Windows to Go - A Guide for Education
December 16, 2016 | Author: Sersson John | Category: N/A
Windows To Go: A deployment guide for education
January 2014

Table of contents
Understanding Windows To Go
    Windows To Go for IT
    Windows To Go for faculty
    Windows To Go for students
Preparing to use Windows To Go
    Windows To Go limitations
    Roaming with Windows To Go
    Determine user setting storage
    Determine remote access requirements
    Determine host computer requirements
    Select the USB drive for Windows To Go
    Understand Windows To Go image creation
Creating a Windows To Go drive
    Using the Windows To Go Creator Wizard
    Using Windows PowerShell cmdlets
Starting a Windows To Go drive
Enabling the Windows Store
Activating Windows To Go workspaces
Managing Windows To Go
    Group Policy settings related to the Windows To Go workspace
    Group Policy settings related to the host computer
Storing user data and settings
    UE-V with Folder Redirection
    Cloud storage
Configuring Windows To Go for remote access
Securing Windows To Go drives
    Configuring BitLocker before distribution
    Configuring BitLocker after distribution
Building multiple Windows To Go drives
Talking about Windows To Go
Conclusion
Windows To Go is a feature of the Windows 8.1 Enterprise operating system that enables the operating system to run from a USB drive. Using Windows To Go in an education environment provides numerous benefits to faculty and students alike. It enables faculty and students to use a personalized copy of Windows 8.1 on virtually any PC, at almost any location. This guide provides an overview of Windows To Go deployment for schools. It is for IT pros and discusses the benefits, limitations, and processes involved in deploying Windows To Go.
Understanding Windows To Go Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the standardized Windows image already used on institution-owned devices now becomes available with greatly increased portability and convenience. Users do not need to lug around a laptop or other device to have their Windows desktop available: That desktop is now available on a USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or Windows 8.1.
Windows To Go for IT
Windows To Go helps IT in several ways:
• Portability. Windows To Go enables IT to offer the flexibility of free seating. Faculty and students can use their own Windows desktop from almost any PC in the school.
• Cost savings. IT does not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1 experience. It is easy to set up and configure, and distribution is simple.
• Management. Today's IT infrastructure uses Group Policy and technologies like BitLocker Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other advanced technologies to ensure highly reliable and secure services to users. Windows To Go supports all of those technologies and more. You do not need to change your IT processes and management tools to add Windows To Go to your IT infrastructure.
Windows To Go for faculty Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is seating available in a computer lab? Need to move to another classroom? The educator’s personal Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go workspace. Faculty members use numerous tools to provide the best learning experience for the classroom, such as Microsoft Office and the specialized Learning Management System (LMS). At the same time, computers with that specialized software are typically shared among two or more educators, making it difficult to find a time to get classroom-related administrative work done. With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows To Go, any compatible computer, regardless of the operating system installed on it, can be used. This means that faculty members can use a Windows To Go workspace at work, from home, or from an off-campus location, providing the same experience regardless of location. Faculty are no longer tethered to a specific computer, room, or building.
Windows To Go for students Like faculty, students can benefit from the Windows To Go experience. Students can use a Windows To Go workspace to boot into their own Windows workspace from home or from a free seat in school. They can have the same personal Windows 8.1 experience in each classroom. Students can also use Windows To Go workspaces to get their homework done and perform research-related tasks by using specialized software without needing to install that software on their own device. All they need is a compatible computer and USB drive, and the workspace is up and running. You can customize Windows To Go workspaces for particular curriculums, grade levels, and so on, then distribute them to students. Doing so helps to facilitate the learning experience while minimizing the time invested in configuring the technology. Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a PC.
Additional resources:
• "Windows 8 Enterprise in Your Pocket" at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx
• "Windows To Go: Frequently Asked Questions" at http://technet.microsoft.com/en-us/library/jj592680.aspx
Preparing to use Windows To Go This section describes the infrastructure-related items that you must consider for a Windows To Go deployment and also provides considerations for that preparation. In addition to the considerations that the following sections describe, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682 for considerations affecting any Windows 8.1 deployment in an educational institution.
Windows To Go limitations
Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some differences exist:
• No access to internal disks. By default, the host computer's internal disks are not accessible from a Windows To Go workspace (the image carries a storage area network policy that leaves them offline), and the USB drive holding the workspace is not given a drive letter by the Windows operating system installed on the host. You can remove both restrictions by using Group Policy. However, these restrictions are in place to protect the security and privacy of the Windows To Go workspace and to help prevent end-user confusion. Note that hiding the drive from the host is a hygiene measure, not access control: anyone holding the drive can read an unencrypted workspace from any other operating system, which is why BitLocker on the drive matters.
• Recovery options are limited. The Windows Recovery Environment (Windows RE) is not available in Windows To Go, nor are refresh and reset options. You should re-provision the Windows To Go workspace onto the USB drive in the event a workspace becomes unrecoverable. Because recovery options are limited, Microsoft does not recommend storing user data on the Windows To Go USB drive. Instead, use a network- or cloud-based solution like Folder Redirection or SkyDrive.
• Trusted Platform Module (TPM) is not used. The TPM is tied to a specific physical computer. Because Windows To Go workspaces move among computers, the TPM is not used in a Windows To Go workspace. In its place, a password is required for BitLocker on a Windows To Go workspace, so the strength of that password (and the safekeeping of the recovery password) is what protects the data on a lost or stolen drive.
• Windows Store is disabled (Windows 8 only). In Windows 8, the Windows Store is disabled by default, because apps are tied to the computer itself. You can use Group Policy to enable the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled by default. Regardless of the Windows Store status, you can still sideload apps for which you have installation files. For more information about sideloading Windows Store apps, see Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685.
• Hibernate is disabled. Hibernation expects to find the same hardware when the operating system resumes. Because Windows To Go workspaces will likely roam among computers, hibernation is disabled. Like the Windows Store, you can re-enable hibernate, but only do so if you are certain that the drive will only be used on the same physical computer.
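As an added example (not a script from this guide), the following PowerShell check, run elevated inside a booted Windows 8.1 Windows To Go workspace, verifies that the limitations listed above are actually in force on a given drive: that the running operating system really is a Windows To Go workspace, that the host's internal disks are offline, that hibernation is disabled, and that BitLocker on the workspace volume relies on a password and a recovery password rather than a TPM protector. The OS volume letter C: and the registry location of the hibernate flag are assumptions; the Storage and BitLocker modules it calls ship with Windows 8.1.

```powershell
# Added example, not the guide's own script. Run elevated inside the booted
# Windows To Go workspace (Windows 8.1: Storage and BitLocker modules present).
# Assumptions: the workspace OS volume is C:; the hibernate flag is read from
# the standard Power key under HKLM.
function Test-WtgWorkspaceState {
    [CmdletBinding()]
    param([string]$OsVolume = 'C:')

    $r = [ordered]@{}

    # Win32_OperatingSystem.PortableOperatingSystem (Windows 8 and later) is
    # $true only when the running OS was started from a Windows To Go drive.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.IsWindowsToGo = [bool]$os.PortableOperatingSystem

    # The SAN policy baked into the image (OfflineInternal) should leave every
    # non-USB disk offline; an online internal disk means the host's data is
    # reachable from the workspace.
    $internal = @(Get-Disk | Where-Object { $_.BusType -ne 'USB' })
    $r.InternalDisks       = $internal.Count
    $r.InternalDisksOnline = @($internal | Where-Object { -not $_.IsOffline }).Count

    # Hibernate is off by default for roaming workspaces (HibernateEnabled = 0).
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $r.HibernateEnabled = ($power.HibernateEnabled -eq 1)

    # BitLocker on a roaming workspace must unlock with a password (plus a
    # recovery password for the help desk); a TPM protector would bind the
    # drive to a single host.
    $bde   = Get-BitLockerVolume -MountPoint $OsVolume
    $types = @($bde.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $r.BitLockerOn          = ($bde.ProtectionStatus -eq 'On')
    $r.HasPasswordProtector = ($types -contains 'Password')
    $r.HasRecoveryPassword  = ($types -contains 'RecoveryPassword')
    $r.HasTpmProtector      = [bool]@($types | Where-Object { $_ -like 'Tpm*' }).Count

    $r.Compliant = $r.IsWindowsToGo -and
                   $r.InternalDisksOnline -eq 0 -and
                   -not $r.HibernateEnabled -and
                   $r.BitLockerOn -and
                   $r.HasPasswordProtector -and
                   $r.HasRecoveryPassword -and
                   -not $r.HasTpmProtector
    [pscustomobject]$r
}

Test-WtgWorkspaceState | Format-List
```

Run it once on a freshly provisioned drive and again after the drive has roamed to a second host; InternalDisksOnline should stay at 0 on every host, and a TPM protector appearing in the list means someone enabled BitLocker the way they would on a fixed PC rather than with a password.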
Roaming with Windows To Go
During the boot process, Windows To Go examines the host computer's hardware and installs the necessary device drivers. This process generally works well, especially if people will be using Windows To Go on host computers with similar hardware configurations. However, if the workspace will be used on different hardware with different device configurations, you might need to inject additional drivers into the image. Testing the image on the hardware is a key step to ensure compatibility with the devices to be used with Windows To Go.

Some applications can bind to specific hardware. For example, an application might tie its licensing or activation to the computer's hardware. If the Windows To Go workspace will be used on multiple host computers with different hardware configurations, such applications might not roam. Ensure that each application you install in a Windows To Go workspace supports roaming, or provide an alternate method of using those applications, such as Windows Server 2012 R2 RemoteApp.

Students and faculty are not usually aware of which type of firmware their computers have, so they will likely boot their workspaces on different types. Computers certified for Windows 8.1 have Unified Extensible Firmware Interface (UEFI), while Windows 7 computers typically use legacy BIOS firmware. Rather than creating separate workspaces for different firmware types, a single Windows To Go drive can boot on either firmware type, subject to the processor architecture rules in Table 1.
Determine user setting storage
Users need access to their data and settings within the Windows To Go workspace in addition to their usual device. Determine how best to provide this access, whether through a user state virtualization (USV) technology or through other means. Options include local storage, Microsoft User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a Microsoft account, which includes the option of roaming for many user settings. This aspect of Windows To Go is discussed in the section "Storing user data and settings" later in this guide.
Determine remote access requirements
If Windows To Go workspaces will be used from off-campus locations, you might need to provide a method for remote access. You can do so by using DirectAccess or an existing virtual private network (VPN) solution. More detail on remote access is given in the section "Configuring Windows To Go for remote access."
Determine host computer requirements
Windows To Go supports many different types of hardware. This support enables users to run Windows To Go workspaces on hardware certified for Windows 8.1, Windows 8, and Windows 7 alike. Note the following host computer requirements:
• Booting: The computer must be capable of booting from a USB drive, and the drive must be directly connected; USB hubs are not supported.
• Firmware: The computer can use UEFI or BIOS.
• Graphics: The computer should have Microsoft DirectX 9 with a Windows Display Driver Model 1.2 or later driver.
• Processor: The computer should have a 1 GHz or faster processor; the architecture can be 32-bit or 64-bit, as discussed later in this guide.
• RAM: The computer should have at least 2 GB of physical memory.
• USB port: The computer should have at least one USB 2.0 or 3.0 port.
NOTE Windows To Go workspaces are not supported on Windows RT or Apple platforms.
When considering the processor architecture, the firmware is an important consideration. Table 1 describes the processor architecture considerations for Windows To Go.
Table 1 Processor Architecture and Windows To Go

Host firmware | Host processor architecture | Windows To Go architecture
BIOS          | 32-bit                      | 32-bit only
BIOS          | 64-bit                      | 32-bit and 64-bit
UEFI          | 32-bit                      | 32-bit only
UEFI          | 64-bit                      | 64-bit only
Select the USB drive for Windows To Go The USB drive used for Windows To Go must be Windows To Go certified. Windows To Go–certified drives are optimized for the rate of I/O operations necessary for Windows. They are capable of booting on hardware certified for Windows 7, Windows 8, and Windows 8.1. The drives have manufacturer warranties and are meant to be used to support a typical Windows workload. Several hardware vendors offer these drives in a variety of sizes. See “Windows To Go Overview” at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_ hardware for a list of currently supported drives.
NOTE A Windows To Go image running Windows 8.1 can boot from a drive that contains a built-in smart card. These composite drives combine a mass storage drive and a smart card in one device. Windows 8.1 can enumerate the smart card when booting from the Windows To Go drive or when the device is connected to another host machine. For more information, see "What's New in Smart Cards" at http://technet.microsoft.com/library/hh849637.aspx.
Understand Windows To Go image creation
Ease of deployment is a key feature of Windows To Go. A Windows 8.1 release to manufacturing (RTM) image is all that is needed to begin the Windows To Go image-creation process. Alternately, you can fully customize the image to include applications and other settings specific to the deployment. Users with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely combination in an education setting) can also create their own Windows To Go workspace. Therefore, school IT pros will likely be the sole creators of Windows To Go workspaces. If you do not customize the image, you will need to provide for the resulting Windows To Go workspace to be joined to the domain and for applications to be installed in the workspace. You can use Group Policy to manage the workspace, and you may want to customize certain settings for your environment. See the section "Managing Windows To Go" later in this guide, or the section "Image deployment and drive provisioning considerations" in the TechNet article "Deployment Considerations for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592685.aspx#wtg_imagedep, for more information on these Group Policy settings and Windows To Go deployment.

You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive, you can duplicate it onto other USB drives, provided the workspace has not yet been started for the first time (first start runs Sysprep specialization, after which the copies would no longer be identical). See the TechNet article "Windows Deployment Options" at http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows deployment options, and the topic "Windows PowerShell equivalent commands" in "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation.

NOTE You can also use Microsoft System Center 2012 R2 Configuration Manager to distribute workspaces. See the Microsoft TechNet article "How to Provision Windows To Go in Configuration Manager" at http://technet.microsoft.com/en-us/library/jj651035.aspx for more information.
Additional resources:
• "Deployment Considerations for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592685.aspx
• "Windows To Go: Feature Overview" at http://technet.microsoft.com/library/hh831833.aspx
• "Tips for configuring your BIOS settings to work with Windows To Go" at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx
Creating a Windows To Go drive
You can use either of two primary methods to create a Windows To Go drive:
• The Windows To Go Creator Wizard
• Windows PowerShell cmdlets
The method you use depends largely on the goals of the deployment and the skills available for the deployment. Regardless of which method you employ, the result is a USB drive with a Windows To Go workspace on it. Table 2 provides considerations to help you decide which method of Windows To Go workspace creation is right for you.

Table 2 Choosing a Windows To Go Creation Strategy

Consideration               | Windows To Go Creator Wizard                 | Windows PowerShell
Number of workspaces needed | Few                                          | Many workspaces with potentially unique configurations for each
Customizations needed       | None; USB duplicator; customized image       | Custom provisioning (e.g., offline domain join, partitioning, BitLocker) required
Skills                      | IT generalist                                | IT pro with Windows PowerShell experience
Using the Windows To Go Creator Wizard
The Windows To Go Creator Wizard is a simple way to create a Windows To Go workspace quickly. The wizard creates a fully functional workspace with just a few mouse clicks. Using the Windows To Go Creator Wizard involves selecting the USB drive along with the Windows image to be used for the deployment. To use the wizard, you must have:
• A Windows To Go–certified USB drive connected to the computer prior to starting the wizard
• A Windows 8.1 Enterprise image, either the RTM image or a customized image that has been generalized with the Microsoft System Preparation Tool (Sysprep)
• Local administrator privileges
You can enable BitLocker during the Windows To Go Creator Wizard. If you will be using a drive duplicator to make copies of the workspace, however, do not enable BitLocker from the wizard but rather after deployment: duplicating an already-encrypted drive copies its BitLocker keys along with the data, so every copy would share the same password and the same recovery password, and one user's credentials would unlock every drive in the batch. See the topic "Enable BitLocker protection for your Windows To Go drive" in the TechNet article "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information on enabling BitLocker.
The overall process for workspace creation involves the following tasks:
1. Select the USB drive on which to create the Windows To Go workspace.
2. Select the Windows image to use as an installation source for the workspace.
3. Optionally, enable BitLocker on the workspace immediately.
The process of workspace creation takes 20 to 30 minutes, and the result is a Windows To Go workspace on the USB drive. From that point, you can either boot the workspace or duplicate it to other USB drives.
NOTE Always safely eject the USB drive when the provisioning process is complete. Removing the drive in an unsafe manner can result in an unbootable Windows To Go workspace.
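For the "enable BitLocker after deployment" case above, the following PowerShell function is an added example (not a script from this guide or from Microsoft) showing the protector arrangement a roaming drive needs: a recovery password created first and escrowed to Active Directory, then a password protector as the unlock method, with no TPM protector. It assumes it runs elevated inside the booted, domain-joined workspace, that the OS volume is C:, and that Group Policy in the domain permits password protectors on operating system drives and backup of recovery information to AD DS; the function name and the Aes256 choice are the example's own.

```powershell
# Added example, not the guide's own script. Run elevated inside the booted,
# domain-joined workspace after the drive has been duplicated and started.
# Assumptions: OS volume is C:; Group Policy allows password protectors on
# operating system drives and AD DS backup of BitLocker recovery information.
function Enable-WtgBitLocker {
    param(
        [Parameter(Mandatory = $true)][securestring]$Password,
        [string]$MountPoint = 'C:'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        return $vol   # already protected; do not churn keys on every logon-script run
    }

    # Recovery password first, and escrow it: it is the only way back in when a
    # student forgets the password, and it must never exist only on the drive.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
           Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # Password protector: the TPM belongs to whichever host is in use, so it is
    # never used for a roaming workspace. UsedSpaceOnly keeps first-time
    # encryption short on a freshly provisioned drive.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
                     -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

$pw = Read-Host -AsSecureString -Prompt 'BitLocker password for this workspace'
Enable-WtgBitLocker -Password $pw |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Because the recovery password is generated per drive at run time rather than copied from a master, each duplicated drive ends up with its own keys, which is the whole point of deferring BitLocker until after duplication.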
Using Windows PowerShell cmdlets Use Windows PowerShell cmdlets to create Windows To Go workspaces when you need additional flexibility. Windows PowerShell enables you to create a custom, scripted solution for large-scale Windows To Go workspace creation.
The tools used to create a Windows To Go workspace are essentially the same tools you use to manually provision and deploy Windows images. They include:
• Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format-Volume, and so on
• Deployment Image Servicing and Management (DISM)
• Bcdboot
You use these tools to perform manually the same steps that the Windows To Go Creator Wizard performs:
1. Partition the USB drive, including FAT32- and NTFS-formatted partitions.
2. Use DISM to apply the Windows image.
3. Use Bcdboot to enable the system to start on UEFI and BIOS systems.
4. Use DISM to apply a storage area network (SAN) policy that keeps the host computer's internal disks offline inside the workspace.
5. Create an answer file to disable Windows RE.
Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is a Windows To Go workspace on the USB drive. See "Deploy Windows To Go in Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more information about scripting Windows To Go provisioning by using Windows PowerShell.
Additional resources:
• "Deploy Windows To Go In Your Organization" at http://technet.microsoft.com/en-us/library/jj721578.aspx
• "Getting Started with Windows PowerShell" at http://technet.microsoft.com/en-us/library/hh857337.aspx
• Windows PowerShell User's Guide at http://technet.microsoft.com/en-us/library/cc196356.aspx
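The five steps above, carried through as one PowerShell script, as an added example that is not the guide's or Microsoft's own provisioning script. It assumes it runs elevated on a Windows 8.1 PC whose built-in DISM supports /Apply-Image, that the generalized Windows 8.1 Enterprise image is at D:\images\wtg.wim (index 1), that drive letters S: and W: are free, and that exactly one eligible USB disk is attached; the image path, labels and size threshold are the example's own choices. The SAN policy value 4 (OfflineInternal) and the WinRE-removal unattend component are the settings the page's steps 4 and 5 refer to.

```powershell
# Added example, not the guide's own script. Run elevated on a Windows 8.1 PC
# whose built-in DISM supports /Apply-Image. Assumptions: the generalized
# Windows 8.1 Enterprise image is D:\images\wtg.wim index 1; drive letters S:
# and W: are free; the single eligible USB disk is the intended target.
$ImagePath  = 'D:\images\wtg.wim'
$ImageIndex = 1

# Select the target deliberately: USB bus, not the disk we booted from, large
# enough for Windows. Clear-Disk is destructive, so refuse on any ambiguity.
$candidates = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' -and -not $_.IsBoot -and $_.Size -gt 20GB })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one eligible USB disk, found $($candidates.Count); aborting."
}
$disk = $candidates[0]

# 1. Partition: MBR so the same drive boots on BIOS and UEFI hosts; a small
#    active FAT32 system partition (UEFI needs FAT32) and an NTFS Windows partition.
Clear-Disk -InputObject $disk -RemoveData -Confirm:$false
Initialize-Disk -InputObject $disk -PartitionStyle MBR
$sys = New-Partition -InputObject $disk -Size 350MB -IsActive
Format-Volume -Partition $sys -FileSystem FAT32 -NewFileSystemLabel 'UFD-System' -Confirm:$false | Out-Null
$win = New-Partition -InputObject $disk -UseMaximumSize
Format-Volume -Partition $win -FileSystem NTFS -NewFileSystemLabel 'UFD-Windows' -Confirm:$false | Out-Null
Set-Partition -InputObject $sys -NewDriveLetter 'S'
Set-Partition -InputObject $win -NewDriveLetter 'W'
# Keep host operating systems from assigning the workspace volume a letter.
Set-Partition -InputObject $win -NoDefaultDriveLetter $true

# 2. Apply the image.
dism.exe /Apply-Image "/ImageFile:$ImagePath" "/Index:$ImageIndex" /ApplyDir:W:\
if ($LASTEXITCODE -ne 0) { throw "DISM /Apply-Image failed with exit code $LASTEXITCODE" }

# 3. Boot files for both firmware types (/f ALL) go on the system partition.
& 'W:\Windows\System32\bcdboot.exe' 'W:\Windows' /f ALL /s 'S:'
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. SAN policy 4 = OfflineInternal: every host's internal disks stay offline
#    inside the workspace. Applied to the offline image with DISM.
$sanPolicy = @'
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SanPolicy>4</SanPolicy>
    </component>
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
'@
Set-Content -Path 'W:\san_policy.xml' -Value $sanPolicy -Encoding UTF8
dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
if ($LASTEXITCODE -ne 0) { throw "DISM /Apply-Unattend failed with exit code $LASTEXITCODE" }

# 5. Answer file that removes Windows RE on first start; as the limitations
#    section explains, Windows RE is not supported on a Windows To Go drive.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-WinRE-RecoveryAgent" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
    <component name="Microsoft-Windows-WinRE-RecoveryAgent" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
  </settings>
</unattend>
'@
New-Item -ItemType Directory -Path 'W:\Windows\System32\sysprep' -Force | Out-Null
Set-Content -Path 'W:\Windows\System32\sysprep\unattend.xml' -Value $unattend -Encoding UTF8
Write-Host 'Provisioning complete; eject the drive safely before removing it.'
```

The disk-selection guard at the top is the part most worth keeping when you adapt this for a batch: a filter that matches more than one disk, or a disk that is not on the USB bus, must stop the script rather than let Clear-Disk run against a lab PC's internal drive.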
Starting a Windows To Go drive
Users of Windows To Go need to configure the host computer to boot from USB. For devices running an earlier version of the Windows operating system, the USB boot option can be enabled in the device's firmware, such as the BIOS. For computers running Windows 8 or Windows 8.1, the host can also be configured to start a Windows To Go workspace by using Windows To Go Startup Options: on the Start screen, press the Windows logo key + W, and then search for Windows To Go startup options. Changing this setting requires administrator privileges. You can also set the option to boot from a USB drive by using Group Policy for Windows 8 and Windows 8.1. Regardless of whether the host computer runs Windows 7 or Windows 8.1, use caution when enabling boot from USB devices. Doing so opens an attack vector: anyone with physical access can boot the computer from a USB drive containing malware or an attacker-controlled operating system, and any internal disk that is not protected by BitLocker can then be read or modified. Enable USB boot only on the host computers that need it, and keep BitLocker enabled on their internal disks.
NOTE Additional considerations exist when using a computer running Windows 7 as a host computer. See "Tips for configuring your BIOS settings to work with Windows To Go" at http://social.technet.microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-with-windows-to-go.aspx for more information.
When preparing a computer to boot into a Windows To Go workspace, make sure the computer is not currently in a sleep state. The USB drive with the Windows To Go workspace should be connected directly to a USB port on the computer, not through a USB hub.
Additional resources:
• "Deployment Considerations for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592685.aspx
Enabling the Windows Store
The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can start the drive on any number of host computers, access the Windows Store, and run their apps. In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because apps purchased through the Windows Store are tied to the device's hardware and can be installed on as many as five devices. This means that the app will not run if the Windows To Go workspace is booted from more than five different devices. You can enable the Windows Store by using the Allow Store to install apps on Windows To Go workspaces Group Policy setting, found at \Computer Configuration\Administrative Templates\Windows Components\Store. Use this policy setting when the workspace will be booted from the same or a limited number of computers. If the Windows Store will remain disabled, Microsoft recommends that you remove the default Windows Store–related apps, such as Sports or News, from the Windows To Go workspace image. These apps are updated through the Windows Store and therefore cannot be updated with the Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can still be loaded, run, and managed through normal app management processes.
Additional resources:
• Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685
• "Management of Windows To Go using Group Policy" at http://technet.microsoft.com/en-us/library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp
• "How to Add and Remove Apps" at http://technet.microsoft.com/en-us/library/hh852635.aspx
• "Managing Client Access to the Windows Store" at http://technet.microsoft.com/en-us/library/hh832040.aspx
• "Prepare Your Organization for Windows To Go" at http://technet.microsoft.com/en-us/library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4
Activating Windows To Go workspaces
Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service (KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot use Multiple Activation Key (MAK) activation, because MAK activation binds to the host computer's hardware. Windows To Go uses a standard Windows license and counts as an installation for applicable licensing agreements. The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever the workspace is booted within the school's network or when using a remote connection like DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to reactivate them by connecting them to the network containing the ADBA or KMS services. Applications to be used within the workspace might also need to be activated. Office 2013 uses the same activation methods as Windows To Go, but software from other vendors, such as LMSs and other educational applications, might have different licensing. Verify the Windows To Go usage scenario with the appropriate vendors to ensure licensing compliance.
Additional resources:
• "Plan for Volume Activation" at http://technet.microsoft.com/library/jj134042.aspx
• "Understanding KMS" at http://technet.microsoft.com/en-us/library/ff793434.aspx
• "Active Directory-Based Activation Overview" at http://technet.microsoft.com/en-us/library/hh852637.aspx
• "Volume activation of Office 2013" at http://technet.microsoft.com/en-US/library/ee705504.aspx
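Because a workspace that stays off the school network for more than 180 days lapses, it is useful to report how long each drive has left before it must reconnect. The following PowerShell function is an added example, not part of the guide: it reads the same licensing data that slmgr.vbs uses (the SoftwareLicensingProduct class, whose GracePeriodRemaining is expressed in minutes) and flags any workspace whose Windows activation is not in the Licensed state or will expire within a warning window. The 30-day threshold and the function name are the example's own choices; run it inside the booted workspace.

```powershell
# Added example, not the guide's own script. Run inside the booted workspace.
# Assumption: Windows' licensing data is exposed by the SoftwareLicensingProduct
# CIM class (the class slmgr.vbs reads), with GracePeriodRemaining in minutes.
function Get-WtgActivationStatus {
    param([int]$WarnDays = 30)   # flag drives that would lapse before a likely campus visit

    # LicenseStatus codes as documented for SoftwareLicensingProduct.
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                      4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    # ApplicationID of the Windows OS product family; filters out Office and other
    # products that also register licensing entries.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationID = '$windowsAppId'" |
    ForEach-Object {
        $daysLeft = [math]::Floor($_.GracePeriodRemaining / 1440)
        [pscustomobject]@{
            Product      = $_.Name
            Status       = $statusNames[[int]$_.LicenseStatus]
            Channel      = $_.ProductKeyChannel      # 'Volume:GVLK' for KMS/ADBA clients
            DaysLeft     = $daysLeft
            NeedsRenewal = ($_.LicenseStatus -ne 1) -or ($daysLeft -le $WarnDays)
        }
    }
}

Get-WtgActivationStatus | Format-Table -AutoSize
```

A drive that shows a Channel other than Volume:GVLK is not a KMS/ADBA client and will not renew by simply visiting the network, which is the MAK case the section above rules out.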
Managing Windows To Go
You can use the same Windows management tools with which you are already familiar to manage Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within your institution. For example, you can manage Windows To Go workspaces by using:
• Group Policy. See "Group Policy" at http://technet.microsoft.com/windowsserver/bb310732.aspx for more information.
• Windows Intune. See "Windows Intune" at http://technet.microsoft.com/windows/intune.aspx for more information.
• System Center 2012 Configuration Manager. See "System Center Configuration Manager" at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information.
When you use Group Policy to manage Windows To Go, Microsoft recommends that you create one organizational unit (OU) for the Windows To Go workspaces and another for the host computers, so that workspace-specific and host-specific settings are scoped only to the computers they apply to. You can use the OU for Windows To Go workspaces to:
• Change settings for the Windows Store
• Change standby sleep states
• Change hibernate settings
You can use the OU for host computers to provide granular control over the Windows To Go Startup Options so that only certain computers will be configured to boot from the USB drive.
Group Policy settings related to the Windows To Go workspace The settings in the following list are particular to Windows To Go workspaces: • Allow hibernate (S4) when started from a Windows To Go workspace This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspaces, so enabling this setting explicitly turns the ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system as well as the disk itself are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
NOTE For the host PC to resume correctly when hibernation is enabled, the Windows To Go workspace must continue to use the same USB port.
• Disallow standby sleep states (S1–S3) when starting from a Windows To Go workspace. This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The sleep state presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it were shut down. It would be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down, remove the Windows To Go drive, and take it home. Removing the drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption of the drive. Moreover, if the user then boots the drive on another PC and brings it back to the first PC, which is still in the sleep state, the result is an arbitrary crash and eventually corruption of the drive, leaving the workspace unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
• Allow Store to install apps on Windows To Go workspaces. This policy setting allows or denies access to the Store application from a Windows To Go workspace running Windows 8. (This policy does not apply to devices running Windows 8.1.) If you enable this setting, access to the Store application is allowed from the Windows To Go workspace. Enable this policy setting only when the Windows To Go workspace will be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Windows Store is not a supported scenario. However, sideloaded Windows Store apps can run in Windows To Go workspaces even when roamed among multiple PCs. If you disable or do not configure this policy setting, access to the Windows Store application is denied on the Windows To Go workspace.
Group Policy settings related to the host computer
The Windows To Go Default Startup Options policy setting controls whether the host computer boots to Windows To Go when a USB device containing a Windows To Go workspace is connected, and whether users can make changes by using the Windows To Go Startup Options settings dialog box. If you enable this policy setting, booting to Windows To Go when a USB device is connected is enabled, and users cannot make changes in the Windows To Go Startup Options settings dialog box. If you disable this policy setting, booting to Windows To Go when a USB device is connected is not enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB by using the Windows To Go Startup Options settings dialog box.
NOTE Enabling this policy setting causes PCs running Windows 8.1 to attempt to boot from any USB device that is inserted into the PC before it is started. Treat it like any other USB-boot setting: a host whose internal disk is not protected by BitLocker can then be started into an attacker's operating system from a USB stick and its disk read or altered, so apply the setting only to the OU of host computers that need it and keep BitLocker enabled on those hosts.
Additional resources:
• "Prepare Your Organization for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592678.aspx
• "Deployment Considerations for Windows To Go" at http://technet.microsoft.com/en-us/library/jj592685.aspx
Storing user data and settings

In a typical Windows installation, user data and settings are stored on the computer’s internal disk. However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario. The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the drive is lost or damaged, the user will lose their data and settings.

With this in mind, users need a method to access their data and settings from multiple locations when using the Windows To Go workspace. Multiple options are available for access to data and settings from within a Windows To Go workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to separate data and settings from the workspace and enable them to roam. These technologies require little infrastructure and are very easy to configure. If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option. SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go workspace with a Microsoft account. Table 3 describes the options for data and setting storage.

Table 3 Options for Data and Setting Storage in Windows To Go

                          | Local storage in the Windows To Go workspace | UE-V with Folder Redirection                                                  | SkyDrive
Configuration             | Requires no additional configuration         | Requires agent installation in the workspace and Group Policy infrastructure  | Requires minimal configuration; must log on with a Microsoft account for settings to be synchronized
IT expertise              | None                                         | IT pro                                                                        | End user
Backup                    | None                                         | Uses backup methods already in place in the infrastructure                    | Cloud-based service that is backed up in the datacenter
Data and settings roaming | None                                         | Yes                                                                           | Yes, as long as a Microsoft account is used
Bandwidth used            | None                                         | Intranet                                                                      | Internet
UE-V with Folder Redirection

UE-V with Folder Redirection provides access to data and settings for a consistent desktop experience no matter where the user logs on. It is the recommended method for providing access to data and settings with Windows To Go, because it provides the best combination of flexibility and manageability for most infrastructures. UE-V with Folder Redirection consists of several components that combine to provide a seamless virtualized experience:
• UE-V  UE-V synchronizes users’ settings with a simple network file share. Changes made to Windows and application settings are synchronized with the file share and available when users log on to their Windows To Go workspace or any domain-joined PC.
• Folder Redirection  Folder Redirection stores user data and application-related data on a file share so that users can access the data regardless of logon location.
• Offline Files  Offline Files ensures that files and folders are accessible even if the device is currently disconnected from the network. This includes the UE-V settings store and any redirected folders. Configuring Offline Files is essential if students are allowed to take their Windows To Go workspaces home with them.
Cloud storage

Cloud storage is a viable option for keeping user data in a Windows To Go deployment. When considering cloud storage, SkyDrive and Office 365 provide many options. Anyone can obtain SkyDrive storage, and Microsoft provides up to 7 GB of space at no cost. Users can purchase additional space, if necessary. Visit http://windows.microsoft.com/en-US/skydrive/ for more information on SkyDrive. SkyDrive requires a Microsoft account, and students under the age of 13 require parent authorization. For more information, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.

Office 365 also offers a full version of Office, with storage available in the cloud. This is a viable option if Office will be the primary tool used in the Windows To Go deployment. Office 365 offers educational institution plans, including a free tier for students and faculty.

With SkyDrive, both data and settings can be stored in the cloud. These settings can include things like Internet Explorer favorites, desktop, and other settings. If SkyDrive is disabled through Group Policy, it is also disabled for both data and settings storage. However, if you create a new OU for the Windows To Go drives, SkyDrive can be enabled for that OU specifically.
Additional resources:
• Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478.aspx
• “User Experience Virtualization” at http://technet.microsoft.com/en-us/windows/hh943107.aspx
• SkyDrive website at http://windows.microsoft.com/en-US/skydrive/
• “Office 365 Deployment” at http://technet.microsoft.com/en-us/library/hh852466.aspx
• “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592679.aspx
• “Supporting Information Workers with Reliable File Services and Storage” at http://technet.microsoft.com/en-us/library/hh831495
• “Folder Redirection, Offline Files, and Roaming User Profiles Overview” at http://technet.microsoft.com/library/hh848267
• “Overview of user and roaming settings for Office 2013” at http://technet.microsoft.com/en-us/library/jj733593.aspx
Configuring Windows To Go for remote access

Enabling users to access network resources from off-campus locations such as home is an important aspect of the Windows To Go usage scenario. To provide access to network resources, you might deploy a remote access solution. Windows To Go can use already-supported remote access solutions such as:
• DirectAccess  DirectAccess provides an advanced remote access solution that enables built-in security, monitoring, and integration with other Microsoft enterprise services.
• Traditional VPN-based solution  A VPN is also supported as a means to enable remote access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients.
• Auto-triggered VPN  When a user opens an app or resource that needs access through the inbox VPN (e.g., a company’s intranet site), Windows 8.1 automatically prompts to sign in with one click. This feature is available with Microsoft and third-party inbox VPN clients.

See the section “Configure Windows To Go workspace for remote access” in the Deploy Windows To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including Windows PowerShell scripts related to the remote access deployment.

Additional resources:
• “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet.microsoft.com/library/hh831416
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
• Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx
• “What’s New in Remote Access in Windows Server 2012 R2” at http://technet.microsoft.com/en-us/library/dn383589.aspx
Securing Windows To Go drives

A key security consideration for a Windows To Go deployment is the use of BitLocker. BitLocker helps to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect students’ security and privacy in the event of a lost Windows To Go workspace. As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user instead is prompted for a password to unlock the drive. You can control the password policy through Group Policy; by default, the minimum password length is eight characters.

When first inserted into the provisioning computer, the USB drive to be used for the workspace is considered a normal removable data drive. The drive must have one or more volumes already defined. In addition, you may need to change Group Policy settings related to BitLocker to use the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption, include:
• Control use of BitLocker on removable drives  Controls whether BitLocker can be used on removable drives. This policy must be enabled.
• Configure use of smart cards on removable data drives  If this policy is enabled, sign in with your smart card prior to beginning the Windows To Go Creator Wizard.
• Configure use of passwords for removable data drives  The computer on which you run the Windows To Go Creator Wizard must be able to connect to a domain controller when this setting, along with the Require password complexity option, is enabled.
• Require additional authentication at startup  This setting, which you must also change, enables the use of passwords with an operating system drive so that BitLocker can be configured within the workspace. Enable the setting by selecting the Allow BitLocker without a compatible TPM option.
An option that enables easier management of BitLocker is Microsoft BitLocker Administration and Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available with Microsoft Software Assurance licensing. Visit http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx for more information on MBAM.
Configuring BitLocker before distribution

You can configure BitLocker prior to distributing the Windows To Go workspace to users. Doing so reduces the amount of time necessary to enable BitLocker encryption on the drive. Importantly, it protects the drive and workspace immediately. Another advantage to enabling BitLocker during provisioning is that the recovery keys are backed up to the provisioning computer account in Active Directory Domain Services (AD DS). In situations where AD DS is not used to store recovery keys, you can save the recovery keys to a file or print the keys. In addition, you must set the password for BitLocker encryption during provisioning and instruct the user to change the password on first boot. You do so by using Windows PowerShell cmdlets. See “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx for more information, including scripts for enabling BitLocker. When BitLocker is enabled after provisioning, the recovery keys are stored with the workspace’s computer account.
NOTE Do not pre-provision BitLocker if you will be using a USB drive duplicator to create multiple copies of Windows To Go workspaces.
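The pre-provisioning step described above, as an added example that is not part of this guide or of Microsoft’s deployment scripts: it enables BitLocker on a Windows To Go drive that is attached to the provisioning computer, using an initial password protector plus a recovery password that is either backed up to AD DS or returned for the administrator to save or print. It assumes the Windows BitLocker PowerShell module, that the workspace drive is E:, that the Group Policy settings listed in the previous section are in place, and that the provisioning computer can reach a domain controller when -BackupToAdds is used; the function name Protect-WtgDrive is the example’s own.

```powershell
# Added example: pre-provision BitLocker on a Windows To Go drive before distribution.
# Assumes the BitLocker module, drive letter E: (constructed), and the Group Policy
# settings from the previous section. Protect-WtgDrive is a hypothetical name.
Import-Module BitLocker -ErrorAction Stop

function Protect-WtgDrive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,          # e.g. 'E:'
        [Parameter(Mandatory)] [SecureString] $InitialPassword,
        [switch] $BackupToAdds                                # needs a reachable domain controller
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is not a plain unencrypted volume (status: $($vol.VolumeStatus))."
    }

    # Windows To Go does not use the TPM, so the drive is unlocked by a password protector.
    # IT sets this initial password; the user is instructed to change it on first boot.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $InitialPassword | Out-Null

    # A recovery password lets the help desk unlock the drive if the user forgets the password.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if ($BackupToAdds) {
        # Stores the recovery password with the provisioning computer's account in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        $stored = 'AD DS'
    } else {
        # No AD DS: the administrator must save or print this value before the drive is handed out.
        $stored = $rp.RecoveryPassword
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        Protectors       = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
        RecoveryPassword = $stored
        Status           = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
    }
}

# Usage: prompt for the initial password, protect drive E:, and back the recovery key up to AD DS.
$initial = Read-Host -Prompt 'Initial BitLocker password for the workspace' -AsSecureString
Protect-WtgDrive -MountPoint 'E:' -InitialPassword $initial -BackupToAdds
```

Run it on the provisioning computer only; per the NOTE above, do not run it on a drive you intend to duplicate.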
Configuring BitLocker after distribution

You can also configure BitLocker after distribution. In this scenario, the user (with administrative rights on the workspace) enables BitLocker after boot. This means that you must grant administrative privileges to the user for the workspace; it also means that the drive and workspace are not protected by BitLocker until the user enables the protection. MBAM provides an alternative: You can centrally enforce BitLocker policies that you define in Group Policy. Additionally, standard user accounts can encrypt their drives, and MBAM provides a self-service recovery portal that can help users quickly recover their drives if they forget their passwords.

A potential disadvantage of configuring BitLocker after distribution is that you must obtain recovery keys from the user if the keys are not stored in AD DS (although you can use MBAM for this purpose, as well). In addition, the user can store recovery keys in a file, by printing them, or on SkyDrive. You can also define BitLocker policies that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive unless it can back up recovery keys to AD DS.

Additional resources:
• “Security and Data Protection Considerations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592679.aspx
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
• “Why can’t I enable BitLocker from ‘Windows To Go Creator’?” at http://technet.microsoft.com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail
• “BitLocker Overview” at http://technet.microsoft.com/en-us/library/hh831713.aspx
• “Enable BitLocker protection for your Windows To Go drive” at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy
• The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx
Building multiple Windows To Go drives

When you need to distribute a Windows To Go workspace to more than a few users within the institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive duplicator to create a large number of copies of a given workspace. This scenario is appropriate when the workspace has the same applications and tools and will be distributed to the same types of users, such as students; it also enables you to create multiple workspaces, one for students and one for faculty. When using a drive duplicator, be aware of the following caveats:
• Do not boot the drive prior to duplication.
• Do not enable BitLocker on the drive.
• Do not configure offline domain join in the workspace.

Whether you need to create a single copy or many copies of a workspace, a Windows PowerShell cmdlet might be appropriate. See “Advanced deployment sample script” at http://technet.microsoft.com/en-us/library/jj721578.aspx#wtg_adv_script for more information, including a sample script for creating multiple drives with Windows PowerShell. By using Windows PowerShell, you can create custom workspaces (e.g., based on grade, homeroom, and so on).

Additional resources:
• “Deploy Windows To Go in Your Organization” at http://technet.microsoft.com/en-us/library/jj721578.aspx
Talking about Windows To Go

Communicate with students and faculty when introducing Windows To Go. Windows To Go requires users to change their workflows, and they should be aware of limitations and changes necessary to make their use of Windows To Go successful. One idea would be to provide this information in a wiki or through a handout, as appropriate. In particular, educate users to:
• Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive
• Ensure that the host computer has been fully shut down before inserting the Windows To Go drive
• Insert the Windows To Go drive directly into the computer, not into a USB hub
• Always shut down Windows and wait for the shutdown process to finish fully before removing the Windows To Go drive

Also, consider how Windows To Go will be supported. If training is necessary for help desk staff, plan for that training in advance of the deployment.

Additional resources:
• “Best Practice Recommendations for Windows To Go” at http://technet.microsoft.com/en-us/library/jj592681.aspx
Conclusion

Windows To Go is an excellent solution for educational deployments. The ability to provide a standardized Windows experience that runs from virtually anywhere means that people can get their work done faster and more easily than before. You can create Windows To Go workspaces and manage them by using the same tools you already use within your organization. You can create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can manage Windows To Go workspaces through Group Policy. To learn about other ways you can deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
© 2014 Microsoft Corporation. All rights reserved. This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.