One of my favourite enterprise features that Microsoft is adding to Windows 8 is Windows To Go, which lets you provision a desktop on a USB flash drive and take it with you to boot on any hardware that meets the usual Windows 8 requirements. An IT department can build a desktop image, with applications installed (perhaps some of the intranet apps that you wouldn’t let your staff install on their home PC), and even domain join it before passing it to someone who needs to travel light, or who wants to be able to do some sensitive work on their personal laptop (the one that’s full of spyware and crap because their kids have had the ability to install anything – you know the one – it’s got so many browser toolbars that any web page is only an inch or two tall!). You can even secure it with BitLocker, without requiring a TPM chip in the hardware that’s going to host it.
Speaking of that host hardware, as I said, so long as it would support Windows 8 and will boot from USB, then you’re good to go. You won’t have access to any internal drives in that hardware (unless you’re also the administrator of that machine), but you will be able to use additional devices that you’ve plugged into its other USB ports, for example. When you use Windows To Go on a host PC for the first time, it’s going to do some plug’n’play detection (which may take a few minutes), then continue to boot. Every new bit of hardware is going to be stored in a profile, so the next time you use the same host it’s going to boot much faster (about as fast as you would expect from an internal drive).
Windows To Go isn’t, as a recent TechTarget mailing so cleverly pointed out, the answer to all your “Consumerisation of IT” dreams – they astutely observed that Windows To Go won’t run on an iPad. Running Windows from a USB flash drive on a device that has no USB port is apparently beyond Microsoft – shame on them!
As an additional security measure, if you need to exit in a hurry (I like to imagine myself using Windows To Go behind enemy lines while I’m on some kind of secret mission – I don’t know why!), then you can just pull the drive out and the machine will freeze. If you don’t push it back into the same USB port within 60 seconds then the machine will reboot. If you knocked it out by accident (because the guy entering the internet cafe wasn’t actually a SPECTRE assassin hot on your heels), then you can plug it back in and carry on – if you were playing a video at the time, for example, it’ll take under a second to continue playback.
So to recap, as the IT guy, you can give somebody a Windows 8 instance (which you trust) that they can boot on their own hardware (which you don’t trust!), and you can continue to manage that instance like you would any other domain computer. You can give them software that you wouldn’t let them install on an untrusted computer without all the expense of giving them a trusted computer that you’ve configured. Just as importantly, your user can do important work stuff on the shiny new laptop that they bought for themselves without having to give it to you so that you can configure it and take away their admin rights. It’s a fantastic step in the right direction where “Bring Your Own Device/Computer” (BYOD/BYOC) is concerned.
With Windows 8 just in Consumer Preview (and Windows Server 8 in Beta) at present, not all the details of this feature have been released yet, so some of this may not be 100% accurate at the time you read this:
You need at least a 32GB drive (my test image has Windows 8, Office 2010, Windows Live Essentials and a bunch of files on it and it still has 15GB free). The drive should be USB 3.0, although it’s going to work when plugged into a USB 2.0 port. These flash drives aren’t especially cheap at the moment, and they don’t all work as you’d hope…
When OEMs build drives, they have firmware that includes (among other things) a Removable Media Bit. The RMB is the thing that tells Windows whether the drive is “fixed” or “removable” (it defines the separation in Windows Explorer). The trouble is that if you get one where the RMB is set to “removable” then Windows won’t do certain things with it. It won’t let you partition the drive, so you can’t use BitLocker; it won’t run Windows Update (including standalone WU packages); it won’t let you download apps from the Microsoft Store, and I dare say there are other things that I haven’t come up against yet. With some drives you can flip the value of the RMB, but on the Kingston DT Ultimate G2 32GB that I have, you can’t (I asked Kingston about this and told them why it was an issue – they’re going to bear it in mind for future products).
The upshot is that while you may be able to get Windows To Go to work today, you might not be able to do everything with it, and you might want to exercise caution before buying a load of drives, even if someone says that it works with a particular model.
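One way to check how a drive presents itself before you commit to a model (an added example, not part of the original post): the PowerShell below lists USB-attached disks and shows whether Windows sees each as removable or fixed. The function name `Get-UsbDiskMediaReport` is made up for this example, and it assumes the RMB setting is reflected in the WMI `MediaType` and `DriveType` values.

```powershell
# Added example (not from the original post): list USB-attached disks and show
# whether Windows treats each one as "removable" or "fixed".
function Get-UsbDiskMediaReport {
    Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'" |
        ForEach-Object {
            $disk = $_

            # Follow disk -> partition -> logical disk to find the volumes on it.
            $volumes = @(
                Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
                    ForEach-Object {
                        Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk
                    }
            )

            # Win32_LogicalDisk.DriveType: 2 = removable disk, 3 = local (fixed) disk.
            $removableVolumes = @($volumes | Where-Object { $_.DriveType -eq 2 })

            # Assumption: a drive whose firmware sets the RMB shows up with a
            # MediaType beginning "Removable"; a cleared RMB shows as fixed/external.
            $reportsRemovable = ($disk.MediaType -like 'Removable*') -or
                                ($removableVolumes.Count -gt 0)

            [pscustomobject]@{
                DiskNumber       = $disk.Index
                Model            = $disk.Model
                SizeGB           = [math]::Round($disk.Size / 1e9, 1)
                MediaType        = $disk.MediaType
                DriveLetters     = ($volumes.DeviceID -join ', ')
                ReportsRemovable = $reportsRemovable
            }
        }
}

Get-UsbDiskMediaReport | Format-Table -AutoSize
```

A drive that comes back with `ReportsRemovable` set to `True` is the kind described above, where partitioning, BitLocker, Windows Update and Store downloads are likely to be blocked.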
All that said, if you want to give it a go, there are step-by-step instructions on the TechNet wiki, and a very informative video from the 2011 BUILD conference. Also, Ars Technica has a step-by-step with a slightly different method, using the WAIK and a single partition, so you can do it on a “removable” drive (although you can tweak the TechNet steps to do that too).
Before I forget (and because this is one of the things that I was asked at the TechDays UK IT Camp this week), you are going to be activating Windows via AD or a key management server, hence my pointing out right at the start of this post that this is an enterprise feature.