Features Exclusive to Windows 8 Enterprise
Microsoft is
providing a unique set of features for users of the Windows 8
Enterprise edition. This high-end Windows 8 product edition is
available only to corporate customers that subscribe to Microsoft’s
Software Assurance volume licensing program. So while it doesn’t make
sense to spend too much time describing each feature, we can at least
provide a rundown of what most of us are missing.
Unique features in Windows 8 Enterprise include the following:
- Windows To Go:
This feature lets you deploy a new, fully manageable Windows 8
environment on a bootable external USB flash drive, enabling the “Bring
Your Own PC” (BYOPC) usage scenario. Employees can use Windows To Go on
any company PC as well as from their home PC, securely accessing
corporate resources on an encrypted device that would be useless in the
hands of others. Windows To Go is a feature we hope to see ported to
other Windows editions in the future, and it would be a huge boon to
lab environments of all kinds, including those used by educational
institutions.
- DirectAccess: This
is a more modern take on VPN functionality, letting remote users
seamlessly access corporate network resources without dealing with the
hassles common to VPN solutions. DirectAccess is based on the proven
HTTPS (secure HTTP) tunneling technology Microsoft first used with
Exchange Server. There’s no VPN configuring, connecting, and
reconnecting. In fact, there’s no VPN at all. Instead,
DirectAccess-enabled PCs are simply always connected, securely, to the
corporate network. As long as you have an Internet connection, you’re
in. And for the end user, there’s nothing to see or configure. You’re
simply connected. And on the administrative side, IT pros and admins
can configure which corporate resources are available to which users,
and they can direct Internet-based network traffic as they see fit.
- BranchCache: Aimed
at distributed corporations, BranchCache lets servers and users’ PCs in
branch offices cache files, websites, and other content that is sent
from a central office over the WAN, so that it is not repeatedly
downloaded at great cost by different users in the same location. With
more and more corporate mergers and acquisitions, and larger companies
maintaining separate physical offices in different locales, this is a
real need.
- AppLocker:
Introduced with Windows 7 as a replacement for Software Restriction
Policies (SRP), AppLocker is more flexible and malleable but offers the
same basic functionality: It uses Group Policy-based rules to determine
which applications users can and cannot access. But it goes deeper than
SRP by introducing the concept of publisher rules, where admins can
specify which application versions are allowed or disallowed. For
example, suppose there’s a known vulnerability in an out-of-date
version of Adobe Reader, the popular PDF viewer utility. With
AppLocker, you could specify that users are allowed to install and use
Adobe Reader 10.01 (or whatever) or newer, only. Problem solved: Users
retain the ability to view PDFs and you, the administrator, don’t need
to worry that they’re doing so with obsolete and potentially dangerous
versions of the software.
- VDI enhancements:
With updates to RemoteFX and Windows Server 2012, users can access
virtualized instances of Windows 8 Enterprise from the data center and
receive rich desktop experiences via thin clients, including,
interestingly, Windows RT-based tablets. (See the following section for
more information about Windows RT in the enterprise.)
- Windows 8 (Metro-style) app deployment:
Domain-joined PCs and tablets running Windows 8 Enterprise will
automatically be enabled to “side-load” internal, Windows 8 Metro-style
apps, bypassing the Windows Store.
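The publisher rule described in the AppLocker item above can be written as policy XML and dry-run with the AppLocker PowerShell cmdlets before it is enforced. This is an added example, not code from the original text. The install path, the rule GUID, the PublisherName and ProductName strings, and the four-part reading of "10.01" as 10.1.0.0 are assumptions; read the real signature fields from the binary in step 1.

```powershell
# Added example (not from the original text): an AppLocker publisher rule with a version floor.
# Assumed values: the install path, the rule Id, and the PublisherName/ProductName strings.
$reader = 'C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe'

# 1. Show the signature fields that a publisher rule matches on.
Get-AppLockerFileInformation -Path $reader |
    Select-Object -ExpandProperty Publisher |
    Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Policy: allow Everyone (S-1-1-0) to run Adobe Reader 10.1.0.0 or newer.
#    AuditOnly logs what would be blocked instead of blocking it.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001"
        Name="Adobe Reader 10.1 or newer"
        Description="Version floor for Adobe Reader (placeholder Id)"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="10.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'reader-minimum-version.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 3. Dry run: report the decision this policy would make for the installed binary.
#    A build below the floor matches no allow rule and is reported as denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $reader -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. After reviewing the audit results, merge the rule into the local policy.
#    -Merge keeps existing rules; without it the local policy is replaced.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

AppLocker rule collections are allow lists, so once the Exe collection is enforced, anything no allow rule covers is blocked. The version floor only takes effect if no broader allow rule (for example a path rule covering Program Files) also matches the older binaries.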
Windows RT and Business: A Tablet for All Seasons
While ARM-based Windows RT tablets and
devices are aimed squarely at the consumer market, Microsoft also knows
that these devices will be hugely popular at work, because they’re
deployed by the employer or because users will simply choose to use
them to get work done. There’s just one problem: Windows RT, like the
basic version of Windows 8, doesn’t support domain join, so you can’t
integrate your Windows sign-in with your employer’s Active Directory
environment. Fortunately, Windows RT has two things going for it that
will somewhat mitigate this issue.
First, Windows RT, like all versions of Windows
8, fully supports the Exchange ActiveSync (EAS) management protocol,
the same technology that businesses use to manage devices of all kinds,
including Windows Phones, Apple iPhones and iPads, Android handsets and
tablets, and many other devices. EAS provides a ton of management
functionality, including:
- Push-based corporate e-mail, calendaring, tasks, and contacts: And these all integrate with the appropriate Metro-style apps on Windows RT, including Mail, Calendar, and People.
- Password:
Your workplace can specify a minimum password length, that a password
is required to use the device, that an alphanumeric password is
required, and password reset intervals. After a set number of failed
sign-in attempts, the device can be remote wiped or disabled. And many,
many more password policies are available.
- Timeout: Your workplace can specify that if the device is left unused for a set period of time, it will be locked automatically.
- Device encryption: Your
employer can require that any disks attached to the device be
encrypted. This can include the primary storage device (the internal
hard disk or SSD) as well as external storage. Windows RT provides this
support with device encryption.
- Hardware device disabling: Your
workplace can specify that certain devices in the Windows RT tablet be
disabled, including the camera, Bluetooth, IrDA, and more.
- Software disabling: Your
employer can specify that certain types of software be disabled,
including consumer e-mail, POP3/IMAP e-mail, web browser, and more.
Second, Microsoft is providing a special Windows
RT management client that will allow users to connect to a self-service
portal on their employer’s servers and browse and install Metro-style
line of business (LOB) apps that would otherwise require a domain
connection, as well as perform other duties. Key among these is the
ability of the employer to specify compliance around certain EAS-type
policies such as device encryption, the enabling of Auto Updates, and
the configuration of antivirus and anti-spyware solutions.
While these capabilities don’t quite amount to
domain join, they do remove most of the pain with using a Windows
RT-based device for work in a managed environment. It remains to be
seen how many companies will be forward leaning enough to implement
this in the years ahead, however.