
IRONKEY™ WORKSPACE W500 ON-PREMISE SERVER EDITION

Deployment and Installation Guide


Copyright 2013 Imation Corp.

Imation and Imation logo, IronKey and IronKey logo are trademarks of Imation Corp. All other trademarks are the property of their respective owners.

Imation Enterprises Corp., 1 Imation Way, Oakdale, MN 55128-3414 USA

www.imation.com

Support: http://www.Imation.com/support


CONTENTS

Introducing IronKey Workspace W500 .... 4
    About Microsoft Windows To Go .... 4
    General Overview .... 4
    Components .... 5
    Glossary .... 6

Planning your Microsoft Windows To Go deployment .... 8
    Minimum System Requirements .... 8
    Image Architecture .... 8
    Windows To Go Image Customization .... 9
    Antivirus Support For Windows To Go .... 9
    Activating Windows Licenses .... 10
    Software License Agreements .... 10
    IronKey Enterprise Server .... 10

IronKey Enterprise Server tasks .... 11
    Adding policies .... 11
    Adding users .... 12

Installing Windows To Go .... 14
    Preparing to Install Windows To Go .... 14
    Initializing an IronKey Workspace W500 Device .... 19
    Installing Windows To Go .... 21
    Customizing Windows To Go before issuing devices .... 23
    Issuing the IronKey Workspace W500 Device to users .... 25

Using IKRestore .... 28
    Converting between 32-bit and 64-bit architectures .... 28

Reference Documentation .... 30
    IronKey Enterprise Server Documentation .... 30
    Windows To Go .... 30
    Windows Assessment and Deployment Kit .... 30

3


INTRODUCING IRONKEY WORKSPACE W500

IronKey Workspace W500 is a trusted, secure USB flash drive. A Microsoft-certified Windows To Go device, IronKey Workspace W500 lets users turn virtually any computer into their own secure personal workspace, capable of using all host system resources. Administrators control the corporate IT Windows image that is installed on the device, so it can include all company applications. IronKey Workspace W500 uses hardware encryption to secure the operating system partition.

IronKey Workspace W500 devices can be managed using IronKey Enterprise Server. This guide was written for Administrators who are tasked with setting up IronKey Enterprise Server, installing Windows To Go, and issuing IronKey Workspace W500 devices to users.

For more documentation resources, see “Reference Documentation” on page 30.

ABOUT MICROSOFT WINDOWS TO GO

Microsoft® Windows To Go™ is a new deployment model for the mobile workforce. Introduced with Windows 8 Enterprise, Windows To Go allows you to install Windows 8 onto a Microsoft-certified USB device, such as IronKey Workspace W500 by Imation.

With Windows To Go, users can boot into multiple computer systems from a single installation of their operating system.

Designed for use with any PC that meets Windows 7 or Windows 8 certification requirements, Windows To Go enables users to carry their entire computer work environment and all of their data on a single IronKey Workspace W500 USB device.

Windows To Go installations can use the same Windows 8 Enterprise images used for desktop and laptop computers and the installations can all be managed in the same way.

GENERAL OVERVIEW

IronKey Enterprise Server allows you to manage IronKey Workspace W500 devices using a centralized administrative console. IronKey Enterprise Management Console gives administrators control over protecting your organization’s portable data and ensures that IronKey security policies are enforced. Before you can deploy devices using IronKey Enterprise Server, you must install the server and set up your administrative devices. For more information on installing and setting up the server, see the IronKey Enterprise Server Setup Guide.

The following diagram provides a high-level outline of the tasks involved in the deployment process.

4


Figure 1: Overview of IronKey Enterprise Server workflow

COMPONENTS

The following components are included in the IronKey Workspace W500 Server solution. The server is purchased separately from the W500 product.

1. IronKey Enterprise Server Software Kit—contains six IronKey devices:

• One Setup device that contains the necessary software for installing the IronKey Enterprise Server.

• Four System Admin devices

• One Standard User device for testing

5


2. IronKey Workspace W500 device—Pre-configured with the Control Panel application and a Preboot Environment image, and licensed to run IronKey Workspace W500.

The following utilities are also included on the IronKey Enterprise Server Setup device in the following folder:

E:\IronKey Workspace\W500\ where “E” is the drive letter of the device

• Admin Unlocker Tool software—Unlocks the OS partition in the local host environment in order to install Windows To Go to the secure OS partition

• IronKey Workspace Lock Screen wallpaper scripts—Allows you to replace the default wallpaper in a Windows To Go image file

• IronKey Control Panel installation wizard

• IKRestore application—to convert system architecture from 64-bit to 32-bit

Note: The IronKey Workspace utilities and documentation are also available as a download from the IronKey Support Page at: https://support.ironkey.com.

GLOSSARY

The following table provides definitions for common terms used in both the server and W500 documentation.

Table 1: Common terminology

Term Definition

activation The process by which the user activates a device (using the activation code sent by the administrator). Activation binds the user to the device in IronKey Enterprise Server and applies policies to the device.

Admin Code A combination of characters that you set when you initialize an IronKey Workspace W500 device. The code acts like a password and unlocks the operating system partition so that you can install Windows To Go. You will need to enter the same code when you add the user to the server. Once the device is activated by a user and they change the device password, the Admin Code is no longer used to unlock the OS. This code is intended for Admin use only.

bootability Refers to the probability that a W500 device will successfully boot from a host computer. In order to boot into a variety of different host system configurations, you can maximize the bootability of the device by setting it to Deployment Mode. See “To set the device mode for deployment” on page 24.

6


Configuration Mode This mode allows you to make changes to the operating system partition. The device is automatically in this mode after you install Windows To Go. You should change the mode to Deployment Mode when you issue the device to the user. See also, Deployment Mode.

Deployment Mode Switching the device mode to “Deployment Mode” maximizes the number of host systems on which the end user is able to boot their W500 device. You can set this mode after you initialize and install Windows To Go. See also, Configuration Mode.

host environment Same as the non-boot environment. Describes the scenario when the user is accessing the operating system of the host computer and does not boot into Windows To Go.

initialization The process by which you unlock the operating system partition on the W500 device (using the Admin Code set in the Server Management Console) and set the management option for the device.

issuance The phase during an IronKey Workspace deployment where devices are issued to end users after initializing the device and installing Windows To Go.

non-boot environment Refers to using the device as a USB drive on the host computer without booting the Windows To Go operating system on the device.

Secure Boot A component of UEFI-based (Unified Extensible Firmware Interface) computers that increases the security of the system by preventing unauthorized software from loading when the system starts up. Secure Boot ensures that all software, including the operating system, has a valid signature.


7


PLANNING YOUR MICROSOFT WINDOWS TO GO DEPLOYMENT

When planning your Windows To Go deployment, you can still follow the usual planning steps for a typical Windows deployment. This chapter outlines some extra items to consider when deploying IronKey Workspace W500 devices in an IronKey Enterprise Server environment.

MINIMUM SYSTEM REQUIREMENTS

All targeted host computers for Windows To Go must be certified for use with either Windows 7 or Windows 8 operating systems. The following table outlines the host computer's minimum requirements for Windows 8:

Item                     Requirement

Boot process             Capable of USB boot

Firmware                 USB boot enabled. (PCs certified for use with Windows 7 or Windows 8 can be configured to boot directly from USB; check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB.)

Processor architecture   Must support the image on the Windows To Go drive. IronKey Workspace W500 supports both 32-bit and 64-bit.

External USB hubs        Not supported; connect the Windows To Go drive directly to the host machine

Processor                1 GHz or faster

RAM                      2 GB or greater

Graphics                 DirectX 9 graphics device with WDDM 1.2 or greater driver

USB port                 USB 2.0 port or greater

*source: http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_hardware

IMAGE ARCHITECTURE

The Windows To Go image architecture that you choose to deploy will depend on the host PC's BIOS type (Legacy BIOS or UEFI BIOS) and the host PC's processor architecture (32-bit/x86 or 64-bit/x64), as shown in the table below.

Host PC Firmware Type   Host PC Processor Architecture   Compatible Windows To Go Image Architectures

Legacy BIOS             32-bit                           32-bit only

Legacy BIOS             64-bit                           32-bit and 64-bit

UEFI BIOS               32-bit                           32-bit only

UEFI BIOS               64-bit                           64-bit only

8


Note: While Windows RT is a version of Windows 8, built to run on ARM devices, Windows To Go does not support ARM architectures.

WINDOWS TO GO IMAGE CUSTOMIZATION

Customizing the operating system for a Windows To Go deployment follows the same workflow as other Windows 8 deployments; for example, required third-party drivers can be included in the same way as they would be for a regular Windows 8 image for a desktop or laptop computer.

With IronKey Workspace W500, you can customize the Windows To Go image file to display the IronKey Lock Screen wallpaper when you boot the device. For more information, see “Updating the Windows To Go Lock Screen Wallpaper” on page 15.

In order to manage IronKey Workspace W500 devices with IronKey Enterprise Server, you must install the IronKey Control Panel on each device. You can add the Control Panel to the image or install it on the device after you install Windows To Go.

There are only a few caveats that you need to be aware of when customizing Windows 8 for a Windows To Go deployment; the following list describes some important differences between Windows To Go and Windows 8:

• Any application that binds to the host PC's hardware during the software installation procedure will not work on a Windows To Go USB device.

• By default, the hibernate feature is disabled in Windows To Go.

• By default, the Windows 8 Store is disabled in Windows To Go.

• By default, the host PC's internal hard drives are offline in Windows To Go.

• Windows To Go does not support TPM to unlock BitLocker.

• The Windows Recovery Environment is not available in Windows To Go.

For more information on the differences between Windows To Go and a typical installation of Windows, read the Microsoft Windows To Go: Feature Overview guide (see the link on page 30).

ANTIVIRUS SUPPORT FOR WINDOWS TO GO

Imation recommends that you enable Microsoft Windows Defender for antivirus protection in the Windows To Go environment. As of the initial release date of IronKey Workspace W500, the following antivirus products do not support Windows To Go as a deployment model:

• McAfee VirusScan Enterprise

• Symantec Endpoint Protection http://www.symantec.com/business/support/index?page=content&id=TECH195325

9


ACTIVATING WINDOWS LICENSES

Before deploying Windows To Go, examine your Windows license to ensure that you are not using a Multiple Activation Key (MAK) to activate Windows To Go installations; MAK will require each host PC to use a separate Windows activation license.

Microsoft recommends that you use either Active Directory-based activation, or alternatively use the Key Management Services for Windows To Go activation management.

SOFTWARE LICENSE AGREEMENTS

Before including any software as part of a custom Windows To Go image, investigate all licensing requirements and agreements of the software manufacturer.

While most software will function properly when installed on a Windows To Go USB device, ensuring that the software manufacturer's End User License Agreement is compatible with a roaming Windows To Go-style deployment model is advised.

IRONKEY ENTERPRISE SERVER

When planning your deployment, the following list outlines some of the tasks administrators will need to complete to be able to manage W500 devices with the Server.

• Install and set up the IronKey Enterprise Server (this is outside the scope of this guide; see the IronKey Enterprise Server Setup Guide)

• Create policies for devices with the IronKey Enterprise Admin Console

• Add users with W500 devices to the Server account

• Install and customize Windows To Go on devices (for example, the IronKey Control Panel)

10


IRONKEY ENTERPRISE SERVER TASKS

IronKey Enterprise Server must be successfully installed before you can manage IronKey Workspace W500 devices. Installing the server is outside the scope of this manual. For more information, see the IronKey Enterprise Server Setup Guide.

Using the Admin Console for IronKey Enterprise Server, there are two main administrative tasks that you must complete to manage W500:

• Adding policies for devices

• Adding users

ADDING POLICIES

Policies let you control the behavior of IronKey Enterprise devices. For example, you can change device password parameters or perform remote administrative tasks using Silver Bullet, such as resetting a device password or recovering a device that has been lost. When a user activates a new device, the policy is applied to the device. Managed devices will automatically check for policy updates and download the latest policy after the user unlocks the device. Policy changes are enforced the next time the device is unlocked.

Some policy parameters do not apply to IronKey Workspace W500 devices. These include Silver Bullet Access Controls and Onboard software. These and other policy settings are described in detail in the “Managing Policies” chapter of the IronKey Enterprise Server Admin Guide.

To add a policy

1. In the Admin Console, click Manage Policies on the left sidebar.

2. In the IronKey Policy List menu bar, click the Add Policy button.

3. Type a name for the new policy in the Policy Name box under General Settings.

4. In the Password Policy section under General Password Settings, select the password requirements.

11


5. If you want to add other items, such as Silver Bullet Services, select them now.

6. When you are finished choosing policy settings, click the Save As New button.

Note: All managed devices must have the IronKey Control Panel application installed as part of the Windows To Go deployment image. The Control Panel enables the device to receive Silver Bullet updates when the device is booted in the Secure Workspace environment. For more information, see “Installing the IronKey Control Panel in Windows To Go” on page 17.

Caution: If a user is currently booted into Windows To Go and you disable the device using Silver Bullet, the operating system on the device will crash when the device receives the update from the server (the device contacts the server every 10 minutes). This could cause permanent damage to the operating system and loss of data.

ADDING USERS

When you add a W500 user to the Enterprise Server account, you must also reference the Admin Code for the device. The Admin Code is set during device initialization. It is used to unlock the operating system partition so that you can install Windows To Go.

When you add a user, you can have the server send the user an e-mail activation code. Users will need this code when they activate the device. During device activation, policies are downloaded to the device and the user will be required to set a device password. The new device password replaces the existing Admin Code.

To add a user

1. In the Admin Console, click Manage Users from the sidebar.

[Screenshot of the Add User page; its callouts read: “This option is not available for W500 devices” and “This option is available for W500 devices”.]

12


2. Click the Add button in the top right and click Add User.

3. Enter the following user information:

• Name—Optional. A user’s online account user name cannot be used twice, even if the user is deleted.

• Email—Highly recommended if you want to email the Activation Code

• Role—Choose Standard User for a general W500 user or any of the other user role options.

• Email Activation Code to user—if you do not want an automated email sent to the user, deselect the check box; however, you must provide the activation code to the user either manually or through another email system, or activate the device for the user.

4. Click W500 device. You can also add other devices for the user, for example an X250 device. For more information, see the “Managing Devices” chapter of the IronKey Enterprise Server Admin Guide.

5. Type an Admin Code in the text box and then re-type to confirm the code in the Confirm text box.

6. Click the Save button. The user is added to the Enterprise Account and, if applicable, an automated e-mail with device activation instructions is sent to the user.

Note: For more information about adding users, see the “Managing Users” chapter of the IronKey Enterprise Server Admin Guide.

13


INSTALLING WINDOWS TO GO

With Windows 8 Enterprise, Microsoft provides a new feature that allows you to deploy Windows To Go USB devices using the same custom image that is used for desktop and laptop computers. Microsoft supports the existing tools and applications that are used as standard practice for deploying images; the process for image creation, capturing, re-sealing and installation remains the same.

IronKey Workspace W500 devices are secure USB devices. Administrators must initialize and unlock the device before they can install the Windows To Go operating system to the device. Typical Windows To Go certified drives do not have this extra security measure.

The following workflow outlines the major steps involved in creating a bootable IronKey Workspace W500 device that can be managed by IronKey Enterprise Server.

Figure 2: Steps to install and issue devices to users

PREPARING TO INSTALL WINDOWS TO GO

You will receive the following components as part of your IronKey Workspace W500 device package:

• IronKey Workspace W500 device (in the box)
    • Pre-configured with the Control Panel application and a Preboot Environment image
    • Licensed to run IronKey Workspace

• IronKey Workspace W500 utilities (available on the IronKey Enterprise Server Setup device or as a download from the IronKey Support Web page at: https://support.ironkey.com).

• Admin Unlocker Tool software—Unlocks the OS partition in the local host environment in order to install Windows To Go to the secure OS partition

• IronKey Workspace Lock Screen wallpaper scripts—Allows you to replace the default wallpaper in a Windows To Go image file

• IronKey Control Panel installer—this application is required to manage the device with the IronKey Enterprise Server

14


You are responsible for:

1. Providing a customized Windows To Go image file (in WIM format). For more information, see “Windows To Go Image Customization” on page 9.

You can extract the golden base Windows 8 Enterprise installation image file from the Windows 8 Enterprise installation DVD or DVD-ISO. The filename for the Windows 8 Enterprise golden base image is “install.wim”; it is located in the “sources” folder on the root of the drive for the DVD and DVD-ISO.

• Replacing Lock Screen wallpaper—When you customize the image file, you can replace the Lock Screen wallpaper for the Windows To Go image file with IronKey Workspace-branded wallpaper. For more information, see “Updating the Windows To Go Lock Screen Wallpaper” on page 15.

• Installing IronKey Control Panel—For large deployments you can install the application on the Windows To Go image file

• Setting power management options—Determines policy options for Hibernate and Sleep mode in Windows To Go

2. Copying the image file to the Windows 8 Enterprise* computer—This is the computer that you will use to install Windows 8 Enterprise onto the IronKey Workspace W500 device.

* If you are using the Windows To Go wizard to install Windows To Go, you must use a Windows 8 Enterprise computer.

Note: For more information about how to plan your Microsoft Windows To Go deployment, see “Planning your Microsoft Windows To Go deployment” on page 8.

Windows Automated Installation Kit

The Windows Automated Installation Kit (AIK) has been renamed to the Windows Assessment and Deployment Kit (ADK) for Windows 8 and includes the Windows OEM Pre-installation Kit.

On a Windows 8 Enterprise system with the Windows ADK installed, you can customize, assess, and deploy Windows onto new computers, including IronKey Workspace W500 USB devices.

The workflow for customizing a Windows 8 image for use on a Windows To Go USB device uses the same familiar steps that you use for Windows deployments; you will be comfortable when configuring and capturing your Windows image using the new Windows ADK.

Updating the Windows To Go Lock Screen Wallpaper

IronKey Workspace W500 comes with scripts that allow you to modify the Lock Screen wallpaper for a Windows To Go image (WIM) file. In Windows To Go, the Lock Screen wallpaper is the default image that the user sees when the operating system boots. Using a Lock Screen wallpaper that indicates that the system is booting their secure IronKey Workspace environment (and not the locally installed host operating system) is helpful, especially if the host operating system is also using Windows 8.

15


It is recommended that you update the Windows To Go image with the IronKey Workspace Lock Screen before you install Windows To Go on IronKey Workspace W500 devices. However, you can also update the Lock Screen manually on the device after you install Windows To Go, see “Customizing Windows To Go before issuing devices” on page 23.

The following update scripts are available on the IronKey Enterprise Server Setup device or as a download from the IronKey Support Web page at: https://support.ironkey.com.

• replace_locked_screen.bat—Performs the Lock Screen wallpaper replacement. It can be used in conjunction with the other WIM-related scripts (included on the device) to update the Lock Screen in a Windows To Go Image file.

This script can also replace the Lock Screen of a pre-installed Windows To Go image that is either offline or already booted in Windows To Go.

• mount_wim.bat—Mounts a Windows Image file (WIM) to a mount folder to enable the manipulation of the image without having to install Windows To Go.

• commit_wim.bat—Commits all changes made to a mounted WIM file.

• discard_wim.bat—Discards all changes made to a mounted WIM file.

You will use three and possibly all four of these scripts to update the default Lock Screen in the WIM file with the IronKey Workspace-branded wallpaper. The update process involves mounting the WIM file, updating the Lock Screen, and then committing all changes made to the mounted image to the WIM file.

Note 1: You must use computers running either Windows 7 Enterprise or Windows 8 Enterprise to execute these scripts.

Note 2: All scripts must be run with Administrator credentials and all files that accompany the script files must be included to execute successfully.

To update the Lock Screen for a Windows image file (WIM)

1. From the IronKey Enterprise Server Setup device, copy the following folder to the local computer:

E:\IronKey Workspace\W500\Customization\replace_lock_screen_wallpaper where “E” is the drive letter of the device.

2. Start a command prompt with Administrative credentials and change the current folder to the location where you copied the replace_lock_screen_wallpaper scripts.

16


3. Mount the target WIM file using the mount_wim.bat script:

At the command prompt, type mount_wim.bat <WimFile> where <WimFile> is the name of the Windows To Go image file.

For example: mount_wim.bat install.wim or

mount_wim.bat E:\WindowsToGoImages\x86\salesWTG_04_2013.wim

The WIM file is now mounted in the mount folder that is created in the same folder as the mount_wim.bat script.

4. Update the Lock Screen of the mounted WIM file using the replace_locked_screen.bat script:

Type replace_locked_screen.bat <MountedImagePath>

For example: replace_locked_screen.bat mount

The Lock Screen in the mount folder is now updated.

5. Commit the changes made to the mounted WIM file using the commit_wim.bat script:

Type commit_wim.bat

The changes made to the mounted WIM file are saved and the original WIM file is updated with these changes.

Tip: To discard all changes made to the mounted WIM file type discard_wim.bat. All changes to the mounted WIM file are discarded, leaving the original WIM file untouched.
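The mount, replace and commit steps above, with the discard path from the Tip, written as an added PowerShell example. This is not the guide's own code and not the contents of the mount_wim.bat, replace_locked_screen.bat and commit_wim.bat scripts, which the guide does not show; it performs the same sequence with the Mount-WindowsImage and Dismount-WindowsImage cmdlets of the DISM module that ships with Windows 8 and the Windows ADK. The function name, the sample paths, the "mount" subfolder default and the location of the default lock-screen picture inside the image (Windows\Web\Screen\img100.jpg) are assumptions.

```powershell
# Added example: lock-screen replacement in a Windows To Go WIM via the DISM module.
# Not the IronKey scripts; their internals are not shown in the guide.
Import-Module Dism -ErrorAction Stop

# Note 2 in the guide: the scripts need Administrator credentials. Check before touching anything.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Assumption: Windows 8 keeps its default lock-screen picture at this path inside the image.
$LockScreenRelativePath = 'Windows\Web\Screen\img100.jpg'

function Get-Sha256Hex {
    # Hash helper for the run log (Get-FileHash needs PowerShell 4.0; Windows 8 ships 3.0).
    param([string] $Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Update-WtgLockScreen {
    param(
        [Parameter(Mandatory)] [string] $WimFile,    # e.g. E:\WindowsToGoImages\x86\salesWTG_04_2013.wim
        [Parameter(Mandatory)] [string] $Wallpaper,  # your IronKey-branded JPEG (assumed path)
        [int]    $Index    = 1,                      # image index inside the WIM; list them with Get-WindowsImage
        [string] $MountDir = (Join-Path (Get-Location) 'mount')   # like the .bat scripts: a "mount" subfolder
    )
    if (-not (Test-Path $Wallpaper)) { throw "Wallpaper not found: $Wallpaper" }
    if ([System.IO.Path]::GetExtension($Wallpaper) -notin '.jpg', '.jpeg') {
        throw 'The lock-screen picture must be a JPEG, like the file it replaces.'
    }
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # Show the edition/architecture of the index about to be changed, so an x86 job is not
    # run against the x64 image by mistake (the guide keeps the two in separate folders).
    Get-WindowsImage -ImagePath $WimFile -Index $Index |
        Select-Object ImageName, Architecture, Version | Format-List | Out-String | Write-Host

    # Step 3 in the guide: mount_wim.bat <WimFile>
    Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null
    $committed = $false
    try {
        # Step 4: replace_locked_screen.bat <MountedImagePath>
        $target = Join-Path $MountDir $LockScreenRelativePath
        if (-not (Test-Path $target)) { throw "Lock-screen file not present in image: $target" }
        # Files under Windows\Web are owned by TrustedInstaller even in an offline image;
        # take ownership and grant Administrators write access before overwriting.
        & takeown.exe /F $target | Out-Null
        & icacls.exe $target /grant 'Administrators:F' | Out-Null
        Write-Host ("old SHA-256 of {0}: {1}" -f $target, (Get-Sha256Hex $target))
        Copy-Item -Path $Wallpaper -Destination $target -Force
        Write-Host ("new SHA-256 of {0}: {1}" -f $target, (Get-Sha256Hex $target))

        # Step 5: commit_wim.bat. Reached only if everything above succeeded.
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $committed = $true
    }
    finally {
        if (-not $committed) {
            # The Tip's discard_wim.bat: leave the original WIM untouched on any failure.
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
    return $committed
}

# Example invocation (constructed placeholder paths):
# Update-WtgLockScreen -WimFile 'C:\WTG\install.wim' -Wallpaper 'C:\WTG\ironkey_lockscreen.jpg'
```

The try/finally is the point of the example: a mounted image that is neither saved nor discarded stays mounted and blocks later runs, so every exit path dismounts, and the original WIM is only rewritten when the copy succeeded. The before/after hashes give you a record of exactly what changed in the image for your deployment log.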

Installing the IronKey Control Panel in Windows To Go

IronKey Workspace W500 comes with an IronKey Control Panel installation wizard. The wizard installs the Control Panel to your Windows To Go image. The Control Panel allows managed W500 devices to receive Silver Bullet updates from the Server when booted into the Secure Workspace environment. It is recommended that you install the Control Panel for all managed IronKey Workspace W500 deployments.

For large deployments, the IronKey Control Panel can be pre-installed with other applications on the Windows To Go image. You can also install it manually after you install Windows To Go (see page 24), or use another supported Windows update procedure.

The file is available on the IronKey Enterprise Server Setup device or as a download from the IronKey Workspace link on the IronKey Support Web page at: https://support.ironkey.com.

Setting power management options in Windows To Go

When users authenticate in pre-boot, the IronKey Cryptochip enforces the hardware policy and the data-at-rest security condition. The Cryptochip protects against dictionary attacks, side-channel attacks, noise-analysis attacks, and similar attacks on the authentication. It also ensures that the encryption key and the user data are destroyed. Once the user has booted into Windows To Go, the IronKey Cryptochip no longer exercises access control over the user.

17


Desktop and laptop power management schemes use Sleep (S3) and Hibernate (S4) options to conserve power. In Sleep mode, a user can still access data in WTG when they resume working. The device is vulnerable to attack if the device and the host computer are compromised (or taken) while WTG is in Sleep mode. In Hibernate mode, the user must first go through IronKey Cryptochip authentication before they can access data in WTG and resume working. Authenticating removes the vulnerability that occurs with Sleep mode.

With Windows To Go, Sleep mode is enabled by default but Hibernate mode is not. To resolve this security issue, IronKey recommends that you enable Hibernate (S4) and disable Sleep (S3) mode in the Windows To Go image. Power management options are controlled by Group Policy settings for WTG.

Hibernate (S4) policy setting

This policy setting specifies whether the host computer can use the hibernation sleep state (S4) when started from a Windows To Go Workspace device. By default, hibernation is disabled when using Windows To Go; enabling this setting explicitly turns it back on. When a computer enters hibernation, the contents of memory are written to disk. When the system resumes, it is important that the hardware attached to the system, as well as the disk itself, are unchanged; that is, the device must remain in the same USB port.

Hibernate mode and roaming between computer hosts is not supported. Do not use Hibernate mode if the Windows To Go Workspace device will be used to roam between host computers.

Sleep (S1-S3) policy setting

This policy setting specifies whether the computer can use the standby sleep states (S1-S3) when started from a Windows To Go Workspace. When a computer goes to sleep, it appears as if it is shut down. If the user removes the device while the computer is in Sleep mode, he may lose unsaved data and the drive may become corrupt. If the user plugs the Workspace into another computer and then returns to the first host system while it is still in Sleep mode, the device will fail and could result in corruption of the drive, rendering the Workspace unusable. If you enable this policy setting, the Windows To Go Workspace cannot use the standby states to put the computer into sleep mode. If you disable or do not configure this policy setting, the Windows To Go Workspace can place the computer in sleep mode.


To set power management policies for Sleep and Hibernate mode

1. In the Local Group Policy Editor, browse to the following folder:

\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\

2. Do the following:

• Enable Hibernate mode—Select Enable for the Allow hibernate (S4) when starting from Windows To Go setting.

• Disable Sleep mode—Select Disable for the Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace setting.

Note: If you do not set power management options on the Windows To Go image, you can set these manually on each device after you install Windows To Go.
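As an added example (not code from the Imation guide), the following PowerShell applies both settings to the Windows To Go image offline, so every W500 imaged from that WIM carries them, and includes a check to run on an imaged device. It assumes the two policies are backed by the REG_DWORD values Hibernate and Sleep under HKLM\SOFTWARE\Policies\Microsoft\PortableOperatingSystem; the WIM path, image index and mount folder are placeholders.

```powershell
# Added example (not part of the Imation guide). Applies the two Windows To Go
# power policies to the WIM offline, so every W500 imaged from it ships with
# Sleep (S1-S3) disallowed and Hibernate (S4) allowed.
# Assumption: the two "Portable Operating System" policies are backed by the
# REG_DWORD values Hibernate and Sleep under
# HKLM\SOFTWARE\Policies\Microsoft\PortableOperatingSystem (1 = policy Enabled).
# Paths below are placeholders. Run from an elevated PowerShell on the
# Windows 8 Enterprise build computer.

$WimFile  = 'C:\WTG\install.wim'   # placeholder: your Windows To Go image
$Index    = 1                      # image index inside the WIM
$MountDir = 'C:\WTG\mount'         # empty folder used as the mount point
$HiveName = 'WTG_SOFTWARE'         # temporary name for the offline hive

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# 1. Mount the image read/write.
dism.exe /Mount-Wim "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit $LASTEXITCODE)" }

try {
    # 2. Load the image's SOFTWARE hive so its policy keys can be edited offline.
    reg.exe load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SOFTWARE"
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE)" }

    try {
        $PolicyKey = "HKLM\$HiveName\Policies\Microsoft\PortableOperatingSystem"

        # "Allow hibernate (S4) when starting from a Windows To Go workspace"
        # set to Enabled: memory is written to the encrypted OS partition and
        # the user must pass Cryptochip pre-boot authentication to resume.
        reg.exe add $PolicyKey /v Hibernate /t REG_DWORD /d 1 /f

        # "Disallow standby sleep states (S1-S3) when starting from a Windows To
        # Go workspace" set to Enabled: as the policy description in the guide
        # says, enabling it stops the workspace from using S1-S3, so an unlocked
        # session is never left resident in the RAM of a sleeping host.
        reg.exe add $PolicyKey /v Sleep /t REG_DWORD /d 1 /f
    }
    finally {
        # 3. Always unload the hive; DISM cannot commit while it is loaded.
        [GC]::Collect()
        reg.exe unload "HKLM\$HiveName"
    }

    # 4. Commit the change into the WIM.
    dism.exe /Unmount-Wim "/MountDir:$MountDir" /Commit
    if ($LASTEXITCODE -ne 0) { throw "DISM commit failed (exit $LASTEXITCODE)" }
}
catch {
    dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    throw
}

function Test-WtgPowerPolicy {
    # Run inside the booted Windows To Go session on an imaged device:
    # both values must read 1, and powercfg must list S1-S3 as unavailable.
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PortableOperatingSystem' |
        Select-Object Hibernate, Sleep
    powercfg.exe /availablesleepstates
}
```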

INITIALIZING AN IRONKEY WORKSPACE W500 DEVICE

After copying the WIM file to the Windows 8 Enterprise computer, you can initialize the device. Initializing a device creates an Admin Code for the device and lets you choose a device management option.

The Admin Code is a combination of characters that act like a password. It is used to unlock the operating system partition so that you can install Windows To Go. The Admin Code is associated with a user on the server and is included as part of the activation code to activate the device. If you set different Admin Codes for each device, ensure that the user is given the device with the same Admin Code as the one associated with that user on the server.


Management options

There are two management options:

• Managed—Device is managed by IronKey Enterprise Server; the server lets you create users, assign device policies, assign W500 devices to users, and more.

• Unmanaged—Device is not managed by IronKey Enterprise Server. Disabling device management may be helpful in the following situations:

• During image customization—An unmanaged device lets you customize and test your WTG image without having to create a test user, issue the device to the user, and activate the device.

• During rollout testing phases—If installing IronKey Enterprise Server is not part of the early phase of your product evaluation and you do not need to manage the devices at this time.

• If your company has not purchased IronKey Enterprise Server as part of the IronKey Workspace W500 product.

To initialize an IronKey Workspace W500 device

1. Insert the W500 device into a Windows 8 Enterprise computer.

2. In the AdminUnlocker folder on the IronKey Workspace W500, double-click the AdminUnlocker.exe file to start the Admin Unlocker tool.

3. Click Initialize.

4. Type an Admin Code in the text box, and then retype the code in the Confirm text box. Agree to the EULA and click Continue.


5. On the Device Management page, click Manage this device if you want to manage the device with the server, and then click Apply. This check box is enabled by default.

If you do NOT want to manage the device with the server, click to clear the Manage this device check box, and then click Apply.

Once the device is initialized, you can install Windows To Go.

INSTALLING WINDOWS TO GO

After you initialize the IronKey Workspace W500 device, you can install Windows To Go by running the Windows To Go wizard. After a successful installation, you can complete any final customization requirements before you issue the device to the user. This guide documents the install process using the Windows To Go wizard. However, you can choose to install the image using the method that works best for your company’s deployment plan.

As part of the Windows To Go install wizard, you can optionally choose to enable BitLocker. However, Imation does not recommend using BitLocker for IronKey Workspace W500 devices. The operating system partition for IronKey Workspace W500 devices is encrypted in hardware, so the software encryption that BitLocker provides is not necessary.

Preventing Data Leakage

Microsoft recommends two specific settings that will help protect against accidental data leakage with a Windows To Go USB device. These are set by default when you use the Windows To Go wizard.

1. The first Microsoft recommendation is to provision the USB drive with the NoDefaultDriveLetter attribute enabled. This attribute prevents the host operating system (for example, a Windows 7 desktop) from assigning a drive letter when the user inserts their Windows To Go device into a running computer: the drive does not automatically appear in Windows Explorer, and AutoPlay is not displayed. This reduces the likelihood of data leakage between the Windows To Go drive and the host PC while the Windows To Go operating system is offline.

2. The second recommendation is to enable the new OFFLINE_INTERNAL (4) Windows 8 SAN policy for the Windows To Go installation. This policy setting prevents Windows To Go from automatically connecting to the internal hard drives of the host PC. This reduces the likelihood of data leakage between the host PC and the Windows To Go drive when the host operating system is offline.


Note: The NoDefaultDriveLetter drive attribute and the OFFLINE_INTERNAL SAN policy are both automatically set when using the Windows To Go wizard.
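As an added check (example code, not from the Imation guide), the following PowerShell verifies both settings from inside the booted Windows To Go session and confirms that the host's internal disks really are offline. It assumes the SAN policy is stored as the partmgr SanPolicy registry value, that the Windows To Go OS volume is C:, and that the W500 is the only USB-attached disk.

```powershell
# Added example (not part of the Imation guide). Run inside the booted Windows
# To Go session on an imaged W500 to confirm the two data-leakage settings the
# wizard is documented to apply, plus the effect they should have.
# Assumptions: the SAN policy is stored as the REG_DWORD SanPolicy under the
# partmgr service parameters (4 = OFFLINE_INTERNAL); the Windows To Go OS
# volume is C:; the W500 is the only USB-attached disk. Returns $true only
# when everything checks out.

function Test-WtgLeakageSettings {
    [CmdletBinding()]
    param([string]$OsDrive = 'C')

    $ok = $true

    # 1. SAN policy OFFLINE_INTERNAL (4): Windows To Go must not bring the
    #    host's internal disks online.
    $parms = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters' -ErrorAction SilentlyContinue
    if ($parms.SanPolicy -eq 4) {
        Write-Host 'SAN policy: OFFLINE_INTERNAL (4) - OK'
    } else {
        Write-Warning "SAN policy is '$($parms.SanPolicy)', expected 4 (OFFLINE_INTERNAL)"
        $ok = $false
    }

    # 2. NoDefaultDriveLetter on the OS partition: a running host OS must not
    #    auto-assign it a letter (no Explorer entry, no AutoPlay) when the
    #    device is plugged in while Windows To Go is offline.
    $osPart = Get-Partition -DriveLetter $OsDrive
    if ($osPart.NoDefaultDriveLetter) {
        Write-Host "Partition $($osPart.PartitionNumber) on disk $($osPart.DiskNumber): NoDefaultDriveLetter set - OK"
    } else {
        Write-Warning "NoDefaultDriveLetter is NOT set on the $OsDrive`: partition"
        $ok = $false
    }

    # 3. Observable effect: every non-USB disk (the host's internal storage)
    #    should currently be offline.
    foreach ($d in Get-Disk | Where-Object { $_.BusType -ne 'USB' }) {
        if ($d.IsOffline) {
            Write-Host "Disk $($d.Number) ($($d.BusType)): offline - OK"
        } else {
            Write-Warning "Disk $($d.Number) ($($d.BusType)) is ONLINE; host data is reachable from this session"
            $ok = $false
        }
    }
    return $ok
}

# Remediation if a check fails (re-applies what the wizard sets by default):
#   Set-Partition -DriveLetter C -NoDefaultDriveLetter $true
#   diskpart  ->  san policy=OfflineInternal   (then reboot)
```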

To install Windows To Go

1. Insert the W500 device into a Windows 8 Enterprise computer.

2. Double-click the AdminUnlocker.exe file to start the Admin Unlocker tool.

3. Click OS Partition.

4. Type the Admin Code to unlock the operating system.

5. Click Exit to close the Admin Unlocker tool.

6. If you are installing the image using the Windows To Go wizard, start the Windows 8 Control Panel.

7. Start the Windows To Go wizard from the Windows 8 Control Panel.


8. Select the operating system (OS) partition on the W500 device in the Windows To Go wizard.

The OS partition is the larger of the two; the application partition is 1 GB.

9. Select the Windows To Go WIM file that you want to deploy.

If the WIM file is not automatically detected by the wizard, use the Add search location button and select the folder where the WIM file is located.

10. Complete the remaining steps in the Windows To Go wizard.

Imation does not recommend that you enable BitLocker. The IronKey Workspace W500 device uses hardware encryption to protect the device.

11. When the wizard finishes installing the WIM image, you can complete any final customizations to the device (for example, change the device to Deployment Mode, see page 23) before you issue the device to the user.

CUSTOMIZING WINDOWS TO GO BEFORE ISSUING DEVICES

To customize your Windows To Go installation before issuing the device, you must first unlock the operating system partition, and then boot into Windows To Go.

Common customization procedures include:

• Installing the IronKey Control Panel—If the application was not installed as part of your WTG image, you can install it manually. This application is required to manage the device with IronKey Enterprise Server.

• Updating the Lock screen—If you did not customize this as part of creating the Windows To Go image file, you can update it on each device. For more information about the Lock screen and update scripts, see page 15.


• Setting power management options—If you did not set this when the Windows To Go image was created, you can set it on the device. For information, see “Setting power management options in Windows To Go” on page 17.

• Setting the device mode for deployment (recommended)—When you first install Windows To Go, the device is automatically set in Configuration mode to allow you to modify the operating system partition. Before you give the device to a user, you should change the device mode to Deployment Mode. Deployment Mode maximizes the number of host computers on which the W500 device will successfully boot. However, once set, you cannot make changes to the operating system partition unless you change back to Configuration mode.

To unlock the device and boot into Windows To Go

1. Insert the W500 device into a computer that has been powered off.

2. Turn on the host computer and boot into the Preboot Environment of the W500 device.

3. If you are using a managed device, you will be notified that this device has not yet been activated. You may proceed with booting into Windows To Go by clicking OK.

4. Type the Admin Code for the W500 device, and then click Unlock.

5. The system will reboot into Windows To Go. Once booted into Windows To Go, you can perform any final customization steps required for this device.

To update the lock screen on a device

1. On the IronKey Enterprise Server Setup device, copy the following folder to the imaged W500 device:

E:\IronKey Workspace\W500\Customization\replace_lock_screen_wallpaper where “E” is the drive letter of the device.

2. Using the operating system on the device, start a command prompt with Administrative credentials and change the current folder to the location where you copied the replace_lock_screen_wallpaper scripts.

3. Type replace_locked_screen.bat C: to run the script, specifying the C: drive as the Windows To Go operating system partition.

4. When the script finishes, reboot the system to view the updated Lock Screen wallpaper.

To manually install the Control Panel

1. While booted in the custom image environment, start the IronKey Control Panel wizard by double-clicking the IronKey Control Panel setup.exe file. The file is located on the IronKey Enterprise Server Setup device or as a download from the IronKey Support Web site at: https://support.ironkey.com.

2. Follow the steps in the wizard to install the IronKey Control Panel.

Once installed, the Control Panel will auto-launch when the user logs into Windows To Go.

To set the device mode for deployment

1. Insert the W500 device into a Windows 8 Enterprise computer.


2. In the AdminUnlocker folder, double-click the AdminUnlocker.exe file to start the Admin Unlocker tool.

3. On the main page of the Admin Unlocker tool, click Deployment Mode.

If the device is already in Deployment Mode and you need to modify the device, click Configuration Mode.

4. Click Apply.

ISSUING THE IRONKEY WORKSPACE W500 DEVICE TO USERS

After Windows To Go is successfully installed on the device, you (or the end user) must complete the following tasks:

• Preconfigure the target Windows 8 compatible computer for use with the bootable USB device. This must be configured for each system on which the device will be used.

• Boot into the secure Workspace to configure the Windows installation settings. Configuring these settings is only required the first time you boot the device after installing Windows To Go. For managed devices, the user will have to activate the device in a non-boot environment before they boot into the secure Workspace.

Managed devices—When you give a managed device to a user, instruct the user to start the IronKey Control Panel in a non-boot environment and activate the device. They will need the Activation Code that they received by e-mail. The user will be prompted to set a password for the device during the device activation process. Once activated, the device can be managed by IronKey Enterprise Server.


Unmanaged devices—If the device is not managed by the Server, you should set a password on the device so that you do not have to give the user the Admin Code to unlock the device. After the password is set, the Admin Code is no longer valid for the device. Advise the user to change the password when you give them the device.

Note: For information about how to use their device, users can review the IronKey Workspace W500 User Guide from the IronKey Control Panel.

To preconfigure the target Windows 8 computer

1. Shut down the target Windows 8 compatible computer if it is not already turned off.

2. Turn on the computer and enter the BIOS/UEFI.

3. Configure the system to boot from USB.

4. Save the new BIOS/UEFI settings and shut down the computer.

Note: If a user wants to use the device with another computer, he must ensure that the target computer is configured to boot from USB. For more information about boot settings, see “Boot settings” on page 29.

To boot into the secure Workspace environment for the first time

1. If this is a managed device, the user must activate it in a non-boot environment before they can boot into the secure Workspace.

2. Ensure that the target Windows 8 compatible computer (that you preconfigured in the previous procedure) is powered off.

3. Insert the W500 device into the USB port of the target Windows 8 compatible computer.

4. Turn on the computer and wait for the IronKey Workspace Preboot Environment to boot.

5. If the device is unmanaged, the user (or Admin) must type the Admin Code and then click Unlock.

6. The computer will reboot into the secure Windows To Go workspace. Follow the onscreen instructions to configure settings for the Windows installation on the device. This is only required the first time the user boots into the secure Workspace.

Note: When a user boots into the secure Workspace on different computers, Windows To Go will adapt to the hardware of the local system to use its unique set of hardware components. This hardware adaptation process will not be performed with subsequent boots on the same computer. The device stores information for each system from which it has been booted. It applies the hardware profile for that system as the computer boots.

To change the device password

1. Insert the device into the USB port of the preconfigured Windows 7 or Windows 8 computer.

2. Start the Control Panel application by double-clicking the IronKey.exe file on the W500 device.

3. Type the default password and click Unlock.


4. Click the Settings button, and then click Password.

5. Type the Current and New Password in the appropriate text boxes, and then confirm the new password by typing it in the Confirm Password text box.

6. Click the Change Password button.

7. Click the Lock button, and then right-click the IronKey taskbar icon and click Exit.

8. You can now perform a safe-eject operation to remove the device from the computer.


USING IKRESTORE

IKRestore is an application that converts an IronKey Workspace W500 device with 64-bit architecture to one that uses a 32-bit architecture or the reverse.

CONVERTING BETWEEN 32-BIT AND 64-BIT ARCHITECTURES

By default, IronKey Workspace W500 devices use a 64-bit architecture image that comes pre-installed on the device. Most computers today are 64-bit computers. However, some older systems that still use 32-bit technology will not boot W500 devices with a 64-bit image. Assess the mix of machines used in your organization; you may need to convert the default 64-bit image on W500 devices to the 32-bit architecture.

Converting to a 32-bit system will ensure that the device works on older 32-bit systems and newer 64-bit systems that run in compatibility mode. However, Secure Boot is not available in compatibility mode and some 64-bit systems do not support this mode.

IronKey Workspace W500 comes with two IKRestore images: a 64-bit architecture image (which is applied to the application partition) and a 32-bit architecture image. The IKRestore images are available on the IronKey Enterprise Server Setup device or as a download from the IronKey Support Web page at: https://support.ironkey.com.

Refer to Table 2 for clarification on which W500 image architecture is supported on which computer processor architecture.

To convert from 64-bit to 32-bit

1. Plug the W500 device (64-bit) into the host computer.

2. Double-click the IKRestore 32-bit file.

3. Follow the instructions in the application.

4. After the IKRestore application finishes, when prompted, remove the device and plug it back in.

Table 2: Supported architecture

W500 image architecture    Computer processor architecture
                           32-bit            64-bit
32-bit image               supported         supported on some systems
64-bit image               not supported     supported


When enabling host computers to boot from W500 devices, select the following options according to the image architecture on the device.

Table 3: Boot settings

64-bit image

  BIOS-based computers:

  • Turn on USB BOOT and set USB MassStorage device to first in the boot order.

  UEFI-based computers:

  • Disable Legacy or CSM mode (if it exists) and enable UEFI mode with Secure Boot enabled.

  • From the local Windows 8 OS, enable Windows To Go Boot Entry from the Portable Operating System Template in Group Policy.

32-bit image

  BIOS-based computers:

  • Turn on USB BOOT and set USB MassStorage device to first in the boot order.

  UEFI-based computers:

  • Enable Legacy or CSM mode (if it exists) and disable UEFI Secure Boot mode.

  • Set USB MassStorage device to first in the boot order.


REFERENCE DOCUMENTATION

The following is a list of IronKey manuals and online documentation by Microsoft for Windows To Go, BitLocker, Windows ADK, and other Windows To Go related information.

IRONKEY ENTERPRISE SERVER DOCUMENTATION

• IronKey Enterprise Server Quick Start Guide

• IronKey Enterprise Server Setup Guide

• IronKey Enterprise Server Admin Guide

WINDOWS TO GO

• Windows To Go: Feature Overview
  http://technet.microsoft.com/en-us/library/hh831833.aspx

• Windows To Go Frequently Asked Questions
  http://technet.microsoft.com/en-us/library/jj592680.aspx

• Prepare your organization for Windows To Go
  http://technet.microsoft.com/en-us/library/jj592678.aspx

• Deployment considerations for Windows To Go
  http://technet.microsoft.com/en-us/library/jj592685.aspx

• Security and data protection considerations for Windows To Go
  http://technet.microsoft.com/en-us/library/jj592679.aspx

• Best practice recommendations for Windows To Go
  http://technet.microsoft.com/en-us/library/jj592681.aspx

• Windows To Go Step by Step
  http://social.technet.microsoft.com/wiki/contents/articles/6991.windows-to-go-step-by-step.aspx

WINDOWS ASSESSMENT AND DEPLOYMENT KIT

• Windows ADK Quickstart
  http://technet.microsoft.com/en-us/library/hh825343.aspx

• About the Windows Assessment and Deployment Kit
  http://msdn.microsoft.com/en-us/library/windows/hardware/br259106.aspx

• Windows Deployment with the Windows ADK
  http://technet.microsoft.com/en-us/library/hh824947.aspx
