Windows RT in the Enterprise - whitepaper

Microsoft Corporation 30 Jan 2013 - Windows RT in the Enterprise


Copyright (c) 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. 

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

Last updated January 30th, 2013.


Table of Contents

Introduction (page 4)
Why Companion Devices? (page 5)
User Experience (page 5)
Peripheral Devices (page 6)
Applications and Features (page 7)
  Deploying Line of Business Applications (page 7)
  Office Home & Student 2013 RT (page 8)
  Mail, Calendar, People, and Messaging (page 8)
  Internet Explorer (page 9)
  Video (page 9)
  Lync (page 10)
  Skype (page 10)
  Additional Applications (page 10)
Connectivity (page 10)
  Directly Connected to the Corporate Network (page 10)
    Wireless Networks (page 10)
    Wired Networks (page 11)
    Proxy Servers (page 11)
    IPSec Domain Isolation (page 11)
  VPN Connectivity (page 11)
  Printing (page 13)
Remote Application Access (page 13)
  RemoteApp (page 13)
  Virtual Desktop Infrastructure (page 14)
  Remote Desktop Services (page 15)
  Remote Assistance (page 15)
  Third-Party Apps (page 15)
Data Access (page 16)
  SkyDrive (page 16)
  SkyDrive Pro (page 16)
  Network Share Access (page 16)
  WebDAV Access (page 16)
Security (page 16)
  Smart Cards (page 17)
  Boot Security (page 17)
  Device Encryption (page 17)
  BitLocker To Go (page 18)
  Accounts (page 18)
  Convenience Passwords (page 18)
  Credential Locker (page 19)
  SmartScreen (page 19)
  Windows Defender (page 19)
  Windows Firewall (page 19)
  Network Access Protection (page 19)
Manageability (page 20)
  Enterprise Systems Management (page 20)
  PowerShell (page 20)
  Governance Through Exchange ActiveSync (page 21)
  Windows Update (page 22)
  Data Backup (page 22)
  Local Policy (page 22)
Support (page 22)
Summary (page 23)
Glossary (page 24)
For Additional Information (page 26)


Introduction

Windows-based tablet devices are now available from a variety of manufacturers, offering a variety of capabilities. Deciding which device is best for a particular scenario requires considering the key capabilities:

Mobility. People who carry their devices, whether for travel to different cities or for routine meetings in their office building, appreciate tablets that are lightweight and have long battery life, which allows them to operate from wherever they are at that moment.

Workload. Some people are casual users, primarily reading e-mail, browsing the web, and running a variety of other apps that do not require much computing power. Others may be manipulating large spreadsheets, analyzing datasets, developing line-of-business software, or performing other more intensive operations.

Apps. For some employees, new immersive Windows 8 line-of-business apps and Windows Store apps will allow them to perform the majority of their work, while others may require access to existing line-of-business desktop apps. These desktop apps can be run either natively on Windows 8 tablets or accessed remotely using the RemoteApp technology, as long as appropriate connectivity is available.

Corporate Access. Some people may need access to the corporate network for their jobs, typically for using line-of-business apps. This can be accomplished using DirectAccess or a VPN connection when away from the office but on the Internet. Others need occasional online access, but frequently work offline and synchronize their files with the cloud or other remote computers.

Always On. Other users may need the constant connectivity provided by the “Connected Standby” feature so that apps can continue receiving information from networks even while the device is turned off. These apps can even notify people by playing notification sounds in cases of important events.

Manageability. Organizations may need to actively manage the devices used by employees.

Depending on which of these capabilities are most important, enterprises might choose devices running Windows 8 Enterprise or Windows 8 Pro, or they might choose devices running Windows RT. (See http://blogs.windows.com/windows/b/business/archive/2012/12/14/which-tablet-should-you-choose-for-your-business.aspx for additional information.)

Devices that run Windows RT excel at mobility, and are instantly on and always connected. They can also run newly-developed Windows Store apps. But they are not designed for heavy workloads; they cannot run existing desktop applications; they cannot join Active Directory domains or be managed using Group Policy; and they have more limited corporate network access capabilities. As a result, Windows RT devices typically will not be used in enterprises in the same broad scenarios as Windows 8 devices, which have robust enterprise capabilities.


Even with these trade-offs, there are use cases where Windows RT devices may be a good choice for enterprise customers. For example, these devices may be good as companion devices for those who already have Windows-based PCs, or as special-purpose devices running custom line-of-business apps used by some job roles (for example, sales).

The remainder of this document describes the specific capabilities and considerations of Windows RT from the enterprise perspective. Understanding these capabilities and trade-offs is key to making an informed decision as to what types of devices are right for your organization.

Why Companion Devices?

Companion devices (such as Windows-based tablets, iPads, and Android devices) are becoming pervasive in work environments. People like these devices because they are lightweight, have long battery life, and bring improved user experiences with touch interfaces and “instant on” performance. While some can use these companion devices to meet all of their needs, in enterprise environments many use these in conjunction with existing work PCs. These devices are also enabling new categories of cloud-connected applications, while also providing the business productivity capabilities that organizations have come to expect from existing PC form factors.

From an enterprise perspective, these companion devices will impact your organizations in at least two ways. First, many organizations are choosing to embrace the “bring your own device” (BYOD) strategy that allows employees to bring consumer-oriented devices into a corporate environment. To make these devices most productive, your organization can take proactive steps to ensure that these devices are supported by your enterprise infrastructure.

Second, many organizations will also start adopting companion devices for specific use cases, some driven by the capabilities of the new types of applications, some driven by the new device form factors now available. In either case, different categories of users may benefit from these companion device capabilities. Organizations should study these capabilities to determine which groups of users will benefit most and begin working on pilot projects to confirm these benefits, taking into account the tablet device choices described above. As with BYOD scenarios, this also requires taking proactive steps to ensure that these devices are supported by your enterprise infrastructure.

User Experience

Windows RT devices are designed for long battery life, while at the same time being thin, light, and sleek, regardless of form factor. This is enabled by the use of low-powered ARM processors designed from the ground up for energy efficiency, paired with additional power-saving hardware components, and the power-optimized Windows RT operating system.

The degree to which Windows RT has been optimized can only be achieved through the close cooperation between Microsoft and the OEM and silicon partners producing the Windows RT devices, the firmware that drives them, and the components that go into them. To ensure the best possible experience, a Windows RT device is always shipped as a preconfigured, optimized system; enterprises cannot load their own customized Windows image on the devices as they can with Windows 8.

As a result of these optimizations in Windows RT, these devices typically will never be turned off. Instead, they will operate in a newly-designed Connected Standby power mode, similar to what is currently used for mobile phones. While the screen is on, you have access to the full capabilities of the device; when the screen goes dark, the device enters Connected Standby mode. (Even while the screen is on, Windows RT will dynamically adjust the power consumption for unused parts of the system, as you would expect.) By using this Connected Standby mode, Windows RT devices are always instantly ready for use.

Even though Windows RT is a distinctly separate operating system from Windows 8, it does share much of the same functionality. As a result, you can be assured that the experience of using Windows RT will be very similar to Windows 8. Some examples include:

• Both natively support touch operation, while also supporting mouse and keyboard operation.

• Both provide the new “Start” screen experience for launching and organizing apps.

• Both support the new Windows Store application experience.

  o The Store app is used with both operating systems to install and update Windows Store apps.

  o The same Windows runtime (WinRT) APIs are used in both Windows 8 and Windows RT so that Windows Store applications can run on both operating systems.

• Both support a desktop environment.

  o File Explorer can be used to manage files and folders, connect to network shares, and access external storage devices.

  o You will have access to the Control Panel and its deep array of settings to give you a finer-grained level of control over your system.

  o The command shell and various utilities (such as Notepad and Regedit) are available on both Windows 8 and Windows RT.

  o Note that Windows RT only supports the desktop applications included with the device, while Windows 8 supports the installation of additional desktop applications.

• Both support multiple user accounts.

  o You can use local computer accounts or Microsoft accounts to log on to both Windows 8 and Windows RT. (Note that Windows 8 also supports Active Directory accounts, while Windows RT does not.)

  o You can use picture passwords and PINs (as convenience passwords) with both operating systems.

  o You can have multiple Administrator accounts as well as multiple standard user accounts.


Peripheral Devices

Windows RT adopts a new model for supporting a large variety of peripherals out of the box by leveraging standardized protocols and class drivers, which eliminates the need for specific drivers for each peripheral device. Class drivers are included in the operating system to support most mouse, keyboard, printer, camera, scanner, smartcard, Bluetooth, and storage devices, with a Windows RT certification process available to provide assurances that specific devices will work. See www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home for information about the devices that have been certified.

Applications and Features

With both Windows 8 and Windows RT, a new application model has been created to create touch-enabled, immersive applications which we commonly refer to as “Windows Store apps.” In most cases, the applications created using this application model can be used on both Windows 8 and Windows RT operating systems, as they implement the same underlying programming API (called WinRT). This makes it easy to support both Windows 8 and Windows RT in your organization from a single application.

This application model is distinctly different from what is used to create desktop applications, although the same Visual Studio toolset and programming languages can be used to create them. The full functionality of this new application model is exposed to all programming languages, including C#, XAML, JavaScript, HTML5, Visual Basic.NET, C++, and C, so your developers can use languages and technologies that they already know when creating these applications.

Deploying Line of Business Applications

Most organizations will want to deploy their internal line of business apps themselves (rather than making these apps publicly available to everyone through the online Windows Store for anyone to request and install). To support this, Windows RT (like Windows 8 Pro and Windows 8 Enterprise) supports the installation of applications through a process called “sideloading.” After a Windows RT computer has been enabled for sideloading, line-of-business Windows Store apps can be installed.

Enabling sideloading for Windows RT devices requires the installation of a special “Enterprise Sideloading” product key on each device. For many customers (including those with enterprise agreements or Select+ agreements), these product keys will be provided at no charge as part of the Software Assurance benefits for Windows. In other cases, these keys can be purchased. For more information, see How to Add and Remove Apps, the “Windows 8 Enterprise Sideloading” section of the Microsoft Product List document, and the Volume Licensing Guide for Windows 8 and Windows RT.

In most cases, enterprises will want to provide an “enterprise app store” where users of Windows RT devices can select from available line-of-business apps that will then be installed on the device. This enterprise app store can also be used to install organization-selected third-party apps, as well as web shortcuts. Windows Intune provides this functionality; see the “Cloud-Based Management” section below for more information.


These sideloading functions can also be performed using simple PowerShell commands, or through other Windows Store apps that implement similar functionality (through the WinRT APIs for app installation).

Office Home & Student 2013 RT

Windows RT includes Office Home & Student 2013 RT, which consists of cloud-enabled versions of the Excel, Word, PowerPoint, and OneNote desktop applications that have been optimized to run on Windows RT hardware, making them power-efficient and touch-friendly while maintaining document compatibility. Some functionality has been removed; see http://blogs.office.com/b/office-next/archive/2012/09/13/building-office-for-windows-rt.aspx for more details. After the final edition of Office Home & Student 2013 RT is released in a customer’s language, their Windows RT device will be automatically updated with the final edition for free through Windows Update (Wi-Fi connection required; ISP fees may apply).

Office Home & Student 2013 RT is licensed for non-commercial use. Commercial use rights are provided automatically when the Windows RT device is used as a companion device by the primary user of a device licensed for Office 2013 volume license or qualifying Office 365 offerings which includes Office 365 ProPlus, Office 365 Small Business Premium, Office 365 Midsize Business, and Office 365 Enterprise E3/E4. For more information, see http://office.com/officeRT and www.microsoftvolumelicensing.com/userights/DocumentSearch.aspx?Mode=3&DocumentTypeId=1.

In addition to the in-box Office Home & Student 2013 RT components, additional OneNote and Lync apps are available through the Windows Store. These apps have been designed and optimized to take advantage of the unique capabilities of Windows 8 and Windows RT.

Mail, Calendar, People, and Messaging

Windows RT includes a set of core communication apps that work together with both Exchange ActiveSync (which is the protocol used by Exchange and Outlook.com) and IMAP-based e-mail services (such as those provided by many ISPs), as well as various social networks. Together, these apps provide key productivity functionality, especially when combined with Office Home & Student 2013 RT. See http://windows.microsoft.com/en-US/windows-8/mail-calendar for additional information.

To use Mail and other core communication apps, a Microsoft account must be provided. After this account has been added, additional Exchange ActiveSync and IMAP accounts can be added.

Note that the communication apps provide basic mail, contact, and calendar functionality compared to the full-featured Outlook desktop application, which is not available on Windows RT as it is not part of Office Home & Student 2013 RT. Examples of functionality not present in the Mail and Calendar apps include:

• No support for information rights management (IRM) protected e-mail messages. (Office Home & Student 2013 RT does support reading but not creating IRM-protected documents, including those provided through e-mail attachments. The workaround for IRM-protected mail is to access the mail in the web browser through Exchange’s Outlook Web App.)

• No free/busy search capabilities to see other people’s calendars when scheduling new meetings.

• No support for client-side or server-side e-mail rules.

• No support for S/MIME signed e-mail communication.

• No support for POP3 e-mail services. For more information, see Using email accounts over POP on Windows 8 and Windows RT.

The communication apps do provide support for “remote wipe” capabilities of Exchange ActiveSync. This enables enterprise administrators to ensure that e-mail, calendar, and contact information is removed from lost devices or devices belonging to departed employees. Note that data that is not directly managed by the communication apps (for example, documents, photos, music, and so on, on the file system) will not be removed. To help protect this data, the built-in automatic device encryption of Windows RT is used to ensure that only authorized users can access these files. For more information on these capabilities, see the “Device Encryption” and “Governance Through ActiveSync” sections later in this document. (Note that Windows RT itself does not offer a system-level “remote wipe” capability.)

For more information about the Mail application, see the following blog posting: http://blogs.technet.com/b/exchange/archive/2012/11/26/supporting-windows-8-mail-in-your-organization.aspx.

The Windows Store apps and features included in Windows RT will be enhanced and updated over time. Updates for included Windows Store apps can be installed using the built-in Windows Store app; users will be notified when updates are available and can install these when they choose.

Another option available to those using Exchange 2013 or Office 365 is the Outlook Web App. When used on Windows RT with Internet Explorer 10, Outlook Web App can enable offline access to a mailbox. See http://office.microsoft.com/en-us/support/using-outlook-web-app-offline-HA102828007.aspx for more information.

Internet Explorer

Windows RT includes Internet Explorer 10, a completely new web browser that’s fast, fluid, and perfect for touch. Internet Explorer 10 has two different browsing experiences: a full-screen, immersive browser that’s ideal for tablets, and a traditional desktop version for legacy web browsing.

Although Internet Explorer 10 in Windows RT supports Adobe Flash for a limited list of websites, there is no support for additional plug-ins. For more information about how site developers can have their Adobe Flash site added to the list of sites, see http://msdn.microsoft.com/library/ie/jj193557.aspx.

Video

Windows RT includes an application to play a variety of media file formats. See http://msdn.microsoft.com/library/windows/apps/hh986969.aspx for a full list of the formats supported. These formats can be used from any Windows Store app, including custom line-of-business Windows Store apps.


Note that additional types of media files may be playable on Windows RT devices, but these could require additional Windows Store apps.

Lync

For organizations that use Lync as their communication platform, an app supporting Windows RT is available in the Windows Store. This app provides the core voice and video calling capabilities, instant messaging, and meeting support. See http://apps.microsoft.com/windows/en-us/app/lync/ba4b9485-8712-41ff-a9ea-6243a3e07682 for more details. (Note that the Lync app will allow viewing shared desktops, but the user’s Windows RT desktop cannot be shared using the app.)

Skype

A Skype app is available in the Windows Store. This app provides voice and video calling, as well as instant messaging capabilities. See http://apps.microsoft.com/windows/en-US/app/skype/5e19cc61-8994-4797-bdc7-c21263f6282b for more details.

Additional Applications

Windows RT also includes a variety of additional apps, such as Finance, SkyDrive, Sports, Travel, News, and Games. Like all of the in-box Windows Store apps, these can be uninstalled through the Start screen or through PowerShell if they are not desired. See http://technet.microsoft.com/library/hh852635.aspx for details on how to remove Windows Store apps. (Note that users can reinstall them from the Windows Store if needed.)
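The sideloading and app-removal operations mentioned in the “Deploying Line of Business Applications” and “Additional Applications” sections both use the Appx cmdlets that ship with Windows 8 and Windows RT. The following script is an added example, not part of the whitepaper or of any Microsoft documentation; the package path, the expected publisher subject and the in-box package name are assumptions, and it presumes the Enterprise Sideloading product key has already been installed on the device.

```powershell
# Added example (not from the whitepaper): verify, sideload, inventory and remove
# Windows Store (.appx) packages with the Appx cmdlets of Windows 8 / Windows RT.
# Package path, publisher subject and in-box package name are assumptions.
# Prerequisite on Windows RT: the Enterprise Sideloading product key is installed.

$PackagePath       = 'C:\Deploy\ContosoExpenses_1.0.0.0_ARM.appx'   # assumed path
$ExpectedPublisher = 'CN=Contoso Corporation, O=Contoso, C=US'       # assumed signer subject

function Test-AppxPackageSignature {
    param([string]$Path, [string]$Publisher)
    # A sideloaded package must carry a valid signature from a certificate the device
    # trusts, and the signer should be the publisher you expect; otherwise a package
    # renamed to look like your app could be installed by mistake.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is $($sig.Status); not installing."
        return $false
    }
    if ($sig.SignerCertificate.Subject -ne $Publisher) {
        Write-Warning "Signer is '$($sig.SignerCertificate.Subject)', expected '$Publisher'; not installing."
        return $false
    }
    return $true
}

# 1. Sideload the line-of-business app for the current user (the Windows Store is not involved).
if (Test-AppxPackageSignature -Path $PackagePath -Publisher $ExpectedPublisher) {
    Add-AppxPackage -Path $PackagePath
}

# 2. Inventory: which packages are installed for this user, and who published them.
Get-AppxPackage |
    Select-Object Name, Version, Publisher, Architecture, IsFramework |
    Sort-Object Name |
    Format-Table -AutoSize

# 3. Remove an in-box app that is not wanted on the device (the user can reinstall it
#    from the Store later). The package is looked up by name because the full name
#    also carries the version and a publisher hash.
$unwanted = Get-AppxPackage -Name 'Microsoft.BingFinance'   # assumed package name of the Finance app
if ($unwanted) {
    Remove-AppxPackage -Package $unwanted.PackageFullName
}
```

The signature check is the step worth keeping in any deployment script: Add-AppxPackage itself rejects unsigned or untrusted packages, but it does not know which publisher you intended, so the explicit subject comparison is what stops a wrong-but-validly-signed package from being installed.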

Connectivity

When using a Windows RT device to access enterprise resources, it is important to recognize that these devices may be used while connected to the corporate network or while connected to the Internet. In each case, it may be necessary to put in place specific configurations to enable these devices (or any BYOD devices) to access secured resources.

Note that Windows RT does not include support for DirectAccess, because this enterprise-targeted functionality is only present in Windows 8 Enterprise.

Directly Connected to the Corporate Network

Most Windows RT devices will be able to connect to a corporate network with either wireless or wired networking. However, because these devices cannot be joined to Active Directory, there may be some additional configuration necessary, or restrictions put in place that prevent full network access, as explained below.

Wireless Networks

Because no group policies are processed by Windows RT, settings such as preconfigured wireless network SSIDs will not be available on these devices. This configuration can be performed manually though by providing instructions to the users telling them the SSID to which they need to connect, along with the security details for that connection. This is typically a one-time operation, as Windows RT will remember the details for future connections.

For maximum security as well as auditing, wireless routers can often be configured to use Active Directory or certificates (often using smart cards) to authenticate users, as an alternative to using a preconfigured (and therefore public) connection key. Windows RT fully supports these 802.1x authentication options, as well as the built-in extensible authentication protocol (EAP) options described at http://technet.microsoft.com/library/hh945104.aspx. (Note that Windows RT may not support 802.1x connections if additional third-party software needs to be installed on the device, as this software will not be available for Windows RT.)
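Because the 802.1x profile on a Windows RT device is created by the user rather than pushed by Group Policy, the part worth auditing is whether the saved profile actually validates the authentication server (trusted root CA and server name pinned, no user override). The script below is an added example, not from the whitepaper; it uses the netsh wlan export command present on Windows 8 and Windows RT, and the profile name and output folder are assumptions.

```powershell
# Added example (not from the whitepaper): export a saved wireless profile and check
# how its 802.1X/EAP settings validate the authentication server.
# Profile name and output folder are assumptions; run from an elevated prompt.

$ProfileName = 'CorpWiFi'                          # assumed SSID / profile name
$ExportDir   = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# netsh writes "<interface name>-<profile>.xml" into the folder; the EAP settings are
# included without exposing any key material (no key=clear is requested).
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' |
           Where-Object { $_.Name -like "*$ProfileName.xml" } |
           Select-Object -First 1
if (-not $xmlFile) {
    throw "Profile '$ProfileName' was not exported; check the name with 'netsh wlan show profiles'."
}
[xml]$wlanXml = Get-Content -Path $xmlFile.FullName

# The profile mixes several XML namespaces; local-name() keeps the lookup independent of them.
function Get-ProfileValue([xml]$Doc, [string]$Element) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$Element']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

$report = [ordered]@{
    Profile           = $ProfileName
    Authentication    = Get-ProfileValue $wlanXml 'authentication'   # WPA2 (enterprise) vs WPA2PSK
    Encryption        = Get-ProfileValue $wlanXml 'encryption'       # AES or TKIP
    Uses8021X         = Get-ProfileValue $wlanXml 'useOneX'
    EapType           = Get-ProfileValue $wlanXml 'Type'             # 13 = EAP-TLS (certificate / smart card), 25 = PEAP
    ServerNames       = Get-ProfileValue $wlanXml 'ServerNames'
    TrustedRootCA     = Get-ProfileValue $wlanXml 'TrustedRootCA'
    DisableUserPrompt = Get-ProfileValue $wlanXml 'DisableUserPromptForServerValidation'
}
$report

# Findings a reviewer acts on: an 802.1X profile that pins neither a trusted root CA
# nor the server name will accept any authentication server that presents a certificate,
# and one that leaves the user prompt enabled lets the user click through a mismatch.
if ($report.Uses8021X -eq 'true' -and (-not $report.TrustedRootCA -or -not $report.ServerNames)) {
    Write-Warning "Profile '$ProfileName' does not pin the authentication server's root CA and name."
}
if ($report.DisableUserPrompt -eq 'false') {
    Write-Warning "Profile '$ProfileName' lets the user override a failed server validation."
}

Remove-Item -Path $ExportDir -Recurse -Force   # the exported XML is not needed afterwards
```

Because the whole profile, including these validation settings, can be exported from a correctly configured device as XML, the same command in reverse (netsh wlan add profile) is the practical way to give users a known-good profile instead of step-by-step instructions.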

Wired Networks

Wired network access will also be supported by many Windows RT devices because device manufacturers may optionally include a physical Ethernet port in their hardware designs. Typically, configuration is not required for wired network connections, but in cases where this is needed the Control Panel or PowerShell can be used to configure the needed settings.

The same 802.1x authentication capabilities described in the “Wireless Networks” section above are also supported for wired connections.

Proxy Servers

Again, because no group policies are processed by Windows RT, settings for proxy servers may need to be either configured manually or through other means. The simplest way to enable Windows RT to detect the presence of an internal proxy server that must be used when accessing the Internet is to enable the Web Proxy Autodiscovery Protocol (WPAD) on your corporate network. This involves configuring specific DHCP options, as well as a web server that can provide configuration details to each computer. For more information, consult the documentation provided by your web proxy product vendor. For Forefront TMG, see http://technet.microsoft.com/library/cc995261.aspx.

Note that Windows Store apps do not use the same proxy settings that are being used with Internet Explorer. For more information about proxy configurations, troubleshooting, and issues that you may encounter, see http://support.microsoft.com/kb/2778122 and http://support.microsoft.com/kb/2777643.
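The two server-side pieces of WPAD the section describes, the DHCP option and the web-served configuration file, look like this in practice. This is an added example, not from the whitepaper or the Forefront TMG documentation: the DHCP part uses the DhcpServer cmdlets of Windows Server 2012, and the host names, scope, proxy address and IIS path are all assumptions.

```powershell
# Added example (not from the whitepaper): publish proxy settings through WPAD so that
# devices which receive no Group Policy (Windows RT, BYOD) still discover the corporate
# proxy. Host names, scope, proxy address and web root are assumptions.
# Part A runs on a Windows Server 2012 DHCP server; part B produces the PAC file that
# the web server returns for http://wpad.corp.example.com/wpad.dat.

# --- Part A: DHCP option 252 (WPAD URL) ------------------------------------------
$WpadUrl = 'http://wpad.corp.example.com/wpad.dat'   # assumed internal web server

# Option 252 is not predefined on a Windows DHCP server; define it once, then set the
# value per scope.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -Name 'WPAD' -OptionId 252 -Type String `
                                     -Description 'Web Proxy Auto-Discovery URL'
}
Set-DhcpServerv4OptionValue -ScopeId 10.20.0.0 -OptionId 252 -Value $WpadUrl   # assumed scope

# Clients that do not honour option 252 fall back to DNS: register "wpad" in your
# internal zone pointing at the same web server, so the name is owned by you and
# not left unregistered.

# --- Part B: the PAC file (JavaScript, written out by PowerShell) -----------------
$pac = @'
function FindProxyForURL(url, host) {
    // Internal destinations stay direct; everything else goes through the proxy.
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".corp.example.com") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    return "PROXY proxy.corp.example.com:8080";
}
'@
Set-Content -Path 'C:\inetpub\wwwroot\wpad.dat' -Value $pac -Encoding Ascii   # assumed IIS web root

# IIS must serve .dat with the MIME type application/x-ns-proxy-autoconfig (add a MIME
# map for the extension); otherwise clients fetch the file but do not apply it.
```

Once a Windows RT device has picked the proxy up through WPAD, remember the caveat from the section above: Internet Explorer will use it, but Windows Store apps do not share Internet Explorer's proxy settings, so test a line-of-business Windows Store app separately before declaring the configuration done.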

IPSec Domain Isolation

If using IPSec for domain isolation, devices that are not joined to an Active Directory domain (such as Windows RT devices) may not be able to access some network servers. If access to these is required, they may need to be excluded from default IPSec isolation rules, which turns them into boundary servers. This can be done selectively to allow access to a limited number of servers. Alternatively, a Remote Desktop Gateway could be leveraged to provide “proxy” access to these isolated systems.

VPN Connectivity

When Windows RT devices are connected to the Internet, they may need to connect to enterprise resources. This is often done by establishing a virtual private network (VPN) connection into the corporate network. Once connected through VPN, the Windows RT device behaves like it is directly connected to the corporate network, which allows access to internal applications and servers as appropriate.

To support the establishment of a VPN connection, a standard VPN client is included by default in Windows RT. This VPN client can interoperate with Windows Server 2012 VPN servers, as well as additional third-party VPN servers through the supported PPTP, L2TP, and IKEv2 protocols with a variety of authentication methods as described in the documentation posted at http://technet.microsoft.com/library/jj613765.

Third-party VPN server solution: Cisco (2951 VPN Server)
OS version: IOS 15.1.4
Tunnels supported: PPTP; L2TP/IPSec with PSK; L2TP/IPSec with certificate; IPSec (IKEv2)
Authentication methods supported: CHAP; PSK (over IPv4 and IPv6); machine certificate; EAP¹
Crypto suites supported: IPSec: AH auth HMAC_SHA_1_96, HMAC_MD5_96; ESP encryption AES_128, CBC_3DES, CBC_DES, None. IKEv2: encryption 3DES, AES_128, AES_192, AES_256; integrity SHA1, SHA_256, SHA_384; DH group DH2

Third-party VPN server solution: Juniper (SSG series)
OS version: 6.2.0r5.0
Tunnels supported: L2TP/IPSec with PSK; L2TP/IPSec with certificate; IPSec (IKEv2)
Authentication methods supported: CHAP; PSK (over IPv4 and IPv6); machine certificate; EAP¹

The VPN client configuration details necessary for connecting into a corporate network can be manually configured through the standard networking user interface. The VPN client can also be configured using a simple PowerShell script. This PowerShell script could be provided directly to the end user, to simplify the configuration steps they need to perform, or it could even be leveraged as part of a Windows Intune management infrastructure to automate the configuration entirely. See http://technet.microsoft.com/library/jj613766.aspx for additional details. (Note that Windows Intune by itself does not provide a means to configure VPN connections. To do this configuration, Windows Intune needs to be integrated with a System Center 2012 Configuration Manager SP1 infrastructure.)

In some VPN authentication configurations, it may also be necessary to install additional security certificates, which can be done using PowerShell, the Certutil.exe command-line utility, or the “Certificates” control panel.
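The following script is an added example and is not part of the whitepaper: it shows the two steps just described (installing the certificate the connection depends on, then creating the VPN connection) with the built-in VPN client cmdlets. The server name, certificate path and pre-shared key are placeholders; the IKEv2 connection assumes a client certificate has already been provisioned in the machine “Personal” store.

```powershell
# Added example (not from the whitepaper): configure the built-in Windows RT VPN client
# with PowerShell. Run from an elevated PowerShell prompt.
$vpnName   = 'Contoso VPN'
$vpnServer = 'vpn.contoso.example'          # placeholder: VPN gateway FQDN
$rootCa    = 'C:\Deploy\ContosoRootCA.cer'  # placeholder: CA that issued the gateway certificate

# 1. Trust the CA that issued the VPN server's certificate. IKEv2 validates the server
#    certificate against the machine Trusted Root store, so this must be done first.
#    The Certutil form shown in the comment is equivalent.
Import-Certificate -FilePath $rootCa -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# certutil.exe -addstore Root $rootCa

# 2. Create an IKEv2 connection authenticated with a machine certificate.
#    EncryptionLevel Required refuses to fall back to an unencrypted tunnel.
Add-VpnConnection -Name $vpnName -ServerAddress $vpnServer `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -PassThru

# Alternative for an L2TP/IPSec gateway that uses a pre-shared key with MS-CHAPv2 user
# authentication (-Force suppresses the prompt that warns the PSK is stored on the device):
# Add-VpnConnection -Name 'Contoso L2TP' -ServerAddress $vpnServer -TunnelType L2tp `
#     -L2tpPsk 'placeholder-psk' -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# 3. Verify what the client will negotiate before handing the script to users.
Get-VpnConnection -Name $vpnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Distributing the script through Windows Intune (integrated with Configuration Manager, as the text notes) runs it per device; when it is given to end users directly, keep the PSK variant out of the script and let the user supply the key at first connection, since anything in the script ends up on the device in clear text.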

Smart cards can also be used for authenticating VPN connections. See the “Smart Card” topic later in this document for additional details on the types of smart cards supported by Windows RT.


For organizations using RSA SecurID tokens, these can be used with the standard VPN client. For information about this configuration, see http://technet.microsoft.com/library/jj900206.aspx.

Note that Windows RT does not support the Connection Manager Administration Kit (CMAK), so that cannot be used for configuring VPN connections. Also, the built-in VPN client does not support third-party SSL VPNs. Additional third-party VPN client software cannot be installed on Windows RT.

Printing

As previously mentioned, Windows RT includes a class driver that enables printing directly to thousands of different printer models. See www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home for more details. Note that some devices may require firmware updates to support this capability.

Windows RT will also support printing to network printers shared from a Windows 8 or Windows Server 2012 print server through enhancements to the printer driver architecture implemented in those releases. See http://msdn.microsoft.com/library/windows/hardware/Hh706306(v=vs.85).aspx for more information about this new printer driver architecture (referred to as “v4 printer drivers”).

Remote Application Access

In some scenarios, certain applications may not be available for Windows RT. This could be because they are existing desktop applications that cannot be installed on Windows RT, those that cannot be used outside of the corporate network, those that are isolated using IPSec domain isolation, or any other applications that have special requirements that cannot be directly met by Windows RT. Fortunately, there are multiple options for solving these issues.

RemoteApp

By leveraging the Remote Desktop Services features in Windows Server 2008 R2 or Windows Server 2012, traditional desktop applications can be run on the server with the user interface presented on the Windows RT device. Additionally, with Windows Server 2012, Windows Store apps can also be run in this way.

With Windows Server 2012, additional improvements have been made to the RemoteApp experience. These improvements include:

- Multi-touch support, which enables the best experience for accessing Windows Store apps remotely.
- Better network bandwidth awareness for WAN-connected clients.
- RemoteFX improvements, which offer support for streaming video and other multimedia applications, as well as USB redirection support, which allows some types of local peripherals to be used by applications running remotely.
- Simplified configuration support that enables devices to automatically discover available RemoteApp servers and applications.


See http://technet.microsoft.com/library/hh831447.aspx for more information on these new improvements.

To configure a Windows RT device to access the RemoteApp server, some simple configuration steps need to be performed on the Windows RT device to specify the URL of the server, for example, “https://contoso.com/RDWeb/Feed/webfeed.aspx”.

To leverage the automatic discovery capability mentioned above, an additional DNS entry must be created so that the URL can be determined based on an e-mail address entered on that same screen. See http://technet.microsoft.com/library/hh831442.aspx for instructions on how to configure this DNS entry.

Once configured with the URL of the Remote Desktop server or gateway, the RemoteApp programs published by that server can be launched from the Start screen like any locally installed application. The first time the application launches, it will take several seconds for a session to be established with the Remote Desktop Services server, but subsequent application launches will be quicker.

When these applications run, they typically leverage the user’s Active Directory account, which allows the application to access enterprise data within the corporate network – no data related to the applications ever needs to be stored on the Windows RT device, which helps to ensure compliance with enterprise security and control policies.

Virtual Desktop Infrastructure

Another option that can be used from Windows RT is a virtual desktop infrastructure, or VDI. As with the previously-discussed remote desktop capability, VDI presents an image of a full remote desktop running in an enterprise datacenter. But unlike with remote desktop, this image represents an entire virtual machine dedicated to the current Windows RT user.


These virtual machines can be pooled (shared between multiple users) or dedicated to a particular user as required. In either case, all enterprise data remains within the corporate network and is not stored on the Windows RT device; only the user experience is remotely presented to the device.

When using VDI sessions (either directly or through an Internet-connected Remote Desktop gateway), Windows RT devices can leverage RemoteFX to provide a rich multimedia experience, leveraging either a built-in software GPU or the server’s own hardware GPU. Full multipoint touch capabilities are also supported.

Also new with VDI on Windows Server 2012 is support for USB redirection. Users can make any USB peripheral attached to the Windows RT device available directly to the VDI session, enabling it to be used with applications running in that session.

The primary challenge with VDI scenarios is making them cost effective, as each concurrent VDI session can require significant server resources (CPU, disk, memory, and network). With enhancements made in Windows Server 2012, these resource requirements have been reduced, making this a practical solution for scenarios where isolated or dedicated Windows instances are required. For other scenarios, consider Remote Desktop scenarios, as these have lower resource requirements.

Remote Desktop Services

Windows RT can also be used to establish a full remote desktop connection to a Remote Desktop Services server, as well as to any other Windows 7 Professional, Windows 7 Enterprise, Windows 8 Pro, Windows 8 Enterprise, Windows Server 2008 R2, or Windows Server 2012 computer. When used through the Remote Desktop gateway, this can even be done across the Internet, without using a VPN connection (the same as can be done with RemoteApp programs). To enable this, Windows RT includes the desktop Remote Desktop Connection application (Mstsc.exe), or you can install the small “Remote Desktop” app from the Windows Store to provide an even better experience. (Note that Windows RT does not provide support for making a remote desktop connection into the device; only outbound connections are possible.)

Remote Assistance

Windows RT does support Remote Assistance, so users of the device can request help from remote support personnel. With that invitation, the remote support personnel can connect to the user’s session to help troubleshoot any problems the user may be encountering.

Third-Party Apps

Software vendors can also provide Windows Store apps for Windows RT that enable remote application presentation, remote desktop connections, and remote data access. For example, the Citrix Receiver app is available to access a variety of Citrix virtualization solutions.


Data Access

Windows RT devices provide local storage for documents and settings, just like any version of Windows. Many devices will also support storage devices such as microSDXC cards, and will also support USB storage devices, including USB keys and USB hard drives.

SkyDrive

Windows RT devices can utilize SkyDrive cloud storage for synchronizing personalization and configuration settings between devices, even between Windows RT and Windows 8 devices.

To go beyond just personalization and configuration, SkyDrive can also be used for storing and retrieving documents, pictures, or any other data files. These can be created or edited using Office Home & Student 2013 RT or other Windows Store apps.

Although the full contents of a particular SkyDrive are not synchronized to the Windows RT device, documents that were used while connected to the Internet will continue to be accessible offline because they are automatically cached on the Windows RT device.

SkyDrive Pro

Although there is currently no SkyDrive Pro client application for Windows RT, files stored in a user’s SharePoint personal site document library can be directly accessed through Internet Explorer provided the appropriate network connectivity is available.

Using Office Home & Student 2013 RT, users will also be able to easily access SharePoint libraries directly from the Office desktop applications just as they can from other Windows-based PCs, as long as network connectivity and security allows (as discussed above).

Network Share Access

Windows RT devices can access file shares on other Windows-based devices using standard Windows networking protocols to make a connection to these file shares. Because users of these devices will not be logged on using domain-based credentials, it will typically be necessary to specify an alternate user ID and password (or use a smart card) to access these file shares.

Note that Windows RT does not include support for offline files, folder redirection, or other client-side caching (CSC) functionality found in Windows 8 Pro and Windows 8 Enterprise.
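As an added example (not from the whitepaper), the following PowerShell session maps a file share from a non-domain-joined device by supplying a domain account explicitly, which is the alternate-credential case described above. The server, share and account names are placeholders.

```powershell
# Added example (not from the whitepaper): access a domain file share from Windows RT
# with alternate credentials. Server/share/account names are placeholders.
$share = '\\files.contoso.example\Projects'
$cred  = Get-Credential -Message 'Domain account for the file server' -UserName 'CONTOSO\alice'

# Map the share for this session. Omitting -Persist keeps the mapping (and the cached
# credential for it) from surviving a reboot; add -Persist only where a permanent drive
# letter is wanted.
New-PSDrive -Name P -PSProvider FileSystem -Root $share -Credential $cred -Scope Global | Out-Null

# Confirm the connection works before handing the device to the user.
Get-ChildItem P:\ | Select-Object -First 10 Name, LastWriteTime

# Alternative for the smart card case: the built-in client prompts for the card PIN.
# net use P: \\files.contoso.example\Projects /smartcard

# Drop the mapping when finished so the credential is no longer cached for the share.
Remove-PSDrive -Name P
```

Because Windows RT has no offline files or client-side caching (as the note above states), the data stays on the server; what remains on the device after Remove-PSDrive is only whatever the user explicitly copied.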

WebDAV Access

Windows RT devices can access files and folders through the WebDAV protocol, which leverages the built-in “WebClient” service capabilities.

Security

Windows RT is designed to leverage all of the security technologies present in Windows 8, several of which are new. Not only does Windows RT support these technologies, many of them are required for all Windows RT devices to help ensure that the devices are protected from the first time they are turned on.

Smart Cards

In situations where multi-factor authentication using smart cards is required, Windows RT does include class drivers that support smart cards that follow either the Generic Identity Device Specification (GIDS) or the Personal Identity Verification (PIV) standards.

All Windows RT devices also include support for virtual smart cards, which provide the same multi-factor authentication benefits of smart cards without the need for any extra hardware by storing the associated certificates in the device’s Trusted Platform Module (TPM). As described in Windows Hardware Certification Requirements for Client and Server Systems, TPM capability must be present in all Windows RT devices. Therefore, these virtual smart cards could be considered as an alternative to using physical smart cards and readers. After a virtual smart card has been created (which can be done using the Tpmvscmgr.exe command-line utility), certificates can be loaded onto it using PowerShell, the Certutil.exe command-line utility, or the “Certificates” control panel.
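The following is an added example, not taken from the whitepaper, of the virtual smart card procedure just described: creating the TPM-backed card with Tpmvscmgr.exe and then loading a certificate onto it with Certutil.exe. The card name and PFX path are placeholders; it assumes a user authentication certificate and private key have already been issued as a PFX file.

```powershell
# Added example (not from the whitepaper): create a TPM virtual smart card and load a
# certificate onto it. Run from an elevated prompt on the Windows RT device.
$vscName = 'Contoso VSC'
$pfxPath = 'C:\Deploy\user-auth.pfx'   # placeholder: user certificate + private key

# 1. Create the card in the TPM.
#    /AdminKey RANDOM  - generate an admin key that is never shown; prevents anyone from later
#                        unblocking or re-keying the card with a well-known default key.
#    /PIN PROMPT       - ask the user for a PIN instead of setting the default PIN.
#    /generate         - format the card so it is ready to hold certificates.
tpmvscmgr.exe create /name $vscName /AdminKey RANDOM /PIN PROMPT /generate

# 2. Confirm the smart card subsystem sees the new card (Certutil lists readers and cards).
certutil.exe -scinfo

# 3. Import the certificate and key into the card through the smart card CSP. The private
#    key now lives in the TPM-protected card, not in a software key container.
certutil.exe -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $pfxPath

# 4. Show the certificates the user can now sign or authenticate with.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

With /AdminKey RANDOM the card cannot be administratively unblocked later; an organization that wants PIN-unblock capability would use /AdminKey PROMPT and record the key in its management system instead. The PFX file should be deleted once the import succeeds, since the card copy is the only one that should remain on the device.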

Boot Security

All Windows RT devices use the Unified Extensible Firmware Interface (UEFI), a modern replacement for the previous PC BIOS that PCs have used since they were first created. While the most noticeable improvement with UEFI is faster startup and resumption from hibernation (“instant on”), it also provides some key security benefits to help ensure that malware cannot insert itself into the startup process. Through the use of Secure Boot, which ensures that only properly signed and certified boot files are loaded, and Trusted Boot, which makes sure that the checksums of these boot files do not change, Windows RT can help ensure that no rootkits or other tampering are present.

Device Encryption

At the next level, Windows RT offers Device Encryption, a capability based on the same BitLocker drive encryption technology that is available in Windows 8 Pro and Windows 8 Enterprise. Device Encryption has been optimized for Windows RT devices to provide full volume encryption, which leverages AES encryption with 128-bit keys with a TPM protector.

All Windows RT devices are encrypted when the computer first starts, but the volume is not protected with an encryption key until someone logs on to the computer using a Microsoft account that is an Administrator of the computer. After this happens, the encryption key is applied and a recovery key will be automatically uploaded into the SkyDrive associated with the account. The recovery key will also be backed up into SkyDrive for each subsequent Microsoft account that logs on with Administrator rights.

Because the device is not protected with an encryption key until an administrative Microsoft account logs on, it is very important that this is performed at least once on every Windows RT device.

Windows RT can be configured so that Device Encryption automatically forces the device to ask for the recovery key if tampering (for example, trying to log on multiple times with an incorrect password) is detected. This must be enabled through local policy by setting the “Interactive logon: Machine account lockout threshold” setting under “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options,” or by using the “MaxFailedPasswordAttempts” policy of Exchange ActiveSync (also configurable through Windows Intune), to specify the number of failed password attempts before the device will request a recovery key.

The recovery key can be obtained from the SkyDrive associated with any Microsoft account that logged on to the Windows RT device with administrator rights. This can be retrieved by accessing the http://windows.microsoft.com/recoverykey website.

Device Encryption in Windows RT does not provide the full functionality of BitLocker. Some of the features that are specific to BitLocker and not included in Windows RT Device Encryption include:

- An extended set of protectors (for example, network, PIN, TPM, password).
- Management capabilities enabled through Active Directory, such as recovery key escrow and support for Microsoft BitLocker Administration and Monitoring (MBAM).

Note that Device Encryption is not FIPS-compliant due to the storage of a non-compliant recovery key on SkyDrive.

BitLocker To Go

Although Windows RT cannot create encrypted BitLocker To Go USB drives or SD cards, it is able to use these drives or cards once they have been encrypted from Windows 8 Pro or Windows 8 Enterprise (or even Windows 7) computers. When inserting the BitLocker To Go USB drive or SD card, the user will be prompted to provide the required password before they can access or update the data on the USB drive or SD card.

Accounts

Windows RT supports the use of multiple user accounts. These accounts can have full Administrator access or can be set up as “standard” users with limited configuration capabilities. (Even standard users can install Windows Store apps from the Windows Store, unless the Windows Store has been disabled.)

Windows RT supports using either local accounts or Microsoft accounts. Note that some operations such as installing applications from the Windows Store, as well as some applications including Mail, Calendar, and Contacts, require the use of a Microsoft account. The synchronization of Windows RT settings and encryption key backups also require the use of a Microsoft account. As a result, it is recommended that Microsoft accounts be used for most Windows RT devices.

Note that Windows RT and Windows 8 do not support using Active Directory federated IDs in place of Microsoft accounts to access the Windows Store. See http://windows.microsoft.com/en-US/windows-live/sign-in-what-is-microsoft-account for more information on Microsoft accounts.

Convenience Passwords

Windows RT provides support for leveraging two new types of convenience passwords:

- Picture passwords, where a series of three user-defined gestures can be used with a custom lock screen picture to unlock the device.
- PINs, where the user enters the correct four-digit value to unlock the device.

The user account still has a traditional password assigned to it, so these just make it easier to log on, especially on touch devices, by not requiring that the full password be entered.

These convenience password mechanisms can be disabled (either through Exchange ActiveSync policy, Windows Intune, or local computer policy) in situations where they are not desirable.

Credential Locker

Windows RT includes the Credential Locker, a service that stores user accounts and passwords from Windows Store apps and websites so that they can be automatically presented back to the app or website the next time they are needed. For more information on Credential Locker, see http://technet.microsoft.com/library/jj554668.aspx.

SmartScreen

Windows RT includes SmartScreen capabilities that check all downloaded files to help ensure that they are safe. SmartScreen leverages application reputations to determine which files may be dangerous and which files are not; for those that are not, no prompt would be displayed. For files that do not have a known reputation, or for those that have a bad reputation, SmartScreen will prompt the user for confirmation before continuing.

Windows Defender

Windows Defender provides real-time protection on Windows RT from malware, including viruses, worms, bots, and rootkits by using the latest set of malware signatures from the Microsoft Malware Protection Center, which Windows Update will deliver regularly along with the latest Microsoft antimalware engine. This expanded set of signatures is a significant improvement over previous versions, which only included signatures for spyware, adware, and potentially unwanted software.

Windows Firewall

The Windows Firewall is also included in Windows RT and enabled by default, to ensure that the network attack surface is minimized. Configuration of the firewall is more limited though, because Group Policy — only available for Active Directory-joined computers — cannot be used to push out a specific configuration. Scripted configuration using Netsh can be performed.
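As an added example that is not from the whitepaper, the script below is the kind of scripted firewall configuration the section refers to, with each Netsh command paired with its NetSecurity cmdlet equivalent (both are built into Windows 8-generation PowerShell). The management subnet and rule name are placeholders.

```powershell
# Added example (not from the whitepaper): scripted Windows Firewall baseline for a device
# that receives no Group Policy. Run elevated. Subnet and rule name are placeholders.
$mgmtSubnet = '10.10.0.0/24'
$ruleName   = 'WinRM HTTPS mgmt only'

# 1. Keep every profile on, block unsolicited inbound traffic, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Cmdlet equivalent:
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Log dropped packets so there is local evidence to review if the device is suspected
#    of being probed (no central log collector is assumed).
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogMaxSizeKilobytes 4096

# 3. If inbound PowerShell remoting is enabled on the device, limit the listener port to the
#    management subnet instead of accepting it from any address.
netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow protocol=TCP `
    localport=5986 remoteip=$mgmtSubnet profile=domain,private
# Cmdlet equivalent:
# New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Protocol TCP `
#     -LocalPort 5986 -RemoteAddress $mgmtSubnet -Profile Domain,Private

# 4. Review the resulting state.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked -AutoSize
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
```

Because there is no Group Policy to re-apply the baseline, a local administrator can undo any of it; re-running the script from Windows Intune (as a custom script, which the Manageability section notes is possible) is the practical way to keep the configuration enforced.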

Network Access Protection

Windows RT does support Network Access Protection (NAP), which can be used to control access to corporate network resources based on the device’s compliance with corporate controls. Note that Windows RT does not support third-party system health agents (SHA).


Manageability

While Windows RT does not support Active Directory, Group Policy, and related management technologies, it does provide some management capabilities that are useful for enterprises. These capabilities are useful in different scenarios, ranging from governance for employee-owned computers to full management of enterprise-owned computers.

Enterprise Systems Management

Windows RT includes a management client that enables devices to be connected to the Windows Intune cloud-based management infrastructure. Once connected, a variety of management tasks are possible, including software publishing, inventory collection, configuration management, and software update deployment.

Windows Intune also integrates with System Center 2012 Configuration Manager Service Pack 1 (SP1) so that all administrative tasks, for Windows Intune-managed clients as well as Configuration Manager clients, can be performed through Configuration Manager. This single pane-of-glass administration simplifies the management of Windows 8, Windows RT, and previous versions of Windows.

Windows Intune can be used to create an enterprise app store that enables users of Windows RT devices to request line-of-business apps; Windows Intune will take care of performing the necessary sideloading operations to install those applications on the device. Windows Intune will also manage the necessary sideloading product keys needed for each Windows RT device, as well as the enterprise certificate used to sign the line-of-business applications.

Windows Intune can also be used to push out specific configurations such as VPN definitions (when integrated with Configuration Manager), governance policy settings, and even custom scripts to configure Windows RT as required. It can also monitor those settings to ensure compliance with corporate policies.

See www.windowsintune.com for more information about Windows Intune.

PowerShell

Windows PowerShell is supported on Windows RT, and provides key functionality for managing and configuring Windows RT. As previously mentioned, this includes many useful capabilities, including: sideloading applications, configuring VPN connections, Windows Firewall configuration, certificate management, and more.
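The script below is an added example (not from the whitepaper) of the sideloading capability listed above, done the way a practitioner would want it: the package signature is checked against the enterprise signing certificate before Add-AppxPackage installs it. The package path, package name and certificate thumbprint are placeholders; it assumes the device already holds a sideloading product key and trusts the enterprise signing certificate, as the Manageability section describes.

```powershell
# Added example (not from the whitepaper): verify and sideload a line-of-business app.
# Package path, package name and thumbprint are placeholders.
$package        = 'C:\Deploy\ContosoExpenses_1.0.0.0_ARM.appx'
$packageName    = 'ContosoExpenses'
$expectedSigner = 'PLACEHOLDER-THUMBPRINT-OF-ENTERPRISE-SIGNING-CERT'

# 1. App packages carry an Authenticode signature; refuse anything that is unsigned, whose
#    chain does not validate, or that is signed by a certificate other than the expected one.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is '$($sig.Status)'."
}
if ($sig.SignerCertificate.Thumbprint -ne $expectedSigner) {
    throw "Refusing to install: signed by $($sig.SignerCertificate.Subject), not the enterprise certificate."
}

# 2. Install for the current user. Add-AppxPackage fails if the device is not enabled for
#    sideloading, which is the expected outcome on an unmanaged device.
Add-AppxPackage -Path $package

# 3. Confirm what was installed and who published it.
Get-AppxPackage -Name $packageName |
    Format-List Name, Version, Architecture, Publisher, InstallLocation
```

The thumbprint comparison is what distinguishes this from simply trusting any valid signature: a package signed by some other trusted publisher would pass the status check alone.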

While PowerShell's scripting language, in-box cmdlets, providers, and management capabilities fundamentally act as they do on other platforms, there are some differences on Windows RT, which focuses PowerShell on direct management scenarios. Differences include:

- Binary PowerShell modules (other than the ones provided as part of Windows RT) are not supported on Windows RT, although script modules can be used.
- Scripting access to the .NET Framework, as well as access through the Add-Type cmdlet, is not supported on Windows RT.
- The PowerShell Integrated Scripting Environment (ISE) is not included in Windows RT, so the PowerShell command line-based host must be used for running scripts.
- Windows Store apps cannot programmatically run PowerShell commands as the interfaces for those commands are not exposed through the WinRT API set. (In some situations, the WinRT HttpClient class could be used to manage remote computers through PowerShell web services, but loopback connections to the local computer are not possible.)
- Inbound remoting is disabled by default, but can be enabled if needed by starting the Windows Remote Management (WinRM) service and configuring WinRM on the device.
- Implicit remoting is not supported by PowerShell on Windows RT because of constraints in place in Windows RT.
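As an added example, not from the whitepaper, the following session enables the inbound remoting described in the list above and then moves the listener to HTTPS. It assumes a server-authentication certificate for the device is already in the machine store; the thumbprint is a placeholder.

```powershell
# Added example (not from the whitepaper): enable inbound PowerShell remoting on a Windows RT
# device and restrict it to a TLS listener. Run elevated. Thumbprint is a placeholder.
$thumbprint = 'PLACEHOLDER-THUMBPRINT-OF-DEVICE-SERVER-CERT'

# 1. Starts the WinRM service (set to automatic), creates an HTTP listener and the matching
#    firewall exception, and registers the PowerShell session configurations.
Enable-PSRemoting -Force

# 2. Add an HTTPS listener bound to the device certificate, refuse unencrypted requests,
#    then remove the HTTP listener so only the TLS endpoint (TCP 5986) remains.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $thumbprint }
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Remove-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTP' }

# 3. Verify: only the HTTPS listener should be present, and the endpoint should answer.
Get-ChildItem WSMan:\localhost\Listener
Test-WSMan -ComputerName $env:COMPUTERNAME -UseSSL
Get-Service WinRM
```

Because the device is not domain-joined, administrators connecting to it use local-account credentials; the connecting machine must either trust the device certificate (HTTPS) or list the device in its own WSMan TrustedHosts setting. The firewall exception Enable-PSRemoting creates is for HTTP; the HTTPS port needs its own rule, scoped to a management subnet as in the Windows Firewall section.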

Governance Through Exchange ActiveSync

When connecting a Windows RT device to a mailbox hosted on an Exchange Server, the Exchange ActiveSync (EAS) protocol is used. This protocol provides support for configuring specific security-related policies on a Windows RT device to ensure that corporate e-mail stored on the device is protected appropriately, while also providing a mechanism for remotely removing e-mail (as well as calendar and contact information) in case the device is lost or if the user’s Exchange account is removed or disabled.

The specific policies that can be set on Windows RT, as documented at http://msdn.microsoft.com/library/windows/apps/windows.security.exchangeactivesyncprovisioning.easclientsecuritypolicy.aspx, are listed below. All of them are read/write.

DisallowConvenienceLogon: Gets or sets the ability to prevent convenience logons. When set, picture passwords will not be allowed.

MaxInactivityTimeLock: Gets or sets the maximum length of time the computer can remain inactive before it is locked.

MaxPasswordFailedAttempts: Gets or sets the maximum number of failed password attempts for logging on. After the failed attempt threshold has been exceeded, the Windows RT device will be put into encryption recovery mode, requiring that the recovery key be provided to unlock the device.

MinPasswordComplexCharacters: Gets or sets the minimum number of complex characters that are required for a password.

MinPasswordLength: Gets or sets the minimum length of password allowed.

PasswordExpiration: Gets or sets the length of time that a password is valid.

PasswordHistory: Gets or sets the password information previously used.

RequireEncryption: Gets or sets whether device encryption is required.

Windows Update

To keep Windows RT up-to-date, it will be serviced through Windows Update for all operating system components, including Office Home & Student 2013 RT, as well as drivers and firmware updates.

For Windows Store apps that come with Windows RT, as well as any additional apps installed from the Windows Store, notification of new versions will be provided through the Store app, with installation of the new versions initiated by the user when convenient for them. These will not be automatically installed.

Note that Windows RT can only be updated by using Windows Update; Windows Server Update Services (WSUS) cannot be used to deploy updates to Windows RT.

Data Backup

As mentioned previously, Windows RT can use SkyDrive as a backup mechanism, in case the device is damaged or lost. Windows RT also supports the File History feature which can be used to back up user data from a Windows RT device to an external storage device. See http://windows.microsoft.com/en-US/windows-8/how-use-file-history for more information on how to use File History for data backup.

Local Policy

Although Windows RT does not include support for Group Policy (because this requires joining an Active Directory domain), it does include support for local policy configuration by using the standard local policy editor MMC snap-in. This enables accounts with administrative rights to configure computer and local policies that apply to all users of the Windows RT device.

To enable local policy on Windows RT, the “Group Policy Client” service must be manually enabled using an Administrator account. See http://technet.microsoft.com/library/jj574108.aspx#BKMK_WinRT for more information.

Support

Consumer support for Windows RT will be provided by the manufacturer of the device. For commercial support, organizations may leverage a Professional support contract, Professional pay-per-incident (PPI) support, or a Premier support contract.

To help ensure a safe and secure ecosystem, Windows RT will provide full support for both security updates as well as non-security updates (for example, to ensure performance and reliability). Hotfixes or design change requests will not be available.

Note that Windows RT is not classified as a business or developer product as outlined in the definitions described in the Microsoft Support Lifecycle. As a result, Windows RT will not have the same extended lifecycle as these other products. See http://support.microsoft.com/gp/lifecycle-windows-rt-faq for more information.

Summary

Windows RT devices are primarily designed as consumer devices, but can be used in corporate environments as well, either using employee-owned devices or company-owned devices depending on the situation. To properly support Windows RT devices in the workplace, enterprises should understand the capabilities provided in and restrictions imposed by Windows RT, as well as the specific infrastructure requirements for supporting Windows RT devices within their organization.

Enterprises are encouraged to consider Windows RT devices when appropriate, given the capabilities and restrictions described above. In some situations, using Windows 8-based (x86) devices may be most appropriate.


Glossary

Bring Your Own Device. A policy adopted by many organizations that allows users to use personal devices (smart phones, tablets, laptops, and so on) in their work environment. These devices are typically owned by the individual, so they are not managed by the organization. However, the organization often wants to establish requirements on the usage of these devices in a work environment through governance: requiring certain minimum settings or software versions before the devices can be used or supported.

Desktop Application. A traditional Windows application that runs in the desktop environment. These may run on Windows 8 or Windows 7 (and typically even earlier versions of Windows), but are not typically optimized for use in a full screen, touch environment. These are typically installed using the Windows Installer (MSI), App-V, or a variety of other Setup.exe-style installation programs. While these applications may be listed in the Windows Store, they cannot be installed from the Windows Store. Although most desktop applications will run on Windows 8-based devices, only the desktop applications that are included with Windows RT (Office, Notepad, Regedit, Calc, and so on) can run on Windows RT; it is not possible to install additional desktop applications on Windows RT. (Compare to Windows Store App.)

Device Encryption. The built-in disk encryption technology used to protect data stored on a Windows RT device. This technology is based on the BitLocker feature of Windows 8.

Enterprise App Store. A private app store managed by enterprises to enable the deployment of line-of-business apps and other third-party apps. For Windows Store apps, this enterprise app store would leverage sideloading in order to install the apps on the Windows device.

Sideloading. The process of installing a Windows Store app onto a Windows 8 or Windows RT computer without using the Windows Store. To do this, the computer must be enabled for sideloading. In the case of Windows RT, this means you must install an enterprise sideloading key on the device.
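The sideloading steps described above, as an added PowerShell example that is not part of the whitepaper: it installs the enterprise sideloading key, checks that the line-of-business package carries a trusted signature, and only then installs it. The package path and the product key are placeholders; the cmdlets and slmgr.vbs switches are the standard ones that ship with Windows 8 and Windows RT.

```powershell
# Added example; not from the whitepaper. Run from an elevated PowerShell
# prompt on the Windows RT device. $PackagePath and $SideloadingKey are
# placeholders to be supplied by the deployment team.
param(
    [string]$PackagePath    = 'C:\LOB\ContosoExpenses.appx',    # constructed sample path
    [string]$SideloadingKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# 1. Install the enterprise sideloading product key and activate it.
#    The activation ID is the fixed ID Microsoft documents for the
#    sideloading product; it is not a device-specific value.
cscript //nologo $slmgr /ipk $SideloadingKey
cscript //nologo $slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e

# 2. Refuse to install anything whose signature does not chain to a
#    certificate the device already trusts. Add-AppxPackage would fail
#    anyway, but checking first gives a clear reason and an audit line.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $PackagePath is '$($sig.Status)'; install the signing " +
          "certificate in the device's Trusted People or Trusted Root store first."
}
Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"

# 3. Install the package for the current user.
Add-AppxPackage -Path $PackagePath

# 4. Inventory: list every package on the device that was installed via
#    sideloading (SignatureKind 'Enterprise') rather than from the Store.
Get-AppxPackage |
    Where-Object { $_.SignatureKind -eq 'Enterprise' } |
    Select-Object Name, Version, Publisher
```

If step 1 was skipped or the key did not activate, Add-AppxPackage fails with an error stating that the package requires a sideloading-enabled system, which is the usual sign that the device is not yet licensed.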

System Center 2012 Configuration Manager. A comprehensive enterprise systems management product used to manage Windows computers. Configuration Manager provides the Enterprise App Store functionality described above.

Unified Extensible Firmware Interface (UEFI). The firmware used to start all Windows RT devices. This firmware supports Secure Boot and Measured Boot to protect the operating system from malware that might try to interfere with the startup process. See www.uefi.org for more information.

Windows Store App. A new style of application introduced with Windows 8 and Windows RT. These apps are designed for full-screen touch usage, while also supporting mouse and keyboard interaction. Developers can create these applications in .NET languages (C#, Visual Basic) as well as in C++ or JavaScript/HTML. In most cases, these applications are platform-neutral, so they can run on Windows 8 or Windows RT-based devices. Typically Windows Store apps are installed from the online Windows Store, but they can also be installed through sideloading. (Compare to Desktop Application.)

Windows 8 App. Another term for a Windows Store app. (Note that this does not necessarily mean that the app only runs on Windows 8; most Windows Store apps will run on Windows 8 and Windows RT.)

Windows 8. The latest version of the Windows operating system that runs on x86 or x64 processors from Intel and AMD.

Windows Intune. A public cloud-based enterprise systems management tool that supports the management of Windows 8 and Windows RT devices (and others). This subscription-based service provides software publishing, inventory collection, configuration management, and software update deployment capabilities. It can also be integrated with System Center 2012 Configuration Manager to support management from a single console. Windows Intune also provides the Enterprise App Store functionality described above. See www.windowsintune.com for more information.

Windows RT. A new member of the Windows family that runs on ARM processors.

WinRT. The application programming interface (API) for creating Windows Store apps.

WinRT App. Another term for a Windows Store App.


For Additional Information

Which tablet should you choose for your business?
http://blogs.windows.com/windows/b/business/archive/2012/12/14/which-tablet-should-you-choose-for-your-business.aspx

Exchange ActiveSync: Frequently-Asked Questions
http://technet.microsoft.com/exchange/bb288524.aspx

Office Home & Student 2013 RT
http://office.com/officeRT

Springboard Series for Windows 8
http://technet.microsoft.com/windows/hh771457.aspx

System Center 2012 Configuration Manager
http://technet.microsoft.com/systemcenter/hh285244.aspx

Windows Intune
http://technet.microsoft.com/windows/intune

Windows RT
http://windows.microsoft.com/en-US/windows/rt-welcome

Windows RT Device Compatibility List (USB peripherals that work with Windows RT)
www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home

Windows Store App Development
http://msdn.microsoft.com/windows/apps/br229512.aspx
