Getting serious about security–Windows To Go in education

Two weeks ago I wrote about Windows To Go in education – outlining some of the scenarios that it could be used for, such as allowing students to access your standard Windows applications from their home computer, or to make BYOD in education easier (see the original article).

Windows To Go gives you a fully manageable corporate Windows 8 desktop on a bootable external USB stick. This could allow support for “Bring Your Own PC” and give access to your IT environment for users’ own devices without compromising security. The user just plugs the USB stick into their own computer, and instead of booting up as normal, the computer boots from the stick, and runs the Windows setup that’s on their (so if you give them a USB stick with Windows 8 and your classroom apps, when they plug it into a Windows XP home computer, it will magically temporarily transform it into a Windows 8 system!)

Obviously it’s good from a teaching and learning perspective, but I know that many of the IT people in Australian education have ‘security’ considerations at the front of their mind. And that sometimes the need for security overrides the ability to make things easier and more flexible for users – staff and students.

Windows To Go security considerations

So how does Windows To Go cope in a secure IT environment? Well, in addition to what we’ve written about security and data protection considerations for Windows To Go, the NSA (the US government’s National Security Agency) have produced a Windows To Go NSA Factsheet, covering the use of Windows To Go in secure IT environments. Although it isn’t specifically about BYOD in education, there’s plenty of relevant information.

So what advice does the NSA offer for Windows To Go? Well, first they start with useful scenarios for Windows To Go centred around providing a managed Windows environment while allowing users to roam to different machines in the workplace or home:


…scenarios such as managed free seating, temporary or contract workforce, and working from home. A preconfigured and managed Windows To Go device with a VPN solution, such as Direct Access, can provide a trusted environment for remote access into an enterprise network.

Travel amongst sites often requires a user to travel with a laptop or mobile device. Windows To Go could be used as a solution allowing employees to travel lighter while still having access to their desktop and managed network environment.

In high assurance scenarios, a Windows To Go device could ease situations where storage drives and devices must be removed and locked up when not in use.


In education we face these types of scenario daily – not just employees but students too. In universities, the ability to give a visiting researcher access to your full system by just giving them a USB key, or allowing your researchers to use your full system when they are away from your campus – without having to lug a laptop everywhere. And in schools and TAFEs, where there are many part-time teachers and support staff, the ability to give them ‘their own’ secure setup on a stick, but without having to give everybody a dedicated device.

The document goes on to list the security risks and effective mitigations (for example, encryption to prevent loss of data, enterprise administration to prevent unmanaged or rogue workspaces, and the default ability to disable access to hard disks on their host computers, to prevent data leakage). And it even goes on to walk you through the process of creating a secure Windows To Go workspace on a USB stick.

Learn MoreRead the full report from the NSA "Configuring Windows To Go as a Mobile Desktop Solution"