Windows-To-Go - Block access to data when connected to a normal Windows PC

Question

We would like to use Windows-To-Go in our company.
I have installed it on a Windows-To-Go certified USB key.

I really love it, but I'm a little concerned regarding access to the file-system.

The setup

• Windows 8.1 Enterprise
• Local user account. No admin permissions
• Bitlocker encrypted with a PIN (PIN is the only option when using Windows-To-Go)
  
  

The situation

We would like to give this key to users so they can work from home. (They use it to start a VPN session and connect to a VMware VDI Windows session)
To boot they need to fill in the encryption PIN.
When windows is booted they can log in with a local user account.
From here they have no admin permission and cant modify system files.
Everything is great!

The problem

My concern is when they boot their PC like they normally would and connect the USB device to their own Windows session.
They are prompted to type a PIN (since the file system is encrypted), but unfortunately this PIN is known because they need is to boot from USB.
From here they can access and modify ALL the system files !!


So my question is:
How can we make sure that a user without admin permission can't access the system files?

Answer 1

Unfortunately there is not a way to protect the USB stick beyond the bitlocker to go. Since the user has the password they can mount in their machine and have access to the files. Whenever someone has physical access there is always this type of issue.

You may want to look at a Remote Desktop solution instead if you need total control. Remote Desktop Services Overview https://technet.microsoft.com/en-us/library/hh831447.aspx?f=255&MSPPError=-2147217396