How Windows to Go can protect data for business travelers

Worried about workers traveling internationally with sensitive company data on a laptop? A Windows to Go USB stick might be the answer for intrusive searches or bans on airplanes.

cybersecurity stock
Gerd Altmann (CC0)

Often, Microsoft presents technological solutions to problems experienced by only a tiny percentage of its customer base. Windows to Go was like that — a nice solution to a problem that was virtually non-existent back when it was first released in 2011. Six years later, though, Microsoft is looking prescient, since its solution fits a new problem that a lot more people want solved.

What is Windows to Go? It’s a way to take a Windows installation with you on a USB thumb drive. You pop that thumb drive into any computer, boot from the USB, and your personalized installation of Windows — with all of your applications and files and access to corporate resources — is there. When finished, shut down, unplug the USB thumb drive, and away you go. It’s essentially portable Windows.

Windows to Go becomes more attractive in a world that seems to consider anyone traveling with electronics to be a security threat. You probably recall the recent news of the ban on laptops from all flights entering the United States from certain Middle Eastern countries, as well as, more recently, flights coming from Europe. Although this ban has been lifted, more stringent security protocols are reportedly being developed for both domestic and international flights.

We could soon be entering a world where laptops are either checked in the baggage hold or not brought on trips at all. There’s also a growing chance that customs officers at ports of entry will demand access to electronics for either cursory or in-depth examinations. Having nothing but a nice little USB thumb drive tucked away somewhere could be a smart approach.

The implications for enterprises are obvious. Many organizations have security policies that prohibit employees from leaving their corporate laptops unattended. Many do not, as a matter of policy, encrypt the hard drives of those laptops. (This is clearly a mistake in today’s world, but that does not change the reality of the situation.) And many of them send field workers into some very remote and insecure areas of the world, often with valuable business assets and trade secrets stored in digital form on those workers’ laptops.

Those organizations now confront new security protocols that make it more likely that workers will be separated from their laptops, or that the devices will be searched. Those are big risks that must be mitigated.

The best thing to do might be to tell business travelers to leave the laptop at work. If there were a way for workers to leave the device behind while still carrying all the data and applications they need, that would be ideal. That’s where Windows to Go comes in.

Plug and work

Windows to Go was introduced in the Windows 8 release wave as an alternative to virtual desktop infrastructure. It is essentially a portable, self-contained installation of Windows that you use on a USB thumb drive — a USB 3 drive, to be precise, which has the necessary read, write and data transmission speeds to run an operating system. Configured properly, that thumb drive is an entirely self-contained, encrypted computer that fits in your pocket. You can pop it in your travel bag or tuck it into your socks, if you’re that type of person.

To access the content, you just plug it into any reasonably modern PC and boot off the USB drive. Your OS, documents, wallpaper, VPN, personal settings, applications and everything else are right there for you. If the IT department has configured DirectAccess, that copy of Windows can reach out over the internet and retrieve your managed settings, object configurations and more.

Because you have booted from the USB drive, everything you do will be retained on the thumb drive, not the hard drive of the host computer. (See below for more details.) When you’re done, you just pull out the thumb drive, and not even a shadow of your activities will remain behind.

Just a few differences

There are some differences between Windows to Go, in its default configuration, and a similar copy of Windows installed on a fixed drive in a PC:

  • The hard drive of the host computer on which Windows to Go is running is hidden by default. This keeps whatever crap is on the local system from seeping onto the Windows to Go USB drive and ensures that users properly save and retrieve documents to the USB stick. You can disable this functionality, but it is more secure to leave the hiding feature on.
  • Booting from the thumb drive is easy, but it isn’t instantaneous. The first time you use the stick on any new target computer (that is, the “guest hardware” into which you plug the Windows to Go USB stick), a process kicks off that identifies the correct hardware drivers for the target system and enables and installs them. This process may reboot the computer several times, after which the boot process will proceed straight into Windows.
  • Windows to Go detects drive removal. Windows in this configuration will pause the whole computer if the USB drive is removed, and after 60 seconds it will shut itself down unless the USB drive is reinserted into the target machine before then. This is a good security precaution. Say that one of your users plugs her Windows to Go thumb drive into an airport kiosk and then just removes the stick without shutting down the computer. If her data persisted on the host computer, someone could easily access it after she left to catch her plane. The 60-second grace period is a welcome feature to anyone who might inadvertently remove the stick before finishing her task.
  • Access to the Windows Store is disabled by default, but it can be re-enabled through a Group Policy object change.

Otherwise, Windows to Go behaves identically to Windows fully installed on a fixed computer. And you can keep using it on any number of host computers without any worries that you are picking up any unwanted malware from them.

Deploying Windows to Go

It is not much more work to deploy Windows to Go than it is to release images of any version of Windows these days — tools that you probably already use such as DISM and ImageX will work just fine. All you need is the correct USB drive hardware (see below), a Windows Enterprise image and the Windows Enterprise host computer that will write and provision the Windows to Go image to the USB stick.

It is possible to scale this deployment process with PowerShell scripts that will let you can make multiple sticks at once. Microsoft’s TechNet site has a comprehensive guide to deploying Windows to Go USB sticks, including those scripts. It’s well worthwhile to walk through the process ahead of time so you get a feel for the steps needed to complete the provisioning.

After the sticks are created, you just hand them out to their respective users, with a bit of instruction about how it all works and the booting process. (Those repeated reboots could freak a user out if she hadn’t expected them.)

As to what computers to use as Windows to Go hosts, users have a few options:

  • They could take a bare-metal laptop, one that has no operating system installed at all. (One with a simple installation of Linux or Windows but no data would be fine as well.) No data is at risk if someone tries to access it while it is out of the user’s hands. Once user and laptop are reunited, she can plug in the thumb drive, which has never left her possession, and carry on.
  • They can use Windows to Go on any publicly available computer in a business center, a hotel, a convention venue or an airport. Since the computer reboots to boot into Windows to Go, they don’t have to be concerned about software keyloggers or other runtime-based malware. Do caution users, however, about hardware keyloggers. If you find that risk too great, go with the stripped-down laptop.
  • They can probably much more safely use any computer controlled by your own company’s global offices. If the users are visiting clients’ or partners’ offices overseas, you will probably want to assess the risk for each individual case.
  • They can purchase burner equipment at their destination and return with it or destroy it. You can pick up a cheap laptop sufficient to run Windows to Go at any office supply store. A few hundred dollars might be considered a good investment when weighed against the risks of the other options.

Microsoft lists officially supported Windows to Go USB drives. I have hands-on experience with the IronKey Workspace W300, W500 and W700 drives and can recommend them based on their additional security features, such as boot passwords and self-destruction capabilities for hard-core security buffs. But USB 3 devices not on the list might work as well. Avoid the Kingston DataTraveler, even though it is on Microsoft’s list. It became scorching hot in my tests after less than an hour of Windows to Go usage.

Licensing Windows to Go

Of course, USB thumb drives and burner laptops could be the least of the expense of using Windows to Go. You are not going anywhere without submitting to the money grab that is Microsoft licensing.

Windows to Go is part of the Software Assurance program, that bundle of additional benefits and license flexibility that you get by forking over a premium of about a 33% to 40% on top of the cost of the license in question. (This can generally be upwards of $300 per license in total cost, though that figure will obviously depend on the volume discounts you get and the number of licenses covered by your agreement.) The benefits of SA differ depending on whether your license is for a consumer or a server operating system and whether you’re talking about server application software or business applications such as Office.

Because Windows to Go involves an operating system license, it is part of the Windows SA benefit package. Your first big decision is if you want to license per device or per user. A per-device license will let you use Windows to Go on any third-party device while off-site. A per-user license lets you use Windows to Go on any device, corporate-owned or not, on-site or off-site. Either licensing method allows for using Windows to Go on a personally owned device, but not while you are on a corporate campus. (This has to do with roaming benefits, or the ability to take a copy of the software you use at work and put it on your home machine.)

Give Go a go

Windows to Go was ahead of its time, but its day may have come, as international travelers face new restrictions on electronics. Security departments should like it, and any inconvenience for the traveler is offset by the need to carry one small thing instead of one heavy thing. And if bans on electronics fade away as a threat, a policy embracing Windows to Go is easy to retire. Give it a look.

Copyright © 2017 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon