Windows To Go

A deployment guide for education

January 2014

Table of contents

Understanding Windows To Go
    Windows To Go for IT
    Windows To Go for faculty
    Windows To Go for students
Preparing to use Windows To Go
    Windows To Go limitations
    Roaming with Windows To Go
    Determine user setting storage
    Determine remote access requirements
    Determine host computer requirements
    Select the USB drive for Windows To Go
    Understand Windows To Go image creation
Creating a Windows To Go drive
    Using the Windows To Go Creator Wizard
    Using Windows PowerShell cmdlets
Starting a Windows To Go drive
Enabling the Windows Store
Activating Windows To Go workspaces
Managing Windows To Go
    Group Policy settings related to the Windows To Go workspace
    Group Policy settings related to the host computer
Storing user data and settings
    UE-V with Folder Redirection
    Cloud storage
Configuring Windows To Go for remote access
Securing Windows To Go drives
    Configuring BitLocker before distribution
    Configuring BitLocker after distribution
Building multiple Windows To Go drives
Talking about Windows To Go
Conclusion

Windows To Go

A deployment guide for education


Windows To Go is a feature of the Windows 8.1 Enterprise operating system that
enables the operating system to run from a USB drive. Using Windows To Go in an
education environment provides numerous benefits to faculty and students alike. It
enables faculty and students to use a personalized copy of Windows 8.1 on virtually
any PC, at almost any location. This guide provides an overview of Windows To Go
deployment for schools. It is for IT pros and discusses the benefits, limitations, and
processes involved in deploying Windows To Go.

Understanding Windows To Go
Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the
standardized Windows image already used on institution-owned devices now becomes available
with greatly increased portability and convenience. Users do not need to lug around a laptop
or other device to have their Windows desktop available: That desktop is now available on a
USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or
Windows 8.1.

Windows To Go for IT
Windows To Go helps IT in several ways:
- Portability: Windows To Go enables IT to offer the flexibility of free seating. Faculty and students can use their own Windows desktop from almost any PC in the school.
- Cost savings: IT does not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1 experience. It is easy to set up and configure, and distribution is simple.
- Management: Today's IT infrastructure uses Group Policy and technologies like BitLocker Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other advanced technologies to ensure highly reliable and secure services to users. Windows To Go supports all of those technologies and more. You do not need to change your IT processes and management tools to add Windows To Go to your IT infrastructure.

Windows To Go for faculty


Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is
seating available in a computer lab? Need to move to another classroom? The educator's personal
Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go
workspace.
Faculty members use numerous tools to provide the best learning experience for the classroom,
such as Microsoft Office and the specialized Learning Management System (LMS). At the same
time, computers with that specialized software are typically shared among two or more educators,
making it difficult to find a time to get classroom-related administrative work done.
With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows
To Go, any compatible computer, regardless of the operating system installed on it, can be used.
This means that faculty members can use a Windows To Go workspace at work, from home, or
from an off-campus location, providing the same experience regardless of location. Faculty are no
longer tethered to a specific computer, room, or building.

Windows To Go for students


Like faculty, students can benefit from the Windows To Go experience. Students can use a
Windows To Go workspace to boot into their own Windows workspace from home or from a free
seat in school. They can have the same personal Windows 8.1 experience in each classroom.
Students can also use Windows To Go workspaces to get their homework done and perform
research-related tasks by using specialized software without needing to install that software on
their own device. All they need is a compatible computer and USB drive, and the workspace is up
and running.
You can customize Windows To Go workspaces for particular curriculums, grade levels, and so
on, then distribute them to students. Doing so helps to facilitate the learning experience while
minimizing the time invested in configuring the technology.
Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the
workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a
PC.

Additional resources:
- Windows 8 Enterprise in Your Pocket at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx
- Windows To Go: Frequently Asked Questions at http://technet.microsoft.com/en-us/library/jj592680.aspx

Preparing to use Windows To Go


This section describes the infrastructure-related items that you must consider for a Windows
To Go deployment and also provides considerations for that preparation. In addition to the
considerations that the following sections describe, see "Windows 8.1 deployment planning: A guide
for education" at http://www.microsoft.com/download/details.aspx?id=39682 for considerations
affecting any Windows 8.1 deployment in an educational institution.

Windows To Go limitations
Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some differences exist:
- No access to internal disks: By default, the host computer's disks are not accessible by a Windows To Go installation, and a USB drive with a Windows To Go workspace is not accessible by the Windows operating system installed on the computer. You can eliminate both of these limitations by using Group Policy. However, these restrictions are in place to protect the security and privacy of the Windows To Go workspace, and to help prevent end-user confusion.
- Recovery options are limited: The Windows Recovery Environment (Windows RE) is not available in Windows To Go, nor are refresh and reset options. You should re-provision the Windows To Go workspace onto the USB drive in the event a Windows To Go workspace becomes unrecoverable. Because recovery options are limited, Microsoft does not recommend storing user data on the Windows To Go USB drive. Instead, use a network- or cloud-based solution like Folder Redirection or SkyDrive.
- Trusted Platform Module (TPM) is not used: The TPM is tied to a specific physical computer. Therefore, because Windows To Go workspaces move among computers, the TPM is not used in a Windows To Go workspace. In its place, a password is required for BitLocker on a Windows To Go workspace.
- Windows Store is disabled (Windows 8 only): In Windows 8, the Windows Store is disabled by default, because apps are tied to the computer itself. You can use Group Policy to enable the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled by default. Regardless of the Windows Store status, you can still sideload apps for which you have installation files. For more information about sideloading Windows Store apps, see "Windows Store apps: A deployment guide for education" at http://www.microsoft.com/download/details.aspx?id=39685.
- Hibernate is disabled: Hibernation expects to find the same hardware when the operating system resumes. Because Windows To Go workspaces will likely roam among computers, hibernation is disabled. As with the Windows Store, you can re-enable hibernation, but do so only if you are certain that the device will be used only on the same physical computer.

Roaming with Windows To Go


During the boot process, Windows To Go examines the host computer's hardware and installs
the necessary device drivers. This process generally works well, especially if people will be
using Windows To Go on host computers with similar hardware configurations. However, if the
workspace will be used on different hardware with different device configurations, then you might
need to inject additional drivers into the image. Testing the image on the hardware is a key step to
ensure compatibility for the devices to be used with Windows To Go.
Some applications can bind to specific hardware. For example, an application might tie its licensing
or activation to the computer's hardware. If the Windows To Go workspace will be used on
multiple host computers with different hardware configurations, the applications might not roam.
Ensure that each application you are installing in a Windows To Go workspace supports roaming
or provide for an alternate method of using those applications, such as Windows Server 2012 R2
RemoteApp.
Students and faculty are not usually aware of which type of firmware their computers have, and
so they will likely boot their workspaces on different types. They can boot Windows To Go on
computers with different types of firmware. Computers certified for Windows 8.1 have Unified
Extensible Firmware Interface (UEFI), while Windows 7 computers use the legacy BIOS firmware.
Rather than creating separate workspaces for different firmware types, Windows To Go can boot
on either firmware type.

Determine user setting storage


Users need access to their data and settings within the Windows To Go workspace in addition
to their usual device. Determine how best to provide this access, whether through a user state
virtualization (USV) technology or through other means. Options include local storage, Microsoft
User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft
Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a
Microsoft account, which includes the option of roaming for many user settings. This aspect of
Windows To Go is discussed in the section "Storing user data and settings" on page 18 in this
guide.

Determine remote access requirements


If Windows To Go workspaces will be used from off-campus locations,
then you might provide a method for remote access. You can do so
by using DirectAccess or by using an existing virtual private network
(VPN) solution. More detail on remote access is given in "Configuring
Windows To Go for remote access" on page 21.

Determine host computer requirements


Windows To Go supports many different types of hardware. This support enables users to run Windows To Go workspaces on hardware certified for Windows 8.1, Windows 8, and Windows 7 alike. Note the following host computer requirements:
- Booting: The computer must be capable of booting from a USB drive, and the drive must be directly connected; USB hubs are not supported.
- Firmware: The computer can use UEFI or BIOS.
- Graphics: The computer should have Microsoft DirectX 9 with Windows Display Driver Model 1.2 or later driver.
- Processor: The computer should have a 1 GHz or faster processor, and the architecture can be 32-bit or 64-bit, as discussed later in this guide.
- RAM: The computer should have at least 2 GB of physical memory.
- USB port: The computer should have at least one USB 2.0 or 3.0 port.

NOTE: Windows To Go workspaces are not supported on Windows RT or Apple platforms.

When considering the processor architecture, the firmware is an important consideration. Table 1 on page 7 describes the processor architecture considerations for Windows To Go.

| Host firmware | Host processor architecture | Windows To Go architecture |
|---|---|---|
| BIOS | 32-bit | 32-bit only |
| BIOS | 64-bit | 32-bit and 64-bit |
| UEFI | 32-bit | 32-bit only |
| UEFI | 64-bit | 64-bit only |

Table 1 Processor Architecture and Windows To Go

Select the USB drive for Windows To Go


The USB drive used for Windows To Go must be Windows To Go
certified. Windows To Go-certified drives are optimized for the rate of
I/O operations necessary for Windows. They are capable of booting
on hardware certified for Windows 7, Windows 8, and Windows 8.1.
The drives have manufacturer warranties and are meant to be used
to support a typical Windows workload. Several hardware vendors
offer these drives in a variety of sizes. See "Windows To Go Overview"
at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_hardware
for a list of currently supported drives.

NOTE: A Windows To Go image running Windows 8.1 can boot from a drive that contains a built-in smart card. These composite drives combine a mass storage drive and smart card in one device. Windows 8.1 can enumerate the smart card when booting from the Windows To Go drive or by connecting the device to another host machine. For more information, see "What's New in Smart Cards" at http://technet.microsoft.com/library/hh849637.aspx.

Understand Windows To Go image creation


Ease of deployment is a key feature of Windows To Go. A Windows 8.1 release to manufacturing (RTM) image is all that is needed to begin the Windows To Go image-creation process. Alternatively, you can fully customize the image to include applications and other settings specific to the deployment. Users with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely scenario in an education setting) can also create their own Windows To Go workspace. Therefore, school IT pros will be the likely sole creators of Windows To Go workspaces.

NOTE: You can also use Microsoft System Center 2012 R2 Configuration Manager to distribute workspaces. See the Microsoft TechNet article "How to Provision Windows To Go in Configuration Manager" at http://technet.microsoft.com/en-us/library/jj651035.aspx for more information.

If you do not customize the image, then you will need to provide for the resulting Windows To Go workspace to be joined to the domain and for applications to be installed in the workspace. You can use Group Policy to manage the workspace, and you may want to customize certain settings for your environment. See the section "Managing Windows To Go" on page 15 or the section "Image deployment and drive provisioning considerations" in the TechNet article "Deployment Considerations for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592685.aspx#wtg_imagedep for more information on these Group Policy settings and Windows To Go deployment.

You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive, you can duplicate the workspace onto other USB drives (assuming that the workspace has not yet been started for the first time). See the TechNet article "Windows Deployment Options" at http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows Deployment Options and the topic "Windows PowerShell equivalent commands" in "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation.
Additional resources:
- Deployment Consideration for Windows To Go at http://technet.microsoft.com/en-us/library/jj592685.aspx
- Windows To Go: Feature Overview at http://technet.microsoft.com/library/hh831833.aspx
- Tips for configuring your BIOS settings to work with Windows To Go at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx

Creating a Windows To Go drive


You can use either of two primary methods to create a Windows To Go drive:
- The Windows To Go Creator Wizard
- Windows PowerShell cmdlets

The method you use depends largely on the goals of the deployment and the skills available for the deployment. Regardless of which method you employ, the result is a USB drive with a Windows To Go workspace on it.

Table 2 provides considerations to help you decide which method of Windows To Go workspace creation is right for you.

| | Windows To Go Creator Wizard | Windows PowerShell |
|---|---|---|
| Number of workspaces needed | Few | Many workspaces with potentially unique configurations for each |
| Customizations needed | None | Custom provisioning (e.g., offline domain join, partitioning, BitLocker) required |
| Skills | IT generalist | IT pro with Windows PowerShell experience |

USB duplicator
Customized image

Table 2 Choosing a Windows To Go Creation Strategy

Using the Windows To Go Creator Wizard


The Windows To Go Creator Wizard is a simple way to create a Windows To Go workspace quickly. The wizard creates a fully functional workspace with just a few mouse clicks. Using the Windows To Go Creator Wizard involves selecting the USB drive along with the Windows image to be used for the deployment. To use the wizard, you must have:
- A Windows To Go-certified USB drive connected to the computer prior to starting the wizard
- A Windows 8.1 Enterprise image, either the RTM image or a customized image that has been generalized with the Microsoft System Preparation Tool (Sysprep)
- Local administrator privileges

You can enable BitLocker during the Windows To Go Creator Wizard. If you will be using a drive duplicator to make copies of the workspace, however, do not enable BitLocker from the wizard but rather after deployment. See the topic "Enable BitLocker protection for your Windows To Go drive" in the TechNet article "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information on enabling BitLocker.

The overall process for workspace creation involves the following tasks:
1. Select the USB drive on which to create the Windows To Go workspace.
2. Select the Windows image to use as an installation source for the workspace.
3. Optionally, enable BitLocker on the workspace immediately.

The process of workspace creation takes 20 to 30 minutes, and the result is that you have a Windows To Go workspace on the USB drive. From that point, you can either boot the workspace or duplicate it to other USB drives.

NOTE: Always safely eject the USB drive when the provisioning process is complete. Removing the drive in an unsafe manner can result in an unbootable Windows To Go workspace.

Using Windows PowerShell cmdlets


Use Windows PowerShell cmdlets to create Windows To Go
workspaces when you need additional flexibility. Windows PowerShell
enables you to create a custom, scripted solution for large-scale
Windows To Go workspace creation.

The tools used to create a Windows To Go workspace are essentially the same tools you use to manually provision and deploy Windows images. They include:
- Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format-Volume, and so on
- Deployment Image Servicing and Management (DISM)
- Bcdboot

You use these tools to perform the same steps manually that the Windows To Go Creator Wizard performs. The process includes the following tasks:
1. Partition the USB drive, including FAT32- and NTFS file system-formatted partitions.
2. Use DISM to apply the Windows image.
3. Use Bcdboot to enable the system to start on UEFI and BIOS systems.
4. Use DISM to apply a storage area network policy to prevent the internal disks from being used.
5. Create an answer file to disable Windows RE.

Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is that you have a Windows To Go workspace on the USB drive. See "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information about scripting Windows To Go provisioning by using Windows PowerShell.
Additional resources:
- Deploy Windows To Go In Your Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx
- Getting Started with Windows PowerShell at http://technet.microsoft.com/en-us/library/hh857337.aspx
- Windows PowerShell User's Guide at http://technet.microsoft.com/en-us/library/cc196356.aspx

Starting a Windows To Go drive


Users of Windows To Go need to configure the host computer to
boot from USB. For devices running an earlier version of the Windows
operating system, the USB boot option can be enabled in the device's
firmware, such as the BIOS. For computers running Windows 8 or
Windows 8.1, the Windows To Go workspace can also be configured
to start using Windows To Go Startup Options. On the Start screen,
press the Windows logo key + W, and then search for "Windows To
Go startup options" to configure the computer to boot from a USB
drive. Changing this setting requires administrator privileges. You can
also set the option to boot from a USB drive by using Group Policy for
Windows 8 and Windows 8.1.
Regardless of whether you are using a Windows 7 host computer or
a Windows 8.1 host computer, use caution when enabling boot from
USB devices. Doing so may open an attack vector if the computer is
booted from a USB drive containing malware.

NOTE: Additional considerations exist when using a computer running Windows 7 as a host computer. See "Tips for configuring your BIOS settings to work with Windows To Go" at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx for more information.

When preparing a computer to boot into a Windows To Go workspace, make sure the computer is not currently in a sleep state. The USB drive with the Windows To Go workspace should be connected directly to a USB port on the computer, not through a USB hub.

Additional resources:
- Deployment Considerations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592685.aspx
Enabling the Windows Store


The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can
start the drive on any number of host computers, access the Windows Store, and run their apps.
In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because
apps purchased through the Windows Store are tied to the device's hardware and can be installed
on as many as five devices. This means that the app will not run if the Windows To Go workspace is
booted from more than five different devices.
You can enable the Windows Store by using the "Allow Store to install apps on Windows To Go
workspaces" Group Policy setting found at
\Computer Configuration\Administrative Templates\Windows Components\Store.
Use this policy setting when the workspace will be booted from the
same or a limited number of computers.
If the Windows Store will remain disabled, Microsoft recommends that you remove the default
Windows Store-related apps, such as Sports or News, from the Windows To Go workspace image.
These apps are updated through the Windows Store and therefore cannot be updated with the
Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can
still be loaded, run, and managed through normal app management processes.
Additional resources:
- Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685
- Management of Windows To Go using Group Policy at http://technet.microsoft.com/en-us/library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp
- How to Add and Remove Apps at http://technet.microsoft.com/en-us/library/hh852635.aspx
- Managing Client Access to the Windows Store at http://technet.microsoft.com/en-us/library/hh832040.aspx
- Prepare Your Organization for Windows To Go at http://technet.microsoft.com/en-us/library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4

Activating Windows To Go workspaces


Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service
(KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot
use Multiple Activation Key (MAK) activation, as MAK activation binds to the host computer's
hardware. Windows To Go uses a standard Windows license and counts as an installation for
applicable licensing agreements.
The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever
the workspace is booted within the school's network or when using a remote connection like
DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to
reactivate them by connecting them to the network containing the ADBA or KMS services.
Applications to be used within the workspace might also need to be activated. Office 2013 uses the
same activation methods as Windows To Go, but software from other vendors, such as LMSs and
other educational applications, might have different licensing. Verify the Windows To Go usage
scenario with the appropriate vendors to ensure licensing compliance.
Additional resources:
- Plan for Volume Activation at http://technet.microsoft.com/library/jj134042.aspx
- Understanding KMS at http://technet.microsoft.com/en-us/library/ff793434.aspx
- Active Directory-Based Activation Overview at http://technet.microsoft.com/en-us/library/hh852637.aspx
- Volume activation of Office 2013 at http://technet.microsoft.com/en-US/library/ee705504.aspx

Managing Windows To Go
You can use the same Windows management tools with which you are already familiar to manage Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within your institution. For example, you can manage Windows To Go workspaces by using:
- Group Policy: See "Group Policy" at http://technet.microsoft.com/windowsserver/bb310732.aspx for more information.
- Windows Intune: See "Windows Intune" at http://technet.microsoft.com/windows/intune.aspx for more information.
- System Center 2012 Configuration Manager: See "System Center Configuration Manager" at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information.

You can also use Group Policy to manage Windows To Go, and Microsoft recommends that you create a separate organizational unit (OU) for the Windows To Go workspaces and one for host computers. You can use the OU for Windows To Go workspace to:
- Change settings for the Windows Store
- Change standby sleep states
- Change hibernate settings

You can use the OU for host computers to provide granular control over the Windows To Go Startup Options so that only certain computers will be configured to boot from the USB drive.

Group Policy settings related to the Windows To Go workspace


The settings in the following list are particular to Windows To Go workspaces:
- Allow hibernate (S4) when started from a Windows To Go workspace: This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspaces, so enabling this setting explicitly turns the ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, is unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
- Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace: This policy setting specifies whether the PC can use standby sleep states (S1-S3) when started from a Windows To Go workspace. The sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it were shut down. It would be easy for a user to think that a Windows To Go workspace in sleep mode were actually shut down, and the user could remove the Windows To Go drive and take it home. Removing the drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption of the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and, eventually, to corruption of the drive that leaves the workspace unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
- Allow Store to install apps on Windows To Go workspaces: This policy setting allows or denies access to the Store application from a Windows To Go workspace running Windows 8. (This policy does not apply to devices running Windows 8.1.) If you enable this setting, access to the Store application is allowed from the Windows To Go workspace. Enable this policy setting only when the Windows To Go workspace will be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Windows Store is not a supported scenario. However, sideloaded Windows Store apps can run in Windows To Go workspaces even when roamed among multiple PCs. If you disable or do not configure this policy setting, access to the Windows Store application is denied on the Windows To Go workspace.

NOTE: For the host PC to resume correctly when hibernation is enabled, the Windows To Go workspace must continue to use the same USB port.

Group Policy settings related to the host computer


The "Windows To Go Default Startup Options" policy setting controls whether the host computer boots to Windows To Go if a USB device containing a Windows To Go workspace is connected and controls whether users can make changes using the "Windows To Go Startup Options" settings dialog box. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the "Windows To Go Startup Options" settings dialog box. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB by using the "Windows To Go Startup Options" settings dialog box.

NOTE: Enabling this policy setting causes PCs running Windows 8.1 to attempt to boot from any USB device that is inserted into the PC before it is started.

Additional resources:
- Prepare Your Organization for Windows To Go at http://technet.microsoft.com/en-us/library/jj592678.aspx
- Deployment Considerations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592685.aspx

Storing user data and settings


In a typical Windows installation, user data and settings are stored on the computer's internal disk.
However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead
stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario.
The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the
drive is lost or damaged, the user will lose their data and settings. With this in mind, users need a
method to access their data and settings from multiple locations when using the Windows To Go
workspace.
Multiple options are available for access to data and settings from within a Windows To Go
workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to
separate data and settings from the workspace and enable them to roam. These technologies
require little infrastructure and are very easy to configure.
If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option.
SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet
Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go
workspace with a Microsoft account.
Table 3 describes the options for data and setting storage.
Table 3: Options for Data and Setting Storage in Windows To Go

| | Local storage in the Windows To Go workspace | UE-V with Folder Redirection | SkyDrive |
|---|---|---|---|
| Configuration | Requires no additional configuration | Requires agent installation in the workspace and Group Policy infrastructure | Requires minimal configuration; must log on with a Microsoft account for settings to be synchronized |
| IT expertise | None | IT pro | End user |
| Backup | None | Uses backup methods already in place in the infrastructure | Cloud-based service that is backed up in the datacenter |
| Data and settings roaming | None | Yes | Yes, as long as a Microsoft account is used |
| Bandwidth used | None | Intranet | Internet |

UE-V with Folder Redirection


UE-V with Folder Redirection provides access to data and settings for a consistent desktop
experience no matter where the user logs on. It is the recommended method for providing access
to data and settings with Windows To Go, because it provides the best combination of flexibility
and manageability for most infrastructures.

UE-V with Folder Redirection consists of several components that combine to provide a seamless
virtualized experience:
• UE-V: UE-V synchronizes users' settings with a simple network file share. Changes made to
  Windows and application settings will be synchronized with the file share and available when
  users log on to their Windows To Go workspace or any domain-joined PC.
• Folder Redirection: Folder Redirection stores user data and application-related data on a
  file share so that users can access the data regardless of logon location.
• Offline Files: Offline Files ensures that files and folders are accessible even if the device is
  currently disconnected from the network. This includes the UE-V settings store and any
  redirected folders. Configuring Offline Files is essential if students are allowed to take their
  Windows To Go workspaces home with them.

Cloud storage
Cloud storage is a viable option for keeping user data in a Windows To Go deployment. When
considering cloud storage, SkyDrive and Office 365 provide many options.

Anyone can obtain SkyDrive storage, and Microsoft provides up to 7 GB of space at no cost. Users
can purchase additional space, if necessary. Visit http://windows.microsoft.com/en-US/skydrive/
for more information on SkyDrive. SkyDrive requires a Microsoft account, and students under
the age of 13 require parent authorization. For more information, see Windows 8.1 deployment
planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.

Office 365 also offers a full version of Office, with storage available in the cloud. This is a viable
option if Office will be the primary tool used in the Windows To Go deployment. Office 365 offers
educational institution plans, including a free tier for students and faculty.

With SkyDrive, both data and settings can be stored in the cloud. These settings can include things
like Internet Explorer favorites, desktop, and other settings. If SkyDrive is disabled through Group
Policy, it would also be disabled for both data and settings storage. However, if you create a new
OU for the Windows To Go drives, then SkyDrive could be enabled for that OU specifically.

Additional resources:
• Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478.aspx
• User Experience Virtualization at http://technet.microsoft.com/en-us/windows/hh943107.aspx
• SkyDrive website at http://windows.microsoft.com/en-US/skydrive/
• Office 365 Deployment at http://technet.microsoft.com/en-us/library/hh852466.aspx
• Security and Data Protection Considerations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592679.aspx
• Supporting Information Workers with Reliable File Services and Storage at http://technet.microsoft.com/en-us/library/hh831495
• Folder Redirection, Offline Files, and Roaming User Profiles Overview at http://technet.microsoft.com/library/hh848267
• Overview of user and roaming settings for Office 2013 at http://technet.microsoft.com/en-us/library/jj733593.aspx

Configuring Windows To Go for remote access


Enabling users to access network resources from off-campus locations such as at home is an
important aspect of the Windows To Go usage scenario. To provide access to network resources,
you might deploy a remote access solution. Windows To Go can use such already-supported
remote access solutions as:
• DirectAccess: DirectAccess provides an advanced remote access solution that enables built-in
  security, monitoring, and integration with other Microsoft enterprise services.
• Traditional VPN-based solution: A VPN is also supported as a means to enable remote
  access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients.
• Auto-triggered VPN: Use an app or resource that needs access through the inbox VPN (e.g.,
  a company's intranet site) and Windows 8.1 automatically prompts to sign in with one click.
  This feature is available with Microsoft and third-party inbox VPN clients.

See the section "Configure Windows To Go workspace for remote access" in the Deploy Windows
To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for
more information, including Windows PowerShell scripts related to the remote access deployment.

Additional resources:
• Remote Access (DirectAccess, Routing and Remote Access) Overview at http://technet.microsoft.com/library/hh831416
• Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx
• Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx
• What's New in Remote Access in Windows Server 2012 R2 at http://technet.microsoft.com/en-us/library/dn383589.aspx

Securing Windows To Go drives


A key security consideration for Windows To Go deployment is the use of BitLocker. BitLocker helps
to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect
students' security and privacy in the event of a lost Windows To Go workspace.

As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user
instead is prompted for a password to unlock the drive. You can control the password policy
through Group Policy; by default, passwords are eight characters in length.

When first inserted into the provisioning computer, the USB drive to be used for the workspace
is considered a normal removable data drive. The drive must have one or more volumes already
defined. In addition, you may need to change Group Policy settings related to BitLocker to use
the Windows To Go Creator Wizard with BitLocker. These policies, which are found in
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption,
include:
• Control use of BitLocker on removable drives: Controls whether BitLocker can be used on
  removable drives. This policy must be enabled.
• Configure use of smart cards on removable data drives: If this policy is enabled, sign in
  with your smart card prior to beginning the Windows To Go Creator Wizard.
• Configure use of passwords for removable data drives: The computer on which you run
  the Windows To Go Creator Wizard must be able to connect to a domain controller when this
  setting, along with the Require password complexity option, is enabled.
• Require additional authentication at startup: This setting, which you must also change,
  enables the use of passwords with an operating system drive so that BitLocker can be
  configured within the workspace. Enable the setting by selecting the Allow BitLocker
  without a compatible TPM option.

An option that enables easier management of BitLocker is Microsoft BitLocker Administration and
Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available
with Microsoft Software Assurance licensing. Visit
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx
for more information on MBAM.

Configuring BitLocker before distribution


You can configure BitLocker prior to distributing the Windows To Go
workspace to users. Doing so reduces the amount of time necessary
to enable BitLocker encryption on the drive. Importantly, it protects
the drive and workspace immediately.

Another advantage to enabling BitLocker during provisioning is
that the recovery keys are backed up to the provisioning computer
account in Active Directory Domain Services (AD DS). In situations
where AD DS is not used to store recovery keys, you can save the
recovery keys to a file or print the keys. In addition, you must set the
password for BitLocker encryption during provisioning and instruct
the user to change the password on first boot. You do so by using
Windows PowerShell cmdlets. See Deploy Windows To Go in Your
Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx
for more information, including scripts for enabling BitLocker.

When BitLocker is enabled after provisioning, the recovery keys are
stored with the workspace's computer account.

NOTE: Do not pre-provision BitLocker if you will be using a USB drive
duplicator to create multiple copies of Windows To Go workspaces.
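
The following Windows PowerShell function is an added example, not part of the original guide or of Microsoft's deployment scripts. It enables BitLocker on a workspace volume during provisioning with an initial password, then keeps the recovery password in AD DS or in a file. The function name Protect-WtgWorkspace, the drive letter W:, and the folder C:\WTG-Recovery are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's deployment script. Run on the provisioning
# computer with the workspace OS volume mounted (W: below is an assumption).
function Protect-WtgWorkspace {
    param(
        [Parameter(Mandatory = $true)] [string] $MountPoint,
        [Parameter(Mandatory = $true)] [securestring] $InitialPassword,
        [string] $RecoveryFolder,   # used when AD DS does not store recovery keys
        [switch] $BackupToAD
    )
    if (-not $BackupToAD -and -not $RecoveryFolder) {
        throw 'Choose -BackupToAD or -RecoveryFolder so the recovery key is kept.'
    }
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($volume.KeyProtector) {
        throw "$MountPoint already has BitLocker key protectors; not re-provisioning."
    }

    # Windows To Go does not use the TPM, so the drive unlocks with a password.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector `
        -Password $InitialPassword -ErrorAction Stop | Out-Null

    # Add a recovery password so a forgotten unlock password is recoverable.
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    if (-not $recovery) { throw "No recovery password protector on $MountPoint." }

    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $recovery.KeyProtectorId -ErrorAction Stop | Out-Null
    } else {
        # One file per protector ID; keep this folder readable by IT staff only.
        $file = Join-Path $RecoveryFolder ("{0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
        $recovery.RecoveryPassword | Out-File -FilePath $file -Encoding ascii
    }
    # Return the state so the operator can confirm protection before hand-out.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
}

# Constructed usage: prompt for the initial password instead of hard-coding it.
# $pw = Read-Host -AsSecureString 'Initial BitLocker password'
# Protect-WtgWorkspace -MountPoint 'W:' -InitialPassword $pw -RecoveryFolder 'C:\WTG-Recovery'
```

Because the initial password is known to the provisioning staff, the user still needs to change it on first boot, as described above.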

Configuring BitLocker after distribution


You can also configure BitLocker after distribution. In this scenario,
the user (with administrative rights on the workspace) enables
BitLocker after boot. This means that you must grant administrative
privileges to the user for the workspace; it also means that the drive
and workspace are not protected by BitLocker until the user enables
the protection.

MBAM provides an alternative: You can centrally enforce BitLocker
policies that you define in Group Policy. Additionally, standard user
accounts can encrypt their drives, and MBAM provides a self-service
recovery portal that can help users quickly recover their drives if they
forget their passwords.

A potential disadvantage of configuring BitLocker after distribution
is that you must obtain recovery keys from the user if the keys are
not stored in AD DS (although you can use MBAM for this purpose,
as well). In addition, the user can store recovery keys in a file, by
printing them, or on SkyDrive. You can also define BitLocker policies
that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive
unless it can back up recovery keys to AD DS.
Additional resources:
• Security and Data Protection Considerations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592679.aspx
• Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx
• Why can't I enable BitLocker from Windows To Go Creator? at http://technet.microsoft.com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail
• BitLocker Overview at http://technet.microsoft.com/en-us/library/hh831713.aspx
• Enable BitLocker protection for your Windows To Go drive at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy
• The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx

Building multiple Windows To Go drives


When you need to distribute a Windows To Go workspace to more than a few users within the
institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive
duplicator to create a large number of copies of a given workspace. This scenario is appropriate
when the workspace has the same applications and tools and will be distributed to the same types
of users, such as students; it also enables you to create multiple workspaces, one for students and
one for faculty.

When using a drive duplicator, be aware of the following caveats:
• Do not boot the drive prior to duplication.
• Do not enable BitLocker on the drive.
• Do not configure offline domain join in the workspace.

Whether you need to create a single or many copies of a workspace, a Windows PowerShell cmdlet
might be appropriate. See "Advanced deployment sample script" at
http://technet.microsoft.com/en-us/library/jj721578.aspx#wtg_adv_script for more information,
including a sample script for creating multiple drives with Windows PowerShell. By using Windows
PowerShell, you can create custom workspaces (e.g., based on grade, homeroom, and so on).

Additional resources:
• Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx

Talking about Windows To Go


Communicate with students and faculty when introducing Windows To Go. Windows To Go
requires users to change their workflows, and they should be aware of limitations and changes
necessary to make their use of Windows To Go successful. One idea would be to provide this
information in a wiki or through a handout, as appropriate. In particular, educate users to:
• Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive
• Ensure that the host computer has been fully shut down before inserting the Windows To Go
  drive
• Insert the Windows To Go drive directly into the computer, not into a USB hub
• Always shut down Windows and wait for the shutdown process to finish fully before removing
  the Windows To Go drive

Also, consider how Windows To Go will be supported. If training is necessary for help desk staff,
plan for that training in advance of the deployment.

Additional resources:
• Best Practice Recommendations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592681.aspx

Conclusion
Windows To Go is an excellent solution for educational deployments. The ability to provide a
standardized Windows experience that runs from virtually anywhere means that people can get
their work done faster and more easily than before. You can create Windows To Go workspaces
and manage them by using the same tools you already use within your organization. You can
create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can
manage Windows To Go workspaces through Group Policy. To learn about other ways you can
deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at
http://www.microsoft.com/download/details.aspx?id=39682.

© 2014 Microsoft Corporation. All rights reserved.

This document is for informational purposes only and
is provided "as is." Views expressed in this document,
including URL and any other Internet Web site references,
may change without notice. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
