Module 3:

Windows To Go Overview

NameTitle

The CA Accelerate 1:M IT Pro Boot Camp

`

BYOD goes mainstream

changing security landscape

enabling mobility critical for success

anywhere, anytime expectations

`* Any device certified for use with Windows 7, Windows 8, or Windows 8.1, regardless of the OS running on the host machine. Software Assurance (SA) for Windows required .

01100111110100111100100110001001

Booting from Internal hard drive

FIREWALL

App-VUE-V

Folder Re-Direct

01100111110100111100100110001001

Booting from External USB drive

App-VUE-V

Folder Re-Direct

App-VUE-V

Folder Re-Direct

BitLocker

Windows To Go, Your Portable WorkspaceA consistent Windows 8.1 experience on any device with Windows To Go

`

Mobility for the EnterpriseWindows To Go: Windows in your back pocket

ContractorsBring Your Own Device (at work)

Travel Light / Work from Home

Shared PCs Up and Running on Windows 8

`

Travel Light: At work, at home, on the road

Corporate Office

Home

Branch Office

Library/Coffee house

Software Assurance (SA) for Windows

Covered under SA roaming rights* (no additional license required)

Software Assurance (SA) for Windows

*Roaming rights provide the primary user of an SA covered device rights to run Windows To Go or VDI from non-corp devices while off premise.

Covered under SA roaming rights* (no additional license required)

`

Bring Your Own Device; Employees and Contingent Staff

Work Location

Primary Device

Secondary Device

Windows VDA or Software Assurance (SA) for Windows

Companion Subscription License (CSL)*

*Windows CSL provides the primary user of an SA or VDA covered device rights to run Windows To Go or VDI from secondary non-corp owned devices.

`

Shared PCs

Software Assurance (SA) for Windows

Multiple Users Single or Multiple Locations Shared PCs

`

Windows in your back pocket

Secure ManageableEasy To Use

`

Protecting corporate dataSupports BitLocker drive encryption

New Password Key ProtectorPre-OS password to unlock Windows To GoTrusted Platform Module (TPM) is not usedMDOP 2013 and MBAM

Protection with Trusted Boot

Protects Windows boot process and anti-malware software

Protection with Windows

Can take advantage of all Windows security offerings, just like a laptopFor example, remote connectivity solutions still enforce the same security requirements

`

Secure: Prevents data leakage

Separation from host PCs internal hard drive

Makes the host’s internal hard drive offlineExternal Storage Devices are still accessible Utilizes SAN policyCan be controlled by Group Policy

Host PC’s internal Hard Drive not visible

`

Booting from USB

Windows To Go Startup Options

Allows host PCs to automatically boot from USBAvailable on Windows 8 and Windows 8.1 hosts 2 Easy Steps in Windows 8 /

Windows 8.1Search for “Windows To Go Startup options” Select “Yes”

Not Running Windows 8 / Windows 8.1

USB boot “hotkeys”Configure BIOS to boot from USB

`

Full Fidelity ExperienceHigh performance

Full native hardware access on the host machine Same peripheral support as Windows 8.1Touch enabled, mouse and keyboard aware

Windows 8: New Windows apps in the enterprise

Windows Store is disabled by defaultFor users that don’t roam, GP can enable the storeEnterprise sideloading of LOB metro-style apps works regardless

Windows 8.1: New Windows apps in the enterprise

Windows Store is enabled by defaultEnterprise sideloading of LOB metro-style apps continues to work

`

Easy to Use: Redefine Mobility

Work Across Multiple PCs

On a new PC drivers are installed on first bootIdentifies computer from characteristics of machine firmware Stores configuration to boot faster on previously used PCs

Work Across system Firmware

Can be configured to boot on both UEFI and Legacy BIOS Both sets of boot components are placed on a system partitionDoesn’t solve architecture incompatibility

`

Easy To Use: Resilient to unintended removal

Resilient to unintended removal from host device

Resumes workspace when USB is put back on within 60 seconds

Protects data by enforcing system shut down after 60 secondsUser removes

USB during a running session

USB Boot disc

removal is

detected by the

USB stack

USB Drive is returned to

host PC within 60 seconds

The system freezes, the stack waits 60 seconds for the USB drive

to return

System will resume

System is turned off

Yes

No

`

Differences Between Windows To Go and Windows

Windows Recovery

Windows Recovery environment is not availableRefresh or Reset your PC is not available

Special Considerations

Hibernate is disabled by defaultDon’t insert the Windows To Go drive into a running PCAlways shut down Windows and wait for shutdown to complete before removing a Windows To Go driveSupported on PCs certified for use with Windows 7, 8, and 8.1 regardless of the OS on the machine

`

Windows To Go Certified Drives

Why is the use of a certified drive important?

Certified drives are optimized to meet the necessary requirements for booting and running Windows from a USB drive: Built for high random read / write speeds Support thousands of random access I/O per

second Provide wear-leveling features improving drive

longevity Tuned to ensure they boot and run on hardware

certified for use with Windows 7, Windows 8, and Windows 8.1

Only certified and optimized drives are supported

`

Manufacturer Storage size

Kingston® DataTraveler® Workspace

www.kingston.com/wtg

32, 64, 128 GB

Manufacturer Storage size

Super Talent RC4

www.supertalent.com/wtg32, 64, 128, 256 GB

Imation IronKey® Workspace W300

www.imation.com/wtg

32, 64, 128 GB

Imation IronKey® Workspace W500

www.imation.com/wtg

32, 64, 128 GB

Super Talent Express RC8

www.supertalent.com/wtg 32, 64, 128 GB

SPYRUS Portable Workplace™

www.spyruswtg.com 32, 64, 128 GB

WD My Passport Enterprise

www.wd.com/wtg 500 GB

SPYRUS Secure Portable Workplace™

www.spyruswtg.com

32, 64, 128 GB

Windows To Go Certified DrivesOptimized for booting and running Windows 8 and Windows 8.1 Enterprise on hardware certified for use with Windows 7 or higher Windows operating systems.

*Microsoft only supports certified drives.

`

Evaluation: Self Provision with the Creator ToolWindows To Go Creator in Windows 8.1

EnterpriseProvision single drive with an Enterprise Image only

Select Drive

Select Image

Enable BitLocker

Can be custom WIM or pointed at mediaNeed admin access

Can enable BitLocker

Deployment

`

Deployment Scenarios

IT Provisioning for central deployment

IT scripts the creation of drives Users pick up Windows To Go stick from central locationUsers boot at work to join domain and enable BitLockerWindows To Go is ready to use

User Self-Provisioning

System Center 2012 Configuration Manager SP1System Center 2012 R2 Configuration Manager

`

IT Provisioning for Central Deployment

IT Admin Experience

Uses PowerShell scripts to provision from Windows 8.1Provision from Windows 7 with cmd scriptsCan use same tools and image for laptops and Windows To GoAdvanced options like BitLocker at deployment time or Offline Domain Join

(Standard) User Experience

User receives device from IT adminFirst boot of the device may occur at home if DirectAccess and Offline Domain Join is utilizedRun Windows To Go device for necessary scenarios

`

Duplication: IT Provisioning

USB Duplicator

Specialized USB duplication hardware All drives are identical - user specialization occurs as separate stepCertified drive partners offer duplication services

PowerShell + USB Hub

Use PowerShell’s multiple process capabilitiesParallel provisioning of all drives attached to a machineAllows for unique drive creation (e.g. using Offline Domain Join)

`

Deployment: User Self ProvisioningSystem Center Configuration Manager

IT Admin Experience

Uses existing Windows 8.1 deployment model for Windows To GoCreates prestaged media Creates a package with self service tool (provided)Deploys the Windows To Go package to the appropriate users

(Standard) User Experience

Browse the ConfigMgr Application Catalog Receives a UI that walks through basic inputs Reboots on CorpNet and completes the provisioning process

`

Manageability

Configure user and system settings with Group Policy

Group Policies introduced specific to Windows To GoPower Policy (hibernate and sleep)Store PolicyWindows To Go startup options

System Center Configuration Manager

Inventory software and hardwareDeploy applications and software updatesSettings complianceSystem Center 2012 Configuration Manager SP1 for Windows 8 only deploymentsSystem Center Configuration Manager R2 for Windows 8 / 8.1 deployments

`

How Windows To Go works: Putting it all together

Certified USB Drive

Management Tools System Center

Manage

Microsoft License Activation

Activate

IT User

Work Acros

s

Boot from managed and

unmanaged PCs

Windows 8.1

Line of Business Applications

Physical or Virtual

+Create &

Deploy

System Center / Creator Tool

Home

Office

Branch

`

Summary

Provides more Mobility

Easy To Use Secure & Manageable

Work from Many Deviceswith Flexible Use Rights

Access to Windows 8.1 Enterprise

Virtualize, Manage, Restore with MDOP

Software Assurance for Windows

DirectAccessConnected to corporate networks, seamlessly and more securely

BranchCacheUsers in the branch office can download documents and apps faster

AppLockerSpecify what software is allowed to run on a user's PCs

Virtual Desktop Infrastructure (VDI)Improved end-user experience

Windows To Go CreatorCreate a corporate Windows 8.1 environment on a USB stick

Windows To Go Use RightsAccess from any SA/VDA licensed deviceUse WTG on personal PC at work* or at home

Microsoft Advanced Group Policy Management (AGPM)Checkpoint your policy rollout, minimize downtime

Microsoft Diagnostics and Recovery Toolset (DaRT)Restore user productivity quickly

Microsoft User Experience Virtualization (UE-V)Change your device, keep your experience

Microsoft Application Virtualization (App-V)Virtually any application, anywhere

Microsoft Enterprise Desktop Virtualization (MED-V)Enable your Windows XP-based apps on Windows 7

* Companion Subscription License Required

Enterprise SideloadingDeploy Windows 8 apps from outside of the Windows Store

Microsoft BitLocker Administration

and Monitoring (MBAM)Simplified BitLocker management

Companion Subscription LicenseVDA/WTG right can be extended to up to 4 companion devices under add-on for SA

Virtual Desktop Access (VDA)Enable users to access virtual instances of Windows in a variety of user scenarios

Free VDA rights for Windows RT companion devices

Enterprise SideloadingDeploy Windows 8 apps from outside of the Windows Store on Windows RT and Pro

SA foundationaluse rights, technology, support

Start screen controlControl Start screen configurations for different groups using Group Policy

NEW

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.