up to the provisioning computer account in Active Directory Domain Services (AD DS). In situations where AD DS is not used to store recovery keys, you can save the recovery keys to a file or print the keys. In addition, you must set the password for BitLocker encryption during provisioning and instruct the user to change the password on first boot. You do so by using Windows PowerShell cmdlets. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578. aspx for more information, including scripts for enabling BitLocker. When BitLocker is enabled after provisioning, the recovery keys are stored with the workspace’s computer account. Configuring BitLocker after distribution You can also configure BitLocker after distribution. In this scenario, the user (with administrative rights on the workspace) enables BitLocker after boot. This means that you must grant administrative privileges to the user for the workspace; it also means that the drive and workspace are not protected by BitLocker until the user enables the protection. MBAM provides an alternative: You can centrally enforce BitLocker policies that you define in Group Policy. Additionally, standard user accounts can encrypt their drives, and MBAM provides a self-service recovery portal that can help users quickly recover their drives if they forget their passwords. A potential disadvantage of configuring BitLocker after distribution is that you must obtain recovery keys from the user if the keys are not stored in AD DS (although you can use MBAM for this purpose, as well). In addition, the user can store recovery keys in a file, by printing them, or on SkyDrive. You can also define BitLocker policies NOTE Do not pre-provision BitLocker if you will be using a USB drive duplicator to create multiple copies of Windows To Go workspaces.
24WINDOWS TO GO that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive unless it can backup recovery keys to AD DS. Additional resources: • “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft. com/en-us/library/jj592679.aspx • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • “Why can’t I enable BitLocker from ‘Windows To Go Creator’?” at http://technet.microsoft. com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail • “BitLocker Overview” at http://technet.microsoft.com/en-us/library/hh831713.aspx • “Enable BitLocker protection for your Windows To Go drive” at http://technet.microsoft.com/ en-us/library/jj721578.aspx#BKMK_4wtgdeploy • The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and- technologies/mdop/mbam.aspx
25WINDOWS TO GO Building multiple Windows To Go drives When you need to distribute a Windows To Go workspace to more than a few users within the institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive duplicator to create a large number of copies of a given workspace. This scenario is appropriate when the workspace has the same applications and tools and will be distributed to the same types of users, such as students; it also enables you to create multiple workspaces, one for students and one for faculty. When using a drive duplicator, be aware of the following caveats: • Do not boot the drive prior to duplication. • Do not enable BitLocker on the drive. • Do not configure offline domain join in the workspace. Whether you need to create a single or many copies of a workspace, a Windows PowerShell cmdlet might be appropriate. See “Advanced deployment sample script” at http://technet.microsoft.com/ en-us/library/jj721578.aspx#wtg_adv_script for more information, including a sample script for creating multiple drives with Windows PowerShell. By using Windows PowerShell, you can create custom workspaces (e.g. based on grade, homeroom, and so on). Additional resources: • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx
26WINDOWS TO GO Talking about Windows To Go Communicate with students and faculty when introducing Windows To Go. Windows To Go requires users to change their workflows, and they should be aware of limitations and changes necessary to make their use of Windows To Go successful. One idea would be to provide this information in a wiki or through a handout, as appropriate. In particular, educate users to: • Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive • Ensure that the host computer has been fully shut down before inserting the Windows To Go drive • Insert the Windows To Go drive directly into the computer, not into a USB hub • Always shut down Windows and wait for the shutdown process to finish fully before removing the Windows To Go drive Also, consider how Windows To Go will be supported. If training is necessary for help desk staff, plan for that training in advance of the deployment. Additional resources: • “Best Practice Recommendations for Windows To Go” at http://technet.microsoft.com/en-us/ library/jj592681.aspx
27WINDOWS TO GO Conclusion Windows To Go is an excellent solution for educational deployments. The ability to provide a standardized Windows experience that runs from virtually anywhere means that people can get their work done faster and more easily than before. You can create Windows To Go workspaces and manage them by using the same tools you already use within your organization. You can create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can manage Windows To Go workspaces through Group Policy. To learn about other ways you can deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
© 2014 Microsoft Corporation. All rights reserved. This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Recommended

Cloud ready+installation+instructions
Cloud ready+installation+instructionsCloud ready+installation+instructions
Cloud ready+installation+instructions
Vishrut Chhajer
 
Mac boot camp install-setup
Mac boot camp install-setupMac boot camp install-setup
Mac boot camp install-setup
Shrawan Kumar
 
Htg explains what is the windows page file and should you disable it
Htg explains what is the windows page file and should you disable it Htg explains what is the windows page file and should you disable it
Htg explains what is the windows page file and should you disable it
Trường Tiền
 
Guide to dual booting
Guide to dual bootingGuide to dual booting
Guide to dual booting
Mahfud Saja
 
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
Heo Gòm
 
Office365 midsizebusinessquickdeploymentguide
Office365 midsizebusinessquickdeploymentguideOffice365 midsizebusinessquickdeploymentguide
Office365 midsizebusinessquickdeploymentguide
Heo Gòm
 
Discover share point
Discover share pointDiscover share point
Discover share point
Heo Gòm
 
2934 wsg win8_shortcut_keys_quickreferenceguide_external
2934 wsg win8_shortcut_keys_quickreferenceguide_external2934 wsg win8_shortcut_keys_quickreferenceguide_external
2934 wsg win8_shortcut_keys_quickreferenceguide_external
Heo Gòm
 

Recommended

Cloud ready+installation+instructions
Cloud ready+installation+instructionsCloud ready+installation+instructions
Cloud ready+installation+instructions
Vishrut Chhajer
 
Mac boot camp install-setup
Mac boot camp install-setupMac boot camp install-setup
Mac boot camp install-setup
Shrawan Kumar
 
Htg explains what is the windows page file and should you disable it
Htg explains what is the windows page file and should you disable it Htg explains what is the windows page file and should you disable it
Htg explains what is the windows page file and should you disable it
Trường Tiền
 
Guide to dual booting
Guide to dual bootingGuide to dual booting
Guide to dual booting
Mahfud Saja
 
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
W&s nghien cuu_cuoc_van_dong_nguoi_viet_nam_uu_tien_dung_hang_viet_nam_2013
Heo Gòm
 
Office365 midsizebusinessquickdeploymentguide
Office365 midsizebusinessquickdeploymentguideOffice365 midsizebusinessquickdeploymentguide
Office365 midsizebusinessquickdeploymentguide
Heo Gòm
 
Discover share point
Discover share pointDiscover share point
Discover share point
Heo Gòm
 
2934 wsg win8_shortcut_keys_quickreferenceguide_external
2934 wsg win8_shortcut_keys_quickreferenceguide_external2934 wsg win8_shortcut_keys_quickreferenceguide_external
2934 wsg win8_shortcut_keys_quickreferenceguide_external
Heo Gòm
 
1. i web workflow overview en
1. i web workflow overview en1. i web workflow overview en
1. i web workflow overview en
Heo Gòm
 
Hd sd infopath 2010
Hd sd infopath 2010Hd sd infopath 2010
Hd sd infopath 2010
Heo Gòm
 
Getting to know_office_365
Getting to know_office_365Getting to know_office_365
Getting to know_office_365
Heo Gòm
 
Windows 8 1_power user guide
Windows 8 1_power user guideWindows 8 1_power user guide
Windows 8 1_power user guide
Heo Gòm
 
How to recover office doc
How to recover office docHow to recover office doc
How to recover office doc
Heo Gòm
 
Moodle andoffice365withadfs
Moodle andoffice365withadfsMoodle andoffice365withadfs
Moodle andoffice365withadfs
Heo Gòm
 
How to add a new font type
How to add a new font typeHow to add a new font type
How to add a new font type
Heo Gòm
 
Deployment guide-for-share point-2013
Deployment guide-for-share point-2013Deployment guide-for-share point-2013
Deployment guide-for-share point-2013
Heo Gòm
 
Windows 8.1 deployment planning a guide for education
Windows 8.1 deployment planning a guide for educationWindows 8.1 deployment planning a guide for education
Windows 8.1 deployment planning a guide for education
Heo Gòm
 
Moodle plugininstallguide v1
Moodle plugininstallguide v1Moodle plugininstallguide v1
Moodle plugininstallguide v1
Heo Gòm
 
Ielts9
Ielts9Ielts9
Ielts9
MsChi Ielts
 
3. how to manage products&catalogue
3. how to manage products&catalogue3. how to manage products&catalogue
3. how to manage products&catalogue
Heo Gòm
 
Win8 accessibility tutorials
Win8 accessibility tutorialsWin8 accessibility tutorials
Win8 accessibility tutorials
Heo Gòm
 
Power point 2010
Power point 2010Power point 2010
Power point 2010
nhatthai1969
 
Sat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngocSat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngoc
Heo Gòm
 
2. template files training en
2. template files training en2. template files training en
2. template files training en
Heo Gòm
 
Excel 2010
Excel 2010Excel 2010
Excel 2010
nhatthai1969
 
Explore share point-2013
Explore share point-2013Explore share point-2013
Explore share point-2013
Heo Gòm
 
Windows store apps a deployment guide for education
Windows store apps a deployment guide for educationWindows store apps a deployment guide for education
Windows store apps a deployment guide for education
Heo Gòm
 
Phương pháp luận triển khai phần mềm DMS
Phương pháp luận triển khai phần mềm DMSPhương pháp luận triển khai phần mềm DMS
Phương pháp luận triển khai phần mềm DMS
ctydms
 
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Intergen
 
Windows 8.1 deployment to p cs a guide for education
Windows 8.1 deployment to p cs a guide for educationWindows 8.1 deployment to p cs a guide for education
Windows 8.1 deployment to p cs a guide for education
Heo Gòm
 

More Related Content

Viewers also liked

1. i web workflow overview en
1. i web workflow overview en1. i web workflow overview en
1. i web workflow overview en
Heo Gòm
 
Hd sd infopath 2010
Hd sd infopath 2010Hd sd infopath 2010
Hd sd infopath 2010
Heo Gòm
 
How to add a new font type
How to add a new font typeHow to add a new font type
How to add a new font type
Heo Gòm
 
3. how to manage products&catalogue
3. how to manage products&catalogue3. how to manage products&catalogue
3. how to manage products&catalogue
Heo Gòm
 
Sat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngocSat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngoc
Heo Gòm
 
2. template files training en
2. template files training en2. template files training en
2. template files training en
Heo Gòm
 

Viewers also liked (20)

1. i web workflow overview en
1. i web workflow overview en1. i web workflow overview en
1. i web workflow overview en
 
Hd sd infopath 2010
Hd sd infopath 2010Hd sd infopath 2010
Hd sd infopath 2010
 
Getting to know_office_365
Getting to know_office_365Getting to know_office_365
Getting to know_office_365
 
Windows 8 1_power user guide
Windows 8 1_power user guideWindows 8 1_power user guide
Windows 8 1_power user guide
 
How to recover office doc
How to recover office docHow to recover office doc
How to recover office doc
 
Moodle andoffice365withadfs
Moodle andoffice365withadfsMoodle andoffice365withadfs
Moodle andoffice365withadfs
 
How to add a new font type
How to add a new font typeHow to add a new font type
How to add a new font type
 
Deployment guide-for-share point-2013
Deployment guide-for-share point-2013Deployment guide-for-share point-2013
Deployment guide-for-share point-2013
 
Windows 8.1 deployment planning a guide for education
Windows 8.1 deployment planning a guide for educationWindows 8.1 deployment planning a guide for education
Windows 8.1 deployment planning a guide for education
 
Moodle plugininstallguide v1
Moodle plugininstallguide v1Moodle plugininstallguide v1
Moodle plugininstallguide v1
 
Ielts9
Ielts9Ielts9
Ielts9
 
3. how to manage products&catalogue
3. how to manage products&catalogue3. how to manage products&catalogue
3. how to manage products&catalogue
 
Win8 accessibility tutorials
Win8 accessibility tutorialsWin8 accessibility tutorials
Win8 accessibility tutorials
 
Power point 2010
Power point 2010Power point 2010
Power point 2010
 
Sat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngocSat thu dau mung mu(full ban goc) pa ngoc
Sat thu dau mung mu(full ban goc) pa ngoc
 
2. template files training en
2. template files training en2. template files training en
2. template files training en
 
Excel 2010
Excel 2010Excel 2010
Excel 2010
 
Explore share point-2013
Explore share point-2013Explore share point-2013
Explore share point-2013
 
Windows store apps a deployment guide for education
Windows store apps a deployment guide for educationWindows store apps a deployment guide for education
Windows store apps a deployment guide for education
 
Phương pháp luận triển khai phần mềm DMS
Phương pháp luận triển khai phần mềm DMSPhương pháp luận triển khai phần mềm DMS
Phương pháp luận triển khai phần mềm DMS
 

Similar to Windows to go a guide for education

Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Intergen
 
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITProceed
 
6294 a planning and managing windows 7 desktop deployments and environments
6294 a planning and managing windows 7 desktop deployments and environments6294 a planning and managing windows 7 desktop deployments and environments
6294 a planning and managing windows 7 desktop deployments and environments
bestip
 
Khulood mohammed 200821758-005-draft2 project
Khulood mohammed 200821758-005-draft2 projectKhulood mohammed 200821758-005-draft2 project
Khulood mohammed 200821758-005-draft2 project
u2821758
 

Similar to Windows to go a guide for education (20)

Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
 
Windows 8.1 deployment to p cs a guide for education
Windows 8.1 deployment to p cs a guide for educationWindows 8.1 deployment to p cs a guide for education
Windows 8.1 deployment to p cs a guide for education
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
Windows 7 At CIU
Windows 7 At CIUWindows 7 At CIU
Windows 7 At CIU
 
Windows 7 At CIU
Windows 7 At CIUWindows 7 At CIU
Windows 7 At CIU
 
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Give your Google Chrome OS users fast and simple access to Windows apps with ...
Give your Google Chrome OS users fast and simple access to Windows apps with ...Give your Google Chrome OS users fast and simple access to Windows apps with ...
Give your Google Chrome OS users fast and simple access to Windows apps with ...
 
6294 a planning and managing windows 7 desktop deployments and environments
6294 a planning and managing windows 7 desktop deployments and environments6294 a planning and managing windows 7 desktop deployments and environments
6294 a planning and managing windows 7 desktop deployments and environments
 
Windows 10 - tools-tools-tools
Windows 10 - tools-tools-toolsWindows 10 - tools-tools-tools
Windows 10 - tools-tools-tools
 
Windows10 tools-tools-tools
Windows10 tools-tools-toolsWindows10 tools-tools-tools
Windows10 tools-tools-tools
 
Hopedot VOS secure multimedia teaching solution
Hopedot VOS secure multimedia teaching solutionHopedot VOS secure multimedia teaching solution
Hopedot VOS secure multimedia teaching solution
 
Virtual desktop infrastructure a deployment guide for education
Virtual desktop infrastructure a deployment guide for educationVirtual desktop infrastructure a deployment guide for education
Virtual desktop infrastructure a deployment guide for education
 
Windows To Go: Microsoft Report
Windows To Go: Microsoft ReportWindows To Go: Microsoft Report
Windows To Go: Microsoft Report
 
Google drive
Google driveGoogle drive
Google drive
 
Deploying An Optimized Desktop - XP to 7 With P2V
Deploying An Optimized Desktop - XP to 7 With P2VDeploying An Optimized Desktop - XP to 7 With P2V
Deploying An Optimized Desktop - XP to 7 With P2V
 
Google drive
Google driveGoogle drive
Google drive
 
Khulood mohammed 200821758-005-draft2 project
Khulood mohammed 200821758-005-draft2 projectKhulood mohammed 200821758-005-draft2 project
Khulood mohammed 200821758-005-draft2 project
 
Windows Deployment Tools And Methodologies
Windows Deployment Tools And MethodologiesWindows Deployment Tools And Methodologies
Windows Deployment Tools And Methodologies
 

More from Heo Gòm

Adecco vietnam salary_guide_2014
Adecco vietnam salary_guide_2014Adecco vietnam salary_guide_2014
Adecco vietnam salary_guide_2014
Heo Gòm
 
En3502 customized material specifications
En3502 customized material specificationsEn3502 customized material specifications
En3502 customized material specifications
Heo Gòm
 
En3405 i web web manager user manual
En3405 i web web manager user manualEn3405 i web web manager user manual
En3405 i web web manager user manual
Heo Gòm
 
En3501 payment gateways supported
En3501 payment gateways supportedEn3501 payment gateways supported
En3501 payment gateways supported
Heo Gòm
 
En2502 album template editor user manual
En2502 album template editor user manualEn2502 album template editor user manual
En2502 album template editor user manual
Heo Gòm
 
En2501 composer template editor user manual
En2501 composer template editor user manualEn2501 composer template editor user manual
En2501 composer template editor user manual
Heo Gòm
 

More from Heo Gòm (12)

Windows 8 1
Windows 8 1Windows 8 1
Windows 8 1
 
Windows 8 product guide business english
Windows 8 product guide business englishWindows 8 product guide business english
Windows 8 product guide business english
 
W8 brochure download
W8 brochure downloadW8 brochure download
W8 brochure download
 
Sharepoint adoption guide
Sharepoint adoption guideSharepoint adoption guide
Sharepoint adoption guide
 
Deployment guide-for-office-2013
Deployment guide-for-office-2013Deployment guide-for-office-2013
Deployment guide-for-office-2013
 
3671 explore windows-8.1_update_wsg_external
3671 explore windows-8.1_update_wsg_external3671 explore windows-8.1_update_wsg_external
3671 explore windows-8.1_update_wsg_external
 
Adecco vietnam salary_guide_2014
Adecco vietnam salary_guide_2014Adecco vietnam salary_guide_2014
Adecco vietnam salary_guide_2014
 
En3502 customized material specifications
En3502 customized material specificationsEn3502 customized material specifications
En3502 customized material specifications
 
En3405 i web web manager user manual
En3405 i web web manager user manualEn3405 i web web manager user manual
En3405 i web web manager user manual
 
En3501 payment gateways supported
En3501 payment gateways supportedEn3501 payment gateways supported
En3501 payment gateways supported
 
En2502 album template editor user manual
En2502 album template editor user manualEn2502 album template editor user manual
En2502 album template editor user manual
 
En2501 composer template editor user manual
En2501 composer template editor user manualEn2501 composer template editor user manual
En2501 composer template editor user manual
 

Recently uploaded

Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
ScyllaDB
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 

Windows to go a guide for education

  • 1. Windows To Go A deployment guide for education January 2014
  • 2. Table of contents 1 Understanding Windows To Go 1 Windows To Go for IT 2 Windows To Go for faculty 2 Windows To Go for students 4 Preparing to use Windows To Go 4 Windows To Go limitations 5 Roaming with Windows To Go 5 Determine user setting storage 6 Determine remote access requirements 6 Determine host computer requirements 7 Select the USB drive for Windows To Go 7 Understand Windows To Go image creation 9 Creating a Windows To Go drive 9 Using the Windows To Go Creator Wizard 10 Using Windows PowerShell cmdlets 12 Starting a Windows To Go drive 13 Enabling the Windows Store 14 Activating Windows To Go workspaces 15 Managing Windows To Go
  • 3. 15 Group Policy settings related to the Windows To Go workspace 17 Group Policy settings related to the host computer 18 Storing user data and settings 19 UE-V with Folder Redirection 19 Cloud storage 21 Configuring Windows To Go for remote access 22 Securing Windows To Go drives 23 Configuring BitLocker before distribution 23 Configuring BitLocker after distribution 25 Building multiple Windows To Go drives 26 Talking about Windows To Go 27 Conclusion
  • 4. 1WINDOWS TO GO Windows To Go A deployment guide for education Windows To Go is a feature of the Windows 8.1 Enterprise operating system that enables the operating system to run from a USB drive. Using Windows To Go in an education environment provides numerous benefits to faculty and students alike. It enables faculty and students to use a personalized copy of Windows 8.1 on virtually any PC, at almost any location. This guide provides an overview of Windows To Go deployment for schools. It is for IT pros and discusses the benefits, limitations, and processes involved in deploying Windows To Go. Understanding Windows To Go Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the standardized Windows image already used on institution-owned devices now becomes available with greatly increased portability and convenience. Users do not need to lug around a laptop or other device to have their Windows desktop available: That desktop is now available on a USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or Windows 8.1. Windows To Go for IT Windows To Go helps IT in several ways: • Portability  Windows To Go enables IT to offer the flexibility of free seating. Faculty and students can use their own Windows desktop from almost any PC in the school. • Cost savings  IT does not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1 experience. It is easy to setup and configure, and distribution is simple. • Management  Today’s IT infrastructure uses Group Policy and technologies like BitLocker Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other
  • 5. 2WINDOWS TO GO advanced technologies to ensure highly reliable and secure services to users. Windows To Go supports all of those technologies and more. You do not need to change your IT processes and management tools to add Windows To Go to your IT infrastructure. Windows To Go for faculty Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is seating available in a computer lab? Need to move to another classroom? The educator’s personal Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go workspace. Faculty members use numerous tools to provide the best learning experience for the classroom, such as Microsoft Office and the specialized Learning Management System (LMS). At the same time, computers with that specialized software are typically shared among two or more educators, making it difficult to find a time to get classroom-related administrative work done. With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows To Go, any compatible computer, regardless of the operating system installed on it, can be used. This means that faculty members can use a Windows To Go workspace at work, from home, or from an off-campus location, providing the same experience regardless of location. Faculty are no longer tethered to a specific computer, room, or building. Windows To Go for students Like faculty, students can benefit from the Windows To Go experience. Students can use a Windows To Go workspace to boot into their own Windows workspace from home or from a free seat in school. They can have the same personal Windows 8.1 experience in each classroom. Students can also use Windows To Go workspaces to get their homework done and perform research-related tasks by using specialized software without needing to install that software on their own device. All they need is a compatible computer and USB drive, and the workspace is up and running. You can customize Windows To Go workspaces for particular curriculums, grade levels, and so on, then distribute them to students. Doing so helps to facilitate the learning experience while minimizing the time invested in configuring the technology. Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a PC.
  • 6. 3WINDOWS TO GO Additional resources: • “Windows 8 Enterprise in Your Pocket” at http://www.microsoft.com/en-us/windows/ enterprise/products-and-technologies/devices/windowstogo.aspx • “Windows To Go: Frequently Asked Questions” at http://technet.microsoft.com/en-us/library/ jj592680.aspx
  • 7. 4WINDOWS TO GO Preparing to use Windows To Go This section describes the infrastructure-related items that you must consider for a Windows To Go deployment and also provides considerations for that preparation. In addition to the considerations that the following sections describe, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682 for considerations affecting any Windows 8.1 deployment in an educational institution. Windows To Go limitations Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some differences exist: • No access to internal disks  By default, the host computer’s disks are not accessible by a Windows To Go installation, and a USB drive with a Windows To Go workspace is not accessible by the Windows operating system installed on the computer. You can eliminate both of these limitations by using Group Policy. However, these restrictions are in place to protect the security and privacy of the Windows To Go workspace, and to help prevent end- user confusion. • Recovery options are limited  The Windows Recovery Environment (Windows RE) is not available in Windows To Go, nor are refresh and reset options. You should re-provision the Windows To Go workspace onto the USB drive in the event a Windows To Go workspace becomes unrecoverable. Because recovery options are limited, Microsoft does not recommend storing user data on the Windows To Go USB drive. Instead, use a network- or cloud-based solution like Folder Redirection or SkyDrive. • Trusted Platform Module (TPM) is not used  The TPM is tied to a specific physical computer. Therefore, because Windows To Go workspaces move among computers, the TPM is not used in a Windows To Go workspace. In its place, a password is required for BitLocker on a Windows To Go workspace. • Windows Store is disabled (Windows 8 only)  In Windows 8, the Windows Store is disabled by default, because apps are tied to the computer itself. You can use Group Policy to enable the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled by default. Regardless of the Windows Store status, you can still sideload apps for which you have installation files. For more information about sideloading Windows Store apps, see Windows Store apps: A deployment guide for education at http://www.microsoft.com/ download/details.aspx?id=39685.
  • 8. 5WINDOWS TO GO • Hibernate is disabled  Hibernation expects to find the same hardware when the operating system resumes. Because Windows To Go workspaces will likely roam among computers, hibernation is disabled. Like the Windows Store, you can re-enable hibernate, but only enable hibernation if you are certain that the device will only be used on the same physical computer. Roaming with Windows To Go During the boot process, Windows To Go examines the host computer’s hardware and installs the necessary device drivers. This process generally works well, especially if people will be using Windows To Go on host computers with similar hardware configurations. However, if the workspace will be used on different hardware with different device configurations, then you might need to inject additional drivers into the image. Testing the image on the hardware is a key step to ensure compatibility for the devices to be used with Windows To Go. Some applications can bind to specific hardware. For example, an application might tie its licensing or activation to the computer’s hardware. If the Windows To Go workspace will be used on multiple host computers with different hardware configurations, the applications might not roam. Ensure that each application you are installing in a Windows To Go workspace supports roaming or provide for an alternate method of using those applications, such as Windows Server 2012 R2 RemoteApp. Students and faculty are not usually aware of which type of firmware their computers have, and so they will likely boot their workspaces on different types. They can boot Windows To Go on computers with different types of firmware. Computers certified for Windows 8.1 have Unified Extensible Firmware Interface (UEFI), while Windows 7 computers use the legacy BIOS firmware. Rather than creating separate workspaces for different firmware types, Windows To Go can boot on either firmware type. Determine user setting storage Users need access to their data and settings within the Windows To Go workspace in addition to their usual device. Determine how best to provide this access, whether through a user state virtualization (USV) technology or through other means. Options include local storage, Microsoft User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a Microsoft account, which includes the option of roaming for many user settings. This aspect of Windows To Go is discussed in the section “Storing user data and settings” on page 18 in this guide.
  • 9. 6WINDOWS TO GO Determine remote access requirements If Windows To Go workspaces will be used from off-campus locations, then you might provide a method for remote access. You can do so by using DirectAccess or by using an existing virtual private network (VPN) solution. More detail on remote access is given in “Configuring Windows To Go for remote access” on page 21. Determine host computer requirements Windows To Go supports many different types of hardware. This support enables users to run Windows To Go workspaces on hardware certified for Windows 8.1, Windows 8, and Windows 7 alike. Note the following host computer requirements: • Booting  The computer must be capable of booting from a USB drive, and the drive must be directly connected; USB hubs are not supported. • Firmware  The computer can use UEFI or BIOS. • Graphics  The computer should have Microsoft DirectX 9 with Windows Display Driver Model 1.2 or later driver. • Processor  The computer should have a 1 GHz or faster processor, and the architecture can be 32 or 64 bit, as discussed later in this guide. • RAM  The computer should have at least 2 GB of physical memory. • USB port  The computer should have at least one USB 2.0 or 3.0 port. When considering the processor architecture, the firmware is an important consideration. Table 1 on page 7 describes the processor architecture considerations for Windows To Go. NOTE Windows To Go workspaces are not supported on Windows RT or Apple platforms.
  • 10. 7WINDOWS TO GO Host firmware Host processor architecture Windows To Go architecture BIOS 32-bit 32-bit only BIOS 64-bit 32-bit and 64-bit UEFI 32-bit 32-bit only UEFI 64-bit 64-bit only Select the USB drive for Windows To Go The USB drive used for Windows To Go must be Windows To Go certified. Windows To Go–certified drives are optimized for the rate of I/O operations necessary for Windows. They are capable of booting on hardware certified for Windows 7, Windows 8, and Windows 8.1. The drives have manufacturer warranties and are meant to be used to support a typical Windows workload. Several hardware vendors offer these drives in a variety of sizes. See “Windows To Go Overview” at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_ hardware for a list of currently supported drives. NOTE  A Windows To Go image running Windows 8.1 can boot from a drive that contains a built-in smart card. These composite drives combine a mass storage drive and smart card in one device. Windows 8.1 can enumerate the smart card when booting from the Windows To Go drive or by connecting the device to another host machine. For more information, see “What’s New in Smart Cards” at http://technet.microsoft.com/ library/hh849637.aspx. Understand Windows To Go image creation Ease of deployment is a key feature of Windows To Go. A Windows 8.1 release to manufacturing (RTM) image is all that is needed to begin the Windows To Go image-creation process. Alternately, you can fully Table 1  Processor Architecture and Windows To Go NOTE You can also use Microsoft System Center 2012 R2 Configuration Manager to distribute workspaces. See the Microsoft TechNet article “How to Provision Windows To Go in Configuration Manager” at http://technet. microsoft.com/en-us/ library/jj651035.aspx for more information.
  • 11. 8WINDOWS TO GO customize the image to include applications and other settings specific to the deployment. Users with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely scenario in an education setting) can also create their own Windows To Go workspace. Therefore, school IT pros will be the likely sole creators of Windows To Go workspaces. If you do not customize the image, then you will need to provide for the resulting Windows To Go workspace to be joined to the domain and for applications to be installed in the workspace. You can use Group Policy to manage the workspace, and you may want to customize certain settings for your environment. See the section “Managing Windows To Go” on page 15 or the section “Image deployment and drive provisioning considerations” in the TechNet article “Deployment Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685. aspx#wtg_imagedep for more information on these Group Policy settings and Windows To Go deployment. You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive, you can duplicate the workspace onto other USB drives (assuming that the workspace has not yet been started for the first time). See the TechNet article “Windows Deployment Options” at http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows Deployment Options and the topic “Windows PowerShell equivalent commands” in “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578. aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation. Additional resources: • “Deployment Consideration for Windows To Go” at http://technet.microsoft.com/en-us/ library/jj592685.aspx • “Windows To Go: Feature Overview” at http://technet.microsoft.com/library/hh831833.aspx • “Tips for configuring your BIOS settings to work with Windows To Go” at http://social.technet. microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work- with-windows-to-go.aspx
  • 12. 9WINDOWS TO GO Creating a Windows To Go drive You can use either of two primary methods to create a Windows To Go drive: • The Windows To Go Creator Wizard • Windows PowerShell cmdlets The method you use depends largely on the goals of the deployment and the skills available for the deployment. Regardless of which method you employ, the result is a USB drive with a Windows To Go workspace on it. Table 2 provides considerations to help you decide which method of Windows To Go workspace creation is right for you. Windows To Go Creator Wizard Windows PowerShell Number of workspaces needed • Few • USB duplicator • Many workspaces with potentially unique configurations for each Customizations needed • None • Customized image • Custom provisioning (e.g., offline domain join, partitioning, BitLocker) required Skills • IT generalist • IT pro with Windows PowerShell experience Using the Windows To Go Creator Wizard The Windows To Go Creator Wizard is a simple way to create a Windows To Go workspace quickly. The wizard creates a fully functional workspace with just a few mouse clicks. Using the Windows To Go Creator Wizard involves selecting the USB drive along with the Windows image to be used for the deployment. To use the wizard, you must have: Table 2  Choosing a Windows To Go Creation Strategy
  • 13. 10WINDOWS TO GO • A Windows To Go–certified USB drive connected to the computer prior to starting the wizard • A Windows 8.1 Enterprise image, either the RTM image or a customized image that has been generalized with the Microsoft System Preparation Tool (Sysprep) • Local administrator privileges You can enable BitLocker during the Windows To Go Creator Wizard. If you will be using a drive duplicator to make copies of the workspace, however, do not enable BitLocker from the wizard but rather after deployment. See the topic “Enable BitLocker protection for your Windows To Go drive” in the TechNet article “Deploy Windows To Go in Your Organization” at http://technet.microsoft. com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information on enabling BitLocker. The overall process for workspace creation involves the following tasks: 1. Select the USB drive on which to create the Windows To Go workspace. 2. Select the Windows image to use as an installation source for the workspace. 3. Optionally, enable BitLocker on the workspace immediately. The process of workspace creation takes 20 to 30 minutes, and the result is that you have a Windows To Go workspace on the USB drive. From that point, you can either boot the workspace or duplicate it to other USB drives. Using Windows PowerShell cmdlets Use Windows PowerShell cmdlets to create Windows To Go workspaces when you need additional flexibility. Windows PowerShell enables you to create a custom, scripted solution for large-scale Windows To Go workspace creation. NOTE Always safely eject the USB drive when the provisioning process is complete. Removing the drive in an unsafe manner can result in an unbootable Windows To Go workspace.
  • 14. 11WINDOWS TO GO The tools used to create a Windows To Go workspace are essentially the same tools you use to manually provision and deploy Windows images. They include: • Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format- Volume, and so on • Deployment Image Servicing and Management (DISM) • Bcdboot You use these tools to perform the same steps manually that the Windows To Go Creator Wizard performs. The process includes the following tasks: 1. Partition the USB drive, including FAT32- and NTFS file system–formatted partitions. 2. Use DISM to apply the Windows image. 3. Use Bcdboot to enable the system to start on UEFI and BIOS systems. 4. Use DISM to apply a storage area network policy to prevent the internal disks from being used. 5. Create an answer file to disable Windows RE. Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is that you have a Windows To Go workspace on the USB drive. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information about scripting Windows To Go provisioning by using Windows PowerShell. Additional resources: • “Deploy Windows To Go In Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • “Getting Started with Windows PowerShell” at http://technet.microsoft.com/en-us/library/ hh857337.aspx • Windows PowerShell User’s Guide at http://technet.microsoft.com/en-us/library/cc196356. aspx
  • 15. 12WINDOWS TO GO Starting a Windows To Go drive Users of Windows To Go need to configure the host computer to boot from USB. For devices running an earlier version of the Windows operating system, the USB boot option can be enabled in the device’s firmware, such as the BIOS. For computers running Windows 8 or Windows 8.1, the Windows To Go workspace can also be configured to start using Windows To Go Startup Options. On the Start screen, press the Windows logo key + W, and then search for Windows To Go startup options to configure the computer to boot from a USB drive. Changing this setting requires administrator privileges. You can also set the option to boot from a USB drive by using Group Policy for Windows 8 and Windows 8.1. Regardless of whether you are using a Windows 7 host computer or a Windows 8.1 host computer, use caution when enabling boot from USB devices. Doing so may open an attack vector if the computer is booted from a USB drive containing malware. When preparing a computer to boot into a Windows To Go workspace, make sure the computer is not currently in a sleep state. The USB drive with the Windows To Go workspace should be connected directly to a USB port on the computer, not through a USB hub. Additional resources: • “Deployment Considerations for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592685.aspx NOTE Additional considerations exist when using a computer running Windows 7 as a host computer. See “Tips for configuring your BIOS settings to work with Windows To Go” at http:// social.technet.microsoft. com/wiki/contents/ articles/12911.tips-for- configuring-your-bios- settings-to-work-with- windows-to-go.aspx for more information.
  • 16. 13WINDOWS TO GO Enabling the Windows Store The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can start the drive on any number of host computers, access the Windows Store, and run their apps. In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because apps purchased through the Windows Store are tied to the device’s hardware and can be installed on as many as five devices. This means that the app will not run if the Windows To Go workspace is booted from more than five different devices. You can enable the Windows Store by using the Allow Store to install apps on Windows To Go workspaces Group Policy setting found at Computer ConfigurationAdministrative Templates Windows ComponentsStore. Use this policy setting when the workspace will be booted from the same or a limited number of computers. If the Windows Store will remain disabled, Microsoft recommends that you remove the default Windows Store–related apps, such as Sports or News, from the Windows To Go workspace image. These apps are updated through the Windows Store and therefore cannot be updated with the Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can still be loaded, run, and managed through normal app management processes. Additional resources: • Windows Store apps: A deployment guide for education at http://www.microsoft.com/ download/details.aspx?id=39685 • “Management of Windows To Go using Group Policy” at http://technet.microsoft.com/en-us/ library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp • “How to Add and Remove Apps” at http://technet.microsoft.com/en-us/library/hh852635. aspx • “Managing Client Access to the Windows Store” at http://technet.microsoft.com/en-us/ library/hh832040.aspx • “Prepare Your Organization for Windows To Go” at http://technet.microsoft.com/en-us/ library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4
  • 17. 14WINDOWS TO GO Activating Windows To Go workspaces Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service (KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot use Multiple Activation Key (MAK) activation, as MAK activation binds to the host computer’s hardware. Windows To Go uses a standard Windows license and counts as an installation for applicable licensing agreements. The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever the workspace is booted within the school’s network or when using a remote connection like DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to reactivate them by connecting them to the network containing the ADBA or KMS services. Applications to be used within the workspace might also need to be activated. Office 2013 uses the same activation methods as Windows To Go, but software from other vendors, such as LMSs and other educational applications, might have different licensing. Verify the Windows To Go usage scenario with the appropriate vendors to ensure licensing compliance. Additional resources: • “Plan for Volume Activation” at http://technet.microsoft.com/library/jj134042.aspx • “Understanding KMS” at http://technet.microsoft.com/en-us/library/ff793434.aspx • “Active Directory-Based Activation Overview” at http://technet.microsoft.com/en-us/library/ hh852637.aspx • “Volume activation of Office 2013” at http://technet.microsoft.com/en-US/library/ee705504. aspx
  • 18. 15WINDOWS TO GO Managing Windows To Go You can use the same Windows management tools with which you are already familiar to manage Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within your institution. For example, you can manage Windows To Go workspaces by using: • Group Policy  See “Group Policy” at http://technet.microsoft.com/windowsserver/bb310732. aspx for more information. • Windows Intune  See “Windows Intune” at http://technet.microsoft.com/windows/intune. aspx for more information. • System Center 2012 Configuration Manager  See “System Center Configuration Manager” at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information. You can also use Group Policy to manage Windows To Go, and Microsoft recommends that you create a separate organizational unit (OU) for the Windows To Go workspaces and one for host computers. You can use the OU for Windows To Go workspace to: • Change settings for the Windows Store • Change standby sleep states • Change hibernate settings You can use the OU for host computers to provide granular control over the Windows To Go Startup Options so that only certain computers will be configured to boot from the USB drive. Group Policy settings related to the Windows To Go workspace The settings in the following list are particular to Windows To Go workspaces: • Allow hibernate (S4) when started from a Windows To Go workspace  This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspaces, so enabling this setting explicitly turns the ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system as well as the disk itself are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
  • 19. 16WINDOWS TO GO • Disallow standby sleep states (S1–S3) when starting from a Windows To Go workspace  This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it were shut down. It would be easy for a user to think that a Windows To Go workspace in sleep mode were actually shut down, and the user could remove the Windows To Go drive and take it home. Removing the drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption of the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash, and eventually corruption of the drive results in the workspace being unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. • Allow Store to install apps on Windows To Go workspaces  This policy setting allows or denies access to the Store application from a Windows To Go workspace running Windows 8. (This policy does not apply to devices running Windows 8.1.) If you enable this setting, access to the Store application is allowed from the Windows To Go workspace. Enable this policy setting only when the Windows To Go workspace will be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Windows Store is not a supported scenario. However, sideloaded Windows Store apps can run in Windows To Go workspaces even when roamed among multiple PCs. If you disable or do not configure this policy setting, access to the Windows Store application is denied on the Windows To Go workspace. NOTE For the host PC to resume correctly when hibernation is enabled, the Windows To Go workspace must continue to use the same USB port.
  • 20. 17WINDOWS TO GO Group Policy settings related to the host computer The Windows To Go Default Startup Options policy setting controls whether the host computer boots to Windows To Go if a USB device containing a Windows To Go workspace is connected and controls whether users can make changes using the Windows To Go Startup Options settings dialog box. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options settings dialog box. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB by using the Windows To Go Startup Options settings dialog box. Additional resources: • “Prepare Your Organization for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592678.aspx • “Deployment Considerations for Windows To Go” at http:// technet.microsoft.com/en-us/library/jj592685.aspx NOTE Enabling this policy setting causes PCs running Windows 8.1 to attempt to boot from any USB device that is inserted into the PC before it is started.
  • 21. 18WINDOWS TO GO Storing user data and settings In a typical Windows installation, user data and settings are stored on the computer’s internal disk. However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario. The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the drive is lost or damaged, the user will lose their data and settings. With this in mind, users need a method to access their data and settings from multiple locations when using the Windows To Go workspace. Multiple options are available for access to data and settings from within a Windows To Go workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to separate data and settings from the workspace and enable them to roam. These technologies require little infrastructure and are very easy to configure. If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option. SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go workspace with a Microsoft account. Table 3 describes the options for data and setting storage. Table 3  Options for Data and Setting Storage in Windows To Go Local storage in the Windows To Go workspace UE-V with Folder Redirection SkyDrive Configuration Requires no additional configuration Requires agent installation in the workspace and Group Policy infrastructure Requires minimal configuration; must log on with a Microsoft account for settings to be synchronized IT expertise None IT pro End user Backup None Uses backup methods already in place in the infrastructure Cloud-based service that is backed up in the datacenter Data and settings roaming None Yes Yes, as long as a Microsoft account is used Bandwidth used None Intranet Internet
  • 22. 19WINDOWS TO GO UE-V with Folder Redirection UE-V with Folder Redirection provides access to data and settings for a consistent desktop experience no matter where the user logs on. It is the recommended method for providing access to data and settings with Windows To Go, because it provides the best combination of flexibility and manageability for most infrastructures. UE-V with Folder Redirection consists of several components that combine to provide a seamless virtualized experience: • UE-V  UE-V synchronizes users’ settings with a simple network file share. Changes made to Windows and application settings will be synchronized with the file share and available when users log onto their Windows To Go workspace or any domain-joined PC. • Folder Redirection  Folder Redirection stores user data and application-related data on a file share so that user can access the data regardless of logon location. • Offline Files  Offline Files ensure that files and folders are accessible even if the device is currently disconnected from the network. This includes the UE-V settings store and any redirected folders. Configuring Offline Files is essential if students are allowed to take their Windows To Go workspaces home with them. Cloud storage Cloud storage is a viable option for keeping user data in a Windows To Go deployment. When considering cloud storage, SkyDrive and Office 365 provide many options. Anyone can obtain SkyDrive storage, and Microsoft provides up to 7 GB of space at no cost. Users can purchase additional space, if necessary. Visit http://windows.microsoft.com/en-US/skydrive/ for more information on SkyDrive. SkyDrive requires a Microsoft account, and students under the age of 13 require parent authorization. For more information, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682. Office 365 also offers a full version of Office, with storage available in the cloud. This is a viable option if Office will be the primary tool used in the Windows To Go deployment. Office 365 offers educational institution plans, including a free tier for students and faculty. With SkyDrive, both data and settings can be stored in the cloud. These settings can include things like Internet Explorer favorites, desktop, and other settings. If SkyDrive is disabled through Group Policy, it would also be disabled for both data and settings storage. However, if you create a new OU for the Windows To Go drives, then SkyDrive could be enabled for that OU specifically.
  • 23. 20WINDOWS TO GO Additional resources: • Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478. aspx • “User Experience Virtualization” at http://technet.microsoft.com/en-us/windows/hh943107. aspx • SkyDrive website at http://windows.microsoft.com/en-US/skydrive/ • “Office 365 Deployment” at http://technet.microsoft.com/en-us/library/hh852466.aspx • “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft. com/en-us/library/jj592679.aspx • “Supporting Information Workers with Reliable File Services and Storage” at http://technet. microsoft.com/en-us/library/hh831495 • “Folder Redirection, Offline Files, and Roaming User Profiles Overview” at http://technet. microsoft.com/library/hh848267 • “Overview of user and roaming settings for Office 2013” at http://technet.microsoft.com/en- us/library/jj733593.aspx
  • 24. 21WINDOWS TO GO Configuring Windows To Go for remote access Enabling users to access network resources from off-campus locations such as at home is an important aspect of the Windows To Go usage scenario. To provide access to network resources, you might deploy a remote access solution. Windows To Go can use such already-supported remote access solutions as: • DirectAccess  DirectAccess provides an advanced remote access solution that enables built- in security, monitoring, and integration with other Microsoft enterprise services. • Traditional VPN-based solution  A VPN is also supported as a means to enable remote access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients. • Auto-triggered VPN  Use an app or resource that needs access through the inbox VPN (e.g., a company’s intranet site) and Windows 8.1 automatically prompts to sign in with one click. This feature is available with Microsoft and third-party inbox VPN clients. See the section “Configure Windows To Go workspace for remote access” in the Deploy Windows To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including Windows PowerShell scripts related to the remote access deployment. Additional resources: • “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet. microsoft.com/library/hh831416 • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/ library/dd392267(WS.10).aspx • “What’s New in Remote Access in Windows Server 2012 R2” at http://technet.microsoft.com/ en-us/library/dn383589.aspx
  • 25. 22WINDOWS TO GO Securing Windows To Go drives A key security consideration for Windows To Go deployment is the use of BitLocker. BitLocker helps to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect students’ security and privacy in the event of a lost Windows To Go workspace. As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user instead is prompted for a password to unlock the drive. You can control the password policy through Group Policy; by default, passwords are eight characters in length. When first inserted into the provisioning computer, the USB drive to be used for the workspace is considered a normal removable data drive. The drive must have one or more volumes already defined. In addition, you may need to change Group Policy settings related to BitLocker to use the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption, include: • Control use of BitLocker on removable drives  Controls whether BitLocker can be used on removable drives. This policy must be enabled. • Configure use of smart cards on removable data drives  If this policy is enabled, sign in with your smart card prior to beginning the Windows To Go Creator Wizard. • Configure use of passwords for removable data drives  The computer on which you run the Windows To Go Creator Wizard must be able to connect to a domain controller when this setting, along with the Require password complexity option, are enabled. • Require additional authentication at startup  This setting, which you must also change, enables the use of passwords with an operating system drive so that BitLocker can be configured within the workspace. Enable the setting by selecting the Allow BitLocker without a compatible TPM option. An option that enables easier management of BitLocker is Microsoft BitLocker Administration and Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available with Microsoft Software Assurance licensing. Visit http://www.microsoft.com/en-us/windows/ enterprise/products-and-technologies/mdop/mbam.aspx for more information on MBAM.
  • 26. 23WINDOWS TO GO Configuring BitLocker before distribution You can configure BitLocker prior to distributing the Windows To Go workspace to users. Doing so reduces the amount of time necessary to enable BitLocker encryption on the drive. Importantly, it protects the drive and workspace immediately. Another advantage to enabling BitLocker during provisioning is that the recovery keys are backed up to the provisioning computer account in Active Directory Domain Services (AD DS). In situations where AD DS is not used to store recovery keys, you can save the recovery keys to a file or print the keys. In addition, you must set the password for BitLocker encryption during provisioning and instruct the user to change the password on first boot. You do so by using Windows PowerShell cmdlets. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578. aspx for more information, including scripts for enabling BitLocker. When BitLocker is enabled after provisioning, the recovery keys are stored with the workspace’s computer account. Configuring BitLocker after distribution You can also configure BitLocker after distribution. In this scenario, the user (with administrative rights on the workspace) enables BitLocker after boot. This means that you must grant administrative privileges to the user for the workspace; it also means that the drive and workspace are not protected by BitLocker until the user enables the protection. MBAM provides an alternative: You can centrally enforce BitLocker policies that you define in Group Policy. Additionally, standard user accounts can encrypt their drives, and MBAM provides a self-service recovery portal that can help users quickly recover their drives if they forget their passwords. A potential disadvantage of configuring BitLocker after distribution is that you must obtain recovery keys from the user if the keys are not stored in AD DS (although you can use MBAM for this purpose, as well). In addition, the user can store recovery keys in a file, by printing them, or on SkyDrive. You can also define BitLocker policies NOTE Do not pre-provision BitLocker if you will be using a USB drive duplicator to create multiple copies of Windows To Go workspaces.
  • 27. 24WINDOWS TO GO that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive unless it can backup recovery keys to AD DS. Additional resources: • “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft. com/en-us/library/jj592679.aspx • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx • “Why can’t I enable BitLocker from ‘Windows To Go Creator’?” at http://technet.microsoft. com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail • “BitLocker Overview” at http://technet.microsoft.com/en-us/library/hh831713.aspx • “Enable BitLocker protection for your Windows To Go drive” at http://technet.microsoft.com/ en-us/library/jj721578.aspx#BKMK_4wtgdeploy • The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and- technologies/mdop/mbam.aspx
  • 28. 25WINDOWS TO GO Building multiple Windows To Go drives When you need to distribute a Windows To Go workspace to more than a few users within the institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive duplicator to create a large number of copies of a given workspace. This scenario is appropriate when the workspace has the same applications and tools and will be distributed to the same types of users, such as students; it also enables you to create multiple workspaces, one for students and one for faculty. When using a drive duplicator, be aware of the following caveats: • Do not boot the drive prior to duplication. • Do not enable BitLocker on the drive. • Do not configure offline domain join in the workspace. Whether you need to create a single or many copies of a workspace, a Windows PowerShell cmdlet might be appropriate. See “Advanced deployment sample script” at http://technet.microsoft.com/ en-us/library/jj721578.aspx#wtg_adv_script for more information, including a sample script for creating multiple drives with Windows PowerShell. By using Windows PowerShell, you can create custom workspaces (e.g. based on grade, homeroom, and so on). Additional resources: • “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/ jj721578.aspx
  • 29. 26WINDOWS TO GO Talking about Windows To Go Communicate with students and faculty when introducing Windows To Go. Windows To Go requires users to change their workflows, and they should be aware of limitations and changes necessary to make their use of Windows To Go successful. One idea would be to provide this information in a wiki or through a handout, as appropriate. In particular, educate users to: • Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive • Ensure that the host computer has been fully shut down before inserting the Windows To Go drive • Insert the Windows To Go drive directly into the computer, not into a USB hub • Always shut down Windows and wait for the shutdown process to finish fully before removing the Windows To Go drive Also, consider how Windows To Go will be supported. If training is necessary for help desk staff, plan for that training in advance of the deployment. Additional resources: • “Best Practice Recommendations for Windows To Go” at http://technet.microsoft.com/en-us/ library/jj592681.aspx
  • 30. 27WINDOWS TO GO Conclusion Windows To Go is an excellent solution for educational deployments. The ability to provide a standardized Windows experience that runs from virtually anywhere means that people can get their work done faster and more easily than before. You can create Windows To Go workspaces and manage them by using the same tools you already use within your organization. You can create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can manage Windows To Go workspaces through Group Policy. To learn about other ways you can deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
  • 31. © 2014 Microsoft Corporation. All rights reserved. This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.