diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 865059c37e..0d59ddb05d 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1772,7 +1772,12 @@
 },
 {
 "source_path": "windows/deploy/deploy-windows-to-go.md",
- "redirect_url": "/windows/deployment/deploy-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deploy-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11202,7 +11207,12 @@
 },
 {
 "source_path": "windows/plan/best-practice-recommendations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/best-practice-recommendations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/best-practice-recommendations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11332,7 +11342,12 @@
 },
 {
 "source_path": "windows/plan/deployment-considerations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/deployment-considerations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/deployment-considerations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deployment-considerations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11427,7 +11442,12 @@
 },
 {
 "source_path": "windows/plan/prepare-your-organization-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/prepare-your-organization-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/prepare-your-organization-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/prepare-your-organization-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11462,7 +11482,12 @@
 },
 {
 "source_path": "windows/plan/security-and-data-protection-considerations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/security-and-data-protection-considerations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11652,7 +11677,12 @@
 },
 {
 "source_path": "windows/plan/windows-to-go-overview.md",
- "redirect_url": "/windows/deployment/planning/windows-to-go-overview",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/windows-to-go-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-overview",
 "redirect_document_id": false
 },
 {
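Review bot: In the `@@ -11462,7 +11482,12 @@` hunk the legacy `windows/plan/security-and-data-protection-considerations-for-windows-to-go.md` entry now sends readers to the generic `windows-deployment-scenarios-and-tools` page, while the `windows/deployment/planning/...` entry added directly below keeps the same article reachable under `/previous-versions/...`, so two source paths for one article diverge and older bookmarks lose the BitLocker and data-protection guidance outright. The same split appears in every Windows To Go pair in this file, so it looks deliberate rather than a slip, but if the intent was only to avoid a chained hop through a deleted page, both entries can target the archive: `"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/security-and-data-protection-considerations-for-windows-to-go",`. If the generic landing page is the intended destination, it should state that the Windows To Go material moved to previous-versions; that page is not in this diff, so I cannot confirm it does.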
@@ -12725,6 +12755,11 @@
 "redirect_url": "/windows/deployment/update/waas-wufb-group-policy",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/deployment/planning/windows-to-go-frequently-asked-questions.yml",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-frequently-asked-questions",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md",
 "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades",
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 3c3dfae79b..2959b14bbb 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -11,6 +11,7 @@ metadata:
 ms.collection:
 - education
 - tier1
+ - essentials-navigation
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index 0911784589..5733d483e9 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -3,6 +3,7 @@ title: Configure and secure devices with Microsoft Intune
 description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
 ms.date: 01/16/2024
 ms.topic: tutorial
+ms.collection: essentials-manage
 ---
 
 # Configure and secure devices with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index 11039ebcbb..27ad5f3a8d 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -3,6 +3,7 @@ title: Configure devices with Microsoft Intune
 description: Learn how to configure policies and applications in preparation for device deployment.
 ms.date: 11/09/2023
 ms.topic: tutorial
+ms.collection: essentials-manage
 ---
 
 # Configure settings and applications with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 6ddb3c8c54..c72273b7aa 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -3,6 +3,7 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo
 description: Introduction to deployment and management of Windows devices in education environments.
 ms.date: 11/09/2023
 ms.topic: tutorial
+ms.collection: essentials-get-started
 ---
 
 # Tutorial: deploy and manage Windows devices in a school
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 0988c6c58f..1e319e16a4 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -7,6 +7,7 @@ ms.topic: conceptual
 ms.collection:
 - highpri
 - tier2
+- essentials-manage
 ---
 
 # Windows Tools/Administrative Tools
diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md
index e8f41d7572..ad6bdff78f 100644
--- a/windows/configuration/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md
@@ -151,7 +151,7 @@ The following example allows Photos, Weather, Calculator, Paint, and Notepad app - + ```
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 04415dfdb1..8158e2b359 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -406,22 +406,6 @@
 href: configure-a-pxe-server-to-load-windows-pe.md
 - name: Windows ADK for Windows 10 scenarios for IT Pros
 href: windows-adk-scenarios-for-it-pros.md
- - name: Windows To Go
- items:
- - name: Deploy Windows To Go in your organization
- href: deploy-windows-to-go.md
- - name: "Windows To Go: feature overview"
- href: planning/windows-to-go-overview.md
- - name: Best practice recommendations for Windows To Go
- href: planning/best-practice-recommendations-for-windows-to-go.md
- - name: Deployment considerations for Windows To Go
- href: planning/deployment-considerations-for-windows-to-go.md
- - name: Prepare your organization for Windows To Go
- href: planning/prepare-your-organization-for-windows-to-go.md
- - name: Security and data protection considerations for Windows To Go
- href: planning/security-and-data-protection-considerations-for-windows-to-go.md
- - name: "Windows To Go: frequently asked questions"
- href: planning/windows-to-go-frequently-asked-questions.yml
 - name: User State Migration Tool (USMT) technical reference
 items:
 - name: USMT overview articles
@@ -592,4 +576,4 @@
 - name: Install fonts in Windows client
 href: windows-10-missing-fonts.md
 - name: Customize Windows PE boot images
- href: customize-boot-image.md
+ href: customize-boot-image.md
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
deleted file mode 100644
index 9276cbf7c4..0000000000
--- a/windows/deployment/deploy-windows-to-go.md
+++ /dev/null
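Review bot: The `@@ -592,4 +576,4 @@` hunk changes nothing but the file's final newline: `- href: customize-boot-image.md` and `+ href: customize-boot-image.md` are identical and the `\ No newline at end of file` marker sits on the new side, so the commit drops the trailing newline from TOC.yml. Restore it so the file ends with a newline; otherwise every later edit to the last entry produces this same spurious hunk and EOF-newline linters complain. Removing the Windows To Go section in the first hunk is consistent with the redirect entries and the deleted article elsewhere in this diff, so no concern there.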
@@ -1,1025 +0,0 @@ ---- -title: Deploy Windows To Go in your organization (Windows 10) -description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface and programatically with Windows PowerShell. -manager: aaroncz -author: frankroj -ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-deploy -ms.topic: article -ms.date: 11/23/2022 ---- - -# Deploy Windows To Go in your organization - -*Applies to:* - -- Windows 10 - -This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -## Deployment tips - -The below list is items that you should be aware of before you start the deployment process: - -- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. - -- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. 
- -- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. - -- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). - -- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. - -## Basic deployment steps - -Unless you're using a customized operating system image, your initial Windows To Go workspace won't be domain joined, and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain, and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The steps that follow are used in both small-scale and large-scale Windows To Go deployment scenarios. - -Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. 
For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)). - -> [!WARNING] -> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. - -### Create the Windows To Go workspace - -In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools. - -> [!WARNING] -> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. - -#### To create a Windows To Go workspace with the Windows To Go Creator Wizard - -1. Sign into your Windows PC using an account with Administrator privileges. - -2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. - -3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - - > [!NOTE] - > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). - -4. Search for **Windows To Go** and then press **Enter**. 
If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. - -5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.** - -6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. - -7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - - > [!WARNING] - > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. - - If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - > [!IMPORTANT] - > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. 
If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). - -8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process. - - > [!WARNING] - > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. - -9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. - -Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options and boot your Windows To Go drive. - -#### Windows PowerShell equivalent commands - -The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. - -1. 
Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. - -2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - -
-
- Expand to show PowerShell commands to partition an MBR disk - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command sets the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- -3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - -4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: - - ```cmd - W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S: - ``` - -5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - -
-
- Expand to show example san_policy.xml file - - ```xml - - - - - 4 - - - 4 - - - - ``` - -
- -6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - - ```cmd - Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml - ``` - -7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - -
-
- Expand to show example san_policy.xml file - - ```xml - - - - - true - - - true - - - - ``` - -
- - After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`) - - > [!IMPORTANT] - > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. - - If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. - -Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)), or [enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - -### To prepare a host computer - -Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. 
- -> [!TIP] -> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. - -If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. - -To set the Windows To Go Startup options for host computers running Windows 10: - -1. Search for **Windows To Go startup options** and then press **Enter**. - -2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB - -For host computers running Windows 8 or Windows 8.1: - -1. Press **Windows logo key+W**, search for **Windows To Go startup options**, and then press **Enter**. - -2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB. - -You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options** - -After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. 
If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. - -Your host computer is now ready to boot directly into Windows To Go workspace when it's inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) and [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - -### Booting your Windows To Go workspace - -After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: - -**To boot your workspace:** - -1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. - -2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. - -3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace. - -## Advanced deployment steps - -The following steps are used for more advanced deployments where you want to have further control over the configuration of the Windows To Go drives, ensure that they're correctly configured for remote access to your organizational resources, and have been protected with BitLocker Drive Encryption. - -### Configure Windows To Go workspace for remote access - -Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. 
To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network. - -**Prerequisites for remote access scenario:** - -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer - -- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. - -- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer - -- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain - -**To configure your Windows To Go workspace for remote access:** - -1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - - ```cmd - djoin.exe /provision /domain /machine /certtemplate /policynames /savefile /reuse - ``` - - > [!NOTE] - > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. 
Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). - -2. Insert the Windows To Go drive. - -3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. - -4. From the Windows PowerShell command prompt run: - -
-
- Expand this section to show PowerShell commands to run - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- -5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - -6. After those commands have completed, run the following command: - - ```cmd - djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows - ``` - -7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)): - -
-
- Expand this section to show example unattend.xml file - - ```xml - - - - - true - - true - 1 - Work - - - - true - - true - 1 - Work - - - - - ``` - -
- -8. Safely remove the Windows To Go drive. - -9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - - - If on premises using a host computer with a direct network connection, sign on using your domain credentials. - - - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - - > [!NOTE] - > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. - -You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. - -### Enable BitLocker protection for your Windows To Go drive - -Enabling BitLocker on your Windows To Go drive will help ensure that your data is protected from unauthorized use and that if your Windows To Go drive is lost or stolen it will not be easy for an unauthorized person to obtain confidential data or use the workspace to gain access to protected resources in your organization. When BitLocker is enabled, each time you boot your Windows To Go drive, you'll be asked to provide the BitLocker password to unlock the drive. The following procedure provides the steps for enabling BitLocker on your Windows To Go drive: - -#### Prerequisites for enabling BitLocker scenario - -- A Windows To Go drive that can be successfully provisioned. 
- -- A computer running Windows 8 configured as a Windows To Go host computer - -- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - - This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives** - - This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled. - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates** - - This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. 
If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. - -You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. - -Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you'll need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges). - -Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker, see the [BitLocker Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)). - -#### BitLocker recovery keys - -BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. 
- -- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. - -- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. - - > [!WARNING] - > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. - -#### To enable BitLocker during provisioning - -1. Start the host computer that is running Windows 8. - -2. Insert your Windows To Go drive. - -3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. - -4. Provision the Windows To Go drive using the following cmdlets: - - > [!NOTE] - > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - -
-
- Expand this section to show PowerShell commands to run - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- - Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - -5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive: - - ```powershell - $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector - ``` - -6. Next, use the following cmdlets to save the recovery key to a file: - - ```powershell - #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password - #This recovery key can also be backed up into Active Directory using manage-bde.exe or the - #PowerShell cmdlet Backup-BitLockerKeyProtector. - $RecoveryPassword = $BitlockerRecoveryProtector.KeyProtector.RecoveryPassword - $RecoveryPassword > WTG-Demo_Bitlocker_Recovery_Password.txt - ``` - -7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - - ```powershell - # Create a variable to store the password - $spwd = ConvertTo-SecureString -String -AsplainText -Force - Enable-BitLocker W: -PasswordProtector $spwd - ``` - - > [!WARNING] - > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. 
As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. - -8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - - > [!WARNING] - > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - - If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution). - -9. Safely remove the Windows To Go drive. - -The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information: - -- Initial BitLocker password that they'll need to boot the drives. - -- Current encryption status. - -- Instructions to change the BitLocker password after the initial boot. 
- -- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. - -#### To enable BitLocker after distribution - -1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace - -2. Press **Windows logo key+W** to open **Search Settings**, type BitLocker and then select the item for BitLocker Drive Encryption. - -3. The drives on the workspace are displayed, select **Turn BitLocker On** for the C: drive. The **BitLocker Setup Wizard** appears. - -4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. - -> [!NOTE] -> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. - -### Advanced deployment sample script - -The following sample script supports the provisioning of multiple Windows To Go drives and the configuration of offline domain join. - -The sample script creates an unattend file that streamlines the deployment process so that the initial use of the Windows To Go drive doesn't prompt the end user for any additional configuration information before starting up. - -#### Prerequisites for running the advanced deployment sample script - -- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. - -- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. 
However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters. - -- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. - -#### To run the advanced deployment sample script - -1. Copy entire the code sample titled "Windows To Go multiple drive provisioning sample script" into a PowerShell script (.ps1) file. - -2. Make the modifications necessary for it to be appropriate to your deployment and save the file. - -3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - - ```powershell - Set-ExecutionPolicy RemoteSigned - ``` - - The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). - - > [!TIP] - > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `` with the name of the cmdlet you want to see the help for: - > - > `Get-Help -Online` - > - > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. - -#### Windows To Go multiple drive provisioning sample script - -
-
- Expand this section to view Windows To Go multiple drive provisioning sample script - -```powershell -<# -.SYNOPSIS -Windows To Go multiple drive provisioning sample script. - -.DESCRIPTION -This sample script will provision one or more Windows To Go drives, configure offline domain join (using random machine names) and provides an option for BitLocker encryption. To provide a seamless first boot experience, an unattend file is created that will set the first run (OOBE) settings to defaults. To improve performance of the script, copy your install image to a local location on the computer used for provisioning the drives. - -.EXAMPLE -.\WTG_MultiProvision.ps1 -InstallWIMPath c:\companyImages\amd64_enterprise.wim -provision drives connected to your machine with the provided image. -#> -param ( - [parameter(Mandatory=$true)] - [string] -#Path to install wim. If you have the full path to the wim or want to use a local file. - $InstallWIMPath, - - [string] -#Domain to which to join the Windows To Go workspaces. - $DomainName -) - - -<# - In order to set BitLocker Group Policies for our offline WTG image we need to create a Registry.pol file - in the System32\GroupPolicy folder. This file requires binary editing, which is not possible in PowerShell - directly so we have some C# code that we can use to add a type in our PowerShell instance that will write - the data for us. -#> -$Source = @" -using System; -using System.Collections.Generic; -using System.IO; -using System.Text; - -namespace MS.PolicyFileEditor -{ - //The PolicyEntry represents the DWORD Registry Key/Value/Data entry that will - //be written into the file. 
- public class PolicyEntry - { - private List byteList; - - public string KeyName { get; set; } - public string ValueName { get; set; } - - internal List DataBytes - { - get { return this.byteList; } - } - - public PolicyEntry( - string Key, - string Value, - uint data) - { - KeyName = Key; - ValueName = Value; - this.byteList = new List(); - byte[] arrBytes = BitConverter.GetBytes(data); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(arrBytes); } - this.byteList.AddRange(arrBytes); - } - - ~PolicyEntry() - { - this.byteList = null; - } - } - - public class PolicyFile - { - private Dictionary entries; - - public List Entries - { - get - { - List policyList = new List(entries.Values); - return policyList; - } - } - - public PolicyFile() - { - this.entries = new Dictionary(StringComparer.OrdinalIgnoreCase); - } - - public void SetDWORDValue(string key, string value, uint data) - { - PolicyEntry entry = new PolicyEntry(key, value, data); - this.entries[entry.KeyName + "\\" + entry.ValueName] = entry; - } - - public void SaveFile(string file) - { - using (FileStream fs = new FileStream(file, FileMode.Create, FileAccess.Write)) - { - fs.Write(new byte[] { 0x50, 0x52, 0x65, 0x67, 0x01, 0x00, 0x00, 0x00 }, 0, 8); - byte[] openBracket = UnicodeEncoding.Unicode.GetBytes("["); - byte[] closeBracket = UnicodeEncoding.Unicode.GetBytes("]"); - byte[] semicolon = UnicodeEncoding.Unicode.GetBytes(";"); - byte[] nullChar = new byte[] { 0, 0 }; - - byte[] bytes; - - foreach (PolicyEntry entry in this.Entries) - { - fs.Write(openBracket, 0, 2); - bytes = UnicodeEncoding.Unicode.GetBytes(entry.KeyName); - fs.Write(bytes, 0, bytes.Length); - fs.Write(nullChar, 0, 2); - - fs.Write(semicolon, 0, 2); - bytes = UnicodeEncoding.Unicode.GetBytes(entry.ValueName); - fs.Write(bytes, 0, bytes.Length); - fs.Write(nullChar, 0, 2); - - fs.Write(semicolon, 0, 2); - bytes = BitConverter.GetBytes(4); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } - fs.Write(bytes, 
0, 4); - - fs.Write(semicolon, 0, 2); - byte[] data = entry.DataBytes.ToArray(); - bytes = BitConverter.GetBytes((uint)data.Length); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } - fs.Write(bytes, 0, 4); - - fs.Write(semicolon, 0, 2); - fs.Write(data, 0, data.Length); - fs.Write(closeBracket, 0, 2); - } - fs.Close(); - } - } - } -} -"@ - -######################################################################## -# -# Helper Functions -# -Function CreateUnattendFile { -param ( - [parameter(Mandatory=$true)] - [string] - $Arch -) - - if ( Test-Path "WtgUnattend.xml" ) { - del .\WtgUnattend.xml - } - $unattendFile = New-Item "WtgUnattend.xml" -type File - $fileContent = @" - - - - - - true - 1 - Work - - - - en-US - en-US - en-US - en-US - - - true - - - -"@ - - Set-Content $unattendFile $fileContent - -#return the file object - $unattendFile -} - -Function CreateRegistryPolicyFile { - - $saveFileLocaiton = "" + (get-location) + "\registry.pol" - - $policyFile = New-Object MS.PolicyFileEditor.PolicyFile - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseAdvancedStartup", 1) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "EnableBDEWithNoTPM", 1) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPM", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMPIN", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKey", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKeyPIN", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "OSEnablePrebootInputProtectorsOnSlates", 1) - $policyFile.SaveFile($saveFileLocaiton) - - $saveFileLocaiton -} - -######################################################################## - -if ( Test-Path $installWIMPath ){ - write-output "Image: $installWIMPath" -} -else{ - write-output "Unable to find image: $installWIMPath" "Exiting the script" - exit -} - -if ( (Get-WindowsImage -ImagePath 
$InstallWIMPath -Index 1).Architecture -eq 0 ){ - $Arch = "x86" -} -else{ - $Arch = "amd64" -} - -$starttime = get-date - -#Add type information for modifing the Registy Policy file -Add-Type -TypeDefinition $Source -Language CSharp - -#Create helper files -$unattendFile = CreateUnattendFile -Arch $Arch -$registryPolFilePath = CreateRegistryPolicyFile - -$Disks = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } -if ($Disks -eq $null) -{ - Write-Output "No USB Disks found, exiting the script. Please check that you have a device connected." - exit -} - -#We want to make sure that all non-boot connected USB drives are online, writeable and cleaned. -#This command will erase all data from all USB drives larger than 20Gb connected to your machine -#To automate this step you can add: -confirm:$False -Clear-Disk -InputObject $Disks -RemoveData -erroraction SilentlyContinue - -# Currently the provisioning script needs drive letters (for dism and bcdboot.exe) and the script is more -# reliable when the main process determines all of the free drives and provides them to the sub-processes. -# Use a drive index starting at 1, since we need 2 free drives to proceed. (system & operating system) -$driveLetters = 68..90 | ForEach-Object { "$([char]$_):" } | - Where-Object { - (new-object System.IO.DriveInfo $_).DriveType -eq 'noRootdirectory' - } -$driveIndex = 1 - -foreach ($disk in $Disks) -{ - - if ( $driveIndex -lt $driveLetters.count ) - { - Start-Job -ScriptBlock { - $installWIMPath = $args[0] - $unattendFile = $args[1] - $Disk = $args[2] - $SystemDriveLetter = $args[3] - $OSDriveLetter = $args[4] - $DomainName = $args[5] - $policyFilePath = $args[6] - -#For compatibility between UEFI and legacy BIOS we use MBR for the disk. - Initialize-Disk -InputObject $Disk -PartitionStyle MBR - -#A short sleep between creating a new partition and formatting helps ensure the partition -#is ready before formatting. 
- $SystemPartition = New-Partition -InputObject $Disk -Size (350MB) -IsActive - Sleep 1 - Format-Volume -Partition $SystemPartition -FileSystem FAT32 -NewFileSystemLabel "UFD-System" -confirm:$False | Out-Null - - $OSPartition = New-Partition -InputObject $Disk -UseMaximumSize - Sleep 1 - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition $OSPartition -confirm:$False | Out-Null - - -#The No default drive letter prevents other computers from displaying contents of the drive when connected as a Data drive. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - Set-Partition -InputObject $SystemPartition -NewDriveLetter $SystemDriveLetter - Set-Partition -InputObject $OSPartition -NewDriveLetter $OSDriveLetter - - dism /apply-image /index:1 /applydir:${OSDriveLetter}:\ /imagefile:$InstallWIMPath - if (!$?){ - write-output "DISM image application failed, exiting." - exit - } - - copy $unattendFile ${OSDriveLetter}:\Windows\System32\sysprep\unattend.xml - -#Create the directory for the Machine Registry Policy file, surpressing the output and any error -#and copy the pre-created Registry.pol file to that location. - write-output "Set BitLocker default policies for WindowsToGo" - md ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine | out-null - copy $policyFilePath ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine - -#modify the registry of the image to set SanPolicy. This is also where you could set the default -#keyboard type for USB keyboards. - write-output "Modify SAN Policy" - reg load HKLM\PW-System ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log - reg add HKLM\PW-System\ControlSet001\Services\Partmgr\Parameters /v SanPolicy /d 4 /t REG_DWORD /f > info.log - reg unload HKLM\PW-System > info.log - -#We're running bcdboot from the newly applied image so we know that the correct boot files for the architecture and operating system are used. -#This will fail if we try to run an amd64 bcdboot.exe on x86. 
- cmd /c "$OSDriveLetter`:\Windows\system32\bcdboot $OSDriveLetter`:\Windows /f ALL /s $SystemDriveLetter`:" - if (!$?){ - write-output "BCDBOOT.exe failed, exiting script." - exit - } - - <# - If a domain name was provided to the script, we will create a random computer name - and perform an offline domain join for the device. With this command we also suppress the - Add User OOBE screen. -#> - if ($DomainName) - { -#using get-random, we will create a random computer name for the drive. - $suffix = Get-Random - $computername = "wtg-" + $suffix - djoin /provision /domain $DomainName /savefile ${OSDriveLetter}:\tempBLOB.bin /reuse /machine $computername - djoin /requestodj /loadfile ${OSDriveLetter}:\tempBLOB.bin /windowspath ${OSDriveLetter}:\windows > info.log - del ${OSDriveLetter}:\tempBLOB.bin - -#add offline registry key to skip user account screen - write-output "Add Offline Registry key for skipping UserAccount OOBE page." - reg load HKLM\PW-Temp${OSDriveLetter} ${OSDriveLetter}:\Windows\System32\config\SOFTWARE > info.log - reg add HKLM\PW-Temp${OSDriveLetter}\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /d 1 /t REG_DWORD > info.log - reg unload HKLM\PW-Temp${OSDriveLetter} > info.log - } - - try - { - Write-VolumeCache -DriveLetter ${OSDriveLetter} - Write-Output "Disk is now ready to be removed." - } - catch [System.Management.Automation.CommandNotFoundException] - { - write-output "Flush Cache not supported, Be sure to safely remove the WTG device." 
- } - - - } -ArgumentList @($installWIMPath, $unattendFile, $disk, $driveLetters[$driveIndex-1][0], $driveLetters[$driveIndex][0], $DomainName, $registryPolFilePath) - } - $driveIndex = $driveIndex + 2 -} -#wait for all threads to finish -get-job | wait-job - -#print output from all threads -get-job | receive-job - -#delete the job objects -get-job | remove-job - - -#Cleanup helper files -del .\WtgUnattend.xml -del .\Registry.pol - -$finishtime = get-date -$elapsedTime = new-timespan $starttime $finishtime -write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" -write-output "" "Provisioning script complete." -``` - -
- -## Considerations when using different USB keyboard layouts with Windows To Go - -In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: - -```cmd -reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f -reg.exe unload HKLM\WTG-Keyboard -``` - -## Related articles - -[Windows To Go: feature overview](planning/windows-to-go-overview.md) - -[Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -[Prepare your organization for Windows To Go](planning//prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](planning//deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) - -[BitLocker overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index f793410037..74599e8a5d 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md 
@@ -8,7 +8,10 @@ author: cmknox
 ms.author: carmenf
 manager: aaroncz
 ms.reviewer: mstewart
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - essentials-privacy
+ - essentials-security
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index e34d7b6de7..15b4ac395f 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -12,6 +12,7 @@ metadata:
 ms.collection:
 - highpri
 - tier3
+ - essentials-navigation
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
index 147c3cf0e9..8e98234bca 100644
--- a/windows/deployment/do/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.reviewer: mstewart
 ms.collection:
 - tier3
+ - essentials-manage
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 40c469034e..00cf90a2d6 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -8,7 +8,9 @@ author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - essentials-get-started
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 3f0f9432e6..0b5f3f8d58 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -11,6 +11,7 @@ ms.reviewer: mstewart
 ms.collection:
 - tier3
 - highpri
+ - essentials-overview
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
deleted file mode 100644
index 07285db62e..0000000000
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Best practice recommendations for Windows To Go (Windows 10)
-description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Best practice recommendations for Windows To Go
-
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following are the best practice recommendations for using Windows To Go:
-
-- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
-- Do not insert the Windows To Go drive into a running computer.
-- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
-- If available, use a USB 3.0 port with Windows To Go.
-- Do not install non-Microsoft core USB drivers on Windows To Go.
-- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
-
-Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go.
It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
-
-## More information
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
deleted file mode 100644
index e4cce0cd24..0000000000
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: Deployment considerations for Windows To Go (Windows 10)
-description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Deployment considerations for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
-
-> [!NOTE]
-> Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process.
-
-The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go.
-
-- [Initial boot experiences](#wtg-initboot)
-- [Image deployment and drive provisioning considerations](#wtg-imagedep)
-- [Application installation and domain join](#wtg-appinstall)
-- [Management of Windows To Go using Group Policy](#bkmk-wtggp)
-- [Supporting booting from USB](#wtg-bootusb)
-- [Updating firmware](#stg-firmware)
-- [Configure Windows To Go startup options](#wtg-startup)
-- [Change firmware settings](#wtg-changefirmware)
-
-## Initial boot experiences
-
-The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
-
-![initial boot on-premises.](images/wtg-first-boot-work.gif)
-
-When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It isn't necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but isn't required.
-
-![initial boot off-premises.](images/wtg-first-boot-home.gif)
-
-When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
-
-> [!TIP]
-> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)).
-
-DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you don't want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
-
-### Image deployment and drive provisioning considerations
-
-The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces.
You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
-
-![windows to go image deployment.](images/wtg-image-deployment.gif)
-
-The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device hasn't been booted. After the Windows To Go drive is initialized, it shouldn't be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
-
-> [!TIP]
-> When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments.
-
-**Driver considerations**
-
-Windows includes most of the drivers that you'll need to support a wide variety of host computers. However, you'll occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you're using Windows To Go on a set of known host computers, you can add any more drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get more drivers if necessary.
-
-Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates.
IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems.
-
-The following list of commonly used Wi-Fi network adapters that aren't supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image.
-
-|Vendor name|Product description|HWID|Windows Update availability|
-|--- |--- |--- |--- |
-|Broadcom|802.11abgn Wireless SDIO adapter|sd\vid_02d0&pid_4330&fn_1|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010e106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_433114e4&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010f106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Marvell|Yukon 88E8001/8003/8010 PCI Gigabit Ethernet|pci\ven_11ab&dev_4320&subsys_811a1043|[32-bit 
driver](https://go.microsoft.com/fwlink/p/?LinkId=619080)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619082)| -|Marvell|Libertas 802.11b/g Wireless|pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619128)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619129)| -|Qualcomm|Atheros AR6004 Wireless LAN Adapter|sd\vid_0271&pid_0401|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619086)
64-bit driver not available| -|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_20031a56|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619348)
64-bit driver not available| -|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_020a1028&rev_01|Contact the system OEM or Qualcom for driver availability.| -|Qualcomm|Atheros AR5005G Wireless Network Adapter|pci\ven_168c&dev_001a&subsys_04181468&rev_01|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619349)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)| -|Ralink|Wireless-G PCI Adapter|pci\ven_1814&dev_0301&subsys_00551737&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619092)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619093)| -|Ralink|Turbo Wireless LAN Card|pci\ven_1814&dev_0301&subsys_25611814&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619094)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619095)| -|Ralink|Wireless LAN Card V1|pci\ven_1814&dev_0302&subsys_3a711186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)| -|Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)|
-
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
-
-### Application installation and domain join
-
-Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
-
-### Management of Windows To Go using Group Policy
-
-In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor.
-
-The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor.
The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:
-
-**Settings for workspaces**
-
-- **Allow hibernate (S4) when started from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs.
-
- > [!IMPORTANT]
- > For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
-
-- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable.
If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
-
-**Settings for host PCs**
-
-- **Windows To Go Default Startup Options**
-
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
-
- > [!IMPORTANT]
- > Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
-
-## Supporting booting from USB
-
-The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB.
-
-> [!NOTE]
-> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-
-If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
-### Roaming between different firmware types
-
-Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
-
-![bios layout.](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
-
-This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**.
When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
-
-![firmware roaming disk layout.](images/wtg-mbr-firmware-roaming.gif)
-
-This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
-
-### Configure Windows To Go startup options
-
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
-
-**To configure Windows To Go startup options**
-
-1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter.
-
- ![windows to go startup options.](images/wtg-startup-options.gif)
-
-2. Select **Yes** to enable the startup options.
-
- > [!TIP]
- > If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.
-
-3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**.
-
-### Change firmware settings
-
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer.
If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
-
-## Related topics
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/images/wtg-first-boot-home.gif b/windows/deployment/planning/images/wtg-first-boot-home.gif
deleted file mode 100644
index 46cd605a2e..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-home.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-first-boot-work.gif b/windows/deployment/planning/images/wtg-first-boot-work.gif
deleted file mode 100644
index c1a9a9d31d..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-work.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-gpt-uefi.gif b/windows/deployment/planning/images/wtg-gpt-uefi.gif
deleted file mode 100644
index 2ff2079a3c..0000000000
Binary files a/windows/deployment/planning/images/wtg-gpt-uefi.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-image-deployment.gif b/windows/deployment/planning/images/wtg-image-deployment.gif
deleted file mode 100644
index d622911f3e..0000000000
Binary files a/windows/deployment/planning/images/wtg-image-deployment.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-bios.gif b/windows/deployment/planning/images/wtg-mbr-bios.gif
deleted file mode 100644
index b93796944a..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-bios.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif b/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif
deleted file mode 100644
index f21592c310..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-startup-options.gif b/windows/deployment/planning/images/wtg-startup-options.gif deleted file mode 100644 index 302da78ea6..0000000000 Binary files a/windows/deployment/planning/images/wtg-startup-options.gif and /dev/null differ diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md deleted file mode 100644 index 5f5b94be3f..0000000000 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ /dev/null 
@@ -1,106 +0,0 @@
----
-title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Prepare your organization for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go.
-
-## What is Windows To Go?
-
-Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. A Windows To Go workspace isn't intended to replace desktops or laptops, or supplant other mobility offerings.
-
-Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are:
-
-- USB boot capable
-- Have USB boot enabled in the firmware
-- Meet Windows 7 minimum system requirements
-- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM isn't a supported processor for Windows To Go.
-- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace
-
-Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.
-
-The following articles will familiarize you with how you can use a Windows To Go workspace. They also give you an overview of some of the things you should consider in your design.
-
-## Usage scenarios
-
-
-The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer:
-
-- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection, or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
-
-- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker. Then they can be assisted with any necessary other user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive. And run all applications in that environment until the end of the assignment when the device is returned.
No installation of software is required on the worker's personal computer.
-
-- **Managed free seating.** The employee is issued a Windows To Go drive. This drive is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return, they use the same USB flash drive but use a different host computer.
-
-- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work. This boot caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
-
-- **Travel lightly.** In this situation, you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
-
-> [!NOTE]
-> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object isn't potentially deleted from Active Directory Domain Services (AD DS).
-
- ## Infrastructure considerations
-
-Because Windows To Go requires no other software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no other infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group.
-
-## Activation considerations
-
-Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This method is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
-
-You should investigate other software manufacturer's licensing requirements to ensure they're compatible with roaming usage before deploying them to a Windows To Go workspace.
-
-> [!NOTE]
-> Using Multiple Activation Key (MAK) activation isn't a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
- For more information about these activation methods and how they can be used in your organization, see [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)).
-
-## Organizational unit structure and use of Group Policy Objects
-
-You may find it beneficial to create other Active Directory organizational unit (OU) structures to support your Windows To Go deployment: one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers that can boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation.
-
-If you're deploying Windows To Go workspaces for a scenario in which they're not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store.
-
-For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-## Computer account management
-
-If you configure Windows To Go drives for scenarios where drives may remain unused for extended periods of time such as used in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule, or modify any maintenance scripts to not clean computer accounts in the Windows To Go device organizational unit.
-
-## User account and data management
-
-People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to be able to get to the data that they work with, and to keep it accessible when the workspace isn't being used. For this reason, we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile.
For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.
-
-## Remote connectivity
-
-If you want Windows To Go to be able to connect back to organizational resources when it's being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
-
-## Related articles
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
deleted file mode 100644
index b376163521..0000000000
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Security and data protection considerations for Windows To Go (Windows 10)
-description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 12/31/2017
----
-
-# Security and data protection considerations for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
-
-## Backup and restore
-
-When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement.
-
-If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended.
For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-## BitLocker
-
-We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
-
-You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
-
-> [!Tip]
-> If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
-
-When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode.
-
-## Disk discovery and data leakage
-
-We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage.
**NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
-
-To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)).
-
-## Security certifications for Windows To Go
-
-Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider's specific hardware environment.
For more information about Windows security certifications, see the following articles.
-
-- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria)
-
-- [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation)
-
-## Related articles
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
-
-
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
deleted file mode 100644
index 4907345be4..0000000000
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ /dev/null
@@ -1,455 +0,0 @@ -### YamlMime:FAQ -metadata: - title: Windows To Go frequently asked questions (Windows 10) - description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature. - ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e - ms.reviewer: - author: frankroj - ms.author: frankroj - manager: aaroncz - keywords: FAQ, mobile, device, USB - ms.prod: windows-client - ms.technology: itpro-deploy - ms.mktglfcycl: deploy - ms.pagetype: mobility - ms.sitesec: library - audience: itpro - ms.topic: faq - ms.date: 10/28/2022 -title: 'Windows To Go: frequently asked questions' -summary: | - **Applies to** - - - Windows 10 - - > [!IMPORTANT] - > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - - The following list identifies some commonly asked questions about Windows To Go. 
- - - [What is Windows To Go?](#what-is-windows-to-go-) - - - [Does Windows To Go rely on virtualization?](#does-windows-to-go-rely-on-virtualization-) - - - [Who should use Windows To Go?](#who-should-use-windows-to-go-) - - - [How can Windows To Go be deployed in an organization?](#how-can-windows-to-go-be-deployed-in-an-organization-) - - - [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#is-windows-to-go-supported-on-both-usb-2-0-and-usb-3-0-drives-) - - - [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#is-windows-to-go-supported-on-usb-2-0-and-usb-3-0-ports-) - - - [How do I identify a USB 3.0 port?](#how-do-i-identify-a-usb-3-0-port-) - - - [Does Windows To Go run faster on a USB 3.0 port?](#does-windows-to-go-run-faster-on-a-usb-3-0-port-) - - - [Can the user self-provision Windows To Go?](#can-the-user-self-provision-windows-to-go-) - - - [How can Windows To Go be managed in an organization?](#how-can-windows-to-go-be-managed-in-an-organization-) - - - [How do I make my computer boot from USB?](#how-do-i-make-my-computer-boot-from-usb-) - - - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-) - - - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) - - - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - - - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-) - - - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) - - - [Does Windows To Go support crash dump analysis?](#does-windows-to-go-support-crash-dump-analysis-) - - - [Do "Windows To Go Startup Options" work with dual boot 
computers?](#do--windows-to-go-startup-options--work-with-dual-boot-computers-) - - - [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#i-plugged-my-windows-to-go-drive-into-a-running-computer-and-i-can-t-see-the-partitions-on-the-drive--why-not-) - - - [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#i-m-booted-into-windows-to-go--but-i-can-t-browse-to-the-internal-hard-drive-of-the-host-computer--why-not-) - - - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#why-does-my-windows-to-go-drive-have-an-mbr-disk-format-with-a-fat32-system-partition-) - - - [Is Windows To Go secure if I use it on an untrusted machine?](#is-windows-to-go-secure-if-i-use-it-on-an-untrusted-computer-) - - - [Does Windows To Go work with ARM processors?](#does-windows-to-go-work-with-arm-processors-) - - - [Can I synchronize data from Windows To Go with my other computer?](#can-i-synchronize-data-from-windows-to-go-with-my-other-computer-) - - - [What size USB Flash Drive do I need to make a Windows To Go drive?](#what-size-usb-flash-drive-do-i-need-to-make-a-windows-to-go-drive-) - - - [Do I need to activate Windows To Go every time I roam?](#do-i-need-to-activate-windows-to-go-every-time-i-roam-) - - - [Can I use all Windows features on Windows To Go?](#can-i-use-all-windows-features-on-windows-to-go-) - - - [Can I use all my applications on Windows To Go?](#can-i-use-all-my-applications-on-windows-to-go-) - - - [Does Windows To Go work slower than standard Windows?](#does-windows-to-go-work-slower-than-standard-windows-) - - - [If I lose my Windows To Go drive, will my data be safe?](#if-i-lose-my-windows-to-go-drive--will-my-data-be-safe-) - - - [Can I boot Windows To Go on a Mac?](#can-i-boot-windows-to-go-on-a-mac-) - - - [Are there any APIs that allow applications to identify a Windows To Go 
workspace?](#are-there-any-apis-that-allow-applications-to-identify-a-windows-to-go-workspace-) - - - [How is Windows To Go licensed?](#how-is-windows-to-go-licensed-) - - - [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#does-windows-recovery-environment-work-with-windows-to-go--what-s-the-guidance-for-recovering-a-windows-to-go-drive-) - - - [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#why-won-t-windows-to-go-work-on-a-computer-running-windows-xp-or-windows-vista-) - - - [Why does the operating system on the host computer matter?](#why-does-the-operating-system-on-the-host-computer-matter-) - - - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - - - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) - - - [How do I upgrade the operating system on my Windows To Go drive?](#how-do-i-upgrade-the-operating-system-on-my-windows-to-go-drive-) - - -sections: - - name: Ignored - questions: - - question: | - What is Windows To Go? - answer: | - Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. 
- - - question: | - Does Windows To Go rely on virtualization? - answer: | - No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - - - question: | - Who should use Windows To Go? - answer: | - Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. - - - question: | - How can Windows To Go be deployed in an organization? - answer: | - Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: - - - A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) - - - A Windows 10 Enterprise or Windows 10 Education image - - - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - - You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - - - question: | - Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? - answer: | - No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. - - - question: | - Is Windows To Go supported on USB 2.0 and USB 3.0 ports? - answer: | - Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. 
- - - question: | - How do I identify a USB 3.0 port? - answer: | - USB 3.0 ports are usually marked blue or carry an SS marking on the side. - - - question: | - Does Windows To Go run faster on a USB 3.0 port? - answer: | - Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. - - - question: | - Can the user self-provision Windows To Go? - answer: | - Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases include support for user self-provisioning of Windows To Go drives. - - - question: | - How can Windows To Go be managed in an organization? - answer: | - Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. - - - question: | - How do I make my computer boot from USB? - answer: | - For host computers running Windows 10 - - - Using Cortana, search for **Windows To Go startup options**, and then press Enter. - - In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. 
- - For host computers running Windows 8 or Windows 8.1: - - Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. - - In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. - - > [!NOTE] - > Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. - - - - If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - - To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.) - - After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. - - Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. - - For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - - **Warning** - Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. - - - - - question: | - Why isn't my computer booting from USB? 
- answer: | - Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: - - 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. - - 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - - 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port. - - If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - - - question: | - What happens if I remove my Windows To Go drive while it's running? - answer: | - If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. - - **Warning** - You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. - - - - - question: | - Can I use BitLocker to protect my Windows To Go drive? - answer: | - Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace. - - - question: | - Why can't I enable BitLocker from Windows To Go Creator? 
- answer: | - Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types. - - When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: - - 1. **Control use of BitLocker on removable drives** - - If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. - - 2. **Configure use of smart cards on removable data drives** - - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard. - - 3. **Configure use of passwords for removable data drives** - - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker. - - Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - - - question: | - What power states does Windows To Go support? 
- answer: | - Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. - - - question: | - Why is hibernation disabled in Windows To Go? - answer: | - When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - - - question: | - Does Windows To Go support crash dump analysis? - answer: | - Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. - - - question: | - Do "Windows To Go Startup Options" work with dual boot computers? - answer: | - Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - - If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported. - - - question: | - I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? 
- answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. - - **Warning** - It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - - - - - question: | - I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? - answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. - - **Warning** - It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. 
If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefore user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - - - - - question: | - Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? - answer: | - This is done to allow Windows To Go to boot from UEFI and legacy systems. - - - question: | - Is Windows To Go secure if I use it on an untrusted computer? - answer: | - While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. - - - question: | - Does Windows To Go work with ARM processors? - answer: | - No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. - - - question: | - Can I synchronize data from Windows To Go with my other computer? - answer: | - To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. - - - question: | - What size USB flash drive do I need to make a Windows To Go drive? - answer: | - The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. 
- - - question: | - Do I need to activate Windows To Go every time I roam? - answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or through a remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - - - question: | - Can I use all Windows features on Windows To Go? - answer: | - Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. - - - question: | - Can I use all my applications on Windows To Go? - answer: | - Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. - - - question: | - Does Windows To Go work slower than standard Windows? 
- answer: | - If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - - - question: | - If I lose my Windows To Go drive, will my data be safe? - answer: | - Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - - - question: | - Can I boot Windows To Go on a Mac? - answer: | - We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac. - - - question: | - Are there any APIs that allow applications to identify a Windows To Go workspace? - answer: | - Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device. - - Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. - - For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem). - - - question: | - How is Windows To Go licensed? 
- answer: | - Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. - - - question: | - Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? - answer: | - No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace. - - - question: | - Why won't Windows To Go work on a computer running Windows XP or Windows Vista? - answer: | - Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - - - question: | - Why does the operating system on the host computer matter? - answer: | - It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. 
The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - - - question: | - My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? - answer: | - The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. - - You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - - 1. Sign in to the host computer using an account with administrator privileges. - - 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - - 3. Click **Suspend Protection** for the operating system drive. - - A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. - - 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - - 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. 
(Neither your Windows To Go drive nor any other USB drive should be inserted.) - - 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - - 7. Click **Resume Protection** to re-enable BitLocker protection. - - The host computer will now be able to be booted from a USB drive without triggering recovery mode. - - > [!NOTE] - > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order. - - - - - question: | - I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it? - answer: | - Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: - - 1. Open a command prompt with full administrator permissions. - - > [!NOTE] - > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. - - - - 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - - 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available. - - 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - - - question: | - Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? 
- answer: | - One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - - In certain cases, third-party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - - This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. - - - question: | - How do I upgrade the operating system on my Windows To Go drive? - answer: | - There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version. 
-
-additionalContent: |
-
- ## Additional resources
-
- - [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
- - [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
- - [Windows To Go: feature overview](windows-to-go-overview.md)
- - [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
- - [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
- - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
deleted file mode 100644
index 4332f5785a..0000000000
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: Windows To Go feature overview (Windows 10)
-description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: overview
-ms.technology: itpro-deploy
-ms.collection:
- - highpri
- - tier2
-ms.date: 10/28/2022
----
-
-# Windows To Go: feature overview
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
-
-PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go isn't intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios.
There are some other considerations that you should keep in mind before you start to use Windows To Go:
-
-- [Windows To Go: feature overview](#windows-to-go-feature-overview)
- - [Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows)
- - [Roaming with Windows To Go](#roaming-with-windows-to-go)
- - [Prepare for Windows To Go](#prepare-for-windows-to-go)
- - [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
-
-> [!NOTE]
-> Windows To Go isn't supported on Windows RT.
-
-## Differences between Windows To Go and a typical installation of Windows
-
-Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:
-
-- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive won't be listed in Windows Explorer.
-- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
-- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.
-- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
-- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled.
-- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces can't be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
-
-## Roaming with Windows To Go
-
-Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer, it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is next booted on that host computer, it will be able to identify the host computer and load the correct set of drivers automatically.
-
-The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware, which will cause difficulties if the workspace is being used with multiple host computers.
-
-## Prepare for Windows To Go
-
-Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
-
-These same tools can be used to provision Windows To Go drive, just as if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
-
-> [!IMPORTANT]
-> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying.
There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported.
-
-As you decide what to include in your Windows To Go image, be sure to consider the following questions:
-
-Are there any drivers that you need to inject into the image?
-
-How will data be stored and synchronized to appropriate locations from the USB device?
-
-Are there any applications that are incompatible with Windows To Go roaming that shouldn't be included in the image?
-
-What should be the architecture of the image - 32bit/64bit?
-
-What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network?
-
-For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md).
-
-## Hardware considerations for Windows To Go
-
-**For USB drives**
-
-The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following items:
-
-- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly.
-- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later.
-- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details.
-
-As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives:
-
-> [!WARNING]
-> Using a USB drive that has not been certified is not supported.
-
-- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
-- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
-
-- Super Talent Express RC4 for Windows To Go - - -and- - - Super Talent Express RC8 for Windows To Go - - ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721))
-
-- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722))
-
- We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility, see [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
-
-**For host computers**
-
-When assessing the use of a PC as a host for a Windows To Go workspace, you should consider the following criteria:
-
-- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go.
-- Running a Windows To Go workspace from a computer that is running Windows RT isn't a supported scenario.
-- Running a Windows To Go workspace on a Mac computer isn't a supported scenario.
-
-The following table details the characteristics that the host computer must have to be used with Windows To Go:
-
-|Item|Requirement|
-|--- |--- |
-|Boot process|Capable of USB boot|
-|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you're unsure of the ability of your PC to boot from USB)|
-|Processor architecture|Must support the image on the Windows To Go drive|
-|External USB Hubs|Not supported; connect the Windows To Go drive directly to the host machine|
-|Processor|1 GHz or faster|
-|RAM|2 GB or greater|
-|Graphics|DirectX 9 graphics device with WDDM 1.2 or greater driver|
-|USB port|USB 2.0 port or greater|
-
-**Checking for architectural compatibility between the host PC and the Windows To Go drive**
-
-In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below.
-
-|Host PC Firmware Type|Host PC Processor Architecture|Compatible Windows To Go Image Architecture|
-|--- |--- |--- |
-|Legacy BIOS|32-bit|32-bit only|
-|Legacy BIOS|64-bit|32-bit and 64-bit|
-|UEFI BIOS|32-bit|32-bit only|
-|UEFI BIOS|64-bit|64-bit only|
-
-## Other resources
-
-- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
-- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
-- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951)
-
-## Related articles
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index c79efcf511..d40a309a1d 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -17,6 +17,7 @@ metadata:
ms.collection:
- highpri
- tier2
+ - essentials-navigation
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
index 66164cc373..6504cc5500 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -13,6 +13,7 @@ ms.reviewer: andredm7
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Software update management
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index fe9d6b3321..f478b5062c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -13,6 +13,7 @@ ms.reviewer: smithcharles
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Maintain the Windows Autopatch environment
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
index d998b1df2c..b3074bb000 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -13,6 +13,7 @@ ms.reviewer: rekhanr
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Policy health and remediation
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
index 7fc5bce674..8de625c360 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
@@ -12,6 +12,7 @@ manager: dougeby
ms.reviewer: hathind
ms.collection:
- tier2
+ - essentials-get-started
---
# Windows Autopatch deployment guide
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 62ac288ad4..794dc96d53 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -12,6 +12,7 @@ manager: dougeby
ms.collection:
- highpri
- tier1
+ - essentials-overview
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 0e481d7a66..0b12dcc310 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -13,6 +13,7 @@ ms.reviewer: hathind
ms.collection:
- highpri
- tier1
+ - essentials-privacy
---
# Privacy
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index e651c1901d..51c7c76e38 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.prod: windows-client
ms.collection:
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index a6892742ba..149f150ae7 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -9,7 +9,9 @@ metadata:
description: Learn about how privacy is managed in Windows.
ms.prod: windows-client
ms.topic: hub-page # Required
- ms.collection: highpri
+ ms.collection:
+ - highpri
+ - essentials-privacy
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index cc4c373f09..3a606e7aa2 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -9,6 +9,7 @@ ms.author: danbrown
manager: laurawi
ms.date: 05/20/2019
ms.topic: conceptual
+ms.collection: essentials-compliance
---
# Windows Privacy Compliance:
A Guide for IT and Compliance Professionals
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
index 90bdaa9748..21442ea394 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
@@ -4,6 +4,7 @@ description: Learn how to plan and implement a WDAC deployment.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.topic: overview
+ms.collection: essentials-get-started
---
# Deploying Windows Defender Application Control (WDAC) policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
index 9b0edc0e23..889b1c2d8d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
@@ -4,6 +4,7 @@ description: Gather information about how your deployed Windows Defender Applica
ms.localizationpriority: medium
ms.date: 03/30/2023
ms.topic: article
+ms.collection: essentials-manage
---
# Windows Defender Application Control operational guide
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 500f4c397b..e178b6f5e1 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -5,6 +5,8 @@ ms.localizationpriority: medium
ms.collection:
- tier3
- must-keep
+- essentials-navigation
+- essentials-overview
ms.date: 08/30/2023
ms.topic: article
---
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 99c0f44731..8f543bcde6 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -8,6 +8,7 @@ metadata:
ms.topic: hub-page
ms.collection:
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index 92105b512d..dd2492a6b9 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -4,6 +4,9 @@ description: System security book.
ms.date: 09/01/2023
ms.topic: tutorial
ms.author: paoloma
+ms.collection:
+ - essentials-security
+ - essentials-overview
content_well_notification:
- AI-contribution
author: paolomatarazzo
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 019b29e36c..0459e43283 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -12,6 +12,7 @@ ms.topic: overview
ms.collection:
- highpri
- tier1
+ - essentials-overview
appliesto:
- ✅ Windows 11
---