Windows To Go Step by Step
Introduction
Windows To Go workspace is an enterprise feature of Windows® 8 that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings.
Before you begin
- Have a Windows To Go certified USB drive. See the Windows To Go Design Document Hardware Considerations for more information.
- Have a host system with Windows 8 Enterprise client installed. (The command-line method works on any version of Windows 8 except Windows RT and needs two free drive letters; the examples use S and W.)
- A Windows 8 Enterprise sysprep generalized .WIM file (can be from install media or a captured custom Enterprise image). See Creating Images for more information about creating .WIM files.
- You may wish to review the Windows To Go Design and Windows To Go Deployment documents for additional information.
Step by Step guide on building Windows To Go
In this guide we are creating the operating system image that will be used on the Windows To Go drive. The preferred method for creating a single WTG device is to use the Windows To Go Creator Wizard. Alternatively, you can do this manually using a combination of Windows PowerShell and command-line tools.
Note
The Windows To Go Creator Wizard is only available on Windows 8 Enterprise clients.
To create a Windows To Go workspace with Windows To Go Creator Wizard
1. Connect the Certified WTG USB drive you will make into a Windows To Go drive to your machine.
2. Validate that the WIM file location you wish to use is accessible to the elevated user that will run the tool and that the WIM contains a valid Enterprise sysprep generalized image.
3. Press Win+W, type Windows To Go and then press Enter. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. The Windows To Go Creator Wizard opens.
4. On the Choose the drive you want to use page, select the drive that represents the USB drive you inserted in step 1.
5. On the Choose a Windows 8 image page, click Add Search Location and then navigate to the WIM file folder location verified in step 2 to identify the Windows image that you are going to use for your Windows To Go workspace.
6. (Optional) On the Set a BitLocker password (optional) page, you can select Use BitLocker with my Windows To Go Workspace to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click Skip. You can also decide later and enable BitLocker once you have booted into your WTG device. If you choose to encrypt now:
   - Type a password that is at least eight characters long and conforms to your organization's password complexity policy. This password will be provided before the operating system is started, so any characters you use must be able to be interpreted by the firmware. Some firmwares do not support non-ASCII characters.
   - If you chose to use BitLocker to protect your drive, your recovery password will be saved automatically in the documents library of the computer used to create the workspace. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords, it may also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten.
   - WARNING
     If you are planning to use a USB-Duplicator to create multiple Windows To Go drives, DO NOT enable BitLocker prior to duplication. Drives protected with BitLocker should not be duplicated as they will use the same encryption key.
   - Retype the password, and then click Next.
7. Click Create to start the Windows To Go workspace provisioning process.
8. Wait for the creation process to complete, which could take up to 30 minutes or longer depending on the size of the image you are creating. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. You can now enable the Windows To Go startup options and reboot into your Windows To Go device.
To create a Windows To Go workspace with PowerShell commands
The following Windows PowerShell cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. Ensure that only the USB drive you want to provision as a WTG device is connected.
Launch an elevated Windows PowerShell prompt by pressing Win+Q, typing powershell and then pressing Ctrl+Shift+Enter, or by right-clicking Windows PowerShell and clicking Run as administrator.
In the Windows PowerShell session type the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This partition scheme can support computers that use either UEFI or BIOS firmware:
# The following command sets $Disk to all USB drives with more than 20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }

# Clear the disk. This deletes any data on the disk, and fails if the disk is not
# yet initialized (if that happens, simply continue with 'New-Partition…').
# Validate that this is the correct disk that you want to completely erase.
#
# To skip the confirmation prompt, append -Confirm:$False
Clear-Disk -InputObject $Disk[0] -RemoveData

# This command initializes a new MBR disk
Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR

# This command creates a 350 MB system partition
$SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive

# This formats the volume with a FAT32 file system
# To skip the confirmation dialog, append -Confirm:$False
Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
    -Partition $SystemPartition

# This command creates the Windows volume using the maximum space available on the drive.
# The Windows To Go drive should not be used for other file storage.
$OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
    -Partition $OSPartition

# These commands assign drive letters to the new drive. The drive letters chosen
# should not already be in use.
Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
Set-Partition -InputObject $OSPartition -NewDriveLetter "W"

# This command toggles the NODEFAULTDRIVELETTER flag on the partition, which prevents
# drive letters being assigned to either partition when inserted into a different machine.
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
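The commands above act on $Disk[0], whichever disk happens to match first. The following added example (not part of the original guide) refuses to continue unless exactly one USB disk matches and the letters S and W are free, and skips Clear-Disk on an uninitialized disk. Get-WtgTargetDisk and $Target are hypothetical names, and the IsSystem test is an addition to the guide's filter.

```powershell
# Added example, not part of the original guide.
# Get-WtgTargetDisk is a hypothetical helper name.
function Get-WtgTargetDisk {
    param(
        [UInt64]   $MinimumSize  = 20GB,
        [string[]] $DriveLetters = @('S', 'W')
    )

    # Same filter as the guide, plus IsSystem so a host disk is never a candidate.
    $candidates = @(Get-Disk | Where-Object {
        $_.Path -match 'USBSTOR' -and $_.Size -gt $MinimumSize -and
        -not $_.IsBoot -and -not $_.IsSystem
    })

    # $Disk[0] silently picks the first match; refuse to guess instead.
    if ($candidates.Count -ne 1) {
        $list = ($candidates | ForEach-Object { "disk $($_.Number) ($($_.FriendlyName))" }) -join ', '
        throw "Expected exactly one USB disk over $($MinimumSize / 1GB) GB, found $($candidates.Count). $list"
    }

    # The letters assigned later with Set-Partition must not already be taken.
    $used  = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Name })
    $taken = @($DriveLetters | Where-Object { $used -contains $_ })
    if ($taken.Count -gt 0) {
        throw "Drive letter(s) already in use: $($taken -join ', ')"
    }

    return $candidates[0]
}

$Target = Get-WtgTargetDisk
# Show what is about to be erased so it can be compared with the physical drive.
$Target | Format-List Number, FriendlyName, SerialNumber, Size, PartitionStyle

# Clear-Disk fails on an uninitialized (RAW) disk, so skip it in that case.
if ($Target.PartitionStyle -ne 'RAW') {
    Clear-Disk -InputObject $Target -RemoveData   # still asks for confirmation
}
Initialize-Disk -InputObject $Target -PartitionStyle MBR
```

Use $Target in place of $Disk[0] in the remaining New-Partition commands.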
Next you need to apply the operating system image that you want to use with Windows To Go on the operating system partition you just created on the disk (this will take up to 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the Deployment Image Servicing and Management command-line tool (DISM). Note that the index number must be set correctly to a valid Enterprise image in the .WIM file:
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.WIM /index:1 /applydir:W:\
Be sure to specify a WIM file that contains a sysprep generalized image.
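One way to confirm the index before applying it, as an added example that is not part of the original guide: it lists every image in the WIM with the DISM module's Get-WindowsImage cmdlet and stops unless the chosen index reports an Enterprise edition. Test-WtgImageIndex is a hypothetical helper name, and the check relies on the EditionId value that Get-WindowsImage reports when called with -Index.

```powershell
# Added example, not part of the original guide.
# Test-WtgImageIndex is a hypothetical helper name.
function Test-WtgImageIndex {
    param(
        [Parameter(Mandatory = $true)] [string] $ImagePath,
        [Parameter(Mandatory = $true)] [int]    $Index
    )

    # The elevated session must be able to read the WIM (for example on a network share).
    if (-not (Test-Path -LiteralPath $ImagePath -PathType Leaf)) {
        throw "WIM file not found or not readable from this session: $ImagePath"
    }

    # The summary listing has no edition field, so query each index individually.
    $images = @(foreach ($summary in Get-WindowsImage -ImagePath $ImagePath) {
        Get-WindowsImage -ImagePath $ImagePath -Index $summary.ImageIndex
    })
    $images | Format-Table ImageIndex, ImageName, EditionId -AutoSize | Out-Host

    $selected = $images | Where-Object { $_.ImageIndex -eq $Index }
    if (-not $selected) {
        throw "Index $Index does not exist in $ImagePath."
    }
    if ($selected.EditionId -notlike 'Enterprise*') {
        throw "Index $Index is edition '$($selected.EditionId)', not Enterprise."
    }
    return $selected
}

# Path and index taken from the guide's own DISM example.
$wim   = 'n:\imagefolder\deploymentimages\mywtgimage.WIM'
$image = Test-WtgImageIndex -ImagePath $wim -Index 1
dism /apply-image /imagefile:$wim /index:$($image.ImageIndex) /applydir:W:\
```

This checks the edition only; it does not check that the image was sysprep generalized.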
Now use the bcdboot command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The /f ALL parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
Apply the new SAN policy setting OFFLINE_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a san_policy.xml file on the disk with the following content:
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        language="neutral"
        name="Microsoft-Windows-PartitionManager"
        processorArchitecture="x86"
        publicKeyToken="31bf3856ad364e35"
        versionScope="nonSxS"
        >
      <SanPolicy>4</SanPolicy>
    </component>
    <component
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        language="neutral"
        name="Microsoft-Windows-PartitionManager"
        processorArchitecture="amd64"
        publicKeyToken="31bf3856ad364e35"
        versionScope="nonSxS"
        >
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
Save the san_policy.xml file you created to the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command:
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-WinRE-RecoveryAgent"
        processorArchitecture="x86"
        publicKeyToken="31bf3856ad364e35" language="neutral"
        versionScope="nonSxS"
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
    <component name="Microsoft-Windows-WinRE-RecoveryAgent"
        processorArchitecture="amd64"
        publicKeyToken="31bf3856ad364e35" language="neutral"
        versionScope="nonSxS"
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
  </settings>
</unattend>
Once the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\Windows\System32\sysprep\).
Note
Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the %systemroot%\panther folder, which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
If you do not wish to boot your Windows To Go device on this machine and want to remove it to boot on another machine, be sure to use the Safely remove hardware option to safely disconnect the device before physically removing the device.
Booting your Windows To Go workspace
Now that your workspace is ready, you have two primary options for booting: using the new Windows 8 startup options or configuring your machine's firmware.
Enable the Windows To Go Startup options
- Press Win+W
- Type "Change Windows To Go startup options", then press Enter
- Select Yes
- Click Save Changes
Set the firmware boot order to USB first.
- Refer to your machine's user manual for instructions.