Managing "BYO" PCs in the enterprise (including WOA)


With more and more people providing their own hardware for work, the “bring your own” PC is becoming more commonplace and IT Pros want to have the confidence that they can support their clients who follow this trend. The presence of BYO does not change the need for IT Pros to manage, secure, and remain accountable for the network assets of an organization, and we all know that written policies can only go so far.

This post focuses on managing WOA PCs, which are designed with this “consumerization of IT” in mind. PCs of all form factors built on x86/64 architecture have the full complement of management tools available to them, especially those supported by third-party code running on the system. Since WOA PCs only support third-party code through the Windows Store and WinRT-based applications, we set out to develop industry-leading management capabilities that support BYO or company-deployed WOA PCs. This post was authored by Jeffrey Sutherland, a program manager lead in our Management Systems group.

–Steven


One of the major trends in IT in recent years has been the drive towards “consumerization of IT,” a term describing how consumer technology, from phones to PCs, is finding its way into business organizations in all forms and fashions. Increasingly, the devices that show up are owned by the employee, who is liable for them, rather than by the organization they work for. We see this most notably in the smartphone category, but more recently also in tablets and other portable PC form factors that are increasingly showing up in the workplace. As organizations embrace consumerization, IT must consider how much control they can exert over a user’s personally-owned device, and how much management is “good enough.” These questions were top of mind for us as we began our journey to Windows 8, and particularly as we built Windows for the ARM processor architecture. Our focus has been on how we can continue to deliver the PCs and software that users need, like applications and data access on any device, with enough IT control to assert that the device is trustworthy, while avoiding any compromise of the user’s privacy on their personal device.

In Steven’s earlier blog post about Windows on ARM, or WOA, he talked about how the bulk of the Windows experience remains the same on ARM as it is on x86/64, and the products share a significant amount of code. So, while this post focuses primarily on WOA, many of the features discussed apply equally to both processor architectures. In addition, this post covers the capabilities on the PC itself, not the overall management infrastructure and tools used by IT. Also, keep in mind that WOA comes with all the security capabilities built into Windows, from the basics of networking all the way through drive encryption.

Line-of-Business applications and the WOA management client

Demand for access to the business apps that users rely on – from email to licensed software from an independent software vendor to home-grown apps developed by IT – is one of the most important use cases for “consumer” devices in the enterprise. We know that developers are going to find it easy and convenient to build elegant Metro style apps that automatically work on any Windows 8 system including WOA, and developers of line-of-business (LOB) apps won’t be any different. But many organizations want to directly control and manage access to their internal LOB apps, including the distribution of the app binaries for installation. For these organizations, publishing their LOB apps to the public Windows Store doesn’t make sense, since there is no reason to broadcast these applications to others or to have their application deployment managed through the Windows Store process. And access to these resources and the data that they expose requires an assurance to IT that the systems accessing them meet an established bar for security and data protection.

Organizations have been dealing with apps on x86/64 machines for a long time using a variety of tools and methods, including management products like System Center Configuration Manager and Windows Intune. Management of Metro style LOB apps on x86/64 will be able to leverage those same existing tools and methods and only requires that the client be configured to trust the apps that come from a source other than the Windows Store. For more information on the base capabilities of adding and removing Metro style apps on x86/64, see How to Add and Remove Apps. Developing WOA, however, provided us with a unique opportunity to architect how LOB apps can be delivered to users in a way that meets the needs of IT while continuing to guarantee a consistent and reliable end-to-end experience over the life of the PC.

For WOA, we have integrated a new management client that can communicate with a management infrastructure in the cloud to deliver LOB apps to users. You’ll hear more about this management infrastructure at a later date from our friends on the System Center blog, so this post will focus on the benefits and capabilities of the WOA management client itself.

There are actually two parts to the WOA management client: the built-in system component, which we’ll call the agent; and a Metro-style app, which we’ll call the self-service portal, or SSP, that the consumer uses to browse for and install LOB apps made available to them. Both parts of the WOA management client are well behaved Windows 8 apps in terms of user experience, power management/battery life, network awareness (for metered networks), and overall functionality.

The agent does most of the heavy lifting on the client. It configures the client to communicate with the organization’s management infrastructure; periodically synchronizes with the management infrastructure to check for any updated LOB apps and apply the latest settings policies configured by IT for the device; and handles the actual download and installation of any LOB apps that the user wants to install. Finally, if the user or the administrator chooses to remove the device from the management infrastructure, it clears the configuration of the agent itself and disables any LOB apps the user installed from the SSP.

Connecting to the management infrastructure

Let’s explore some of these elements in more detail, starting with connecting the client to the management infrastructure. In truth, this step begins with the IT admin who specifies the group of Active Directory (AD) domain users who are authorized to connect devices into the service. The admin also has the option to specify the maximum number of devices allowed per user. For authorized users, the actual steps to connect a device are quite simple. Using a new Control Panel applet on their WOA device, the user supplies their company email address and password, just like they do to set up an Exchange email account. The agent then performs a service lookup to locate the organization’s management infrastructure based on the user’s email address.


[Screenshot: Control Panel System window overlaid with a dialog for entering company credentials to access company apps and resources]
Connecting to your management infrastructure is as easy as entering your company email address and password

Once the agent has found the right address, it establishes a secure connection to the management infrastructure using SSL Server Authentication, so the service’s certificate is verified before the user’s credentials are sent, and then authenticates the user. If the user is successfully authenticated and has been authorized by the admin to connect devices, the service issues a user certificate to the user who initiated the connection. This certificate is sent back to the agent along with the organization root certificate and instructions for the agent, which it uses to configure its ongoing communications with the management infrastructure. All of this happens in a matter of seconds and typically requires no further interaction from the user. Once complete, the user is directed to install the SSP while the agent completes the connection in the background.

[Screenshot: Control Panel System window overlaid with a Connecting dialog]

[Screenshot: Control Panel System window overlaid with a dialog showing the user is connected to the company network]

Completing the connection

Next, the agent automatically initiates a session with the management infrastructure, using the user certificate to authenticate. This session and any subsequent sessions are performed using SSL Mutual Authentication to ensure the security of the connection. This initial session completes the registration of the device with the service by supplying some basic device information such as the make and model, the OS version, device capabilities, and other hardware information. This allows IT admins to monitor what types of devices are connecting to the organization, so they can improve the apps and services they deliver to users over time.

Following the initial session, the agent initiates communication with the management infrastructure in two circumstances:

  • First, as a maintenance task that runs daily at a time that the user can configure on the client. The activities performed during these maintenance sessions focus on reporting updated hardware information to the management infrastructure, applying changes to the settings policies for the device, reporting compliance back to the management infrastructure, and applying app updates to LOB apps, or retrying any previously failed LOB app installations initiated from the SSP.
  • Second, the agent communicates with the management infrastructure any time the user initiates an app installation from the SSP. These user-initiated sessions are solely focused on app installation and do not perform the maintenance and management activities described in the first case.

Regardless of whether a session is initiated automatically by a scheduled maintenance task or manually by the user, the WOA management client continues to behave well relative to the state of the battery on the device and its current network conditions.

Settings policy management

As already discussed, access to LOB apps typically requires systems to comply with basic security and data protection policies. From the management infrastructure, the IT admin is able to configure a set of policies that we believe are the most critical to give IT the assurances they need without seriously affecting the user’s experience with their device, including:

  • Allow Convenience Logon
  • Maximum Failed Password Attempts
  • Maximum Inactivity Time Lock
  • Minimum Device Password Complex Characters
  • Minimum Password Length
  • Password Enabled
  • Password Expiration
  • Password History

Although our new WOA management client can only connect with a single management infrastructure at a time, we may decide to add other policy sources before we release Windows 8, so we’ve architected the policy system to handle this. In the case where more than one policy exists for the same Windows 8 device, the policies are merged and the most restrictive configuration is selected for each setting. This resultant policy applies to every administrative user on the Windows 8 device and every standard user with an Exchange account configured. Standard users who do not have an Exchange account are not subject to the policy, but Windows 8 already restricts those users from accessing data in other users’ profiles and from privileged locations, thereby automatically protecting your corporate data.

In addition to the configurable policies described above, the agent can also be used to automatically configure a VPN profile for the user, so that WOA devices easily connect to a corporate network without requiring any user action. Finally, the agent can also monitor and report on compliance of WOA devices for the following:

  • Drive Encryption Status
  • Auto Update Status
  • Antivirus Status
  • AntiSpyWare Status

Leveraging this compliance information, IT admins can more effectively control access to corporate resources if a device is determined to be at risk. Yet once again, the user’s basic experience with the device is left intact and their personal privacy is maintained.
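The two rules described above, the most-restrictive merge across policy sources and the compliance report that IT can use to gate access, as an added example (this is not code from the post or from the WOA management client). It uses the eight settings and four compliance items the post names; the per-setting notion of which value is “more restrictive”, the second policy source, the sample values and the fail-closed treatment of an item missing from the report are assumptions made for illustration.

```python
"""Most-restrictive merge of device settings policies, plus a compliance check.

Constructed example. The eight policy names and the four compliance items are
the ones the post lists; the per-setting "which value is stricter" rule, the
second policy source and the sample values are assumptions for illustration.
"""
from __future__ import annotations

# Rule for picking the most restrictive value when several sources set the
# same policy: "min" = smaller is stricter, "max" = larger is stricter,
# "and" = any source disallowing wins, "or" = any source requiring wins.
MERGE_RULES = {
    "Allow Convenience Logon": "and",
    "Maximum Failed Password Attempts": "min",
    "Maximum Inactivity Time Lock": "min",
    "Minimum Device Password Complex Characters": "max",
    "Minimum Password Length": "max",
    "Password Enabled": "or",
    "Password Expiration": "min",
    "Password History": "max",
}

# Compliance items the agent reports; a missing item is treated as failing.
COMPLIANCE_ITEMS = (
    "Drive Encryption Status",
    "Auto Update Status",
    "Antivirus Status",
    "AntiSpyWare Status",
)


def merge_policies(*sources: dict) -> dict:
    """Merge policies from several sources, keeping the strictest value of each.

    A value of None means "not configured by this source" and is ignored.
    An unknown setting name is an error rather than being silently dropped.
    """
    for src in sources:
        unknown = set(src) - set(MERGE_RULES)
        if unknown:
            raise ValueError(f"unknown policy setting(s): {sorted(unknown)}")
    merged = {}
    for name, rule in MERGE_RULES.items():
        values = [src[name] for src in sources if src.get(name) is not None]
        if not values:
            continue
        if rule == "min":
            merged[name] = min(values)
        elif rule == "max":
            merged[name] = max(values)
        elif rule == "and":
            merged[name] = all(values)
        else:  # "or"
            merged[name] = any(values)
    return merged


def evaluate_compliance(report: dict) -> tuple[bool, list[str]]:
    """Return (compliant, failing items). Fails closed on anything not reported."""
    failing = [item for item in COMPLIANCE_ITEMS if not report.get(item, False)]
    return (not failing, failing)


# Constructed sample policies. The first stands for the management
# infrastructure; the second for a hypothetical additional policy source.
MANAGEMENT_POLICY = {
    "Allow Convenience Logon": False,
    "Maximum Failed Password Attempts": 10,
    "Maximum Inactivity Time Lock": 15,   # minutes
    "Minimum Device Password Complex Characters": 1,
    "Minimum Password Length": 8,
    "Password Enabled": True,
    "Password Expiration": 90,            # days
    "Password History": 5,
}
OTHER_POLICY = {
    "Allow Convenience Logon": True,
    "Maximum Failed Password Attempts": 5,
    "Maximum Inactivity Time Lock": None,  # not configured by this source
    "Minimum Device Password Complex Characters": 2,
    "Minimum Password Length": 6,
    "Password Enabled": True,
    "Password Expiration": None,
    "Password History": 3,
}

# Constructed compliance report as the agent might send it; AntiSpyWare is
# absent, which the check treats as non-compliant.
DEVICE_REPORT = {
    "Drive Encryption Status": True,
    "Auto Update Status": True,
    "Antivirus Status": False,
}

if __name__ == "__main__":
    print(merge_policies(MANAGEMENT_POLICY, OTHER_POLICY))
    print(evaluate_compliance(DEVICE_REPORT))
```

The merge rejects setting names it does not know rather than dropping them, and the compliance check treats an unreported item as failing; both choices mean a malformed or truncated report cannot silently pass a device as compliant.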

Before we move on, let’s consider a couple of the policies listed above and how they practically affect a Windows 8 system. First, we’ll look at Allow Convenience Logon. Windows 8 offers users convenience login features, like biometric login or the picture password feature. These options maintain a high level of security for Windows 8 devices, while solving one of the biggest headaches for users and IT alike: forgetting your password. Yet some organizations may require additional time before they are ready to embrace these alternative logon methods, so the Allow Convenience Logon option lets IT manage when to allow convenience logins in their organization.

Second, let’s look at how drive encryption and Maximum Failed Password Attempts work together. You probably know people who’ve picked up their smartphone only to find that the device has wiped itself after their young child was playing with it and inadvertently entered the wrong password repeatedly. Nothing so severe will happen with your Windows 8 devices. Windows 8 provides strong data protection out of the box, so when a user exceeds the password entry threshold, Windows instead cryptographically locks all encrypted volumes and reboots the device into the Windows 8 recovery console. If your device has been lost or stolen, this effectively renders the data unreadable. But if you’re simply the victim of your young son or daughter trying to get to Angry Birds while your device is locked, you can easily recover with the recovery key that Windows 8 can automatically store on your behalf in your SkyDrive account (which means the key is then only as well protected as that account, so the account deserves the same care as the device). This way, you are able to get back up and running without enduring a lengthy wait to re-install all of your apps and copy down all of your data.

LOB app management

The features we’ve covered so far are obviously focused more on the mechanics of the management client and infrastructure along with the needs of the IT admin, but ultimately the entire solution exists to benefit the end user by enabling access to their LOB apps. Without such a benefit there’s little reason a user would go through the trouble of using the enterprise management infrastructure. So let’s dig deeper into LOB app delivery on the WOA platform.

In our previous blog post about WOA, we told you that “consumers obtain all software… through the Windows Store and Microsoft Update or Windows Update.” Now, with the addition of the WOA management client, we’re adding a fourth trusted source of software for the WOA platform. As mentioned, the Metro style self-service portal app, or SSP, is the day-to-day interface for the corporate user to access their management infrastructure. Here they can browse to discover LOB apps that have been made available to them by the IT admin. There are actually four different types of apps that IT can publish for users in the SSP:

  • Internally-developed Metro style apps that are not published in the Windows Store
  • Apps produced by independent software vendors that are licensed to the organization for internal distribution
  • Web links that launch websites and web-based apps directly in the browser
  • Links to app listings in the Windows Store. This is a convenient way for IT to make users aware of useful business apps that are publicly available.

Since the user specified his or her corporate credentials as part of the initial connection with the management infrastructure, the IT admin can then specify which apps are published to each user individually, based on the user’s AD domain user account, or as a member of AD user groups. As a result, the user only sees those apps that are applicable to them in the SSP.

[Screenshot: Woodgrove Center SSP app, with dropdown filters for categories and names; buttons for Apps, My Devices, and IT Center; apps available for download: Woodgrove Supplier, Woodgrove Asset Request, Woodgrove Expenses, etc.]

Browsing for LOB apps in the self-service portal (SSP) for a fictional company called Woodgrove
NOTE: This screenshot shows an early prototype of the SSP and may not reflect the final product.

Before any LOB apps can be delivered through the management infrastructure, there are two things that happen on the client. First, an activation key is issued by the management infrastructure and applied to the WOA device to allow the agent to install apps. Second, any certificates used to sign the LOB apps must be added to the certificate store on the device. In most cases, both the activation key and the root certificates are automatically applied during the first session after establishing the connection with the management infrastructure. Otherwise, they are automatically deployed during a subsequent session after the IT admin has turned on the feature in the management infrastructure.

When the user chooses to install an app from the SSP, the request is sent to the management infrastructure and a download link is provided to the agent. The agent then downloads the app, verifies the validity of the content, checks the signature, and installs the app. All of this typically occurs within seconds and is generally invisible to the user. In the event that an error occurs during any part of this process (e.g. the location of the content is unavailable), the agent queues the app for a retry during its next regularly scheduled maintenance session. In either case, the agent reports the state of the installation back to the management infrastructure.
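The install flow just described, as an added example that is not code from the post or from the WOA management client: fetch the content, verify it against the published digest, check that the signer was provisioned into the device trust store, install, and report the outcome; a transient failure such as an unavailable content location is queued for the next maintenance session, while a verification failure is rejected and not retried. The content location, package bytes and keys are constructed, and since real package signatures are asymmetric and the Python standard library has no verifier for them, an HMAC keyed by a per-signer key stands in for the signature check.

```python
"""Agent-side LOB app install: fetch, verify digest, check signer, install, and queue
transient failures for the next maintenance session. Constructed example: URLs,
package bytes and keys are made up. Real package signatures are asymmetric; here an
HMAC keyed by a per-signer key held in the device trust store stands in for signature
verification so that the example runs on the standard library alone."""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Callable

class TransientError(Exception): """Content location unavailable and the like: retry later."""
class VerificationError(Exception): """Content or signature did not verify: never install."""

@dataclass(frozen=True)
class Package:
    name: str
    url: str
    sha256: str       # digest published by the management infrastructure
    signer: str       # identifier of the signing certificate
    signature: bytes  # stand-in for the package signature

@dataclass
class Agent:
    trusted_signers: dict             # signer id -> provisioned key (stand-in for a root cert)
    fetch: Callable[[str], bytes]     # raises TransientError when the location is unavailable
    installed: dict = field(default_factory=dict)
    retry_queue: deque = field(default_factory=deque)

    def install(self, pkg):
        """Returns the state the agent reports back: 'installed', 'retry-queued' or 'rejected'."""
        try:
            content = self.fetch(pkg.url)
            self.verify(pkg, content)
        except TransientError:
            self.retry_queue.append(pkg)   # picked up at the next maintenance session
            return "retry-queued"
        except VerificationError:
            return "rejected"              # not queued: a retry cannot make bad content good
        self.installed[pkg.name] = pkg.sha256
        return "installed"

    def verify(self, pkg, content):
        # 1. integrity: the bytes fetched must be the bytes IT published
        if not hmac.compare_digest(hashlib.sha256(content).hexdigest(), pkg.sha256):
            raise VerificationError("content digest mismatch")
        # 2. trust: the signing certificate must have been provisioned to the device
        key = self.trusted_signers.get(pkg.signer)
        if key is None:
            raise VerificationError(f"signer {pkg.signer!r} not in device trust store")
        # 3. signature over the content (HMAC stand-in for the real signature check)
        if not hmac.compare_digest(hmac.new(key, content, hashlib.sha256).digest(), pkg.signature):
            raise VerificationError("signature does not verify")

    def maintenance_session(self):
        """Retry everything queued since the last session; items that still fail re-queue."""
        pending, self.retry_queue = list(self.retry_queue), deque()
        return [self.install(pkg) for pkg in pending]

# Constructed sample data: hypothetical content location, one trusted signer, three packages.
BASE = "https://lob.woodgrove.example/"
TRUST_STORE = {"Woodgrove Root": b"constructed Woodgrove signing key"}
EXPENSES = b"constructed package bytes: Woodgrove Expenses 1.0"
SUPPLIER = b"constructed package bytes: Woodgrove Supplier 1.0"
ASSETS = b"constructed package bytes: Woodgrove Asset Request 1.0"
CONTENT_STORE = {
    BASE + "expenses.appx": EXPENSES,
    BASE + "supplier.appx": SUPPLIER,
    BASE + "assets.appx": ASSETS + b" (tampered)",   # will not match the published digest
}
unavailable = set()   # URLs that fetch() will fail on, to simulate an outage

def fetch(url):
    if url in unavailable or url not in CONTENT_STORE:
        raise TransientError(f"{url} unavailable")
    return CONTENT_STORE[url]

def published(name, path, content, signer="Woodgrove Root", key=TRUST_STORE["Woodgrove Root"]):
    """What the management infrastructure publishes for one package."""
    return Package(name, BASE + path, hashlib.sha256(content).hexdigest(), signer,
                   hmac.new(key, content, hashlib.sha256).digest())

PKG_EXPENSES = published("Woodgrove Expenses", "expenses.appx", EXPENSES)
PKG_SUPPLIER = published("Woodgrove Supplier", "supplier.appx", SUPPLIER)
PKG_ASSETS = published("Woodgrove Asset Request", "assets.appx", ASSETS)
PKG_UNTRUSTED = published("Unknown Tool", "expenses.appx", EXPENSES,
                          signer="Unknown Root", key=b"constructed other key")

def demo():
    """One SSP session with the supplier location down, then the next maintenance session."""
    agent = Agent(TRUST_STORE, fetch)
    unavailable.add(BASE + "supplier.appx")
    first = [agent.install(p) for p in (PKG_EXPENSES, PKG_SUPPLIER, PKG_ASSETS, PKG_UNTRUSTED)]
    unavailable.discard(BASE + "supplier.appx")    # location is back by the next session
    second = agent.maintenance_session()
    return first, second, dict(agent.installed)

if __name__ == "__main__":
    print(demo())
```

The point worth keeping from the example is the split between the two failure classes: an unreachable content location goes back on the queue for the next maintenance session, whereas a digest mismatch or an unknown signer is final and is reported as such, so the agent never loops on content that will never verify.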

[Screenshot: Details page for Woodgrove Expenses, including Publisher, Category, Description, and an Install button]
The details page of an app in the SSP, where the user can initiate installation
NOTE: This screenshot shows an early prototype of the SSP, and may not reflect the final product.

As part of its regular maintenance sessions, the agent will inventory which LOB apps are currently installed and report that information back to the management infrastructure so the IT admin can effectively manage their LOB apps. Only Metro-style apps that were installed via the SSP and the management client are included in this inventory from a WOA device. Apps installed from the Windows Store are never reported as part of the inventory.

Anytime the IT admin publishes an update for an app that has been installed on a WOA device, the agent will automatically download and install the update during its next regular maintenance session.

Disconnecting from the management infrastructure

Finally, let’s look at how to disconnect a device from the management infrastructure. Disconnecting may be initiated either locally by the user or remotely by the IT admin. User-initiated disconnection is performed much like the initial connection, and is initiated from the same location in the Control Panel. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an admin initiates a disconnection, the agent performs the disconnection during its next regular maintenance session. Admins may choose to disconnect a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.

During disconnection, the agent does the following:

  • Removes the activation key that allowed the agent to install LOB apps. Once removed, any Metro style apps that were installed via the SSP and management client are deactivated. Note, however, that the apps are not automatically removed from the device, but they can no longer be launched and the user is no longer able to install additional LOB apps.
  • Removes any certificates that the agent has provisioned.
  • Ceases enforcement of the settings policies that the management infrastructure has applied.
  • Reports successful deactivation to the management infrastructure if the admin initiated the process.
  • Removes the agent configuration, including the scheduled maintenance task. Once completed, the agent remains dormant unless the user reconnects it to the management infrastructure.

Summary

Given the trend towards “consumerization” of IT and our introduction of WOA with Windows 8, we wanted to rethink the way systems management is done. We worked to strike a balance between the sometimes competing needs of IT admins and the consumer who uses the device on a day-to-day basis. With the new WOA management client connecting to a management infrastructure in the cloud, we believe we’ve accomplished those goals, and we hope you’ll agree when you see it all in action.

– Jeffrey Sutherland

Comments (58)

  1. Someone says:

    Why are you guys referring to it as WOA and not Windows RT?

  2. Anthony Zoko says:

    Would be nice to have some of this infrastructure built into Small Business Server or even Home Server Editions.

    Nice work!

  3. freetushkan says:

    Someone, the answer is very trivial: it's an old post ;)

  4. seriously? says:

    You have created an entirely new management infrastructure apart from the existing AD/GP management... how could you? You are pissing away everything that has made your solutions respectable. Stop drinking the consumerization Kool-Aid BS!

  5. Someone says:

    @freetushkan I'm pretty sure that they didn't come up with this name overnight! It must have been decided upon a while ago. Anyways its a non issue, so whatever :)

  6. I completely agree with @Anthony Zoko about having this integrated in to Small Business Server or Home Server. There are lots of small businesses that would like to have this or that little custom application written for them to use or license from a company for their employees where the Windows Store model wouldn't work. Also, as a developer I write software for myself and others in my family and being able to deploy those apps without paying for or otherwise dealing with the Windows Store would be a huge boon. I've been looking at reasons to replace my Synology with a Windows Home Server, but the Windows Home Servers have nothing valuable to offer beyond what my Synology does. However, a feature like this would be absolutely wonderful!

  7. Branding Police says:

    Somebody didn't get the memo that the WOA SKU is called "Windows RT" now.  Here's a trick to help you remember in the future:  it rhymes with "Windows RT" which is the new dev platform announced at BUILD

  8. de@iru.ch says:

    1. Windows RT is still a stupid name

    2. Establishing the connection over a classic desktop control panel item is a bad idea. Why not do it Metro-style?

    3. Can you provide some more details about the management of those devices? What does that look like?

    4. Is this way of connecting only available to Windows RT/WOA? Or also for Intel-based tablets? What about regular computers/notebooks?

    5. What is the advantage of doing it this way instead of the AD-way? The cloud-based ability to push apps even when employees are at home?

    6. is DirectAccess supported on WOA? How are LOB apps supposed to connect to internal servers?

  9. Ole says:

    How many Start menus does it take to fix Windows 8?

  10. LD says:

    @Ole

    1- the one in windows 7

  11. A person with questions says:

    Why are apps from the company left on the device after it disconnects if they are no longer able to be launched?  They're just taking up space at that point.  Why not delete them automatically or offer that as an option to the user.  Does the user currently have to delete each unusable app manually?

  12. Anonymous says:

    Is this leveraging Windows InTune, Configuration Manager 2012, or something different?

  13. Lawrence says:

    I wish that when I brought my computer home I could be free of all the Work policies, and then when I go to work then it's secure – like having two PCs in one. Without the secure entry, I could access my videos, browse the web but not have access to my work files, etc…have you thought about something like that?

  14. worrall says:

    What 2-factor authentication methods will be available? Currently we use Smartcards to secure our networks. If this is password only, it's not going to fly from the get-go.

  15. JF says:

    I realize the screenshots are still preliminary, but could you please clarify how users enter their credentials? The screenshot shows the Explorer Control Panel... I can't imagine a situation where a user would ever be "delighted" by having to go to the desktop view on a tablet, for any reason at all. Hoping this is temporary.

  16. JF says:

    @Lawrence

    That's an interesting concept… it would involve removing the activation key while at a specific GPS location or through a toggle, I'd imagine. Ultimately might be more trouble than it's worth. That said, I absolutely despise "complex" character passwords. Most people end up writing it on a post it on their computer anyway. Kind of defeats the purpose. Hope companies catch on and allow "convenience" log-on!

  17. davis says:

    Is there this same support on x86 and x86-64 Windows 8? There's no reason why a corporation's approach to BYOD would be different depending on which architecture of Windows tablet the employee happens to buy.

  18. Guido van Brakel says:

    Does this require an enterprise CA in place in the organisation for exchanging those certificates?

  19. Victor Nazarenko says:

    You say "management infrastructure in the cloud ". Public cloud? Private cloud?

    Can I use this in an isolated network (without internet connection)?

  20. jader3rd says:

    Without Domain joining, how would a WOA device access secure SharePoint documents/sites? Will there be some sort of handshake with the SSP?

  21. Ray says:

    I am not sure if I have got your point

  22. Khun T says:

    What server version is needed to do all of this: WinServer 2003, 2008, 2012?

    Also, what kind of server setup is required to accomplish this?

  23. Adam Koncz says:

    Please make GroupPolicy part of every version of Windows. It is ridiculous that if you have a Home version you can't have full admin rights.

  24. Tyler says:

    How does a company make this available to their employees? Can a small business like mine do this? Does it cost money?

  25. Scott says:

    I think a device should be able to connect to multiple company portals. Otherwise, someone who works for two companies or a consultant who needs access to resources at multiple companies would be in a quandary. They would have to pick which one to go with and skip the other(s), or they would have to constantly change back and forth.

  26. Valkyrie-MT says:

    So, if I want to play a game at home, but have added my Win8 Tablet to the Company infrastructure, I have to enter a login with requirements imposed by my company? My kids use the iPad all the time and they would not be able to use this without creating a separate account that has no password because they cannot read (although the picture password is too difficult for most 3 year olds to consistently get right). I can imagine coming home from work with the tablet locked and the kids pick it up and can't get in. After the screen locks it should present the user with the login choices again and not just the password prompt for the currently logged in user. Also, maybe you could use GPS or presence of the home Wifi to determine the unlock screen prompt. So if the home wifi is detected or GPS shows you are at home, the default selection should be my personal/family login with no password. My kids need to be able to easily get on without the password when the tablet is at home. It's time for new thinking! Use the sensors in these devices to make things work better!

    Thanks.  

  27. JF says:

    @Valkyrie-MT

    I agree. One annoying thing about current generation tablets like the iPad is that they hold a single profile. It would be a huge step forward to allow multiple user profiles. With respect to this article, could the app activation key be specific to a single user in such a case? This would render any company app useless unless the right user (using the right security logon method) can access sensitive company data.

  28. ReMark says:

    Please give us a post of news about Desktop environment (post CPreview)

  29. Hi, Everyone, thanks for the feedback & some interesting suggestions.

    We did write this blog and had it planned to go up before the naming announcement.

    @Anthony Zoko: (and others) The update on the System Center blog will show how both small & large businesses can get to this functionality.  

    @Lawrence & @JF – interesting ideas – thanks for the suggestions.  In this release we don’t do that.  

    @davis: We do support this functionality on x86. However, x86 also has a load more management functionality through Domain membership, Group Policy and existing tools like System Center.

    @jader3rd: Any Windows system without Domain membership retains the ability to store credentials to any site it connects to.

    /iain

  30. pmbAustin says:

    Agree with @Adam Koncz … I wish it were possible on ALL versions of windows for the machine administrator to enforce policies against other specified users on that same machine… thing like not allowing installation of new software, or locking the desktop, or hiding the control panel, etc, etc.  I also think the family protection stuff should just be baked in with a nice UI (and the Group Policy editor and the like should be above and beyond for the more technically minded folks who want and need the capabilities, irrespective of parent/child accounts… like "here's an account I can let my friend use without worrying about him mucking up my machine because I've totally locked it down").

  31. Carlos says:

    I know that this comment should not be here, but I think they should change the name of Windows 8 for ARM devices, I think they should leave it as Windows 8 ARM, thus there would be 4 names, which would be Windows 8, Windows 8 Pro, Windows 8 Enterprise and Windows 8 ARM. If you leave it as Windows RT people will be confused.

  32. John says:

    Why did you guys name the Windows Runtime to be "WinRT" (inside of x86 and ARM devices) and name the OS inside of the ARM tablets to be "Windows RT" (which is only inside of ARM devices)?

    Probably no one on this blog will be confused, but it would be easy to make a case that this could lead to more consumer confusion.

    Please pick a different name for Windows RT before you get to the Windows 8 RC, and way before you begin advertising to consumers. If not, you can expect more confusion on the part of consumers and lost sales, and more lost market share.

  33. Windows RT has nothing to do with "windows"!!!!!!! (neither 8 at that point!!)

    So the real name may be Microsoft Metro ARM(or RT)

  34. RPotter says:

    @John They aren't selling copies of Windows RT to consumers. Windows RT will only be available preinstalled on hardware. Hence there will be no confusion.

  35. Mark says:

    Wow, there is a ton of information in this post! And I think you have done a good job with granting at least a limited set of management features to a wide range of casually-connected devices.

    Some of it I am struggling to see how it will work. For example, we currently use a 30 minute timer on password lockouts. This allows a simple mistake to be corrected without IT assistance in many cases, or a simple phone call to the frontline IT help desk and a domain password reset/unlock for the rest.

    In the instance mentioned, a password lockout now encrypts the data and boots into recovery console – several questions immediately come to mind…

    How user-friendly is the recovery console? Will a novice who quite probably has never seen it before be able to know what to do?

    Can the IT help-desk reach into the Recovery Console and reset the domain password?

    Does this apply to Desktop and/or RT?

    If Desktop, what about someone else who may want to log on to the computer? Actually that applies to RT as well, since multiple people can log in to the same tablet/pad. But if it is encrypted then the whole computer becomes a doorstop because of one guy's password problems.

    If RT (does RT even have a Recovery Console?), does the recovery console have access to my SkyDrive account? What if there is a networking problem, how would I debug it? How do I authenticate through the corporate firewall?

    The problem with giving us a taste of the info is we want more and more of it!

  36. On a related note,

    how come you are only including the Windows To Go feature in the enterprise edition of Windows 8? I'm asking because you have been proudly displaying this feature as a grand new addition to Windows 8, and a huge potential selling point. Instead it would become a very cool, yet very inaccessible feature, as Windows 8 Enterprise will be a very inaccessible OS (I have never actually seen a physical Windows 7 Enterprise machine in my life). Also, there are sure to be some people that want this feature that are not working for some large company that offers Enterprise for their computers.

    Just a suggestion :-)

  37. Louis St-Amour says:

    @Alex Kven – Windows "To Go" as I understand it is the enterprise-branded version of the consumer feature, Windows account profiles. Basically, login with your Windows account (formerly Windows Live ID, formerly Passport.net formerly Microsoft Passport) and instead of a local user, you will have a remote, cloud user. You can switch at any time between the two. The difference is, for enterprises, they allow you to run your own server to store the data and settings and stuff instead of using Microsoft's. Consumers (and many businesses) won't care and just as they use iCloud and Google Docs, they'll appreciate these new Microsoft cloud features when it comes time to swap computers — or even if they have multiple computers in the house.

  38. Louis St-Amour says:

    Way to get egg on my face for writing before I googled. Anyway, Windows To Go is an interesting feature (boot Windows settings from a USB on any computer) but I do think that the Microsoft account method preferred for consumers will be the way everyone gets around not having that feature. The USB is a security method — everyone else will use the Internet to sync their apps and settings. Done.

  39. No domain support on Windows RT/WOA means no Network Access Protection. NAP was great for BYO devices. Is Microsoft even investing any more into NAP in Windows Server 8?

    Now going a bit off-topic as MS is messing up the licensing of SKUs: If user feedback is still listened to at Microsoft, please make Windows 8 Enterprise available in a retail license too. I don't want to lose AppLocker, RemoteFX, VDI and other premium RDP features by "upgrading" Windows 7 Ultimate to Windows 8 Pro. Software Assurance is expensive and isn't always the best value for SMBs depending on the number of PCs you have. Having the option of a retail license is very important. Microsoft made the same mistake with Office 2010 where SharePoint Workspace 2010 and the Office Customization Tool are only available in the Professional Plus SKU, which is a volume license-only edition of Office. Making the same mistake again. I think MS wants to force all non-consumers into buying Software Assurance. I definitely won't be buying SA as it doesn't give me value.

  40. Kio says:

    Another useless post by Sinofsky.

  41. Alex V says:

    "Another useless post by Sinofsky." +1

  42. Is Sinofsky going to respond to the generally negative response?

    http://www.pcmag.com/…/0,2817,2403209,00.asp

    Forcing metro and removing the start menu is a huge mistake.

  43. Samuca says:

    Will Windows WOA connect with mapped drives on a file server?

  44. test says:

    Will this mean that a tablet running Windows 8 will also have Java and Flash capabilities, unlike the iPad and Android tablets?

  45. nameless one says:

    @test

    Android supports both Java and Flash.

    Android ftfw

  46. Off-topic. After giving yet another chance to IE, I came back to Firefox. For two reasons: inefficient autofill and lack of add-ons. Since IE will work together with the charms bar on Windows 8, I wouldn't expect desktop IE 10 to bring a better integration of extensions (like buttons for Google Reader, Pocket, etc.). But I sincerely cannot understand why it is that hard for the IE team to implement IE 10 with an autofill feature that is as good as in Chrome and Firefox, that is, that doesn't require the user to type or click. If it is a security issue, just make it optional. Little things like this make a huge difference on a daily basis.

  47. Xero says:

    @DanyRodier1,

    I save my passwords and other credentials in IE9/10 and it works fine. But there is another similar issue described below:

    [IE-amnesia]

    In IE9 and IE10, if the system shuts down unexpectedly (like taking off the battery), on the next reboot IE9 in Windows 7 and IE10 in Windows 8 will forget the saved passwords, such as Gmail, Hotmail and other user preferences such as Bing region. My region is Australia. So by default it opens the Australia page. But if I change it to US-English and restart the computer it always remembers my preference. But the unexpected shutdown flushes the saved preferences!! FF remembers that of Bing, Hotmail, Gmail (..yada yada) even if the system shuts down abruptly, crashes unexpectedly or for any reason (without saving settings.. you can reproduce it very easily!)…

  48. @Xero,

    Indeed, it works fine, that is, it fills in credentials correctly. But this was not my issue. Contrary to the autofill feature on Chrome and Firefox, on IE one has to enter the first letter or to click in the field to make credentials appear. For example, each time I go to my blog on WordPress I need to type the first letter of my username or click in the username field to get my credentials filled in. When one does that several times a day, it gets really annoying. On Chrome and Firefox, credentials are already there as the webpage opens; one only has to type/click enter. This is one tiny difference that makes a big difference on a daily basis.

  49. pmbAustin says:

    @Xero, it does more than forget passwords and auto-fill… it completely blows away cookies.  I go to some sites that "remember" threads I've read in cookies, and when a bad shutdown happens, it completely loses everything.  All marked/tagged threads are gone.  It's VERY annoying and frustrating, and you're right, this absolutely needs to be fixed.

  50. Xero says:

    @pmbAustin, indeed .. it also forgets the most popular sites in about:Tabs and the page is blank as if it's the first time I opened IE!

    @DanyRodier1, as a workaround, rather than counting on the auto-fill ease-of-access, I use the Remember Password functionality of the webpage.

    @IE10-Team,

    1- [Quick Tabs]

    Please make the Quick Tabs (ctrl+Q) enabled by default in the desktop version and bring about some enhancements in it, such as: display resource consumption and volume control for each tab. Also display the combined volume control of IE prominently on the Quick Tabs view. Moreover, allow users to multi-select the tabs by dragging the mouse on the QT view and select/deselect them while holding the Ctrl key. Then make them carry out the combo operations like: close-selected-tabs, group-selected-tabs, save-group as a pinned site, mark-favorite and yada yada.

    2- [F12 Developer Tools]

    If you guys also bring some aesthetic and performance improvements to the F12 Developer Tools, that would be an extra treat! Besides, there are more things to consider:

    2a. While inspecting with the F12 developer tools, the asynchronous page update doesn't immediately update the code in devtools’ HTML tab. We need to close and reopen devtools to seek the updated code.

    2b. When we click 'edit' in the HTML tab, it should narrow down the code to that of the selected tag and its innerHTML (only) in edit mode.

    2c. Implement autocomplete for Style while creating or editing rules in both CSS and HTML tabs.

    2d. Preview of images onmouseover in tags such as <img src=….>, <input type=image….> or image embedded in stylesheet.

    2e. Implement an easy way to add a new Style rule in the HTML tab rather than switching to the CSS tab. For example: pressing <enter> for the first time should highlight-to-edit the name of the selected rule, the next <enter> should switch the focus to that rule's value, then the next rule's name and its value, and so forth, until it reaches the end of "that selector" (only). After that, the next <enter> should cause the creation of a new rule's name-value pair under that selector. So this way, if users have to create a new rule promptly, rather than going to the CSS tab and finding the selector then right-clicking to select AddRule, within the (right-side: Styles of) HTML tab, they select the last value of the desired selector and hit enter to create a new rule.

    3- [IE Shortcuts]

    3a. While holding Ctrl, if we click the "back" or "forward" button of Windows Explorer or Internet Explorer, the corresponding page should be opened in a new tab (in case of IE) and a new window (in WinExplorer's case). This shortcut is present in EVERY non-IE browser so at least provide this *missing shortcut* in IE10.

    3b. While holding the Ctrl button if you press 0 (zero) on qwerty keyboard, the zoomed page is reverted to normal. But if the 0 is pressed on numpad, the shortcut doesn't work. Since Ctrl + numpad-0-key is not reserved for any action, please override this shortcut as EVERY non-IE browser does.

    4- [Download Hub]

    A system-wide "Download Hub" (similar to Users..Download folder) would be a time saver. Be it the IE-metro/desktop download, torrent/p2p or manually entered URL(connect.microsoft.com/…/create-download-in-ie-download-manager), all kinds of downloads must be carried out and managed from a single hub. This is where we would be able to segregate the downloads on the basis of responsible app and manage their downloads which may also help to avoid the redundancy. Currently, IE metro and IE desktop have separate download managers. With Firefox 14, there would be a similar manager as of IE and Chrome has its own. The extension can be provided to App/Metro devs so they have choice to make the in-app downloads via download hub.

    Would be very obliged if a real member of the IE-Team considers reading this comment.

  51. @Xero & @pmbAustin

    I also experience the issue with lost passwords/cookies/most visited sites. It happened to me multiple times after crashes, and as you say it's extremely annoying and frustrating.

    Microsoft, please fix it. It has been reported on connect, reproduced by multiple users, and your engineers still marked it as not reproducible.

    The issues on connect:

    connect.microsoft.com/…/new-tab-page-loses-activity-history-shows-only-sites-visited-today-and-passwords-lost-at-same-time

    connect.microsoft.com/…/ie9-crash-wipes-all-user-data

  52. Johnny Organnelle says:

    Are the manageable VPN settings for DirectAccess, regular RRAS connectoids, or both?  Thanks.

  53. "2. Establishing the connection over a classic desktop control panel item is a bad idea. Why not do it Metro-style?"

    Exactly what this person said!  If Metro is the future, why are you making new things on the desktop?  Also, consider that small business owners – even ones without any kind of server at all – will find this very valuable too – not just big corporations with dedicated IT departments and servers.  Make sure it's widely accessible and fully usable on Metro.

    Especially consider the new Windows Phone 8 ("Apollo") based on Windows 8.  Corporations need to manage their apps on those devices, too.  What are you going to do, enroll the user on a smartphone using the desktop?!  That's why you need a Metro interface.

    Or are you just not going to allow line-of-business apps and the other features you describe here on the new Windows Phone 8?  That would be dumb, dumb, dumb.

    (For the record, I think including the desktop on a smartphone is a GREAT idea for when the phone is plugged into a projector or external monitor, but not so useful on the small smartphone screen itself for obvious reasons.  Requiring the smartphone user to plug in a projector to enroll the device is not feasible.)

    It's bad enough that you're reinventing the wheel and not allowing the existing group policy / domain infrastructure on WOA/Windows Phone 8/Apollo.  This solution you propose here offers too much flexibility.  It might be appropriate for a "bring-your-own-device" scenario where you don't want to take too much control away from the user, but not appropriate for a corporate-provided device.  For example, a lot of corporations need to deploy a locked-down setup to their mobile devices, which shouldn't allow things like the addition or removal of any apps, or changing many settings.

    Imagine a corporation buying a few dozen WOA tablets to be used by low-level personnel at a hospital, for example.  Users are going to be doing one thing, and one thing only: working with patient charts using a custom application.  They don't need to be allowed to monkey around with things like installing other apps (i.e. games), screwing up the system-wide settings so that the next person to use the device can't do his/her job, or changing the user accounts on the device.  It's not what they are paid for.  Heck, they don't/shouldn't even have access to the Metro LOB application installer you mention in this article!  Let the admins force install apps for users and leave it at that.

  54. Somewhat unrelated… what is with this trend of employees bringing their own devices?  I wouldn't "bring" and use my own device for significant work at a job due to the liability concerns.  You'd think that would be common sense.  Work devices are for work.  Home devices are for personal use.  Sharing a device is all fun and games until the employee-employer relationship goes south.

  55. hamakaze nihon says:

    It may seldom be related to a report.

    How about carrying out activity from the Microsoft Corporation side, in order to spread Metro UI?

    It seems that the activity "Go Metro" is carried out in our country in Japanese Microsoft in fact.

    A customer will not follow easily, unless it carries out at least it.

    Is [ the back ] flv correspondence impossible one more and a standard [ for WMP ] one?

    I think that it is good with at least the codec being attached.

    WMP is still 12?

    The neighborhood, I would appreciate your favor.

  56. Tim Anderson says:

    If you deploy an app via SSP, is there an auto-update mechanism?

    Tim