Windows to Go where exactly?

Recently, I’ve seen a lot of excitement around Windows to Go, a new feature available in Windows 8. Windows to Go (WTG) enables Windows 8 (Enterprise) to boot from a USB Flash Drive (UFD).

Fundamentally, WTG includes three technical features:

  1. Windows support for USB boot (including USB 3.0)
  2. Support for installing and running Windows from a removable USB hard drive (yes, this is a different line item than 1)
  3. Support for handling “surprise removal” of Windows without hanging or crashing.

The latter is a rather nifty trick – since UFDs can be yanked from a system much more readily than internal drives, Windows has to handle the scenario of it’s main boot drive being pulled – which it hasn’t ever handled gently before. Historically, you unplug Windows’ boot drive (the one it’s actually running from, not the one it booted from, which is called the system drive – yes, really) and Windows crashes immediately. Windows Embedded has supported a few tricks here, but packaged versions of Windows never supported it, nor did they support booting and running from USB storage – which Windows XP Embedded (and WinPE) has done since they both added it a few years after Windows XP released to manufacuring.

The other thing that WTG adds that Windows never had before was a license to boot Windows this way. You see, there are few things stronger than the bond Microsoft has when it comes to Windows licenses being glued to PCs.

From the first time I saw WTG, I knew where it would end up, licensing-wise, in Microsoft’s product stack. It would land in Software Assurance (SA) – the featureset only available to enterprise customers paying annually for “subscriptions” to Windows. This means that as much fun as it could be for geeks, it is a feature unavailable to them unless they work in an organization that has SA on Windows. WTG is also available as a part of Windows Intune or a Virtual Desktop Access (VDA) subscription – but again, not available to organizations who only run the license of Windows that comes with their new PCs, and not available to consumers at all.

I’ve had many people comment on what a great solution WTG is – that it solves many problems. Frankly, I’m not sure. To me, WTG is effectively Virtual Desktop Infrastructure (VDI) where you take your desktop with you. It could prove useful in organizations where shift changes have multiple users using the same PC, or users simply have a collection of shared PCs to use. But really, all WTG does is enable users to roam their entire Windows PC state with them wherever they go. While the innate SkyDrive integration in Windows 8 and Office 2013, and SkyDrive Pro integration in SharePoint 2013 could enable seamless synchronization from WTG “PCs” to a central location, it means WTG needs to have Internet connectivity on a regular basis – or a user who loses their WTG key (as I lost mine – thankfully with no key data on it) loses their entire unsynchronized workload with it.

WTG does not perform any magic to keep Windows up to date, it requires patching and can get out of date – or compromised – just as easily as an install of Windows on a normal hard disk can.

I’m in an unusual situation to be considering WTG’s viability. In 2001, while working as a setup Program Manager in Windows, I started looking into what it would take to boot Windows PE (aka “WinPE”, our ultralight version of Windows, used during Windows setup since Vista) off of USB Flash Drives. With the help of two resourceful developers and an architect, we had a prototype running during 2002, and we worked hand in hand – 10 years ago – to get OEMs to build UFD boot support into their PCs. We talked about booting Windows itself from UFDs, and another project looked at storing user profiles themselves on UFDs.. While Windows Embedded did add the code to boot Windows from USB to their codebase, Windows itself (outside of WinPE) didn’t until Windows 8 added it for WTG. While I even have a patent that aligns with the idea of booting an entire PC from Windows, I still remain unconvinced that WTG makes sense for most scenarios. It makes sense where you need VDI but don’t have reliable access to a network (but then conversely creates issues where these Windows images can’t be patched or managed, and user documents can be loast as mentioned).

Some have suggested it’s suitable alternative to handing out tablets – I have to disagree, since you still need to provide hardware for WTG to boot from. It’s like handing a student a e-SATA drive and telling them to have a great schoolyear. The advantage of WTG is that it can boot Windows on – theoretically – any system the user has access to. The problems are rather significant, in my opinion (stated in order that users could hit them):

  1. PCs do not have a friendly boot structure. Even though we started the effort to boot Windows from USB 10 years ago, Windows PCs are no easier to boot from UFD than they were 10 years ago. I would have loved it if we could have gotten OEMs to standardize on say, hold down the Windows Key+U and it will boot from UFD. But no, that never happened. We’re still barely moving past BIOS and into EFI, which was already underway then to a degree as well.
  2. Organizations have spent so much time securing both their boot process (BIOS passwords anyone?) and USB connectivity (USB storage being a principal threat vector for PC infection) that in particular, passwords will ironically have to be thrown out. Users will need to, for the near term, be able to futz with BIOS settings – the last thing a non-technical user could or should be doing with Windows.
  3. Compatibility. WTG will work on PCs that have USB 2, but not terribly well. When we first tested UFD boot with OEMs, we found some took forever to boot (as they had questionable USB implementions in the BIOS itself), some crashed, some wound up with race conditions that caused issues once Windows was up and running. I don’t believe all of this has been rectified, since Windows still doesn’t get booted up on PCs regularly over USB.  WTG works best with USB 3 – which most PCs don’t have, and even those that do, like my Lenovo, often sport USB 3 on select ports, but not all – making it a confusing user proposition to actually try and work with. WTG is also the same as Windows 8, and has the same hardware requirements. It’s not as if you can take a bunch of early-era Windows XP systems out of service and have them serve as WTG hosts. Finally, WTG isn’t magic – it still requires drivers to work with the hardware it is running  from. If you can’t get the wired or wireless network up and running – which are still the most frequently unavailable devices I run into, personally, what hope do you have of downloading drivers for them or for any other device not included in your WTG image?
  4. Servicing. To that same end – if your WTG image isn’t connected regularly, yet is connecting to PCs regularly so you can add or remove files from it, you’ve created a new threat vector for the company network, since you have a “loosely managed” device that can become patient zero when it does finally connect to the network..
  5. Data loss. There are two aspects to this. One, most UFDs that exist today do not support two partitions. There are two drives that are tested and supported with WTG – because these two show up as “fixed”, not removable, USB 3 drives, they work great with WTG and – crucially – support BitLocker drive encryption. Nobody on this planet should EVER use WTG without BitLocker or a third-party disk encryption tool. NOBODY. The idea, in this time where we are constantly hearing about this laptop or that laptop being stolen or lost without it having drive encryption – and a new model for Windows that’s even easier to lose, and that it can even be deployed without BitLocker? Terrifies me. Second, as mentioned earlier if these Windows instances don’t have reliable network connectivity and the WTG device is lost – as tiny flash drives can be – the WTG device owner’s hard work is lost forever. A roaming user profile can’t save you if you never log on and sync it. :-/
Short story long, I think WTG is interesting technology, as it was when we started playing with the primordial ooze of Windows from USB 10 years ago. But I’m still not convinced that the problems it can create are outweighed by the small list of benefits it could bring. Disagree? Have  specific scenarios where you think WTG makes sense, or you think WTG solves problems for IT in a way that Windows on a HDD doesn’t, let me know in the comments!
  • http://twitter.com/FiveOhFour Fee

    I personally like it simply for the prospect of using it as a repair tool. Someone has a PC that wont boot for whatever reason, if the stars align i could boot that pc from a WTG drive and explore the “ill” hard drive without removing it, possibly quickly restoring it, maybe there is already a better alternative in the corporate space for remotely accessing a networked drive even when it cant boot, if so than maybe this is less appealing, but this one thing i like the concept for, as a diagnostic tool more than anything, not something to allow roaming computer use and save sensitive material on. just my thoughts

  • http://twitter.com/getwired Wes Miller

    Good thoughts – although Windows PE can do this today (and has been able to for 10 years). While Windows on a WTG drive can run almost any piece of software, Windows PE is more constrained – but lots of AV/anti-rootkit tools do run on it.

  • Leon

    WTG + Direct Access is fantastic for remote workers, as you can lock it down and ensure it is a well managed OS. It avoids data leakage as remote workers oftern work on home PCs or download nastys onto there corp machine. with WTG they can have a personal OS and a work OS. Its great for maintenance if a OS dies just replace it and you can remotely provision via SCCM2012. It has 1 up on local hypervisors, in that they can work (and often do) on any PC securely. Personally I am using it as part of our overseas project to rein in the wild PCs without having to spend money on remote support staff or server infrastructure. WTG + App-V + SCCM2012 + direct access is the name of the game (with some intelligent usage of Windows Sync center to avoid data loss). Also you can resize the WTG partition and pop some space (with a encryped Lumension container to avoid virus’s tranmitting to corp WTG OS) on there in case the user needs to transfer wifi drivers to get anything working.