Windows RT 8.1 in the Enterprise: Manageability

Applies To: Windows RT 8.1

In Windows RT 8.1, you have many options for managing your devices, including mobile device management (MDM), Windows Intune, Windows PowerShell, ActiveSync, Windows Update, Start Screen Control, and Local Policy.

While Windows RT 8.1 does not support Active Directory, Group Policy, and related management technologies, it does provide some management capabilities that are useful for enterprises. These capabilities are useful in different scenarios, ranging from governance for employee-owned computers to full management of enterprise-owned computers.

  • Mobile Device Management

  • Windows Intune

  • Windows PowerShell

  • Governance Through Exchange ActiveSync

  • Windows Update

  • Data Backup

  • Assigned Access

  • Start Screen Control

  • Local Policy

Mobile Device Management

Windows RT 8.1 implements an open mobile device management (MDM) protocol that enables management of the devices by any cloud-based MDM product that supports these open protocols. Initially, support for this open MDM capability will be provided by:

  • Microsoft, with Windows Intune

  • AirWatch

  • MobileIron

  • Citrix

Windows RT 8.1 devices must complete an enrollment process before they can be managed by an MDM product. The user initiates this registration process by specifying their account and credential details. Once the device is registered, a variety of management capabilities are available to the MDM product:

  • Hardware and software inventory

  • Configuration of key settings

  • Line-of-business modern application installation and updating

  • Certificate provisioning and deployment

  • Data protection, including remote business data removal (wipe)

  • Wi-Fi and VPN profile deployment

  • Sideloading key management

Windows Intune

Windows Intune provides full support for the open MDM capabilities provided in Windows 8.1 and Windows RT 8.1. It also integrates with System Center 2012 R2 Configuration Manager so that all administrative tasks, for Windows Intune-managed client computers as well as Configuration Manager client computers, can be performed through Configuration Manager. This single pane-of-glass administration simplifies the management of Windows 8.1, Windows RT 8.1, and previous versions of Windows.

Windows Intune also provides a Company Portal app that implements an enterprise apps store, enabling users of Windows RT devices to request line-of-business apps; Windows Intune will take care of performing the necessary sideloading operations (through open MDM) to install those applications on the device.


Windows PowerShell

Windows PowerShell is supported on Windows RT 8.1 and provides key functionality for managing and configuring Windows RT. As previously mentioned, this includes sideloading applications, configuring VPN connections, Windows Firewall configuration, certificate management, and more.

While PowerShell's scripting language, in-box cmdlets, providers, and management capabilities fundamentally act as they do on other platforms, there are some differences on Windows RT, which focuses PowerShell on direct management scenarios. Differences include:

  • Binary PowerShell modules (other than the ones provided as part of Windows RT) are not supported on Windows RT 8.1, although script modules can be used.

  • Scripting access to the .NET Framework, as well as access through the Add-Type cmdlet, is not supported on Windows RT 8.1.

  • The PowerShell Integrated Scripting Environment (ISE) is not included in Windows RT, so the PowerShell command line-based host must be used for running scripts.

  • Windows Store apps cannot programmatically run PowerShell commands as the interfaces for those commands are not exposed through the WinRT API set. (In some situations, the WinRT HttpClient class could be used to manage remote computers through PowerShell web services, but loopback connections to the local computers are not possible.)

  • Inbound remoting is disabled by default, but can be enabled if needed by starting the Windows Remote Management (WinRM) service and configuring WinRM on the device.

  • Implicit remoting is not supported by PowerShell on Windows RT because of constraints in place in Windows RT 8.1.
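A read-only check of the restrictions listed above on a given device, as an added example that is not part of the original page. It assumes an elevated PowerShell console; the statement about ConstrainedLanguage comes from PowerShell's about_Language_Modes help topic, not from this page.

```powershell
# Added example (not from the original page). Makes no changes to the device.

# Language mode of the current session. about_Language_Modes describes
# ConstrainedLanguage as the mode designed for Windows RT; other Windows
# editions normally report FullLanguage.
$languageMode = $ExecutionContext.SessionState.LanguageMode

# The ISE is not included in Windows RT, so this lookup is expected to be empty there.
$ise = Get-Command -Name powershell_ise.exe -ErrorAction SilentlyContinue

# Inbound remoting depends on the Windows Remote Management (WinRM) service.
$winrm = Get-Service -Name WinRM

# Listeners can only be enumerated while the service is running, and reading
# the WSMan: drive normally requires elevation.
$listeners = @()
if ($winrm.Status -eq 'Running') {
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
}

Write-Output "Language mode   : $languageMode"
Write-Output "ISE present     : $([bool]$ise)"
Write-Output "WinRM service   : $($winrm.Status)"
Write-Output "WinRM listeners : $($listeners.Count)"

# Inbound remoting is off by default, so a running service with at least one
# listener means someone enabled it. Confirm that this was intended.
if ($winrm.Status -eq 'Running' -and $listeners.Count -gt 0) {
    Write-Warning 'Inbound remoting appears to be enabled on this device.'
}
```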

Governance Through Exchange ActiveSync

When connecting a Windows RT 8.1 device to a mailbox hosted on an Exchange Server using the Mail app, the Exchange ActiveSync (EAS) protocol is used. This protocol provides support for configuring specific security-related policies on a Windows RT device to ensure that corporate email stored on the device is protected appropriately, while also providing a mechanism for remotely removing email (as well as Calendar and Contact information) in case the device is lost or if the user’s Exchange account is removed or disabled.

Table 1 lists the specific policies that can be set on Windows RT 8.1, as documented at EasClientSecurityPolicy class.

Table 1. Policies

| Policy | Access | Description |
| --- | --- | --- |
| DisallowConvenienceLogon | Read/write | Gets or sets the ability to prevent convenience logons. When set, picture passwords will not be allowed. |
| MaxInactivityTimeLock | Read/write | Gets or sets the maximum length of time the computer can remain inactive before it is locked. |
| MaxPasswordFailedAttempts | Read/write | Gets or sets the maximum number of failed password attempts for logging on. After the failed attempt threshold has been exceeded, the Windows RT device will be put into encryption recovery mode, requiring that the recovery key be provided to unlock the device. |
| MinPasswordComplexCharacters | Read/write | Gets or sets the minimum number of complex characters that are required for a password. |
| MinPasswordLength | Read/write | Gets or sets the minimum length of password allowed. |
| PasswordExpiration | Read/write | Gets or sets the length of time that a password is valid. |
| PasswordHistory | Read/write | Gets or sets the password information previously used. |
| RequireEncryption | Read/write | Gets or sets whether device encryption is required. |

Windows Update

To keep Windows RT 8.1 up-to-date, it will be serviced through Windows Update for all operating system components, including Office Home & Student 2013 RT, as well as drivers and firmware updates.

For Windows Store apps that come with Windows RT 8.1, as well as any additional apps installed from the Windows Store, notification of new versions will be provided through the Store app, with installation of the new versions initiated by the user when convenient for them. These will not be automatically installed.

Note that Windows RT can only be updated by using Windows Update; Windows Server Update Services (WSUS) cannot be used to deploy updates to Windows RT 8.1.

Data Backup

As mentioned previously, Windows RT 8.1 can use OneDrive and Work Folders for data backup and recovery in case the device is damaged or lost. Windows RT 8.1 also supports the File History feature, which can be used to back up user data from a Windows RT 8.1 device to an external storage device. See Restore files or folders using File History for more information on how to use File History for data backup.

Assigned Access

Windows RT 8.1 includes support for a new feature called Assigned Access, which enables an administrator to specify an app that should automatically execute when a specific user logs on. That user can run nothing else, nor can they get to the Start screen. This effectively implements a single-purpose kiosk behavior.

To configure Assigned Access, use the PC Settings app and navigate to Accounts, then Other Accounts. From there, choose Set up an account for assigned access and choose the user and the app that should be run when that user logs on.

Start Screen Control

Windows RT 8.1 (as well as Windows 8.1 Enterprise) supports a new policy setting that enforces a specific start screen layout that the user cannot change. This is useful for shared computers, multi-purpose kiosks where there is a need to run multiple apps, and other fixed-use scenarios.

To configure Start Screen control, follow these steps:

  1. Install a sideloading product key on the Windows RT device. (The Start Screen control policy requires this on Windows RT 8.1.)

  2. Log on to a computer using a temporary account. Configure the Start screen for that user the way you would like it to be for other users.

  3. Run PowerShell and run the following command (specifying a valid UNC path): Export-StartLayout -as XML -path \\server\share\layout.xml

  4. Open Local Group Policy Editor, then navigate to User Configuration \ Administrative Templates \ Start Menu and Taskbar. Edit the Start Screen Layout setting, specifying the path to the XML file exported beforehand.

Note

Local policy is not applied to Windows RT by default; see the next section for details on how to enable this.
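The export in step 3 with the checks worth running before step 4, as an added PowerShell example that is not part of the original page. The UNC path is the page's sample value; the ACL review and the Group Policy Client service check (service name gpsvc) are added here and assume PowerShell 3.0 or later.

```powershell
# Added example (not from the original page). Run as the temporary account
# from step 2. The UNC path is the sample value used in step 3.
$LayoutPath = '\\server\share\layout.xml'

# Step 3: export the configured Start screen layout as XML.
Export-StartLayout -As XML -Path $LayoutPath

# Stop early if the export is missing or is not well-formed XML, because the
# policy setting in step 4 will point at this file.
if (-not (Test-Path -LiteralPath $LayoutPath)) {
    throw "Layout file was not created: $LayoutPath"
}
[xml]$layout = Get-Content -LiteralPath $LayoutPath
Write-Output "Exported layout root element: $($layout.DocumentElement.Name)"

# Review who can modify the file the policy will read. This lists NTFS entries
# that grant write-type rights; share permissions need a separate review.
$writers = (Get-Acl -LiteralPath $LayoutPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    "$($_.FileSystemRights)" -match 'Write|Modify|FullControl'
}
$writers | Select-Object -Property IdentityReference, FileSystemRights

# Local policy is not applied to Windows RT by default. On the device that
# will receive the policy, report the Group Policy Client service state.
$gp = Get-CimInstance -ClassName Win32_Service -Filter "Name='gpsvc'"
Write-Output "Group Policy Client: StartMode=$($gp.StartMode) State=$($gp.State)"
if ($gp.StartMode -eq 'Disabled') {
    Write-Warning 'Group Policy Client is disabled; the Start Screen Layout policy will not apply.'
}
```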

Local Policy

Although Windows RT 8.1 does not include support for Group Policy (because this requires joining an Active Directory domain), it does include support for local policy configuration by using the standard local policy editor MMC snap-in. This enables accounts with administrative rights to configure computer and local policies that apply to all users of the Windows RT device.

To enable local policy on Windows RT 8.1, the Group Policy Client service must be manually enabled using an Administrator account. See Local Group Policy support for Windows RT for more information.
