Tuesday, February 19, 2013

“Windows To Go” UEFI Only

“Windows to Go”: I am sure most of you have heard and read about this new feature available with Windows 8. For those of you who do not know, “Windows to Go” is a fully fledged Windows 8 OS on a USB stick or external USB drive. One might argue that there are other methods to put an OS on a USB stick; true, but this is more than that. First of all, with each Windows 8 Enterprise license you pay for, Microsoft includes a WTG license for free. The deployment is made easy and is enterprise ready; Microsoft calls this a “Workspace”. And I believe that in a year or so this will be a widely used method to provide desktops to employees and to encourage BYOD in the enterprise.

The scenarios that come to my mind:

I have been working at several clients where I am not allowed to connect my own laptop to the client’s network, and even if you do receive a derogation for that, your machine will still be limited in accessing all the resources you might need to get the job done. One of my clients has given me a VDI desktop: with a VMware plugin installed I am able to access a virtual Windows 7 machine hosted on the client’s VDI infrastructure. I must tell you, unless the company has spent enough money on appropriately sizing their VDI environment, the experience is really crappy. It is extremely slow and not very smooth. And on Fridays it is even inaccessible, because everybody works from home on Fridays here in the Netherlands (even if I manage to connect, it is really unusable. I am not joking, it is true).

Another client of mine has given me a laptop with their own image deployed and joined to their domain, i.e. a managed machine. Of course this works much better, but it requires me to carry 2 laptops with me at all times, because most of my stuff is on my Avanade machine. Sometimes, if you get lucky and beg long enough, the client will provide a small lightweight notebook, which helps limit the amount of weight you have to carry daily. And still, schlepping around 2 laptops is not an ideal situation.

Now imagine that these 2 clients, instead of investing in a laptop and/or allocating a VDI desktop for me, would just give me a Windows To Go. A certified USB stick of 64 GB costs about 150 USD/EUR. The OS license is free as mentioned above, I keep my own hardware and do not have to carry anything extra with me. Such a WTG is joined to the customer’s Active Directory domain and is a managed workstation from every perspective! Couple it with Direct Access, like Avanade did for example, and you have a perfect solution. And even if you are juggling 2 or more projects at a time, all you need is to label the USB keys correctly!

Another scenario could be: users only get workstations at work and occasionally have to work remotely from home, so they do not really qualify for a notebook. Instead of buying them a laptop, give them a WTG! Everybody has a computer at home these days, 85% of households have a couple, and at least one of them is less than 3-4 years old. Why invest in hardware if the user already has one at home?

Take my work room for example: I have a nice big screen attached to a desktop which is nicely built into my desk, with all the cables nicely tucked away. I do not even have a proper spot where I can put my work laptop down, which means I need to go and work at either the kitchen or the dining room table. Which means my family is around me and I am in their way all the time (well, actually they are in my way, but hey, a husband at home has no rights in the kitchen). The kids are asking something all the time, and every time I have to make a phone call I have to hide in one of the other rooms so they do not disturb me. Now, having the WTG, I just plug it into the desktop in my work room and start my Avanade workstation, which has all my stuff on it and is connected to the Avanade network with Direct Access.

You know, it can be even simpler than that: imagine you have an office with flexible workplaces. Place on each workplace a desktop without any OS deployed, really with an empty hard drive (or no hard drive at all). Deploy WTG sticks and give them to the users. They can plug them into any of the workstations and always have their own desktop, regardless of which workstation they are using. What I mean to say is, all you need then is hardware for hardware’s sake; no OS is required on the machines.

Sounds nice, no? Well, there are caveats to WTG from a security perspective. You are probably wondering about the title of this article by now, about the “UEFI Only” part, right? Well, let me explain:

A couple of months ago I went out and bought a 32 GB USB 3 stick with the intention of installing Windows To Go on it. Well, I was extremely disappointed when the wizard told me that the stick is not compatible. Reading some articles on TechNet explained this: Windows To Go is only supported on certified sticks (I’ll post links to supported sticks later in the article). The main requirement is that the stick presents itself as a fixed drive to Windows. I managed to install Windows 8 on the stick using a VHD, following one of the articles on the web, but this was not it: it was difficult to install and it performed badly. Then I found a piece of software manufacturers use to modify the sticks in the factories… and after “hacking” my stick I was able to flip the so-called “removable bit”. Now my stick presented itself as a fixed drive and I was able to use the built-in wizard in Windows 8 (only the Enterprise version of Windows 8 has this wizard in the Control Panel). Eureka, I thought, and 45 minutes later I was able to start from my USB drive and actually logged into a freshly installed Windows 8. The performance was not amazing, but workable. I then went ahead and joined my machine to the Avanade domain and, since I am a DA phase 2 pilot (an internal pilot for Direct Access we have), I dispatched an email to our DA man, Justin Martin, to put my new WTG machine into the correct OU. I also put our ITS Windows 8 deployment lead, Simon Windell, on CC. To my surprise Simon reacted to my message: the machine I had just joined to the Avanade domain had to be immediately disjoined from the Active Directory domain, since WTG is not allowed in the Avanade environment for security reasons. I contacted Simon, who explained that Windows To Go does not utilize the TPM chip for encrypting the drive, and since Avanade requires TPM-based encryption the machine is not compliant and thus not allowed on the Avanade domain.

You can imagine both my surprise and disappointment: if we do not allow WTG ourselves, then how am I going to advise clients to use it? I am not going too deep into the reasons why, but the bottom line is: since the standard out-of-the-box Windows To Go installation allows both Legacy and UEFI boot, when booted using a Legacy BIOS the system can be compromised, since the encryption key is not stored on a TPM chip but on the stick itself.

OK, there must be a way to build a WTG which only supports UEFI, right? And yes, there is! Microsoft designed Windows To Go to work on as much hardware as possible; all you need is a machine which is capable of booting from USB. This is why a Windows To Go stick created out of the box supports both the Legacy BIOS and the UEFI boot process. I am not going into the discussion of whether the fear that such a stick can be hacked and decrypted is realistic… Each company should investigate the probability and decide on its own. But in case you do not want to go and investigate, keep reading and learn how you can create a UEFI-boot-only Windows To Go.

Simon kindly lent me a certified Windows To Go USB drive and I started to look for a way to build a WTG with UEFI boot only. The basis for my method is these 2 TechNet articles: Windows To Go Step by Step and Deploy Windows To Go in Your Organization. Basically I looked at the PowerShell script mentioned in both articles and, following its logic, created a Windows To Go stick which only boots if the device supports UEFI boot.

We will need a machine with Windows 8 Enterprise installed (the WTG host machine) and an .iso image of the same Windows available.

To start we need to format the stick with a GPT partition table, since the UEFI boot process only works when the disk is GPT:

Start Diskpart from an elevated command prompt.

Type: list disk and select the correct one:

[screenshot: output of list disk]

In my case it’s Disk 1.

Type: select disk 1
Type: clean (to clean any present partitions)
Type: convert gpt (to convert the disk to a GPT partition table)

Now we are going to create the EFI partition:

Type: create partition efi size=100

The MSR partition of 128 MB is already there; I suspect it is created as soon as the disk is converted to a GPT partition table.

[screenshot: partition layout after creating the EFI partition]

Type: format quick fs=fat32 label=EFI

Type: assign letter=S

Now we need to create the OS partition, which will take the rest of the available space:

Type: create partition primary

[screenshot: partition layout after creating the OS partition]

Type: format fs=ntfs quick label=UFD-Windows (the label can be anything, e.g. WTG)

Type: assign letter=W (the choice of drive letter is also all yours)

Now we need to make the volume not mountable on other systems. This makes sure that if you plug the WTG into a running machine, the drive will not be accessible and will not get a drive letter. The drive can still be mounted via Disk Management in Windows (and on a Mac it does mount), but since we are going to encrypt the drive it will still not be accessible unless you know the password.

Type: attribute volume set NODEFAULTDRIVELETTER

(Keep the diskpart window open.)

Here is what it should look like:

[screenshot: diskpart session with the finished partition layout]

Now we need to load the OS onto the drive, and we are going to use DISM.EXE to apply the image. Have the Windows 8 .iso file handy and mounted (which is easy in Windows 8, since there is built-in support for mounting an .iso image).

So start another elevated command prompt, mount the DVD image (in my case it is mounted as G:) and run the following command:

dism /apply-image /imagefile:G:\sources\install.wim /index:1 /applydir:W:\

Wait a while until it is completely done (get a coffee, because it will take time).

Once it is ready we need to put the boot files in the correct location, i.e. on the UEFI partition (the /f UEFI switch writes only UEFI boot files, which is what makes the stick UEFI-only):

W:\Windows\System32\bcdboot W:\Windows /s S: /f UEFI

Now we need to do 2 more things:

Make sure that when the WTG boots, the physical drives of the host are not visible and not mounted.

Remove the Windows Recovery Environment (since WinRE is not supported on a WTG).

We do this using the following 2 XML files. Just copy the contents of each and save them under the corresponding file names.

San_policy.xml

<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               language="neutral"
               name="Microsoft-Windows-PartitionManager"
               processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35"
               versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               language="neutral"
               name="Microsoft-Windows-PartitionManager"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>

Unattend.xml

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-WinRE-RecoveryAgent"
               processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
    <component name="Microsoft-Windows-WinRE-RecoveryAgent"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UninstallWindowsRE>true</UninstallWindowsRE>
    </component>
  </settings>
</unattend>

Copy the San_policy.xml file to the root of W: and then execute the following command:

Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml

This applies San_policy.xml to the image (SAN policy 4 keeps the internal disks offline).

Then place the Unattend.xml file into the “W:\Windows\System32\Sysprep” folder; it is picked up during the oobeSystem pass on first boot.
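The whole build, from diskpart through DISM and bcdboot to the two unattend files, as one PowerShell script. This is an added example, not the post’s own commands or Microsoft’s script; the disk number (1), the ISO drive letter (G:), the S: and W: letters and the location of the two XML files are hypothetical defaults you pass as parameters. The USB bus check at the top is an extra guard the walkthrough does not have, so a wrong disk number cannot wipe an internal drive.

```powershell
# Added example, not code from the original post: builds a UEFI-only Windows To Go stick end to end,
# wrapping the diskpart, DISM and bcdboot steps from the walkthrough in one script.
# Run it from an elevated PowerShell prompt on the Windows 8 Enterprise host machine.
# Assumptions (hypothetical values, adjust them): the stick is disk 1, the Windows 8 ISO is mounted
# as G:, S: and W: are free drive letters, and san_policy.xml / unattend.xml are in the current folder.
param(
    [int]$DiskNumber = 1,
    [string]$IsoDrive = 'G',
    [string]$EfiLetter = 'S',
    [string]$OsLetter = 'W',
    [string]$XmlDir = (Get-Location).Path
)
$ErrorActionPreference = 'Stop'

# Guard: only ever clean a USB-attached disk, so a typo in the disk number cannot wipe an internal drive.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it."
}

# Same diskpart commands as in the walkthrough, run unattended via /s. GPT is required for UEFI boot,
# and NODEFAULTDRIVELETTER keeps the OS volume from auto-mounting when the stick is plugged into a host.
$diskpartScript = @"
select disk $DiskNumber
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label=EFI
assign letter=$EfiLetter
create partition primary
format fs=ntfs quick label=UFD-Windows
assign letter=$OsLetter
attribute volume set nodefaultdriveletter
exit
"@
$scriptPath = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

$wim    = "$($IsoDrive):\sources\install.wim"
$osRoot = "$($OsLetter):\"
$efi    = "$($EfiLetter):"

# Apply the Windows image to the OS partition (slow; this is the "get a coffee" step).
dism.exe /Apply-Image "/ImageFile:$wim" /Index:1 "/ApplyDir:$osRoot"
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Image failed with exit code $LASTEXITCODE" }

# /f UEFI writes only the EFI boot files, so a legacy BIOS has nothing to boot from.
& (Join-Path $osRoot 'Windows\System32\bcdboot.exe') (Join-Path $osRoot 'Windows') /s $efi /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# SAN policy 4 keeps the host's internal disks offline when the stick is booted.
Copy-Item (Join-Path $XmlDir 'san_policy.xml') (Join-Path $osRoot 'san_policy.xml')
dism.exe "/Image:$osRoot" "/Apply-Unattend:$(Join-Path $osRoot 'san_policy.xml')"
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Unattend failed with exit code $LASTEXITCODE" }

# The WinRE removal runs in the oobeSystem pass, so unattend.xml only needs to sit in the Sysprep folder.
Copy-Item (Join-Path $XmlDir 'unattend.xml') (Join-Path $osRoot 'Windows\System32\Sysprep\unattend.xml')

# Post-build check: the EFI boot manager must exist and no BIOS boot files should be present.
if (-not (Test-Path "$efi\EFI\Microsoft\Boot\bootmgfw.efi")) {
    throw "bootmgfw.efi missing on $efi; bcdboot /f UEFI did not produce a UEFI boot entry"
}
if (Test-Path "$efi\bootmgr") { Write-Warning "$efi\bootmgr exists: BIOS boot files are present on this stick" }
Write-Host "UEFI-only Windows To Go stick built on disk $DiskNumber ($osRoot)."
```

Save it as, say, Build-WtgUefi.ps1 next to the two XML files and run it as .\Build-WtgUefi.ps1 -DiskNumber 1 -IsoDrive G. The check at the end is the quick way to confirm the UEFI-only property before you even boot: a stick that also supports legacy boot would carry a \bootmgr file on the system partition, while a /f UEFI build only has \EFI\Microsoft\Boot\bootmgfw.efi.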

So now we are all done! We have created a Windows To Go which will only boot using the UEFI boot sequence. To check this we can now boot from the WTG, but before you can do this the BIOS needs to be set to allow UEFI. This is not an issue if you have a UEFI-only device; then there is no need to modify anything in the BIOS (besides the boot order perhaps). But my machine is a Dell Latitude E6410 and, since my currently loaded Windows 8 is not UEFI, I had to turn the UEFI option on. After going through the first-time setup of the machine (installing the drivers, etc.) I wanted to verify that this is really booting using the UEFI boot sequence. To do that, start an elevated command prompt and run

bcdedit /enum

This will tell you whether your machine booted using the UEFI boot sequence or Legacy boot. I would say, find the differences (hint: the path in the boot loader section).

UEFI Boot

[screenshot: bcdedit /enum output after a UEFI boot]

Legacy Boot

[screenshot: bcdedit /enum output after a Legacy boot]

So I went ahead and joined my machine to the Avanade domain and then wanted to BitLocker the OS drive, as required by Avanade policy! Well, that was not possible, since the domain policy does not allow BitLocker on the OS drive without a TPM. Hmmm, that’s no good! I booted back to my desktop and decided to turn on BitLocker from there. The Windows To Go host machine (the machine which is used to create Windows To Go sticks) is capable of accessing the partitions of the WTG which was created on it, and since the stick is then treated just like any other USB drive, I was able to encrypt the drive from PowerShell.

Start an elevated Windows PowerShell prompt.

First we need to add the recovery password as a protector; run the following command:

Add-BitLockerKeyProtector W: -RecoveryPasswordProtector

[screenshot: output of Add-BitLockerKeyProtector, recovery password masked]

This also lets you save the recovery password somewhere; in my image I have of course masked the recovery password.

Now we need to create a variable to store the password:

$spwd = ConvertTo-SecureString -String "<password>" -AsPlainText -Force

Replace <password> with a 6-digit PIN code.

Then run the following command to turn on Bitlocker encryption:

Enable-BitLocker W: -PasswordProtector $spwd

[screenshot: output of Enable-BitLocker]

After this command the encryption process will start, and it takes a considerable amount of time. I also read somewhere that you can just pause it and let it continue once you boot from the WTG. A nice thing is also that, since my WTG host machine is domain joined, the recovery password is also saved to AD, but under my host machine name (so not the WTG hostname).
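The same two-step encryption from the host as a script. This is an added example and not the post’s own commands; the mount point W: and the recovery file path are hypothetical defaults, and the explicit escrow to AD with Backup-BitLockerKeyProtector is something the walkthrough does not do (it assumes a domain-joined host with the BitLocker AD schema extensions in place, and is wrapped so a failure only warns). The PIN is read with Read-Host instead of being typed into the command line, so it does not land in the PowerShell history.

```powershell
# Added example, not code from the original post: encrypts the WTG OS partition from the host machine,
# the same two-step sequence as the walkthrough (recovery password protector, then password protector),
# with the recovery password written to a file and escrowed to AD, and a loop that waits for encryption.
# Assumptions (hypothetical, adjust them): the OS partition is W:, the host is domain joined with the
# BitLocker AD schema in place, and the BitLocker PowerShell module (Windows 8) is available.
param(
    [string]$OsLetter = 'W',
    [string]$RecoveryFile = (Join-Path $env:USERPROFILE 'wtg-recovery-password.txt')
)
$ErrorActionPreference = 'Stop'
$mount = "$($OsLetter):"

# Ask for the PIN rather than hard-coding it, so it does not end up in the script or the shell history.
$pin = Read-Host -Prompt 'BitLocker PIN for the WTG stick (6 digits in the walkthrough)' -AsSecureString

# Step 1: recovery password protector first, so there is always a way to unlock the volume.
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
"Mount point : $mount`nProtector ID: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
    Out-File -FilePath $RecoveryFile -Encoding UTF8
Write-Host "Recovery password saved to $RecoveryFile (store it somewhere other than the stick)."

# Step 2: add the password protector and start encrypting (same as Enable-BitLocker W: -PasswordProtector).
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pin

# Optional: escrow the recovery password to Active Directory explicitly. On a domain-joined host it is
# stored under the host's computer object, not the WTG hostname, as the walkthrough observes.
try {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId
} catch {
    Write-Warning "AD escrow failed: $($_.Exception.Message)"
}

# Wait for the encryption to finish before unplugging the stick.
do {
    Start-Sleep -Seconds 30
    $status = Get-BitLockerVolume -MountPoint $mount
    Write-Host ('{0}: {1}% encrypted ({2})' -f $mount, $status.EncryptionPercentage, $status.VolumeStatus)
} while ($status.VolumeStatus -ne 'FullyEncrypted')
```

Run it from an elevated PowerShell prompt on the host while the stick is plugged in and its OS partition is mounted as W:. Get-BitLockerVolume is also the command to use if you pause the encryption and want to check later, from the booted WTG, how far it has progressed.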

So this is all done and we have a working Windows To Go stick that is only bootable via the UEFI boot sequence and is useless on machines whose BIOS only supports Legacy boot. The last thing I needed to prove to our ITS was that Secure Boot is on. Secure Boot together with the UEFI boot sequence guarantees that only a specified OS is allowed to boot. The problem is that my Latitude E6410 does not support Secure Boot. Incidentally, a couple of days after I created the UEFI-only WTG I had a session planned with one of my colleagues to hook up SharePoint 2013 to Exchange 2013. Well, once I got to his place in the morning he had a brand new Windows 8 tablet from Acer. He was complaining that he was not able to load Windows 8 Enterprise on it using the image on his USB disk. This rang a bell with me: the reason the USB disk is not seen by the boot process is most probably that the tablet is UEFI only, so it needs a GPT-formatted disk to be able to boot from it. I told him “I’ll help you install the Enterprise version of Windows 8 on your tablet after you let me boot once from my own Windows to Go”. The boot went really smoothly, and after booting into the OS I checked whether Secure Boot is on:

Start elevated Windows Powershell prompt and run the following command:

Confirm-SecureBootUEFI

And ta-dah! Secure Boot is on!!! It says TRUE!

[screenshot: Confirm-SecureBootUEFI returning True, photographed from the screen]

Sorry for the quality of the image, but I used my phone to take it!
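The two checks above (the loader path in bcdedit /enum and Confirm-SecureBootUEFI) as one function you can run on the booted stick to get a yes/no answer. This is an added example, not the post’s own commands. It additionally reads the firmware_type environment variable, which Windows 8 and later set to UEFI or Legacy at boot; the function name Test-WtgBootCompliance is hypothetical. bcdedit and Confirm-SecureBootUEFI both need an elevated prompt.

```powershell
# Added example, not code from the original post: run on the booted WTG stick (elevated PowerShell) to
# check the same things the walkthrough checks by hand: the bcdedit loader path and Confirm-SecureBootUEFI.
# The firmware_type environment variable (UEFI or Legacy) is set by Windows 8 and later at boot.
function Test-WtgBootCompliance {
    $result = [ordered]@{
        FirmwareType   = $env:firmware_type
        BootLoaderPath = $null
        SecureBoot     = $false
        Compliant      = $false
    }

    # The "path" line of the {current} loader entry is the difference the walkthrough hints at:
    # \Windows\system32\winload.efi on a UEFI boot versus \Windows\system32\winload.exe on a legacy boot.
    $pathLine = bcdedit.exe /enum '{current}' | Where-Object { $_ -match '^\s*path\s+' } | Select-Object -First 1
    if ($pathLine -match '^\s*path\s+(.+?)\s*$') { $result.BootLoaderPath = $matches[1] }

    # Confirm-SecureBootUEFI throws on a legacy boot and on UEFI machines without Secure Boot support
    # (the walkthrough's Latitude E6410), so an exception is treated as "Secure Boot not on".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # Compliant in the sense of this post: UEFI firmware, EFI loader, Secure Boot on.
    $result.Compliant = ($result.FirmwareType -eq 'UEFI') -and
                        ($result.BootLoaderPath -like '*\winload.efi') -and
                        $result.SecureBoot
    return [pscustomobject]$result
}

Test-WtgBootCompliance | Format-List
```

On the E6410 this reports FirmwareType UEFI and a winload.efi loader path but SecureBoot False, which matches what the post found; on the Acer tablet all three come out true. Because the result is an object rather than screen output, the same function can feed a logon script or compliance check, which is the filtering problem the post leaves open at the end.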

So in conclusion: my method is supported by Microsoft (since I have consulted a member of the product group). And I am sure my steps can be scripted to automate the tasks.

The only thing we still need to figure out is how we can filter and check whether a machine is or is not allowed to be joined to the domain.