Windows RT 8.1 in the Enterprise: Security

Published: April 16, 2014

Applies To: Windows RT 8.1

In Windows RT 8.1 you have security technologies available to you including smart cards, boot security, device encryption, BitLocker To Go, Windows Firewall, Network Access Protection (NAP), and many more.

Windows RT 8.1 leverages the security technologies present in Windows 8.1, several of which are new. For enterprise environments, these include smart cards, device encryption, BitLocker To Go, SmartScreen, Windows Defender, Windows Firewall, and Network Access Protection. Not only does Windows RT 8.1 support these technologies, but many of them are also required on all Windows RT devices, to help ensure that the devices are protected from the first time they are turned on.

In situations where multi-factor authentication using smart cards is required, Windows RT 8.1 includes class drivers that support smart cards that follow either the Generic Identity Device Specification (GIDS) or the Personal Identity Verification (PIV) standard.

All Windows RT 8.1 devices also include support for virtual smart cards, which provide the same multi-factor authentication benefits as smart cards without the need for any extra hardware, by storing the associated certificates in the device’s Trusted Platform Module (TPM). As described in Windows Hardware Certification Requirements for Client and Server Systems, TPM capability must be present in all Windows RT devices, so virtual smart cards can be considered an alternative to physical smart cards and readers. After a virtual smart card has been created (which can be done using the Tpmvscmgr.exe command-line tool), certificates can be loaded onto it using PowerShell, the Certutil.exe command-line tool, or the Certificates control panel.
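The following script is an added example, not code from the original article, showing how the creation step described above looks when driven from an elevated PowerShell prompt: it creates a TPM virtual smart card with Tpmvscmgr.exe, captures the reader instance ID that the tool prints (the output format is an assumption; the script tolerates its absence), and then uses Certutil.exe to confirm that the smart-card stack can see the new card before any certificate is enrolled to it. The card name is a constructed value.

```powershell
# Added example (not from the original article): create a TPM-backed virtual
# smart card on a Windows RT 8.1 device and confirm the smart-card stack sees
# it. Run from an elevated PowerShell prompt.
# Assumptions: Tpmvscmgr.exe and Certutil.exe are on the PATH (both are in-box);
# the card name is a constructed value.

$cardName = 'ContosoVSC'   # constructed; any label the user will recognise

# /pin PROMPT      asks the user to choose the card PIN interactively.
# /adminkey PROMPT asks for an admin key instead of leaving the well-known
#                  default in place; record it in your card-management system,
#                  because it is required to reset the PIN later.
# /generate        creates the card itself, not only the virtual reader.
$output = & Tpmvscmgr.exe create /name $cardName /pin PROMPT /adminkey PROMPT /generate
if ($LASTEXITCODE -ne 0) {
    throw "Tpmvscmgr.exe create failed with exit code $LASTEXITCODE`n$($output -join "`n")"
}
$output | Write-Host

# Assumption: Tpmvscmgr prints the reader's instance ID (ROOT\SMARTCARDREADER\nnnn).
# Keep it: 'Tpmvscmgr.exe destroy /instance <id>' needs it at decommissioning time.
$instanceId = $output |
    Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+' |
    ForEach-Object { $_.Matches[0].Value } |
    Select-Object -First 1
if ($instanceId) { Write-Host "Virtual reader instance: $instanceId" }

# Verify from the certificate side: certutil -scinfo enumerates every reader and
# the card in it. The new virtual card should be listed here before a certificate
# is loaded onto it (with PowerShell, Certutil.exe, or the Certificates control
# panel, as described above). certutil may ask for the card PIN while it reads.
$scinfo = & Certutil.exe -scinfo 2>&1
$scinfo | Select-String -Pattern 'Reader|Card' | ForEach-Object { $_.Line }
```

The admin key, not the PIN, is what an administrator needs to unblock or reset a card later, which is why the example prompts for it rather than accepting the default; a randomly generated admin key (`/adminkey RANDOM`) produces a card that cannot be managed afterwards.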

All Windows RT devices use the Unified Extensible Firmware Interface (UEFI), a modern replacement for the previous PC BIOS that PCs have used since they were first created. While the most noticeable improvement with UEFI is faster startup and resumption from hibernation (“instant on”), it also provides some key security benefits to help ensure that malware cannot insert itself into the startup process. Through the use of Secure Boot, which ensures that only properly signed and certified boot files are loaded, and Trusted Boot, which makes sure that the checksums of these boot files do not change, Windows RT can help ensure that no rootkits or other tampering are present.

At the next level, Windows RT offers Device Encryption, a capability based on the same BitLocker drive encryption technology that is available in Windows 8 Pro and Windows 8 Enterprise. Device Encryption has been optimized for Windows RT devices to provide full volume encryption, which leverages AES encryption with 128-bit keys with a TPM protector.

All Windows RT devices are encrypted when the computer first starts, but the drive is not protected with an encryption key until someone logs on to the computer using a Microsoft account that is an Administrator of the computer. After this happens, the encryption key is applied and a recovery key is automatically uploaded to the OneDrive associated with that account. The recovery key is also backed up to OneDrive for each subsequent Microsoft account that logs on with Administrator rights.

Because the device is not protected with an encryption key until an administrative Microsoft account logs on, it is very important that this is performed at least once on every Windows RT device.

Windows RT can be configured so that Device Encryption automatically forces the device to ask for the recovery key if tampering (for example, trying to log on multiple times with an incorrect password) is detected. This is not on by default: it must be enabled either through local policy, by setting the Interactive logon: Machine account lockout threshold setting under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, or by using the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Windows Intune). Either setting specifies the number of failed password attempts before the device requests the recovery key.
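Because both conditions above depend on something having happened on the device (an administrator Microsoft account signing in, and a lockout threshold being set), an administrator will want a way to check them. The script below is an added example, not from the original article, that audits a single Windows RT 8.1 device from an elevated PowerShell prompt: it reads Device Encryption status from manage-bde.exe and reads the lockout threshold from the registry. The registry value name `MaxDevicePasswordFailedAttempts` is assumed to be the backing store for the "Interactive logon: Machine account lockout threshold" option, and the manage-bde output line formats are assumed to be the English ones shown in the comments; confirm both on your own build.

```powershell
# Added example (not from the original article): audit a Windows RT 8.1 device
# for the two conditions discussed above, from an elevated PowerShell prompt:
#   1. Is the system drive actually protected? Device Encryption is only armed
#      once a Microsoft account with Administrator rights has signed in.
#   2. Is a machine account lockout threshold set, so repeated wrong passwords
#      force a recovery-key prompt instead of allowing unlimited guesses?
# Assumptions: the "Interactive logon: Machine account lockout threshold" option
# is backed by the registry value named below; manage-bde.exe is in-box and
# prints English "Protection Status:", "Percentage Encrypted:" and
# "Key Protectors:" lines as on other Windows 8.1 editions.

function Get-DeviceEncryptionState {
    # manage-bde -status prints one block per volume; only the OS drive is queried.
    $lines = & manage-bde.exe -status $env:SystemDrive 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed: $($lines -join "`n")" }
    $state = @{ Protection = 'Unknown'; PercentEncrypted = 'Unknown'; Protectors = @() }
    $inProtectors = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Protection Status:\s+(.+)$')    { $state.Protection = $Matches[1].Trim() }
        if ($line -match '^\s*Percentage Encrypted:\s+(.+)$') { $state.PercentEncrypted = $Matches[1].Trim() }
        if ($line -match '^\s*Key Protectors:')               { $inProtectors = $true; continue }
        # Protector names are listed indented beneath "Key Protectors:" (e.g. TPM,
        # Numerical Password); a blank line ends the list.
        if ($inProtectors -and $line -match '^\s{4,}(\S.*)$') { $state.Protectors += $Matches[1].Trim() }
        elseif ($inProtectors -and $line.Trim() -eq '')      { $inProtectors = $false }
    }
    return $state
}

function Get-MachineLockoutThreshold {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'MaxDevicePasswordFailedAttempts'   # assumed backing value for the policy
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }            # absent means the policy is not set
    return [int]$item.$name
}

$enc       = Get-DeviceEncryptionState
$threshold = Get-MachineLockoutThreshold

"Protection status : $($enc.Protection)"
"Encrypted         : $($enc.PercentEncrypted)"
"Key protectors    : $($enc.Protectors -join ', ')"
"Lockout threshold : $threshold"

$findings = @()
if ($enc.Protection -ne 'Protection On') {
    $findings += 'Drive is not protected: sign in once with a Microsoft account that is an Administrator so the key is applied and the recovery key is backed up to OneDrive.'
}
if ($enc.Protectors -notcontains 'Numerical Password') {
    $findings += 'No recovery password protector found; confirm that a recovery key exists and was backed up.'
}
if ($threshold -le 0) {
    $findings += 'No machine account lockout threshold set; configure "Interactive logon: Machine account lockout threshold" or the Exchange ActiveSync MaxFailedPasswordAttempts policy.'
}
if ($findings.Count -eq 0) { 'OK: Device Encryption is armed and a lockout threshold is configured.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A "Protection Off" result together with a high encryption percentage is the expected state of a freshly unboxed device: the volume is encrypted, but the key is not yet bound to a TPM protector and no recovery key has been escrowed, which is exactly the gap the administrator sign-in closes.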

The recovery key can be obtained from the OneDrive associated with any Microsoft account that logged on to the Windows RT device with Administrator rights. This can be retrieved by accessing the Recovery Key website.

Device Encryption in Windows RT does not provide the full functionality of BitLocker. Some of the features that are specific to BitLocker and not included in Windows RT Device Encryption include:

  • An extended set of protectors (for example, network, PIN, TPM, password).

  • Management capabilities enabled through Active Directory, such as recovery key escrow and support for Microsoft BitLocker Administration and Monitoring (MBAM).

Note that Device Encryption on versions of Windows prior to 8.1 does not support FIPS-compliance mode. In Windows 8.1 a FIPS-compliant encryption option has been added; to use it, the FIPS-compliant Group Policy setting must be enabled before the device is encrypted. Storing recovery keys in Active Directory, OneDrive, or other centralized storage mechanisms does not affect FIPS status.

Although Windows RT 8.1 cannot create encrypted BitLocker To Go USB drives or SD cards, it is able to use these drives or cards after they have been encrypted from Windows 8 Pro or Windows 8 Enterprise (or even Windows 7) computers. When inserting the BitLocker To Go USB drive or SD card, the user will be prompted to provide the required password before they can access or update the data on the USB drive or SD card.

Windows RT 8.1 supports the use of multiple user accounts. These accounts can have full Administrator access or can be set up as “standard” users with limited configuration capabilities. (Even standard users can install Windows Store apps from the Windows Store, unless the Windows Store has been disabled.)

Windows RT 8.1 supports using either local accounts or Microsoft accounts. Note that some operations such as installing applications from the Windows Store, as well as some applications including Mail, Calendar, and Contacts, require the use of a Microsoft account. The synchronization of Windows RT settings and encryption key backups also require the use of a Microsoft account. As a result, it is recommended that Microsoft accounts be used for most Windows RT devices.

Note that Windows RT 8.1 and Windows 8.1 do not support using Active Directory federated IDs in place of Microsoft accounts to access the Windows Store. For more information on Microsoft accounts, see What is a Microsoft account?

Windows RT 8.1 provides support for leveraging three types of convenience passwords:

  • Picture passwords, where a series of three user-defined gestures can be used with a custom lock screen picture to unlock the device

  • PINs, where the user enters the correct four-digit value to unlock the device

  • Biometrics, where the user specifies a fingerprint that can be used to unlock the device (using a fingerprint reader)

The user account still has a traditional password assigned to it, so these just make it easier to log on, especially on touch devices, by not requiring that the full password be entered.

These convenience password mechanisms can be disabled (either through Exchange ActiveSync policy, Windows Intune, or local computer policy) in situations where they are not desirable.

Windows RT 8.1 includes Credential Locker, a service that stores user accounts and passwords from Windows Store apps and websites so that they can be automatically presented back to the app or website the next time they are needed. For more information on Credential Locker, see Credential Locker Overview.

Windows RT 8.1 includes SmartScreen capabilities that check all downloaded files to help ensure that they are safe. SmartScreen leverages application reputations to determine which files may be dangerous and which files are not; for those that are not, no prompt would be displayed. For files that do not have a known reputation, or for those that have a bad reputation, SmartScreen will prompt the user for confirmation before continuing.

Windows Defender provides real-time protection on Windows RT 8.1 from malware, including viruses, worms, bots, and rootkits, by using the latest set of malware signatures from the Microsoft Malware Protection Center, which Windows Update delivers regularly along with the latest Microsoft antimalware engine. This expanded set of signatures is a significant improvement over previous versions of Windows Defender, which only included signatures for spyware, adware, and potentially unwanted software.

The Windows Firewall is also included in Windows RT 8.1 and enabled by default, to ensure that the network attack surface is minimized. Configuration of the firewall is more limited, though, because Group Policy (which is only available for Active Directory-joined computers) cannot be used to push out a specific configuration. Scripted configuration using Netsh can be performed instead.
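As an added example, not code from the original article, the script below applies a small firewall baseline to a Windows RT 8.1 device through `netsh advfirewall` from an elevated PowerShell prompt, which is the scripted route the paragraph above points to for devices that Group Policy cannot reach. It backs up the existing policy first, turns the firewall on for every profile with an inbound-block / outbound-allow default, enables dropped-packet logging, and adds one narrow inbound exception. The rule name and management subnet are constructed placeholders.

```powershell
# Added example (not from the original article): scripted Windows Firewall
# baseline for a Windows RT 8.1 device that is not domain-joined, so netsh
# advfirewall is used instead of Group Policy. Run from an elevated prompt.
# The rule name and the management subnet are constructed placeholders.

function Invoke-Netsh {
    # Run one netsh command given as an argument array and fail loudly on error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join "`n")"
    }
    return $out
}

$mgmtSubnet = '10.10.0.0/16'                     # constructed placeholder
$ruleName   = 'RT-Allow-ICMPv4-Echo-From-Mgmt'   # constructed placeholder

# 1. Export the current policy so the change can be rolled back later with
#    'netsh advfirewall import <file>'.
$backup = Join-Path $env:TEMP ('firewall-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))
Invoke-Netsh 'advfirewall','export',$backup | Out-Null
Write-Host "Previous policy saved to $backup"

# 2. Firewall on for every profile, block unsolicited inbound, allow outbound,
#    and log dropped packets so blocked traffic can be reviewed afterwards.
Invoke-Netsh 'advfirewall','set','allprofiles','state','on' | Out-Null
Invoke-Netsh 'advfirewall','set','allprofiles','firewallpolicy','blockinbound,allowoutbound' | Out-Null
Invoke-Netsh 'advfirewall','set','allprofiles','logging','droppedconnections','enable' | Out-Null

# 3. One narrow inbound exception: ICMPv4 echo request (type 8) from the
#    management subnet only, on the private profile only, so monitoring can
#    reach the device while everything else keeps the default block. Any
#    earlier copy is deleted first so the script can be re-run without
#    creating duplicate rules (delete returns exit code 1 when none exists).
& netsh.exe advfirewall firewall delete rule "name=$ruleName" 2>&1 | Out-Null
Invoke-Netsh 'advfirewall','firewall','add','rule',"name=$ruleName",'dir=in','action=allow',
             'protocol=icmpv4:8,any',"remoteip=$mgmtSubnet",'profile=private' | Out-Null

# 4. Show what is now in force so the result can be recorded or compared.
Invoke-Netsh 'advfirewall','show','allprofiles','state'
Invoke-Netsh 'advfirewall','firewall','show','rule',"name=$ruleName"
```

Passing each netsh token as a separate array element keeps the script correct even when a value such as the backup path contains spaces, which a naive string split would break; the exported `.wfw` file is also a convenient artifact to keep alongside the device record, since it captures the full policy rather than only the rules this script touched.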

Windows RT 8.1 does support Network Access Protection (NAP), which can be used to control access to corporate network resources based on the device’s compliance with corporate controls. Note that Windows RT 8.1 does not support third-party system health agents (SHA).

Windows RT 8.1 includes support for Workplace Join, a process through which the Windows RT device is registered into Active Directory. This registration information can be used to ensure that only trusted, registered devices are able to access secure corporate data; this leverages Dynamic Access Control capabilities in Windows Server 2012 R2.
