Windows To Go
A deployment guide for education
January 2014
Table of contents
Understanding Windows To Go
    Windows To Go for IT
    Windows To Go for faculty
    Windows To Go for students
Preparing to use Windows To Go
    Windows To Go limitations
    Roaming with Windows To Go
    Determine user setting storage
    Determine remote access requirements
    Determine host computer requirements
    Select the USB drive for Windows To Go
    Understand Windows To Go image creation
Creating a Windows To Go drive
    Using the Windows To Go Creator Wizard
    Using Windows PowerShell cmdlets
Starting a Windows To Go drive
Enabling the Windows Store
Activating Windows To Go workspaces
Managing Windows To Go
    Group Policy settings related to the Windows To Go workspace
    Group Policy settings related to the host computer
Storing user data and settings
    UE-V with Folder Redirection
    Cloud storage
Configuring Windows To Go for remote access
Securing Windows To Go drives
    Configuring BitLocker before distribution
    Configuring BitLocker after distribution
Building multiple Windows To Go drives
Talking about Windows To Go
Conclusion
Windows To Go is a feature of the Windows 8.1 Enterprise operating system that enables the operating system to run from a USB drive. Using Windows To Go in an education environment provides numerous benefits to faculty and students alike. It enables faculty and students to use a personalized copy of Windows 8.1 on virtually any PC, at almost any location. This guide provides an overview of Windows To Go deployment for schools. It is for IT pros and discusses the benefits, limitations, and processes involved in deploying Windows To Go.
Understanding Windows To Go
Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the standardized Windows image already used on institution-owned devices now becomes available with greatly increased portability and convenience. Users do not need to lug around a laptop or other device to have their Windows desktop available: That desktop is now available on a USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or Windows 8.1.
Windows To Go for IT
Windows To Go helps IT in several ways:
• Portability: Windows To Go enables IT to offer the flexibility of free seating. Faculty and students can use their own Windows desktop from almost any PC in the school.
• Cost savings: IT does not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1 experience. It is easy to set up and configure, and distribution is simple.
• Management: Today’s IT infrastructure uses Group Policy and technologies like BitLocker Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other advanced technologies to ensure highly reliable and secure services to users. Windows To Go supports all of those technologies and more. You do not need to change your IT processes and management tools to add Windows To Go to your IT infrastructure.
Windows To Go for faculty
Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is seating available in a computer lab? Need to move to another classroom? The educator’s personal Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go workspace.
Faculty members use numerous tools to provide the best learning experience for the classroom, such as Microsoft Office and the specialized Learning Management System (LMS). At the same time, computers with that specialized software are typically shared among two or more educators, making it difficult to find a time to get classroom-related administrative work done.
With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows To Go, any compatible computer, regardless of the operating system installed on it, can be used. This means that faculty members can use a Windows To Go workspace at work, from home, or from an off-campus location, providing the same experience regardless of location. Faculty are no longer tethered to a specific computer, room, or building.
Windows To Go for students
Like faculty, students can benefit from the Windows To Go experience. Students can use a Windows To Go workspace to boot into their own Windows workspace from home or from a free seat in school. They can have the same personal Windows 8.1 experience in each classroom.
Students can also use Windows To Go workspaces to get their homework done and perform research-related tasks by using specialized software without needing to install that software on their own device. All they need is a compatible computer and USB drive, and the workspace is up and running.
You can customize Windows To Go workspaces for particular curriculums, grade levels, and so on, then distribute them to students. Doing so helps to facilitate the learning experience while minimizing the time invested in configuring the technology.
Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a PC.
Additional resources:
• “Windows 8 Enterprise in Your Pocket” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx
• “Windows To Go: Frequently Asked Questions” at http://technet.microsoft.com/en-us/library/jj592680.aspx
Preparing to use Windows To Go
This section describes the infrastructure-related items that you must consider for a Windows To Go deployment and also provides considerations for that preparation. In addition to the considerations that the following sections describe, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682 for considerations affecting any Windows 8.1 deployment in an educational institution.
Windows To Go limitations
Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some differences exist:
• No access to internal disks: By default, the host computer’s disks are not accessible by a Windows To Go installation, and a USB drive with a Windows To Go workspace is not accessible by the Windows operating system installed on the computer. You can eliminate both of these limitations by using Group Policy. However, these restrictions are in place to protect the security and privacy of the Windows To Go workspace, and to help prevent end-user confusion.
• Recovery options are limited: The Windows Recovery Environment (Windows RE) is not available in Windows To Go, nor are refresh and reset options. You should re-provision the Windows To Go workspace onto the USB drive in the event a Windows To Go workspace becomes unrecoverable. Because recovery options are limited, Microsoft does not recommend storing user data on the Windows To Go USB drive. Instead, use a network- or cloud-based solution like Folder Redirection or SkyDrive.
• Trusted Platform Module (TPM) is not used: The TPM is tied to a specific physical computer. Therefore, because Windows To Go workspaces move among computers, the TPM is not used in a Windows To Go workspace. In its place, a password is required for BitLocker on a Windows To Go workspace.
• Windows Store is disabled (Windows 8 only): In Windows 8, the Windows Store is disabled by default, because apps are tied to the computer itself. You can use Group Policy to enable the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled by default. Regardless of the Windows Store status, you can still sideload apps for which you have installation files. For more information about sideloading Windows Store apps, see Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685.
• Hibernate is disabled: Hibernation expects to find the same hardware when the operating system resumes. Because Windows To Go workspaces will likely roam among computers, hibernation is disabled. Like the Windows Store, you can re-enable hibernate, but only enable hibernation if you are certain that the device will only be used on the same physical computer.
Roaming with Windows To Go
During the boot process, Windows To Go examines the host computer’s hardware and installs the necessary device drivers. This process generally works well, especially if people will be using Windows To Go on host computers with similar hardware configurations. However, if the workspace will be used on different hardware with different device configurations, then you might need to inject additional drivers into the image. Testing the image on the hardware is a key step to ensure compatibility for the devices to be used with Windows To Go.
Some applications can bind to specific hardware. For example, an application might tie its licensing or activation to the computer’s hardware. If the Windows To Go workspace will be used on multiple host computers with different hardware configurations, the applications might not roam. Ensure that each application you are installing in a Windows To Go workspace supports roaming or provide for an alternate method of using those applications, such as Windows Server 2012 R2 RemoteApp.
Students and faculty are not usually aware of which type of firmware their computers have, and so they will likely boot their workspaces on different types. They can boot Windows To Go on computers with different types of firmware. Computers certified for Windows 8.1 have Unified Extensible Firmware Interface (UEFI), while Windows 7 computers use the legacy BIOS firmware. Rather than creating separate workspaces for different firmware types, Windows To Go can boot on either firmware type.
Determine user setting storage
Users need access to their data and settings within the Windows To Go workspace in addition to their usual device. Determine how best to provide this access, whether through a user state virtualization (USV) technology or through other means. Options include local storage, Microsoft User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a Microsoft account, which includes the option of roaming for many user settings. This aspect of Windows To Go is discussed in the section “Storing user data and settings” in this guide.
Determine remote access requirements
If Windows To Go workspaces will be used from off-campus locations, then you might provide a method for remote access. You can do so by using DirectAccess or by using an existing virtual private network (VPN) solution. More detail on remote access is given in the section “Configuring Windows To Go for remote access.”
Determine host computer requirements
Windows To Go supports many different types of hardware. This support enables users to run Windows To Go workspaces on hardware certified for Windows 8.1, Windows 8, and Windows 7 alike. Note the following host computer requirements:
• Booting: The computer must be capable of booting from a USB drive, and the drive must be directly connected; USB hubs are not supported.
• Firmware: The computer can use UEFI or BIOS.
• Graphics: The computer should have Microsoft DirectX 9 with Windows Display Driver Model 1.2 or later driver.
• Processor: The computer should have a 1 GHz or faster processor, and the architecture can be 32 or 64 bit, as discussed later in this guide.
• RAM: The computer should have at least 2 GB of physical memory.
• USB port: The computer should have at least one USB 2.0 or 3.0 port.
When considering the processor architecture, the firmware is an important consideration. Table 1 describes the processor architecture considerations for Windows To Go.
NOTE
Windows To Go workspaces are not supported on Windows RT or Apple platforms.
TABLE 1 Processor Architecture and Windows To Go
Host firmware | Host processor architecture | Windows To Go architecture
BIOS | 32-bit | 32-bit only
BIOS | 64-bit | 32-bit and 64-bit
UEFI | 32-bit | 32-bit only
UEFI | 64-bit | 64-bit only
Select the USB drive for Windows To Go
The USB drive used for Windows To Go must be Windows To Go certified. Windows To Go–certified drives are optimized for the rate of I/O operations necessary for Windows. They are capable of booting on hardware certified for Windows 7, Windows 8, and Windows 8.1. The drives have manufacturer warranties and are meant to be used to support a typical Windows workload. Several hardware vendors offer these drives in a variety of sizes. See “Windows To Go Overview” at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_hardware for a list of currently supported drives.
NOTE
A Windows To Go image running Windows 8.1 can boot from a drive that contains a built-in smart card. These composite drives combine a mass storage drive and smart card in one device. Windows 8.1 can enumerate the smart card when booting from the Windows To Go drive or by connecting the device to another host machine. For more information, see “What’s New in Smart Cards” at http://technet.microsoft.com/library/hh849637.aspx.
Understand Windows To Go image creation
Ease of deployment is a key feature of Windows To Go. A Windows 8.1 release to manufacturing (RTM) image is all that is needed to begin the Windows To Go image-creation process. Alternately, you can fully customize the image to include applications and other settings specific to the deployment. Users with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely scenario in an education setting) can also create their own Windows To Go workspace. Therefore, school IT pros will be the likely sole creators of Windows To Go workspaces.
NOTE
You can also use Microsoft System Center 2012 R2 Configuration Manager to distribute workspaces. See the Microsoft TechNet article “How to Provision Windows To Go in Configuration Manager” at http://technet.microsoft.com/en-us/library/jj651035.aspx for more information.
If you do not customize the image, then you will need to provide for the resulting Windows To Go workspace to be joined to the domain and for applications to be installed in the workspace. You can use Group Policy to manage the workspace, and you may want to customize certain settings for your environment. See the section “Managing Windows To Go” or the section “Image deployment and drive provisioning considerations” in the TechNet article “Deployment Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685.aspx#wtg_imagedep for more information on these Group Policy settings and Windows To Go deployment.
You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive, you can duplicate the workspace onto other USB drives (assuming that the workspace has not yet been started for the first time). See the TechNet article “Windows Deployment Options” at http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows Deployment Options and the topic “Windows PowerShell equivalent commands” in “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation.
Additional resources:
• “Deployment Consideration for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685.aspx
• “Windows To Go: Feature Overview” at http://technet.microsoft.com/library/hh831833.aspx
• “Tips for configuring your BIOS settings to work with Windows To Go” at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx
Creating a Windows To Go drive
You can use either of two primary methods to create a Windows To Go drive:
• The Windows To Go Creator Wizard
• Windows PowerShell cmdlets
The method you use depends largely on the goals of the deployment and the skills available for the deployment. Regardless of which method you employ, the result is a USB drive with a Windows To Go workspace on it.
Table 2 provides considerations to help you decide which method of Windows To Go workspace creation is right for you.
TABLE 2 Choosing a Windows To Go Creation Strategy
Consideration | Windows To Go Creator Wizard | Windows PowerShell
Number of workspaces needed | Few; USB duplicator | Many workspaces with potentially unique configurations for each
Customizations needed | None; customized image | Custom provisioning (e.g., offline domain join, partitioning, BitLocker) required
Skills | IT generalist | IT pro with Windows PowerShell experience
Using the Windows To Go Creator Wizard
The Windows To Go Creator Wizard is a simple way to create a Windows To Go workspace quickly. The wizard creates a fully functional workspace with just a few mouse clicks. Using the Windows To Go Creator Wizard involves selecting the USB drive along with the Windows image to be used for the deployment. To use the wizard, you must have:
• A Windows To Go–certified USB drive connected to the computer prior to starting the wizard
• A Windows 8.1 Enterprise image, either the RTM image or a customized image that has been generalized with the Microsoft System Preparation Tool (Sysprep)
• Local administrator privileges
You can enable BitLocker during the Windows To Go Creator Wizard. If you will be using a drive duplicator to make copies of the workspace, however, do not enable BitLocker from the wizard but rather after deployment. See the topic “Enable BitLocker protection for your Windows To Go drive” in the TechNet article “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information on enabling BitLocker.
The overall process for workspace creation involves the following tasks:
1. Select the USB drive on which to create the Windows To Go workspace.
2. Select the Windows image to use as an installation source for the workspace.
3. Optionally, enable BitLocker on the workspace immediately.
The process of workspace creation takes 20 to 30 minutes, and the result is that you have a Windows To Go workspace on the USB drive. From that point, you can either boot the workspace or duplicate it to other USB drives.
Using Windows PowerShell cmdlets
Use Windows PowerShell cmdlets to create Windows To Go workspaces when you need additional flexibility. Windows PowerShell enables you to create a custom, scripted solution for large-scale Windows To Go workspace creation.
NOTE
Always safely eject the USB drive when the provisioning process is complete. Removing the drive in an unsafe manner can result in an unbootable Windows To Go workspace.
The tools used to create a Windows To Go workspace are essentially the same tools you use to manually provision and deploy Windows images. They include:
• Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format-Volume, and so on
• Deployment Image Servicing and Management (DISM)
• Bcdboot
You use these tools to perform the same steps manually that the Windows To Go Creator Wizard performs. The process includes the following tasks:
1. Partition the USB drive, including FAT32- and NTFS file system–formatted partitions.
2. Use DISM to apply the Windows image.
3. Use Bcdboot to enable the system to start on UEFI and BIOS systems.
4. Use DISM to apply a storage area network policy to prevent the internal disks from being used.
5. Create an answer file to disable Windows RE.
Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is that you have a Windows To Go workspace on the USB drive. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information about scripting Windows To Go provisioning by using Windows PowerShell.
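
The five tasks listed above, scripted end to end as an added example; this is not code from the guide or from the TechNet article it cites. The disk number, image path, image index, architecture default and the drive letters S: and W: are assumptions, and the script refuses to erase any disk that is not a non-system USB disk.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the guide): the five provisioning tasks as one script.
# Assumptions: disk number, image path/index and the S:/W: drive letters are
# values you supply; the USB drive is attached directly to the computer.
param(
    [Parameter(Mandatory)] [int]    $DiskNumber,   # from Get-Disk
    [Parameter(Mandatory)] [string] $ImagePath,    # generalized Windows 8.1 Enterprise .wim
    [int] $ImageIndex = 1,
    [ValidateSet('amd64', 'x86')] [string] $Architecture = 'amd64'
)
$ErrorActionPreference = 'Stop'

function Invoke-Native {
    # Run an external tool and stop the script if it reports failure.
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Guards: Clear-Disk is destructive, so accept only a USB disk that is not the
# boot or system disk, and check every input before anything is erased.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB' -or $disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber ($($disk.FriendlyName)) is not a non-system USB disk."
}
if (-not (Test-Path -LiteralPath $ImagePath)) { throw "Image not found: $ImagePath" }
foreach ($letter in 'S', 'W') {
    if (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue) {
        throw "Drive letter ${letter}: is already in use."
    }
}

# Task 1: partition the drive with a FAT32 system partition and an NTFS OS partition.
if ($disk.PartitionStyle -ne 'RAW') { Clear-Disk -Number $DiskNumber -RemoveData -Confirm:$false }
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$sys = New-Partition -DiskNumber $DiskNumber -Size 350MB -IsActive
Format-Volume -Partition $sys -FileSystem FAT32 -NewFileSystemLabel 'UFD-System' -Confirm:$false | Out-Null
$os = New-Partition -DiskNumber $DiskNumber -UseMaximumSize
Format-Volume -Partition $os -FileSystem NTFS -NewFileSystemLabel 'UFD-Windows' -Confirm:$false | Out-Null
Set-Partition -InputObject $sys -NewDriveLetter S
Set-Partition -InputObject $os -NewDriveLetter W
# Keep a host operating system from auto-mounting the workspace volume later.
Set-Partition -InputObject $os -NoDefaultDriveLetter $true

# Task 2: apply the Windows image to the OS partition.
Invoke-Native dism.exe @('/Apply-Image', "/ImageFile:$ImagePath", "/Index:$ImageIndex", '/ApplyDir:W:\')

# Task 3: write boot files for both UEFI and BIOS hosts.
Invoke-Native 'W:\Windows\System32\bcdboot.exe' @('W:\Windows', '/f', 'ALL', '/s', 'S:')

# Attributes shared by both unattend components below.
$attrs = "processorArchitecture=`"$Architecture`" publicKeyToken=`"31bf3856ad364e35`" " +
         "language=`"neutral`" versionScope=`"nonSxS`""

# Task 4: SAN policy 4 keeps the host computer's internal disks offline.
$sanPolicy = @"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" $attrs>
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
"@
Set-Content -Path 'W:\san_policy.xml' -Value $sanPolicy -Encoding UTF8
Invoke-Native dism.exe @('/Image:W:\', '/Apply-Unattend:W:\san_policy.xml')
Remove-Item -Path 'W:\san_policy.xml'

# Task 5: answer file that disables Windows RE on first start.
$noWinRE = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-WinRE-RecoveryAgent" $attrs>
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
  </settings>
</unattend>
"@
Set-Content -Path 'W:\Windows\System32\sysprep\unattend.xml' -Value $noWinRE -Encoding UTF8

Write-Host "Provisioning complete. Safely eject disk $DiskNumber before removing it."
```
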
Additional resources:
• “Deploy Windows To Go In Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
• “Getting Started with Windows PowerShell” at http://technet.microsoft.com/en-us/library/hh857337.aspx
• Windows PowerShell User’s Guide at http://technet.microsoft.com/en-us/library/cc196356.aspx
Starting a Windows To Go drive
Users of Windows To Go need to configure the host computer to boot from USB. For devices running an earlier version of the Windows operating system, the USB boot option can be enabled in the device’s firmware, such as the BIOS. For computers running Windows 8 or Windows 8.1, the Windows To Go workspace can also be configured to start using Windows To Go Startup Options. On the Start screen, press the Windows logo key + W, and then search for Windows To Go startup options to configure the computer to boot from a USB drive. Changing this setting requires administrator privileges. You can also set the option to boot from a USB drive by using Group Policy for Windows 8 and Windows 8.1.
Regardless of whether you are using a Windows 7 host computer or a Windows 8.1 host computer, use caution when enabling boot from USB devices. Doing so may open an attack vector if the computer is booted from a USB drive containing malware.
When preparing a computer to boot into a Windows To Go workspace, make sure the computer is not currently in a sleep state. The USB drive with the Windows To Go workspace should be connected directly to a USB port on the computer, not through a USB hub.
NOTE
Additional considerations exist when using a computer running Windows 7 as a host computer. See “Tips for configuring your BIOS settings to work with Windows To Go” at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx for more information.
Additional resources:
• “Deployment Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685.aspx
Enabling the Windows Store
The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can start the drive on any number of host computers, access the Windows Store, and run their apps.
In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because apps purchased through the Windows Store are tied to the device’s hardware and can be installed on as many as five devices. This means that the app will not run if the Windows To Go workspace is booted from more than five different devices.
You can enable the Windows Store by using the Allow Store to install apps on Windows To Go workspaces Group Policy setting found at \Computer Configuration\Administrative Templates\Windows Components\Store. Use this policy setting when the workspace will be booted from the same or a limited number of computers.
If the Windows Store will remain disabled, Microsoft recommends that you remove the default Windows Store–related apps, such as Sports or News, from the Windows To Go workspace image. These apps are updated through the Windows Store and therefore cannot be updated with the Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can still be loaded, run, and managed through normal app management processes.
Additional resources:
• Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685
• “Management of Windows To Go using Group Policy” at http://technet.microsoft.com/en-us/library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp
• “How to Add and Remove Apps” at http://technet.microsoft.com/en-us/library/hh852635.aspx
• “Managing Client Access to the Windows Store” at http://technet.microsoft.com/en-us/library/hh832040.aspx
• “Prepare Your Organization for Windows To Go” at http://technet.microsoft.com/en-us/library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4
Activating Windows To Go workspaces
Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service (KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot use Multiple Activation Key (MAK) activation, as MAK activation binds to the host computer’s hardware. Windows To Go uses a standard Windows license and counts as an installation for applicable licensing agreements.
The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever the workspace is booted within the school’s network or when using a remote connection like DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to reactivate them by connecting them to the network containing the ADBA or KMS services.
Applications to be used within the workspace might also need to be activated. Office 2013 uses the same activation methods as Windows To Go, but software from other vendors, such as LMSs and other educational applications, might have different licensing. Verify the Windows To Go usage scenario with the appropriate vendors to ensure licensing compliance.
Additional resources:
• “Plan for Volume Activation” at http://technet.microsoft.com/library/jj134042.aspx
• “Understanding KMS” at http://technet.microsoft.com/en-us/library/ff793434.aspx
• “Active Directory-Based Activation Overview” at http://technet.microsoft.com/en-us/library/hh852637.aspx
• “Volume activation of Office 2013” at http://technet.microsoft.com/en-US/library/ee705504.aspx
Managing Windows To Go
You can use the same Windows management tools with which you are already familiar to manage Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within your institution. For example, you can manage Windows To Go workspaces by using:
• Group Policy: See “Group Policy” at http://technet.microsoft.com/windowsserver/bb310732.aspx for more information.
• Windows Intune: See “Windows Intune” at http://technet.microsoft.com/windows/intune.aspx for more information.
• System Center 2012 Configuration Manager: See “System Center Configuration Manager” at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information.
You can also use Group Policy to manage Windows To Go, and Microsoft recommends that you create a separate organizational unit (OU) for the Windows To Go workspaces and one for host computers. You can use the OU for Windows To Go workspaces to:
• Change settings for the Windows Store
• Change standby sleep states
• Change hibernate settings
You can use the OU for host computers to provide granular control over the Windows To Go Startup Options so that only certain computers will be configured to boot from the USB drive.
Group Policy settings related to the Windows To Go workspace
The settings in the following list are particular to Windows To Go workspaces:
• Allow hibernate (S4) when started from a Windows To Go workspace: This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspaces, so enabling this setting explicitly turns the ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system as well as the disk itself are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
• Disallow standby sleep states (S1–S3) when starting from a Windows To Go workspace: This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it were shut down. It would be easy for a user to think that a Windows To Go workspace in sleep mode were actually shut down, and the user could remove the Windows To Go drive and take it home. Removing the drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption of the drive.
Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash, and the eventual corruption of the drive leaves the workspace unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
• Allow Store to install apps on Windows To Go workspaces: This policy setting allows or denies access to the Store application from a Windows To Go workspace running Windows 8. (This policy does not apply to devices running Windows 8.1.) If you enable this setting, access to the Store application is allowed from the Windows To Go workspace. Enable this policy setting only when the Windows To Go workspace will be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Windows Store is not a supported scenario. However, sideloaded Windows Store apps can run in Windows To Go workspaces even when roamed among multiple PCs. If you disable or do not configure this policy setting, access to the Windows Store application is denied on the Windows To Go workspace.
NOTE
For the host PC to resume correctly when hibernation is enabled, the Windows To Go workspace must continue to use the same USB port.
Group Policy settings related to the host computer
The Windows To Go Default Startup Options policy setting controls whether the host computer boots to Windows To Go if a USB device containing a Windows To Go workspace is connected and controls whether users can make changes using the Windows To Go Startup Options settings dialog box. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options settings dialog box. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB by using the Windows To Go Startup Options settings dialog box.
NOTE
Enabling this policy setting causes PCs running Windows 8.1 to attempt to boot from any USB device that is inserted into the PC before it is started.
Additional resources:
• “Prepare Your Organization for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592678.aspx
• “Deployment Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592685.aspx
Storing user data and settings
In a typical Windows installation, user data and settings are stored on the computer’s internal disk. However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario. The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the drive is lost or damaged, the user will lose their data and settings. With this in mind, users need a method to access their data and settings from multiple locations when using the Windows To Go workspace.
Multiple options are available for access to data and settings from within a Windows To Go workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to separate data and settings from the workspace and enable them to roam. These technologies require little infrastructure and are very easy to configure.
If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option. SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go workspace with a Microsoft account.
Table 3 describes the options for data and setting storage.
TABLE 3 Options for Data and Setting Storage in Windows To Go
Consideration | Local storage in the Windows To Go workspace | UE-V with Folder Redirection | SkyDrive
Configuration | Requires no additional configuration | Requires agent installation in the workspace and Group Policy infrastructure | Requires minimal configuration; must log on with a Microsoft account for settings to be synchronized
IT expertise | None | IT pro | End user
Backup | None | Uses backup methods already in place in the infrastructure | Cloud-based service that is backed up in the datacenter
Data and settings roaming | None | Yes | Yes, as long as a Microsoft account is used
Bandwidth used | None | Intranet | Internet
UE-V with Folder Redirection
UE-V with Folder Redirection provides access to data and settings for a consistent desktop experience no matter where the user logs on. It is the recommended method for providing access to data and settings with Windows To Go, because it provides the best combination of flexibility and manageability for most infrastructures.
UE-V with Folder Redirection consists of several components that combine to provide a seamless virtualized experience:
• UE-V: UE-V synchronizes users’ settings with a simple network file share. Changes made to Windows and application settings will be synchronized with the file share and available when users log on to their Windows To Go workspace or any domain-joined PC.
• Folder Redirection: Folder Redirection stores user data and application-related data on a file share so that users can access the data regardless of logon location.
• Offline Files: Offline Files ensure that files and folders are accessible even if the device is currently disconnected from the network. This includes the UE-V settings store and any redirected folders. Configuring Offline Files is essential if students are allowed to take their Windows To Go workspaces home with them.
Cloud storage
CloudstorageisaviableoptionforkeepinguserdatainaWindowsToGodeployment.Whenconsideringcloudstorage,SkyDriveandOffice365providemanyoptions.
AnyonecanobtainSkyDrivestorage,andMicrosoftprovidesupto7GBofspaceatnocost.Userscanpurchaseadditionalspace,ifnecessary.Visithttp://windows.microsoft.com/en-US/skydrive/ formoreinformationonSkyDrive.SkyDriverequiresaMicrosoftaccount,andstudentsundertheageof13requireparentauthorization.Formoreinformation,seeWindows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
Office365alsooffersafullversionofOffice,withstorageavailableinthecloud.ThisisaviableoptionifOfficewillbetheprimarytoolusedintheWindowsToGodeployment.Office365offerseducationalinstitutionplans,includingafreetierforstudentsandfaculty.
WithSkyDrive,bothdataandsettingscanbestoredinthecloud.ThesesettingscanincludethingslikeInternetExplorerfavorites,desktop,andothersettings.IfSkyDriveisdisabledthroughGroupPolicy,itwouldalsobedisabledforbothdataandsettingsstorage.However,ifyoucreateanewOUfortheWindowsToGodrives,thenSkyDrivecouldbeenabledforthatOUspecifically.
Additional resources:
• Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478.aspx
• “User Experience Virtualization” at http://technet.microsoft.com/en-us/windows/hh943107.aspx
• SkyDrive website at http://windows.microsoft.com/en-US/skydrive/
• “Office 365 Deployment” at http://technet.microsoft.com/en-us/library/hh852466.aspx
• “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592679.aspx
• “Supporting Information Workers with Reliable File Services and Storage” at http://technet.microsoft.com/en-us/library/hh831495
• “Folder Redirection, Offline Files, and Roaming User Profiles Overview” at http://technet.microsoft.com/library/hh848267
• “Overview of user and roaming settings for Office 2013” at http://technet.microsoft.com/en-us/library/jj733593.aspx
Configuring Windows To Go for remote access
Enabling users to access network resources from off-campus locations such as at home is an important aspect of the Windows To Go usage scenario. To provide access to network resources, you might deploy a remote access solution. Windows To Go can use such already-supported remote access solutions as:
• DirectAccess: DirectAccess provides an advanced remote access solution that enables built-in security, monitoring, and integration with other Microsoft enterprise services.
• Traditional VPN-based solution: A VPN is also supported as a means to enable remote access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients.
• Auto-triggered VPN: Use an app or resource that needs access through the inbox VPN (e.g., a company’s intranet site) and Windows 8.1 automatically prompts to sign in with one click. This feature is available with Microsoft and third-party inbox VPN clients.
See the section “Configure Windows To Go workspace for remote access” in the Deploy Windows To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including Windows PowerShell scripts related to the remote access deployment.
Additional resources:
• “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet.microsoft.com/library/hh831416
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
• Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx
• “What’s New in Remote Access in Windows Server 2012 R2” at http://technet.microsoft.com/en-us/library/dn383589.aspx
Securing Windows To Go drives
A key security consideration for Windows To Go deployment is the use of BitLocker. BitLocker helps to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect students’ security and privacy in the event of a lost Windows To Go workspace.
As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user instead is prompted for a password to unlock the drive. You can control the password policy through Group Policy; by default, passwords are eight characters in length.
When first inserted into the provisioning computer, the USB drive to be used for the workspace is considered a normal removable data drive. The drive must have one or more volumes already defined. In addition, you may need to change Group Policy settings related to BitLocker to use the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption, include:
• Control use of BitLocker on removable drives: Controls whether BitLocker can be used on removable drives. This policy must be enabled.
• Configure use of smart cards on removable data drives: If this policy is enabled, sign in with your smart card prior to beginning the Windows To Go Creator Wizard.
• Configure use of passwords for removable data drives: The computer on which you run the Windows To Go Creator Wizard must be able to connect to a domain controller when this setting, along with the Require password complexity option, are enabled.
• Require additional authentication at startup: This setting, which you must also change, enables the use of passwords with an operating system drive so that BitLocker can be configured within the workspace. Enable the setting by selecting the Allow BitLocker without a compatible TPM option.
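A pre-flight check for the provisioning computer that reports whether the policies listed above are in effect, as an added example that is not part of the guide. It assumes the registry value names that the BitLocker administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; confirm them against the ADMX files in your environment.

```powershell
# Added example: report the BitLocker policy values the Windows To Go Creator
# Wizard depends on. Value names and meanings are assumptions taken from the
# BitLocker administrative template; verify them against your ADMX files.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Policies the guide says must be enabled (expected registry value: 1).
$required = @(
    @{ Policy = 'Control use of BitLocker on removable drives'; Name = 'RDVConfigureBDE' }
    @{ Policy = 'Require additional authentication at startup'; Name = 'UseAdvancedStartup' }
    @{ Policy = 'Allow BitLocker without a compatible TPM';     Name = 'EnableBDEWithNoTPM' }
)

$report = foreach ($r in $required) {
    $actual = if ($values) { $values.($r.Name) } else { $null }
    [pscustomobject]@{
        Policy = $r.Policy
        Value  = $r.Name
        Actual = if ($null -eq $actual) { 'not configured' } else { $actual }
        Ok     = ($actual -eq 1)
    }
}
$report | Format-Table -AutoSize

# Conditional: required password complexity needs a reachable domain controller.
# Assumption: RDVPassphraseComplexity = 1 means "Require password complexity".
if ($values -and $values.RDVPassphrase -eq 1 -and $values.RDVPassphraseComplexity -eq 1) {
    if (-not (Test-ComputerSecureChannel)) {
        Write-Warning 'Password complexity is required, but no domain controller is reachable.'
    }
}

# Conditional: smart cards on removable data drives.
if ($values -and $values.RDVAllowUserCert -eq 1) {
    Write-Host 'Smart cards are enabled for removable data drives: sign in with the smart card before starting the wizard.'
}

if ($report.Ok -contains $false) {
    Write-Warning 'One or more required BitLocker policies are not enabled on this computer.'
}
```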
An option that enables easier management of BitLocker is Microsoft BitLocker Administration and Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available with Microsoft Software Assurance licensing. Visit http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx for more information on MBAM.
Configuring BitLocker before distribution
You can configure BitLocker prior to distributing the Windows To Go workspace to users. Doing so reduces the amount of time necessary to enable BitLocker encryption on the drive. Importantly, it protects the drive and workspace immediately.
Another advantage to enabling BitLocker during provisioning is that the recovery keys are backed up to the provisioning computer account in Active Directory Domain Services (AD DS). In situations where AD DS is not used to store recovery keys, you can save the recovery keys to a file or print the keys. In addition, you must set the password for BitLocker encryption during provisioning and instruct the user to change the password on first boot. You do so by using Windows PowerShell cmdlets. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including scripts for enabling BitLocker. When BitLocker is enabled after provisioning, the recovery keys are stored with the workspace’s computer account.
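One way to script the pre-distribution step described above, as an added example that is not from the guide or from the TechNet script it references. The W: mount point, the escrow folder path and the -WillBeDuplicated switch are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-provision BitLocker on a freshly imaged Windows To Go drive.
# Assumptions: the workspace volume is mounted as W:, and $EscrowDir is a placeholder
# for an access-controlled location used only when AD DS backup is unavailable.
param(
    [string]$MountPoint = 'W:',
    [string]$EscrowDir  = 'C:\WtgRecovery',   # placeholder path
    [switch]$WillBeDuplicated                 # hypothetical switch: drive goes to a USB duplicator
)

# The guide's NOTE: never pre-provision a drive that a duplicator will copy.
if ($WillBeDuplicated) {
    throw 'Skip BitLocker pre-provisioning for drives that will be duplicated.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.KeyProtector.Count -gt 0) {
    throw "$MountPoint already has key protectors; refusing to re-provision."
}

# Temporary unlock password; the user is instructed to change it on first boot.
$initial = Read-Host -AsSecureString -Prompt 'Initial BitLocker password'

# 1. Create the recovery password first so a recovery path exists before encryption.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
           -WarningAction SilentlyContinue -ErrorAction Stop
$rp  = $vol.KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
           Select-Object -First 1

# 2. Escrow it: AD DS when available, otherwise a file named after the protector ID.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    Write-Host "Recovery password $($rp.KeyProtectorId) backed up to AD DS."
} catch {
    $file = Join-Path $EscrowDir ($rp.KeyProtectorId.Trim('{}') + '.txt')
    Set-Content -Path $file -Value $rp.RecoveryPassword -ErrorAction Stop
    Write-Warning "AD DS backup failed; recovery password written to $file."
}

# 3. Only now turn on encryption with the password protector.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $initial `
    -ErrorAction Stop | Out-Null

Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
```

Escrowing the recovery password before encryption starts means a failed backup stops the run while the drive is still unencrypted, rather than leaving an encrypted drive with no recorded recovery path.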
Configuring BitLocker after distribution
You can also configure BitLocker after distribution. In this scenario, the user (with administrative rights on the workspace) enables BitLocker after boot. This means that you must grant administrative privileges to the user for the workspace; it also means that the drive and workspace are not protected by BitLocker until the user enables the protection.
MBAM provides an alternative: You can centrally enforce BitLocker policies that you define in Group Policy. Additionally, standard user accounts can encrypt their drives, and MBAM provides a self-service recovery portal that can help users quickly recover their drives if they forget their passwords.
A potential disadvantage of configuring BitLocker after distribution is that you must obtain recovery keys from the user if the keys are not stored in AD DS (although you can use MBAM for this purpose, as well). In addition, the user can store recovery keys in a file, by printing them, or on SkyDrive. You can also define BitLocker policies that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive unless it can back up recovery keys to AD DS.
NOTE
Do not pre-provision BitLocker if you will be using a USB drive duplicator to create multiple copies of Windows To Go workspaces.
Additional resources:
• “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592679.aspx
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
• “Why can’t I enable BitLocker from ‘Windows To Go Creator’?” at http://technet.microsoft.com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail
• “BitLocker Overview” at http://technet.microsoft.com/en-us/library/hh831713.aspx
• “Enable BitLocker protection for your Windows To Go drive” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy
• The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx
Building multiple Windows To Go drives
When you need to distribute a Windows To Go workspace to more than a few users within the institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive duplicator to create a large number of copies of a given workspace. This scenario is appropriate when the workspace has the same applications and tools and will be distributed to the same types of users, such as students; it also enables you to create multiple workspaces, one for students and one for faculty.
When using a drive duplicator, be aware of the following caveats:
• Do not boot the drive prior to duplication.
• Do not enable BitLocker on the drive.
• Do not configure offline domain join in the workspace.
Whether you need to create a single or many copies of a workspace, a Windows PowerShell cmdlet might be appropriate. See “Advanced deployment sample script” at http://technet.microsoft.com/en-us/library/jj721578.aspx#wtg_adv_script for more information, including a sample script for creating multiple drives with Windows PowerShell. By using Windows PowerShell, you can create custom workspaces (e.g., based on grade, homeroom, and so on).
Additional resources:
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
Talking about Windows To Go
Communicate with students and faculty when introducing Windows To Go. Windows To Go requires users to change their workflows, and they should be aware of limitations and changes necessary to make their use of Windows To Go successful. One idea would be to provide this information in a wiki or through a handout, as appropriate. In particular, educate users to:
• Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive
• Ensure that the host computer has been fully shut down before inserting the Windows To Go drive
• Insert the Windows To Go drive directly into the computer, not into a USB hub
• Always shut down Windows and wait for the shutdown process to finish fully before removing the Windows To Go drive
Also, consider how Windows To Go will be supported. If training is necessary for help desk staff, plan for that training in advance of the deployment.
Additional resources:
• “Best Practice Recommendations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592681.aspx
Conclusion
Windows To Go is an excellent solution for educational deployments. The ability to provide a standardized Windows experience that runs from virtually anywhere means that people can get their work done faster and more easily than before. You can create Windows To Go workspaces and manage them by using the same tools you already use within your organization. You can create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can manage Windows To Go workspaces through Group Policy. To learn about other ways you can deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
© 2014 Microsoft Corporation. All rights reserved.
This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.