Top 10 Windows 8 Features #4: Windows To Go

The basic premise of Windows To Go sounds like it escaped from an alternate universe: Now you can take Windows home with you from work, and run it on your living room PC. "That’s crazy," you might respond, "it’s already on my living room PC!" But this is Windows 8, which is so, so different that the ability to create take-home, bootable OS instances on a thumb drive actually makes sense in a number of important ways. Ironically, though, Windows To Go isn't really about Windows 8 at all. It’s about the benefits of getting Windows into a space that used to be too tight for it to fit - and also an experimental, bottom-up approach to implementing tighter network security.

Easily the biggest threat to businesses' network security has been their employees' ability to connect their own PCs to corporate networks, both directly and remotely. Most attacks originate outside the perimeter, which is partly why typical security models adopt the "fortress mentality" – a scheme that is largely incompatible with the openness of cloud computing. Similarly, the trend toward Bring Your Own Device (BYOD) was intended to save on capital expenditures, but some companies end up spending the savings on network maintenance: remediating all the malware and other unwanted content that employees bring in with them.

So Windows To Go is an experiment in what Microsoft calls an “alternative workplace scenario.”

The Open, Closed System

Here’s the basic premise: Businesses need to be able to manage the workspaces on which their applications are being used, but employees may not want their personal computers managed for them by their bosses. Borrowing an idea from virtualization, Windows To Go creates an environment that can be managed separately from the personal environment, letting employees lend businesses the use of their processors without signing over the deed to their computers. Employees use the business workspace while the Windows To Go thumb drive is plugged in and operating. Once it’s removed, the computer resumes being personal again.

The Windows To Go thumb drive is something admins will have to prepare themselves; it's not a device you buy from Microsoft. Back in 2006, Microsoft introduced the Windows Imaging format (WIM), a file-based disk image that lets an installation of Windows be prepared with the policies and the software (third-party included) that a business prescribes, then painted onto multiple users' systems in one step like wallpaper. With Windows 8 Enterprise, admins can apply that same kind of WIM image to a thumb drive. So a Windows To Go image is a copy of Windows 8 that's licensed to the business, not the employee. The worker can use it at work or at home, and it contains either the applications or access to the applications that the admin directly manages. And even if a worker does take her own PC to work with her, she can use the Windows To Go image during work hours separately from the (presumably licensed) operating system installed on that PC.

To pull this off, Windows To Go makes some very significant tradeoffs, some of which will render the whole idea a non-starter for some businesses and users. The biggest sacrifice is that the host's local hard disk is inaccessible from the Windows To Go environment: the workspace marks the host's internal disks offline at boot, so they are never mounted (an admin can re-enable them, but off is the default). If there is any single way to make sure the Windows To Go workspace doesn't get infected by whatever the user has downloaded onto that PC, it's cutting off access to the local hard drive entirely. Note what this does not do, though: it says nothing about the host's firmware or hardware, which the workspace still has to trust.
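The two mechanisms just described, painting a WIM image onto the thumb drive and telling the resulting workspace to leave the host's internal disks offline, are what an admin actually scripts. The following is an added example, written for this page rather than taken from the article or from Microsoft's own deployment scripts. It assumes a Windows 8 technician PC with PowerShell 3.0, a 64-bit or 32-bit Windows 8 Enterprise install.wim at C:\Images\install.wim (index 1, a stand-in path), exactly one USB disk attached, and free drive letters S: and W:. The "SAN policy 4" unattend setting is the documented OFFLINE_INTERNAL value; the file name san_policy.xml and the partition sizes are choices made here.

```powershell
# Added example: provision a Windows To Go drive from a WIM and apply the offline-internal-disk policy.
# Not the article's or Microsoft's code; paths, labels and sizes below are assumptions.
$ErrorActionPreference = 'Stop'
$Wim      = 'C:\Images\install.wim'   # assumed location of the Windows 8 Enterprise image
$WimIndex = 1                          # assumed index of the Enterprise edition inside the WIM

# Storage cmdlets and DISM need an elevated prompt; fail early rather than half-way through.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 1. Locate the USB disk. Clear-Disk is destructive, so refuse to guess if zero or several match.
$usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count)." }
$disk = $usb[0]

# 2. Wipe the drive and lay it out: a small active FAT32 boot partition plus an NTFS Windows partition.
Clear-Disk -Number $disk.Number -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $disk.Number -PartitionStyle MBR
$boot = New-Partition -DiskNumber $disk.Number -Size 350MB -IsActive -DriveLetter S
$os   = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter W
Format-Volume -Partition $boot -FileSystem FAT32 -NewFileSystemLabel 'BOOT' -Confirm:$false | Out-Null
Format-Volume -Partition $os   -FileSystem NTFS  -NewFileSystemLabel 'WTG'  -Confirm:$false | Out-Null

# 3. "Paint" the image onto W: and write boot files to S: for both BIOS and UEFI hosts.
dism.exe /Apply-Image /ImageFile:$Wim /Index:$WimIndex /ApplyDir:W:\
if ($LASTEXITCODE -ne 0) { throw "DISM apply failed with exit code $LASTEXITCODE" }
bcdboot.exe W:\Windows /s S: /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. The isolation the article describes: SAN policy 4 (OFFLINE_INTERNAL) makes the workspace
#    leave the host's internal disks offline, so they are never mounted. Both architectures are
#    listed; DISM applies whichever matches the image.
$sanPolicy = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <SanPolicy>4</SanPolicy>
    </component>
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
'@
$sanPolicy | Set-Content -Path 'W:\san_policy.xml' -Encoding UTF8
dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
if ($LASTEXITCODE -ne 0) { throw "Applying the SAN policy failed with exit code $LASTEXITCODE" }
Remove-Item 'W:\san_policy.xml'

Write-Host 'Windows To Go drive provisioned. Eject it safely before booting a host from it.'
```

The check in step 1 is the part worth keeping even if the rest is replaced by the Windows To Go Creator wizard: a script that picks "the first disk that looks removable" will one day pick the wrong one. Step 4 is what the article's "local hard disk is inaccessible" claim rests on, and it can be confirmed from inside the booted workspace by opening Disk Management and seeing the host's internal disk listed as Offline.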

So where are you supposed to store documents, you may ask? A PC with Windows To Go can access the storage devices of systems in its local network. Microsoft provided me with a Windows To Go drive using the last Windows 8 Release Preview for my own experiments. I have several PCs in my peer-to-peer office network, some with Windows 7, others with the Windows 8 Release to Manufacturing (RTM) version. Ironically, I had no trouble sharing documents with the Windows 7-based machines; the Windows 8 devices had more difficulty, in some cases with the whole notion of password-protected sharing.

In a test involving three PCs (one Windows 7, one Windows 8 RTM with OS provided by Microsoft, and the third Windows To Go), the Windows To Go machine appeared to kick the Windows 8 RTM machine out of the homegroup (more about that concept in a moment). While the Windows To Go machine was booted, the homegroup password created earlier by the Windows 7 machine was considered invalid. But once the Windows To Go machine was powered off, the same password was accepted.

It’s enough that admins have to deal with networking issues between their own PCs, without having to introduce a truckload of new issues with their colleagues’ PCs. Besides all that, assuming networking connections are not a problem, not everyone will have the luxury of more than one PC at home.

Given all that, the preferred response to the question of where you store your documents is, “In the cloud” – specifically Microsoft’s own SkyDrive. After all, Microsoft has always tried to leverage its strength in one platform to promote another. 

An Interesting Experiment

Windows To Go is most definitely an experiment (though not a terribly costly one for Microsoft) to see whether businesses have any influence over what operating system gets used at home. If admins like the idea of a controllable business environment that isn't a virtual machine, that's administrable through System Center or other common tools, and that's cut off from the local hard drive, a key delivery source for malware in businesses, they might just get employees to swallow it like candy. In turn, those employees get the new Windows 8 and probably Office 2013, plus a channel for syncing documents.

Here is where the enticement may start to fall apart, for both parties: The reason a consumer would want to try Windows 8 is to play with all its cool features, including the new tile-style Windows Store apps. But such apps would have to be installed on the Windows To Go drive, not on the PC, and in fact the Windows Store is switched off by default in a Windows To Go workspace, because Store app licenses are tied to the hardware the app runs on; an admin has to turn it on through Group Policy. It's doubtful that admins would permit this.

For companies, the whole point of administrator control of business workspaces is to have control over the Desktop. Administering the Desktop, by definition, is taken to mean keeping it stable. But the Windows 8 Start Screen, which supplants the old Desktop, is as unstable as NBC's fall schedule. By design, it's a bubbling cauldron of change, intended more to be cultivated like a garden than administered like a bookcase. Typical company-manual instructions like, "To launch the application, double-click on the icon in the second column of the fourth row," are pointless for the Start Screen, whose tiles for Office apps can literally float off the screen if the user bookmarks enough pages in Internet Explorer.

Security & Reliability Are Still Issues

Believe it or not, there's also the issue of security, which was supposedly the whole point of Windows To Go's existence. Because the operating system lives on a thumb drive, an easily copyable unit of memory with no hardware identity of its own, it cannot be treated as a trusted device by any security system that relies on a Trusted Platform Module (TPM) for authentication. A TPM is soldered to one host's motherboard, and anything sealed to it stays on that host; the drive carries nothing equivalent, and a byte-for-byte copy of it is indistinguishable from the original.

For some business networks, that's the ballgame: if policy forbids logging on from a system without a TPM, forget it. What's more, Microsoft's own BitLocker, which encrypts and protects content stored on thumb drives and other removable storage as well as fixed disks, normally seals its encryption keys to a TPM. You can go without one, but in a TPM's absence Windows To Go's alternative is a password the user types before the OS boots, something called a "secure password," which these days ranks up there with "safe school" and "affordable health insurance." With no hardware binding at all, that password is the only thing standing between a lost or copied drive and its contents, so its strength, and a recovery key escrowed somewhere other than the drive, are what the whole scheme rests on.
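What "BitLocker without a TPM" looks like in practice is a password protector on the workspace volume, plus a recovery password kept off the drive. The following is an added example, not code from the article or from Microsoft. It assumes the freshly provisioned drive is still mounted as W: on a Windows 8 technician PC with the BitLocker PowerShell module, that a password protector added there is what the workspace will prompt for at pre-boot (the same arrangement the Windows To Go Creator wizard produces: a password protector and no TPM protector), and that the recovery password is escrowed to C:\WTG-Recovery, a stand-in path.

```powershell
# Added example: enable BitLocker on a Windows To Go volume with a password protector, add a
# recovery password, and verify that no TPM protector slipped in. Paths and the length rule are assumptions.
$ErrorActionPreference = 'Stop'
$Mount     = 'W:'
$EscrowDir = 'C:\WTG-Recovery'   # stand-in for wherever recovery passwords are kept off the drive

# Without a TPM, this password is the only secret protecting a lost drive. Check its length
# without leaving a plaintext copy in a managed string any longer than needed.
$pw = Read-Host -AsSecureString 'BitLocker password (12 characters or more)'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
try     { $len = ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)).Length }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ($len -lt 12) { throw 'Password too short for a drive that roams with no TPM binding.' }

# Password protector in place of a TPM key. Used-space-only encryption is fine on a volume that
# was just imaged; AES-256 is chosen here because the drive will leave the building.
Enable-BitLocker -MountPoint $Mount -PasswordProtector -Password $pw `
    -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

# Second protector for the help desk: a 48-digit recovery password. Escrow it under the
# protector ID so it can be matched to the drive later. A forgotten password with no
# recovery protector means a dead drive.
$vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$rec = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
if (-not (Test-Path $EscrowDir)) { New-Item -ItemType Directory -Path $EscrowDir | Out-Null }
$escrowFile = Join-Path $EscrowDir ("{0}.txt" -f ($rec.KeyProtectorId -replace '[{}]', ''))
$rec.RecoveryPassword | Set-Content -Path $escrowFile -Encoding ASCII

# Verify the state we intended: a Password protector and a RecoveryPassword protector, and
# nothing sealed to this technician PC's TPM (which would never unlock on another host).
$vol   = Get-BitLockerVolume -MountPoint $Mount
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ($types -notcontains 'Password' -or $types -notcontains 'RecoveryPassword') {
    throw "Expected Password and RecoveryPassword protectors, found: $($types -join ', ')"
}
if ($types -match '^Tpm') {
    throw "A TPM-bound protector is present; it will not unlock the drive on another machine."
}
Write-Host ("{0}: {1}, {2}% encrypted, protectors: {3}" -f $Mount, $vol.VolumeStatus,
            $vol.EncryptionPercentage, ($types -join ', '))
Write-Host "Recovery password escrowed to $escrowFile (keep this off the drive)."
```

Where Active Directory is available, `Backup-BitLockerKeyProtector -MountPoint W: -KeyProtectorId <id>` is the better home for the recovery password than a file share, but the point of the check at the end is the same either way: make sure the protector set is exactly what a roaming, TPM-less drive needs, and that the one copy of the recovery secret is not travelling with the drive it unlocks.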

The final leg to stand on is reliability, and Windows To Go teeters here as well. A big part of Windows 8's value proposition is synchronization, which takes place through what's now called the Microsoft Account. When you log on to a new Windows 8 machine using an existing Account, many of the settings from the previous machine (your avatar, choice of colors, Desktop wallpaper among them) carry over. For syncing to happen reliably, each Windows 8 machine must be registered with Microsoft as "trusted."

That's a tall order for a device that isn't really a machine at all. If you tell Microsoft to "trust" a Windows To Go instance as though it were a machine, and anyone copies that thumb drive, suddenly you've cloned the machine. Which one does Microsoft trust now? What's the value of a trusted machine when any one of them may not actually be a machine, or when neither copy is any more original than the other?

The quandary doesn't end there. After having Microsoft officially "trust" the "machine" it loaned me, I had difficulties getting Windows To Go to join the homegroup. On two occasions, after I shut down the laptop running Windows To Go, the fact that the machine with my Account wasn't in a homegroup synced to the Windows 8 RTM tablet that was, which subsequently kicked it out of the homegroup and forced me to retrain it to recognize my own network.

You have to ask whose genius idea it was to synchronize a setting stating explicitly the lack of connectivity, over a machine that must obviously be connected in order to sync in the first place.

Why Windows To Go Matters

It’s the type of ridiculousness - with a capital “M” - that I've gotten all too used to over the decades. And yet I rank Windows To Go #4 on my Top 10 list of Windows 8 features. Am I an “oxy-moron?”

Here's my thinking: One of Microsoft's distinguishing features has been that it rarely quits anything after the first try. There is clearly something to the idea of giving employees a safe workspace they can hold in their hands. Windows 7 tried separating home from work with the homegroup concept, applying a different sharing policy on a network marked as "home" than on a work network, so that unwanted content in one does not spill into the other. Homegroups typically work well (at least in Windows 7-only scenarios), but because the home and work environments still share the same local hard drive, the concept is not perfect. And delivering virtual workspaces as virtual machines doesn't change this fact.

If you could run an entire workspace without the need of the local hard drive, and without impacting performance, you could improve business network security tremendously. This is why Windows To Go is such a big deal: It could lead, eventually, to huge savings for business. User Account Control was a big deal for Vista too, and as you’ll recall, Microsoft didn’t get it right the first time or the second time. But the third time was the charm and I look forward to a similar progression for Windows To Go.

See all of the Top 10 Windows 8 Features