Applies to: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2
Don't panic—we are not tossing professionalism to the wind. While the acronym BYOD can bring up fond memories of legendary college parties, rest assured that we are not talking togas and food fights here. Bring Your Own Device (BYOD) is an initiative that many organizations are adopting. It allows end users to bring their personally owned devices to work and use those devices to access company resources, such as files and applications.
While BYOD can help make end users more productive and eliminate the cost of physical devices from your organization’s balance sheet, you might find the analogy to out-of-control toga parties and food fights pretty close—at least in a technical sense. But the variety of new and innovative Windows 8.1 end-user devices can give you the control you need to manage and protect your organization while providing end users the flexibility they want.
This article lists ways you can manage end-user owned devices running Windows 8.1. It’s a checklist of sorts, and it provides links with detailed information that you can further explore. Let's get started with a quick summary of the methods you can employ:
If you allow users to connect their BYOD devices running Windows 8.1 to your network, your organization probably requires them to join the domain. (Domain Join requires Windows 8.1 Pro or Windows 8.1 Enterprise.) That’s not new for you, but what about remote users who don’t have connectivity to your organization’s intranet? You can use the offline domain join process (Djoin.exe) in Windows 8.1 to join their computers to the domain without requiring them to connect to the intranet. You can learn more about this process in the article Offline Domain Join (Djoin.exe) Step-by-Step Guide. New for Windows 8.1 and Windows Server 2012, you can join computers offline and provide DirectAccess policies at the same time. See the article DirectAccess Offline Domain Join for more information.
With end users’ BYOD devices running Windows 8.1 joined to the domain, you can enforce computer and user settings on them by using Group Policy. (Group Policy also requires Windows 8.1 Pro or Windows 8.1 Enterprise.) Like Domain Join, you are almost certainly already familiar with Group Policy, but Windows 8.1 includes many improvements. For example, you can now update policy settings remotely. Learn about the functional improvements to Group Policy in the article What's New in Group Policy. Additionally, Windows 8.1 offers many new policy settings that you can use to manage BYOD devices, and we have updated the Group Policy Settings Reference to include them.
On BYOD devices running Windows 8.1 Enterprise, AppLocker enables you to allow or block an app based on its file path, hash, or properties that persist across application updates (e.g., publisher name, product name, file name, and file version). You can refine AppLocker results by configuring individual and group exceptions. Windows 8.1 Enterprise adds support for Windows Store apps to AppLocker. For more information about AppLocker, see the AppLocker Overview.
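The rule types described above can be generated and dry-run before anything is enforced. The following is an added example, not taken from the original article; the reference folder and output path are placeholders chosen for illustration.

```powershell
# Added example (not from the original article).
# Assumption: a reference device has the approved apps under $referenceDir.
Import-Module AppLocker

$referenceDir = 'C:\Program Files\Contoso'      # placeholder folder
$policyXml    = 'C:\Temp\byod-applocker.xml'    # placeholder output file

# Collect publisher, hash and path information for every executable.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# Prefer publisher rules, because they persist across application updates.
# Listing Hash second makes it the fallback for unsigned files.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'BYOD' -Optimize -Xml |
    Set-Content -Path $policyXml -Encoding Unicode

# Dry run: evaluate the generated rules against the same files without
# applying the policy to the device.
$paths = Get-ChildItem -Path $referenceDir -Recurse -Filter *.exe |
    Select-Object -ExpandProperty FullName

Test-AppLockerPolicy -XmlPolicy $policyXml -Path $paths -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Review the XML, import it into a Group Policy object, and run the rule
# collections in audit-only mode before switching them to enforcement.
```

Files reported as DeniedByDefault in the dry run are the ones users would lose access to once the policy is enforced, so they are the candidates for additional rules or exceptions.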
Sideloading a Windows Store app is the process of installing the app without distributing it through the Windows Store. You would sideload a line-of-business (LOB) app rather than distributing it publicly through the store. The normal process requires (1) a domain-joined computer running Windows 8.1 Enterprise, (2) the Group Policy setting “Allow all trusted apps to install” be enabled, and (3) the app be signed by a trusted code-signing certificate. After meeting these requirements, you can sideload a Windows Store app for an individual user by using Windows PowerShell or for all users who share a device by using the Deployment Image Servicing and Management (DISM) tool. On BYOD devices that are not domain joined or are running Windows 8.1 Pro, you can use a sideloading product activation key. It sounds complicated, but it really is a simple process. The article How to Add and Remove Apps describes how to do it in step-by-step detail. Additionally, tools such as System Center 2012 Configuration Manager SP1 and the Microsoft Deployment Toolkit (MDT) 2012 provide automation for sideloading Windows Store apps. A future version of Windows Intune will also provide such functionality, and you can learn more about that on the Windows Intune blog.
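The three sideloading requirements can be checked on the device before the package is installed. The following is an added example, not taken from the original article; the package path is a placeholder, and the registry location is the one the “Allow all trusted apps to install” policy writes to.

```powershell
# Added example (not from the original article).
# Assumption: $PackagePath is a placeholder for your signed LOB package.
$PackagePath = 'C:\Deploy\ContosoLOB.appx'

function Test-SideloadReadiness {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }

    # Requirement 1: domain-joined computer running an Enterprise edition.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Requirement 2: "Allow all trusted apps to install" policy is enabled.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $key -Name AllowAllTrustedApps `
                  -ErrorAction SilentlyContinue

    # Requirement 3: the package signature validates against a certificate
    # this device trusts. Status is 'Valid' only if the chain is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        DomainJoined      = [bool]$cs.PartOfDomain
        Enterprise        = $os.Caption -match 'Enterprise'
        TrustedAppsPolicy = ($policy.AllowAllTrustedApps -eq 1)
        SignatureValid    = ($sig.Status -eq 'Valid')
        Signer            = $sig.SignerCertificate.Subject
    }
}

$r = Test-SideloadReadiness -Path $PackagePath
$r | Format-List

if ($r.DomainJoined -and $r.Enterprise -and $r.TrustedAppsPolicy -and $r.SignatureValid) {
    # Per-user install for the current user.
    Add-AppxPackage -Path $PackagePath
    # For all users who share the device, provision the package with DISM:
    #   DISM /Online /Add-ProvisionedAppxPackage /PackagePath:<package> /SkipLicense
} else {
    Write-Warning 'Sideloading prerequisites not met; package was not installed.'
}
```

Recording the Signer value for each deployment gives you a quick way to spot a package that was signed with an unexpected certificate.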
In Windows 8.1, Internet Explorer 10 has two browsing experiences: Internet Explorer is a Windows Store app that provides an immersive experience by using the new Windows 8.1 user interface, and Internet Explorer for the desktop provides a tabbed experience similar to Internet Explorer 9. The article Internet Explorer 10 provides a good overview of the new features for IT professionals. To help manage Internet Explorer 10 on BYOD devices running Windows 8.1, Internet Explorer 10 adds numerous Group Policy settings, which the article Group Policy Settings in Internet Explorer 10 describes. Notably, Internet Explorer 10 no longer supports the Internet Explorer Maintenance extension. Instead, Group Policy preferences include new preference items to support Internet Explorer 10 configuration. See Internet Explorer Maintenance Replacements for more information about these new preference items. Still more settings are configurable by using the Internet Explorer Administration Kit (IEAK), and this tool is a great solution for BYOD devices running Windows 8.1 that are not domain joined. See Internet Explorer Administration Kit (IEAK) Information and Downloads.
One thing you can count on in BYOD scenarios is that users will lose devices. However, BitLocker Drive Encryption (BitLocker) can provide protection against data theft and exposure by encrypting drives. BitLocker has been around since Windows Vista, and each Windows release has improved on it. Learn more about improvements that Windows 8.1 makes to BitLocker in the article BitLocker Overview. A new feature that you might like for BYOD devices is that end users can store their BitLocker recovery keys on OneDrive. Also, you can use Microsoft BitLocker Administration and Monitoring (MBAM) to more easily provision, manage, and monitor BitLocker deployment. It includes a self-service portal that allows users to recover their own recovery keys, getting them back to work quickly without a helpdesk call. For more information on MBAM, which is part of the Microsoft Desktop Optimization Package (MDOP), see the MBAM Resource Zone on TechNet.
So how do you manage Windows 8.1 devices and apps, make certain they are up-to-date, and gain essential insights into the devices? The answer depends on whether you want on-premises or cloud-based management. Configuration Manager SP1 provides on-premises management of Windows 8.1 devices and apps. It lets you centrally manage Windows 8.1 devices, even the end-user owned devices in BYOD scenarios. Configuration Manager SP1 is a big topic, and you can find documentation for it in the TechNet Library (see Configuration Manager). Configuration Manager SP1 adds support for Windows 8.1, including managing Windows Store apps and Windows 8.1 operating system deployment, and the article What’s New in Configuration Manager SP1 describes these additions in detail.
Do you like the idea of managing BYOD devices by using Configuration Manager SP1 but want a cloud-based solution that you can use to manage BYOD devices running Windows 8.1? The next release of Windows Intune extends BYOD device management to Windows 8.1 by adding support for Windows 8.1 management, Windows Store app deployment and management, and integration with Configuration Manager. Follow the Windows Intune blog to stay up-to-date with the upcoming release.
For BYOD scenarios, Windows To Go can only be described as an incredibly awesome feature. (Windows To Go requires Windows 8.1 Enterprise.) Windows To Go enables you to create portable Windows 8.1 workspaces that end users can boot from USB drives on any computer that meets the Windows 7 or Windows 8.1 certification requirements. (The actual operating system installed on the computer is irrelevant.) You can create Windows To Go workspaces by using the Windows To Go wizard or by using Windows PowerShell. There are some differences between a local installation of Windows 8.1 and a Windows To Go workspace, and you can learn more about them in the article Windows To Go: Feature Overview. For example, local disks are offline when you start a Windows To Go workspace to help separate work and personal data. Windows To Go enables new scenarios. For example, you can provide end users a Windows To Go workspace that they can take back and forth between work and home while maintaining consistent access to the same desktop environment.
BYOD scenarios can be complicated. Most of the items in this checklist require that you touch the end user’s device in some way, either to join the domain or install an agent. There is generally no way around this, as you cannot allow unmanaged devices to connect to your network. However, an alternative is to provide remote access to a full-fidelity virtual desktop by using VDI. VDI is powered by Remote Desktop Services in Windows Server 2012 and offers three deployment choices (session based, pooled VMs, or personal VMs) and a rich user experience powered by RemoteFX. End users can log on to their desktops from any device that supports the Remote Desktop Protocol (e.g., Windows RT devices, laptops running Windows 8.1, Apple iOS and Google Android devices, and more). The Desktop Virtualization home page on TechNet is a great place to start your exploration.
BYOD is great. It can unleash end users’ productivity, passion, and innovation. We believe that you can give users the flexibility they want on the devices they choose in a responsible way. That is, you can embrace BYOD while keeping your environment secure and well managed. To that end, Windows 8.1 provides end users with experiences they love and the enterprise-grade features you need. For more information about Windows 8.1 devices in BYOD scenarios, see Microsoft Technologies for Consumerization and Consumerization of IT FAQ.