Spyrus Windows To Go – Overview

Windows To Go, available on Windows 8 and Windows 10 Enterprise editions, can provide every member of your mobile workforce with the equivalent of their corporate desktop computer on a USB drive they can carry in their pocket or bag. The device can be plugged into any PC, whereupon it bypasses the PC’s operating system and boots a fully functional version of Windows that can be used either with or without an internet connection.

The benefits are clear: you can be productive from practically any location; there is no longer the need to lug around vulnerable and expensive laptops, and with the Spyrus Windows To Go (WTG) solution the implementation is totally secure.


The first thing you are likely to be concerned with when confronted with the prospect of carrying an image of your corporate desktop around with you on a USB drive is security. What if you lost it or it was stolen or compromised in some other fashion? How easily could its valuable and sensitive data be accessed?

Certainly, the threat is real; there are many ways of exploiting weaknesses and vulnerabilities in the software and hardware. In many ways it is a game of cat and mouse: the more sophisticated the threats to our data security become, the more sophisticated the measures we need to take in order to always be at least one step ahead.

So what are these sophisticated security measures? The security features that are available on the various models differ. Two provide hardware-based full-disk encryption while two more make use of smart card capabilities. The following summarises some of the important security features implemented in Spyrus WTG.

Trust Anchor

WS and WSP versions of the Spyrus WTG device incorporate a Rosetta micro security controller as a hardware trust anchor. The device includes a range of hardware security features and has been certified to FIPS-140 level 3 security. The trust anchor is where all keys are encrypted and stored, and it is responsible for user authentication and credential management.

Data-at-Rest Protection

As already mentioned, there is always the chance that you will lose your USB drive, so how is it protected should it come into the possession of hackers, either by chance or by design? Given that a single Spyrus WTG drive can contain up to 512 GB of data, the potential loss could be astronomical.

Naturally, the answer is strong encryption, and these devices use the strongest encryption that they are allowed to by law, making them impregnable to most attacks. High-entropy (very random) keys are used and are protected from various snooping exploits by the trust anchor mentioned above. The hardware is tamper resistant and no passwords are stored on the device.

User Authentication

The old chestnut is that any security system is only as strong as the user password, and guessing passwords has become both an art and a science. The Spyrus WTG implements several measures to protect against this vulnerability: strong passwords are enforced, passwords are sent over an encrypted channel, and only a limited number of failed attempts is allowed.

Boot Authentication

As you can boot your device on any PC, there is always the danger that you are booting onto a machine that has been compromised. Certain versions of the Spyrus WTG drive are able to perform tests that provide a high level of assurance that the computer is safe.

In-Use Protection

The above measures provide sophisticated protection while the device is not in use and during boot-up, but what happens after that? Once you are working within Windows, how are you protected against any malware that might be lurking or against external intrusions? Fortunately, there are several measures designed to keep you safe.

As mentioned, with Spyrus WTG you are completely isolated from the computer’s hard drives so you can be confident that you won’t be affected by any malware located there; neither will you leave any traces of what you did when you were there.

You are also protected from any attempted changes to your security settings, and read-only protection ensures that your data files are protected from any attempted intrusions. Other protections include configurable data vaults; centralised enterprise management, which includes the ability to perform a range of tasks such as disabling the device remotely and resetting the password; and smart card capabilities.

Horses for Courses

Hopefully, we have convinced you that the Spyrus WTG solution is secure and offers a real alternative for a mobile workforce and for other workplace scenarios such as working from home, BYOD (bring your own device), shared workstations and so forth. Naturally, not everybody’s needs are the same, and to accommodate this there is a range of device models with different levels of security, memory capacity and other features.

The entry-level WTG drive is the Portable Workplace, which offers software-based full-disk encryption. The Secure Portable Workplace (SPW) drive adds hardware-based full-disk encryption along with enhanced user authentication and boot-up integrity checks. The Worksafe (WS) model incorporates smart card capabilities, and the Worksafe Pro (WSP) incorporates all the security measures we have outlined and more.

All devices provide robust physical protection and tamper-proof encapsulated electronics, and they are available with memory sizes of between 32 GB and 512 GB.


Spyrus provides a software suite to facilitate the deployment of WTG drives. This includes a Creator utility to tailor the drives to the requirements of your organisation, including the OS configuration, applications, data vaults and other options.

It is clear, however, that configuring an enterprise Spyrus WTG solution presents a significant challenge to any organisation and IT department. Pygmalion has been providing services based on the Microsoft platform since 2009, and as a Microsoft Gold Partner they are ideally positioned to implement a bespoke Spyrus WTG solution for your organisation, so it would seem to be a good springboard for moving forward.