Windows 8 has enhanced security with BitLocker, AppLocker, Windows Store apps, Secure Boot, Measured Boot and much more. It also offers superior seamless, fast and fluid experience for remote or VDI sessions with inbuilt support for technology like mobile broadband in ways you probably hadn’t considered. Simon May takes a look at why Windows 8 is great for business.
Over the past few years the world of end user computing has changed dramatically. Back in 2009 when Windows 7 was released there were few end-users who used multiple devices. I was working for an organisation that was one of the exceptions, issuing some users with relatively dumb smart phones for email access. My how the world has changed.
User Demands Have Changed
Today it’s highly unlikely that your end-users are only carrying one device, many are carrying two or three. In some rare circumstances (Andrew Fryer and I) typically carry 7 devices each, we are extreme end users inside of Microsoft. As the world has changed so much our devices also need to change in almost every aspect. In the world of end user computing we are mainly driven by what our users expect from a device and as we all know some of those expectations are explicit and some are not.
On the list of explicit requirements are usually things like the ability power it on and in todays world very quickly – almost instantaneously. Small, light, fast, clear, bright, intuitive are also right up there on the list of expectation adjectives for end users. The list of implied expectations I think is far more interesting: security, reliability, easy to repair are often taken for granted or assumed by the user. Lets take a look at why Windows 8 is necessary to help IT deliver on some of these requirements.
The security features of Windows 8 are pervasive throughout the OS and build upon and compound the previous security investments in Windows. For example the Windows Store app model requires that apps declare to the end user (or to the IT Admin) precisely what the app needs to access within Windows such as the users work or home networks, documents, web cams etc. Additionally Windows Store apps don’t execute with the users standard set of permissions – instead they use a subset in much the same way Internet Explorer does. The upshot being that the app is less able to affect the devices stability. I use the term Windows Store here but that doesn’t require the app to have been obtained via the Windows Store, side-loading (the process of installing without using the store) is more relevant for many enterprises.
Encryption is an area where Windows 8 excels and compounds previous improvements. In Windows 8 BitLocker Drive Encryption (BDE) can be set to only encrypt data as it is placed onto the disk, where as previous versions of BDE would also encrypt the “white space” on the disk that contains no data. If you want you can still allow that to occur. BitLocker’s approach of only encrypting data as it is placed on disk becomes a boon when you consider the deployment process. With Windows 8 and System Center Configuration Manager 2012 we have the ability to pre-provision BitLocker or to put it another way encrypt the hard disk before Windows 8 is even installed. The upshot is that Windows 8 can be provisioned in an encrypted state. For anyone who’s had a build engineer take a device from your build factory before disk encryption has been run, and subsequently breach security by issuing the device to a user this will probably want Windows 8 as a result of that feature alone. It’s a job saver.
Encryption, More User Focused
There are other improvements too for BitLocker, most importantly these affect usability for the end user. With Windows 8 and BitLocker users can change their own BitLocker PIN without the need for admin rights, simplifying the process. Most BitLocker users I’ve seen (and EVERYONE) in Microsoft must run BitLocker to protect YOUR data never change their BitLocker PINs but they should. I actually helped a colleague add a PIN a few days ago as he was having to enter his BitLocker recover key upon every boot to use his device. Sub-Optimal! This is of course the next end user improvement, BitLocker can in Windows 8 with UEFI hardware network unlock itself. This process prevents your users having to find and enter their BitLocker recovery key on trusted networks, you as the IT guy define that network and the whole process is secured using public key certificates. This will reduce downtime and helpdesk calls for your users and for IT.
If you don’t think BitLocker is for you then consider what happens when you loose a device, also consider that most users think their devices are encrypted even if they aren’t since they’re smartphones and tablets often are. Now make the link to you CIO / CEO / CFO probably thinking you encrypt all devices and again deploying BitLocker could be a job saver.
Windows 8 with UEFI hardware also implements Secure Boot. Put simply the UEFI chip holds the current signature of Windows 8 and if that changes Windows 8 will enter recovery and recover to the state that Secure Boot knows, reboot and succeed to start. This is important because pre-boot malware has become an attack vector of choice. As a Malware creator getting your malware under the OS is a home run because it’s hard to detect once the device has started. Secure Boot prevents that ever happening.
Measured boot takes the Secure Boot process one step further and checks more granularly that files and processes within the OS haven’t changed by comparing more signatures. The measured boot process uses the TPM to check that boot is progressing as planned and has not been compromised.
For many control over what apps can run on a device is a paramount concern, in fact in the UK some industry sectors are unable to deploy devices upon which applications cannot be blocked. Windows 8 and Windows Server 2012 allow you to decide what apps can or cannot run on Windows 8 devices within your enterprise using AppLocker technology. AppLocker is not new to Windows 8 and Server 2012, it has been available since Windows 7 and Windows Server 2008R2 but in Windows 8 and Server 2012 AppLocker extends to Modern UI or Windows Store Apps. AppLocker is implemented through Group Policy and by creating a GPO to either enable or disable specific apps that are either side loaded or are delivered from the Windows Store. This process provides complete control. AppLocker can be used to allow or deny based on publisher, version or name of the app with publisher being the most permissive or restrictive (allowing or blocking all apps for a publisher) and name being the least permissive or restrictive (requiring an exact name match).
With regard to the AppLocker user experience at camps I’ve repeatedly been asked how to remove tiles from a users Start screen. AppLocker can help you achieve that. When apps have been blocked or only specific apps have been allowed (which infers all others are blocked) the app will not launch, cannot be installed from the store and upon login the tile is removed from the start screen (after the AppLocker policy is applied). The user may have paid for the app they are loosing access to and could be annoyed at the IT Admins blocking of their favourite app, but they still retain their purchase which will work on other devices that don’t have the GPO applied to them. Some IT Admins may want to use WMI filtering to make GPOs more dynamic, removing the block when the user is connected to an alternate network for example.
Anti-Malware by Default
Every Windows 8 devices has anti-malware protection by default. That is an incredibly important statement for enterprises because they can be sure that when someone brings a Windows 8 device into the office, even if it’s not corporately owned it will have some form of protection. Furthermore it is impossible to turn off Windows Update on a Windows RT device. Couple this anti-malware protection with a NAP solution with SHVs and you’ll be a step closer to safely allowing BYOD. For enterprises that want to take control of the anti-malware solutions in Windows 8 you will need to use either Windows Intune or System Center Configuration Manager 2012 SP1 with System Center Endpoint Protection. Once either solution is enabled you’ll have the ability to control updates and report compliance across your estate. Additionally you’ll have the ability to instantly, remotely initiate anti-malware detection so you won’t need to talk the user through the process.
The style in which we as individuals work has changed much over the past 3 to 4 years too. Always on connectivity is now expected and many of us work from home or on the road on a regular basis. One of the reasons for this change has been the abundance of access to the Internet from almost everywhere. Of course, being realistic, not all Internet connections are created equally and the quality of service you receive varies significantly. Trust me on this I know, I’ve spent over 40 nights in hotels this year and I run events where the Internet (which is always business-grade 30mbs minimum as advertised) varies dramatically. Thankfully we’ve realised this and there are changes throughout Windows 8 that make this experience better.
Mobile broadband now accounts for a vast amount of connections to the Internet with most smartphones and tablets being constantly connected. Services range from GPRS to 4G in the UK and those terms indicate vast ranges in bandwidth but not only in bandwidth, latency and loss are also a huge factor in modern networks. If we look at how people were connecting back in around 2000 when I started my career WAN connections were a known quantity – you got what you paid for. If you wanted a 1mbs backbone (yup) for your core network with 100ms round trip you pay for it and get it. Today that kind of connectivity is almost taken for granted and is substandard – your mobile phone connects better. If you wanted to make that purchase today you will have myriad options, you will probably go with the cheapest. The point is really that network conditions have changed and your devices now have to cope with many different network types.
Mobile broadband is now intrinsically understood by Windows 8. When Windows 8 sees mobile broadband hardware, a SIM and a connection you have the option to connect from the charms. Not only that but Windows 8 understands that you don’t want to experience shocking bills and so limits what happens over that connection. Windows 8 automatically marks mobile broadband connections as “metered” connections, and some activities, such as getting updates from Windows Update are not undertaken on metered connections. Metered connections are constantly tracked to tell you how much data you’ve used as well and many of the major carriers have Windows 8 apps to provide you with deeper intelligence on your bill. If an alarm bell just rang in your head, as it did in mine, about Windows Update not running on a metered connection and therefore not downloading anti-malware updates on a metered connection the fear not. IT admins can control metered connections with Group Policy, as you would expect.
It’s not only Windows 8 that understands metered connections. System Center Configuration Manager 2012 SP1 also understands metered connections, an app can in fact make use of the information. CM12 however uses the information to give you control over whether your users can download from your CM12 Distribution Points (DPs) over a metered connection.
As good remotely as locally
Because so many people now connect when they’re out and about access to remote sessions has become ever more important. There are times when you don’t want the data walking out of the data centre which is where VDI and Remote Desktop Services come into play. In Windows 8 and Windows Server 2012 these two areas have undergone massive improvement. Firstly the client and server now negotiate to find the best connection quality for both bandwidth usage and server performance, and they do that continually to maintain remote sessions that look as good as local sessions.
Ensuring that remote sessions look as good as local sessions was a key directive for the team. When I remote onto a Windows 8 VDI desktop it should feel local, and it does. Touch is respected (up to 256 points!! if the client supports that) and things flow as quickly on remote sessions as they do locally. Video is a prime example, watch Windows 7 and Windows 8 side by side and you quickly see the difference. The key is the way that the remote session is rendered, dynamically analysing the content on screen and sending that content to the users remote client in the most appropriate way. If the client sees moving pictures, it’s probably video and h.264 is used to encode and send the video (if it’s available for rendering on the client). If the content is a picture then a low res version is sent to the client and progressively updated with more detail – this lets the user get on with their task, such as viewing a webpage. Oh and for those guys working on trade floors, we now support up to 16 monitors.
Under the hood there is a also work being done to support those more lossy, more latent networks. In the case of video in a Windows 8 VDI or Server 2012 RDS session the video is sent as UDP packets and not as TCP packets. The difference being that UDP doesn’t require the acknowledgement of receivership that TCP does, in most cases dropping a frame or two while watching a video doesn’t hurt the experience so much. Video sent over TCP could require every frame to be acknowledged, slowing the frame rate right down, delivering a very jerky experience.
Of course the thought of VDI is great but the practicality is not for everyone and other solutions make sense. It’s great to not need to take a computer with you, but to have all your apps, your documents and your corporate access with you. Windows To Go is the solution that makes this work, allowing you to take Windows 8 with you on a USB drive, pop the drive into any Windows 7 certified PC, boot and log in. You then get your personalised experience with you. If you care about security you can encrypt the stick with BitLocker and you can implement DirectAccess to allow you to encrypt any network traffic back to your corporate HQ – right down to the specific servers being accessed. The second you pull your stick out of the PC you booted with it the PC will lock up, blocking all drive, keyboard, mouse and touch access. Thirty seconds later it will reboot to the PCs own OS. However if you pop your stick back in within 30 seconds you seamlessly carry on where you left off. Enterprises can use System Center Configuration Manager 2012 SP1 to manage the creation of the sticks with your normal enterprise deployment practices. We are seeing some organisations deploy Windows To Go to their temporary workforces to save cost, asking them to bring their own PC and boot from a stick.
Enabling BYOD with Windows To Go
Windows To Go sticks are managed just like any other computer in your estate. They have an AD account, they appear in CM12 as computers, when they’re in a PC they are the PC and you can do almost anything to them that you can to a normal Windows 8 device. Critically there is not usability difference to the end user.
Over the course of this article I’ve highlighted how Windows Store apps take a more modern approach; how BitLocker and pre-provisioning and used space encryption will save hours and pounds; how integration with new hardware can strengthen security and malware resistance with Secure Boot and Measured boot; how AppLocker will help you control application usage in Windows 8; how built in Anti-Malware will help increase trust and manageability in BYOD environments; how remote connectivity is improved throughout Windows 8 with mobile broadband and metered network integration; how VDI and RDS help when dealing with demanding users and remote connections and finally how Windows To Go can help with BYOD questions.
In short I’m up to about 2 pages of A4 at 10pt text or 2800 words and I’m only half way through the features of Windows 8 that matter for business.
The best thing you can do, right this second, is try Windows Server 2012, Windows 8 and System Center 2012 SP1
I have to say this one caught me out. I’m just setting up a task sequence to deploy Windows 8 and pre-provision BitLocker (which is wicked fast by the way!) and got caught with enabling and activating the TPM from WinPE. The solution I came up with works for me, on a Samsung Series 7 Slate but might not work for all hardware vendors (TPM is a little tricky like that).
The process turned out to be pretty simple.
The final effect takes advantage of Windows 8’s used space only encryption and starts encryption before the OS is even deployed, encrypting as the OS deploys – the net result is a fully encrypted machine within minutes!
Don’t forget to download Windows Server 2012, System Center and Windows 8 Enterprise to try this out and take a look at my other posts on System Center.