While Windows RT 8.1 does not support Active Directory, Group Policy, and related management technologies, it does provide some management capabilities that are useful for enterprises. These capabilities are useful in different scenarios, ranging from governance for employee-owned computers to full management of enterprise-owned computers.
Mobile Device Management
Windows RT 8.1 implements an open mobile device management (MDM) protocol that enables management of the devices by any MDM cloud-based product that enables these open protocols. Initially, support for this open MDM capability will be provided by:
- Microsoft, with Windows Intune
Windows RT 8.1 devices must complete an enrollment process before they can be managed by an MDM product. This registration process is initiated by the user, specifying their account and credential details to complete the registration process. Once registered, a variety of management capabilities are available to the MDM product:
- Hardware and software inventory
- Configuration of key settings
- Line-of-business modern application installation and updating
- Certificate provisioning and deployment
- Data protection, including remote business data removal (wipe)
- Wi-Fi and VPN profile deployment
- Sideloading key management
Windows Intune provides full support for the open MDM capabilities provided in Windows 8.1 and Windows RT 8.1. It also integrates with System Center 2012 R2 Configuration Manager so that all administrative tasks, for Windows Intune-managed clients as well as Configuration Manager clients, can be performed through Configuration Manager. This single pane-of-glass administration simplifies the management of Windows 8.1, Windows RT 8.1, and previous versions of Windows.
Windows Intune also provides a “Company Portal” app that implements an enterprise apps tore, enabling users of Windows RT devices to request line-of-business apps; Windows Intune will take care of performing the necessary sideloading operations (via open MDM) to install those applications on the device.
www.windowsintune.com for more information about Windows Intune.
Windows PowerShell is supported on Windows RT 8.1, and provides key functionality for managing and configuring Windows RT. As previously mentioned, this includes many useful capabilities, including: sideloading applications, configuring VPN connections, Windows Firewall configuration, certificate management, and more.
While PowerShell's scripting language, in-box cmdlets, providers, and management capabilities fundamentally act as they do on other platforms, there are some differences on Windows RT, which focuses PowerShell on direct management scenarios. Differences include:
- Binary PowerShell modules (other than the ones provided as part of Windows RT) are not supported on Windows RT 8.1, although script modules can be used.
- Scripting access to the .NET Framework, as well as access through the Add-Type cmdlet, is not supported on Windows RT 8.1.
- The PowerShell Integrated Scripting Environment (ISE) is not included in Windows RT, so the PowerShell command line-based host must be used for running scripts.
- Windows Store apps cannot programmatically run PowerShell commands as the interfaces for those commands are not exposed through the WinRT API set. (In some situations, the WinRT HttpClient class could be used to manage remote computers through PowerShell web services, but loopback connections to the local computers are not possible.)
- Inbound remoting is disabled by default, but can be enabled if needed by starting the Windows Remote Management (WinRM) service and configuring WinRM on the device.
- Implicit remoting is not supported by PowerShell on Windows RT because of constraints in place in Windows RT 8.1.
Governance Through Exchange ActiveSync
When connecting a Windows RT 8.1 device to a mailbox hosted on an Exchange Server using the Mail app, the Exchange ActiveSync (EAS) protocol is used. This protocol provides support for configuring specific security-related policies on a Windows RT device to ensure that corporate e-mail stored on the device is protected appropriately, while also providing a mechanism for remotely removing an e-mail (as well as calendar and contact information) in case the device is lost or if the user’s Exchange account is removed or disabled.
The specific policies that can be set on Windows RT 8.1, as documented in the
MSDN Library, are:
DisallowConvenienceLogon||Read/write||Gets or sets the ability to prevent convenience logons. When set, picture passwords will not be allowed.|
MaxInactivityTimeLock||Read/write||Gets or sets the maximum length of time the computer can remain inactive before it is locked.|
MaxPasswordFailedAttempts||Read/write||Gets or sets the maximum number of failed password attempts for logging on. After the failed attempt threshold has been exceeded, the Windows RT device will be put into encryption recovery mode, requiring that the recovery key be provided to unlock the device.|
MinPasswordComplexCharacters||Read/write||Gets or sets the minimum number of complex characters that are required for a password.|
MinPasswordLength||Read/write||Gets or set the minimum length of password allowed.|
PasswordExpiration||Read/write||Gets or set the length of time that a password is valid.|
PasswordHistory||Read/write||Gets or set the password information previously used.|
RequireEncryption||Read/write||Gets or sets whether device encryption is required.|
To keep Windows RT 8.1 up-to-date, it will be serviced through Windows Update for all operating system components, including Office Home & Student 2013 RT, as well as drivers and firmware updates.
For Windows Store apps that come with Windows RT 8.1, as well as any additional apps installed from the Windows Store, notification of new versions will be provided through the Store app, with installation of the new versions initiated by the user when convenient for them. These will not be automatically installed.
Note that Windows RT can only be updated by using Windows Update; Windows Server Update Services (WSUS) cannot be used to deploy updates to Windows RT 8.1.
As mentioned previously, Windows RT 8.1 can use SkyDrive and Work Folders for data backup and recovery, in case the device is damaged or lost. Windows RT 8.1 also supports the File History feature which can be used to back up user data from a Windows RT 8.1 device to an external storage device. See
How to use File History for more information on how to use File History for data backup.
Windows RT 8.1 includes support for a new feature called Assigned Access, which enables an administrator to specify an app that should automatically execute when a specific user logs in. That user can run nothing else, nor can they get to the Start screen. This effectively implements a single-purpose kiosk behavior.
To configure Assigned Access, use the PC Settings app and navigate to “Accounts,” then “Other Accounts.” From there, choose “Set up an account for assigned access” and choose the user and the app that should be run when that user logs in.
Start Screen Control
Windows RT 8.1 (as well as Windows 8.1 Enterprise) supports a new policy setting that enforces a specific start screen layout that the user cannot change. This is useful for shared computers, multi-purpose kiosks where there is a need to run multiple apps, and other fixed-use scenarios.
To configure Start Screen control, follow these steps:
- Install a sideloading product key on the Windows RT device. (The Start Screen control policy requires this on Windows RT 8.1.)
- Log into a computer using a temporary account. Configure the Start screen for that user the way you would like it to be for other users.
- Run PowerShell and execute the following command (specifying a valid UNC path):
Export-StartLayout -as XML -path \\server\share\layout.xml
- Open the Local Group Policy Editor, then navigate to “User Configuration \ Administrative Templates \ Start Menu and Taskbar”. Edit the “Start Screen Layout” setting, specifying the path to the XML file exported before.
Note that local policy is not applied to Windows RT by default; see the next section for details on how to enable this.
Although Windows RT 8.1 does not include support for Group Policy (because this requires joining an Active Directory domain), it does include support for local policy configuration by using the standard local policy editor MMC snap-in. This enables accounts with administrative rights to configure computer and local policies that apply to all users of the Windows RT device.
To enable local policy on Windows RT 8.1, the “Group Policy Client” service must be manually enabled using an Administrator account. See
Local Group Policy for Windows RT for more information.