Windows 8 Management, Security and Licensing Changes: What IT Pros Need To Know
IT pros are traditionally left holding the Windows bag with each new OS release, running to catch up and learn what's new, while maintaining a computing environment. While many IT pros could try to ignore Windows 8, adoption at the consumer level can be a pressure on company adoption. Additionally, there may be pushes from the top to enable bring-your-own-device scenarios in the workplace even as Microsoft begins to deliver Windows 8 for tablet devices.
Simply put, Windows 8 will bring new ways for IT pros to deal with client management, security and licensing. Those changes largely reflect Microsoft's moves to address a shift toward a more mobile device-centric world that is taking shape. And while much is known about Windows 8 at this point, much also remains shrouded in mystery, even at this late date.
Windows 8 won't be an easy shift for users or IT pros because things are just different. No doubt there will be much more to discover in the coming months with the release of the new OS, but here's your guide to what's known so far, as well as the open issues that still need resolution.
Dual UIs, Dual Platforms
The most obvious new aspect of Windows 8 is its dual user interface (UI), consisting of a "Metro" side that looks a lot like the Windows Phone touch screen plus a more classic "desktop" Windows 7-like UI. This dual UI reflects Microsoft's attempts to deal with a radical market shift, which is trending more toward mobile computing devices than toward PCs. That shift, with Google and Apple leading the way, has caused Microsoft's Windows monopoly to dissolve from 70 percent in 2008 to about 30 percent this year when all computing devices are taken into account, according to a new Forrester Research report.
It's possible to think of the desktop side of Windows 8 as something in transition that might one day go away, although Microsoft hasn't made that point. The message from Microsoft with Windows 8 seems to be that future applications will be Metro-style apps, which are more like simple mobile apps running full screen and designed for touch interaction. The new Windows Runtime in Windows 8 provides options for developers to build HTML 5 or XAML apps that can be repurposed for platforms other than Windows. Microsoft is still badly behind Apple and Google on the apps front, with maybe 1,000 apps currently available in the Windows Store. (Apple currently leads with a store that hosts 700,000 apps, followed by Google with 675,000 apps, according to Forrester Research estimates.)
Microsoft has been telling the story that Windows 8 will be highly backward compatible, both with Windows 7 software as well as the hardware used to run Windows 7. Many may recall Windows Vista nightmare scenarios where new hardware was required and software drivers weren't ready by launch. That problem seems to have been addressed organizationally under the stewardship of Steven Sinofsky, president of the Windows Division. A logo-based PC capable of running Windows 7 will be capable of running Windows 8, according to a talk by Antoine Leblond, corporate vice president for Windows Web Services at Microsoft.
However, caution should be exercised when looking at touch-screen hardware compatibility with Windows 8, as well as the hardware requirements for running Hyper-V on Windows 8, when planning to use older equipment that's not certified for Windows 8. Those hardware specs are currently a bit hard to track down. Microsoft does alert IT pros to the issue, though, stating in its Windows 8 FAQ that "some features such as touch and Client Hyper-V may require advanced or Windows 8 certified hardware."
Windows 8 is really designed for touch interaction, so IT shops likely will need to consider upgrading to multitouch monitors that have minimum support for five touch points, although Microsoft has made the claim that "the vast majority of Windows 7 touchscreens can be used with Windows 8," in a blog post. It's possible to use a keyboard and mouse combination for both Metro-style and desktop Windows 8 applications, but it's maybe not so optimal for Metro-style apps. For instance, some applications, such as Office 2010, will run on the desktop side of Windows 8 and will be touch enabled, but it will be difficult to select some menu items with a finger. Microsoft appears to adding more space around menu commands in Office 2013 to make it more touch friendly.
Microsoft is a bit more explicit about the hardware limitations to running Hyper-V, which is the hypervisor used for desktop virtualization that comes with Windows 8. First of all, Hyper-V is just available for the x86/x64 Windows 8 machines, and not for Windows RT systems. Next, Hyper-V users will have to have a Windows 8 device that's 64 bit, with 4 GB of RAM, to run three or four virtual machines, according to Microsoft's announcement. There will also be problems running some apps in a virtual machine that are dependent on hardware or have low latencies, including games. The real game killer with running Hyper-V on Windows 8, though, has to do with licensing. Essentially, a Windows desktop hosted in a virtual machine atop Windows 8 has to be a licensed copy of Windows 8 for that machine or user, under Microsoft's licensing rules.
For IT pros sizing up hardware that can run Hyper-V, they need to know that the computer must be a 64-bit system with second level address translation (SLAT) capabilities. SLAT is a processor enhancement for virtualization, but Intel and AMD talk about that capability in different ways. It's possible to use the Windows Sysinternals tool Coreinfo to detect if a PC has Intel's "enhanced page tables" or AMD's "nested page tables," indicating SLAT support, according to this Microsoft blog. Intel processors with SLAT capability typically start with the letter "i" or they are based on "Nahalem, Westmere, or Sandybridge" Intel CPUs, according to another Microsoft blog.
Microsoft is releasing Windows 8 on the ARM hardware platform -- a first for its client OS, which has long stayed in the "Wintel" x86/x64 groove. The ARM platform is ubiquitous among various mobile devices and has the virtue of supporting longer battery durations. Consequently, IT pros likely will have to deal with the idiosyncrasies that will come with having two new Windows platforms to manage. On the ARM side, Microsoft uses a different name for the OS, calling it "Windows RT" rather than Windows 8 on ARM. Such changes, as well as differences in hardware and software capabilities, promise to add some confusion for IT pros and end users alike.
Microsoft will be releasing what Gartner calls a "plumbing release" with Windows 8, as opposed to a polishing release. The new OS has backward compatibility with Windows 7 software and hardware, but it has enough new elements that it's less likely to see success in the enterprise, according to the analyst and consulting firm. Many IT shops currently are happy just to move to Windows 7 and have told Gartner that they'll skip Windows 8, especially having tackled the complexities associated with migrating from Windows XP. Microsoft's view is a little different, advocating that companies run Windows Vista or Windows 7 concurrently with conducting Windows 8 pilots. But all agree that IT shops should get off Windows XP, which will face a loss of security patching support on April 8, 2014.
Client Device Management Changes
Microsoft has made some fundamental changes as to how IT pros will be able to manage computing devices, especially on the Windows RT side. The idea seems to be that Windows RT devices are treated more like locked-down smartphones than their Windows 8 x86/x64 cousins.
For instance, IT pros won't be able to join Windows RT machines to domains, nor will they be able to use Active Directory to directly manage Windows RT devices. Instead, Microsoft has described a system, initiated by the user through the device's Control Panel, that will install an agent on the user's Windows RT device. This agent allows IT organizations to direct the user to install Windows Store applications or line-of-business (LOB) applications through the use of a self-service Web portal page. Apps get pushed down from the portal to the user's device via a process that Microsoft calls "enterprise sideloading" or they are accessed from the Windows Store through a process Microsoft calls "deep linking." Microsoft describes the details of enterprise sideloading in this TechNet library article, but basically LOB apps must be "signed with a certificate chained to a root certificate." IT pros thinking that apps are just apps will have to get used to this distinction in Windows 8. Microsoft defines LOB apps in a technical sense, according to the Windows 8 architecture. "Line-of-business apps require users to authenticate using corporate credentials, access internal information, or are designed specifically for internal use," according to the TechNet article.
Publishing apps via enterprise sideloading requires licensing Windows 8 with Software Assurance coverage or a Microsoft Virtual Desktop Access license (a VDA license is a no-cost option that comes with Software Assurance). This blog outlines the basic details. However, see Microsoft's "Volume Licensing Guide: Windows 8 and Windows RT" (PDF) for a more detailed outline of Microsoft's licensing requirements to perform enterprise sideloading. For instance, for volume licensing subscribers, Microsoft is requiring the use of a "volume licensing multiple activation key" (MAK) to sideload apps to non-domain-joined devices. The MAK is provided as a benefit of Windows 8 Software Assurance coverage at no extra cost.
The use of an agent on Windows RT systems seems designed to better accommodate bring-your-own-device scenarios, where a user's personal device is brought to work. The agent can be used to enforce certain policies, such as Windows Update being turned on and ensuring that antimalware definitions are up to date (Windows Update and Windows Defender are turned on by default in Windows RT systems). The user can still install their own personal applications on their devices from the Windows Store, and those apps won't be subject to IT pro control. However, IT pros will be able to disable the company's line-of-business applications on the employee's Windows RT device remotely and measure things like security compliance. The bits aren't wiped out by such disabling. Instead, the certificates for those apps are revoked, so they don't run. This concept of signing apps to the OS is a major aspect of the security model used with Windows 8 and Windows RT. IT pros also have Group Policy control to restrict device access to the Windows Store for both users and groups, but only for domain-joined Windows 8 devices, not Windows RT devices.
The x86/x64 Windows 8 devices do not have this same restriction on using Active Directory, so nothing much changes from the traditional approach in managing those devices. Still, if Active Directory can't be used to directly manage Windows RT devices, then where's the security and control over users? Microsoft hasn't explained this at great length, but apparently Active Directory is used by IT in the background to identify which users can access the Web portal to get line-of-business apps. Active Directory, used either on premises or via the cloud, still plays an important role.
"Whether your device is a Windows device or a non-Windows device, everything that the user is going to do from that device is going to be based on their Active Directory ID," explained Brad Anderson, Microsoft's corporate vice president of the Management and Security Division, during a TechEd Europe event in June.
Management and the SP1 Milestone
IT pros will need a way to manage Windows 8 and Windows RT devices en masse. For that, they can turn to Microsoft System Center 2012 Configuration Manager -- except that they must wait for Service Pack 1 (SP1) to appear, which will add System Center 2012 support for Windows 8 and Windows Server 2012. SP1 is currently at beta release, but it is expected to arrive in "early 2013."
Microsoft also has described its Windows Intune service as an alternative method for such mobile device management. This Windows Intune management capability will be dependent upon the next service update, which is expected to appear during the same timeframe as SP1 for System Center 2012.
The new service pack for System Center 2012 will broaden client device and server management capabilities. In addition to having the ability to manage Windows 8 and Windows RT devices with SP1, IT pros will be able to manage Windows To Go USB-based memory sticks, Mac OS X clients, Windows Server 2012, Unix and Linux servers, Windows Phone 8 smartphones and various Windows Embedded devices (thin clients, kiosks, digital signs and point-of-sale devices).
The Windows Intune client device management capabilities, based on the use of Windows Azure Active Directory services, were shown at Microsoft's TechEd Europe event by Anderson. He explained that the main criterion for device management has to do with whether the devices support Microsoft's Exchange Active Sync technology. Devices that do, including Apple iOS- and Android-based computing devices, can be managed by System Center 2012 Configuration Manager SP1 as well as the next Windows Intune service update. Presumably, IT pros would be able to leverage Exchange Server to manage devices too, or other management suites, but Microsoft has not said as much.
Windows 8's Security Model
The security model used for Windows 8 is based on Windows 7, Microsoft admits, but one big difference is the application sandbox afforded by the Microsoft Store, which has a multipart vetting process for all submitted apps. Those submitting apps use the Windows App Certification Kit to check compatibility. One criterion for apps being in the Windows Store is that they do not change the state of the user's machine, according to Linda Averett, director of program management for developer experience in Windows, in a June TechEd session.
Outside apps that users may try to install on their devices also get checked. Microsoft extended its SmartScreen application reputation service, seen in its Internet Explorer 9 browser, to the Windows 8 core, according to "Introducing Windows 8: An Overview for IT Professionals," a free e-book that can be downloaded here. Internet Explorer 10, the browser that ships with Windows 8, uses an unrelated but similarly named Microsoft technology, called "SmartScreen Filter," that will warn users before they visit sites that haven't built a positive rating with the reputation service.
New hardware running Windows 8 will also have a "secure boot" capability that aims to prevent rootkits (or so-called "bootkits") from infecting the bootloader, which starts up before the operating system loads. This secure boot capability isn't Microsoft's technology but it's based on the Universal Extensible Firmware Interface (UEFI) 2.3.1 specification, which provides an update to the old PC BIOS technology, which has been around since the 1980s. Microsoft will require that secure boot be turned on by default for shipping Windows 8 systems, but it will be possible to disable it on x86/x86 systems using OS settings. The systems where it will not be possible to turn off secure boot will be shipping Windows RT devices. Linux developers and hobbyists have raised objections about secure boot systems because the signing of the OS to a Certificate Authority could lock out dual-booting Linux on PCs. The Linux Foundation is currently working on a solution to that impasse.
While the secure boot feature requires UEFI technology, it does not require a trusted platform module (TPM) to work. Instead, there's a process called "measured boot" that relies on the TPM. It's at this measured boot phase that that the boot process gets verified. Third-party software vendors such as Wave Systems Corp. are involved in providing such "remote attestation" services in the measured boot phase.
When Windows finally boots after all of these security checks, there will be a moment for the launch of so-called "early launch antimalware" (ELAM), which is provided by third-party software vendors. ELAM is just a component of a full-featured antimalware and it doesn't affect the main desktop antimalware loaded on the machine, according to a description by Aryeh Goretsky, a distinguished researcher at security firm ESET. ELAM can't remove malware but just serves to detect security issues, Goretsky explained in an ESET white paper, "Windows 8: FUD for Thought" (PDF).
Goretsky described Windows 8 as "the most secure version of Microsoft Windows to date," although he noted it's not invulnerable. Moreover, some of the secure boot protections depend on having 64-bit machines. Overall, though, he gave a general thumbs up to Microsoft's Windows 8 security approach.
"Microsoft has invested heavily in securing its mountain and flagship product, the Microsoft Windows operating system, by securing systems at multiple points where infection might be attempted: the preboot environment is protected by UEFI Secure Boot, the boot process by ELAM, and the operating system after it has fully loaded by Windows Defender," Goretsky wrote.
Microsoft also includes a few familiar and general security technologies in Windows 8 that are designed to ward off malware that tries to exploit the inner-workings of Microsoft's software. For instance, the address space layout randomization technology (ASLR) is included. ASLR randomizes the location of processes so that malware can't locate code in memory. Also making an appearance in the new Windows is data execution prevention (DEP), which is designed to stop attackers from executing code stored in buffer overflows.
Windows Defender comes with Windows 8 and is described by Goretsky as "a rebadged version of Microsoft Security Essentials," which is the antimalware solution that Microsoft currently provides at no extra cost to licensed Windows users. He noted that the general public may not have Windows Defender turned on by default when they buy a new Windows 8 PC as there's still space for third-party software vendors to bundle and sell their solutions.
IE 10 Oddities
Windows 8 will come with the Internet Explorer 10 browser, which is being belatedly designed for use on Windows 7 systems, too. IE 10 will have a split personality engendered by Windows 8's dual UIs, known as Metro and desktop (although Microsoft has indicated that it will change the Metro name). Those using IE 10 on Windows 8 will encounter a few peculiarities because the browser will work a little differently depending on whether it's used on the Metro side or the desktop side of the OS.
Microsoft Cofounder Paul Allen discovered some of these IE 10 browser peculiarities in his review of the release candidate version of Windows 8. He found that favorites (otherwise known as "bookmarks") in IE 10 were only available on one browser side of the OS, and not on the other side. However, it's likely Microsoft will have smoothed such difficulties by the time of product release. A September-updated MSDN library article on IE 10 on Windows 8 states that "Your RSS feeds are only available from Internet Explorer for the desktop, but your favorites, frequent sites, history, and typed URLs are shared between the two browsing experiences."
On Windows RT systems, it's possible that we'll only see Microsoft's IE 10 browser being available. Windows RT devices, like their x86/x64 cousins, will have the two UIs, Metro and desktop. However, independent software vendors developing applications for Windows RT likely won't have the same privileged access as Microsoft does to the Windows RT OS via APIs. Microsoft reportedly has locked down third-party software vendor access to the desktop side of the OS. It is said, mostly in press accounts, that only two Microsoft applications -- namely, Internet Explorer 10 and Office 2013 RT -- have full access to the desktop-side capabilities of Windows RT systems. This disparity has caused third-party browser makers, such as Mozilla and Google, to cry foul, claiming that Microsoft is unfairly undercutting competition in the browser space, especially on Windows RT machines.
It turns out that third-party browser makers can only build a sort of hybrid browser that Microsoft describes as a so-called "Metro style enabled desktop browser" (Word doc). This special browser is built for the desktop side of Windows 8, but it can run on x86/x64 machines as either a Metro-style application or as a desktop application.
IE 10 Security
One big security step Microsoft is taking with IE 10 is its restriction on browser add-ons, otherwise known as "plug-ins." Microsoft has banished add-ons to IE 10 on the Metro side except for Adobe's Flash Player, which apparently still will be needed to tide over organizations with Web sites that don't support HTML 5-based graphics. Microsoft will deliver IE 10 on October 26 with a built-in and touch-enabled Flash Player that will work across both the Metro and desktop sides of Windows 8.
Although it had seemed that add-ons were totally gone from IE 10, based on past Microsoft statements, an "Internet Explorer 10 FAQ for IT Pros" document states that, on the desktop side of Windows 8, IE 10 does support add-ons. The FAQ lists ActiveX, Flash and Silverlight as supported. Another notable point in the FAQ is that Windows 8 just supports IE 10, and not earlier versions of Microsoft's browser.
Microsoft will also turn on a do-not-track feature in IE 10 by default. The do-not-track privacy feature tells third-party advertisers not to track the user's Web clicks, but it's a voluntary approach that could be ignored. Moreover, Microsoft's decision to turn on do-not-tract by default has been meeting resistance from advertisers and W3C technology experts alike.
It may be confusing enough to IE 10 users that the browser can run on either the Metro or desktop sides of Windows 8, with two UIs. However, this distinction turns out to be an important aspect for a new security feature of IE 10 called the "enhanced protected mode" (EPM). This new feature extends the tradition of Microsoft's "protected mode," which was first introduced as part of IE 7 running on Windows Vista, according to an IE blog post by Andy Ziegler, senior program manager of Internet Explorer. What's different this time is a new security sandbox has been added called "AppContainer," which works with the EPM feature in IE 10 on Windows 8.
AppContainer is a feature mostly designed to support the Metro-style version of apps used with IE 10. AppContainer blocks read and write access to Windows systems, according to Eric Law, a program manager for Internet Explorer, in a blog post. All Metro-style apps running on Windows 8 will run in AppContainer, as well as all tabs running in IE 10 with EPM turned on. The security protections afforded by AppContainer include restricting inbound connections to browser add-ons and blocking Metro app connections to locally installed IIS or Apache servers, as well as blocks to Internet port scanning and cross-site forgery attacks.
EPM works differently, depending on which IE 10 browser UI is used in Windows 8. For Metro-style IE 10, those processes run at 64-bit by default. However, for the desktop IE 10 experience on Windows 8, the content processes run at 32-bit by default. Users can change that default to 64-bit by enabling EPM for the desktop version of the browser, provided that the underlying Windows operating system also is 64 bit, Microsoft has explained.
The one big drawback right now to enabling EPM on the desktop mode of IE 10 is that browser add-ons, such as Adobe Flash, aren't yet designed to work with EPM.
"Most users expect add-ons to work in Desktop IE, but very few add-ons are AppContainer-compatible today," Law explained. "If you enable EPM in the desktop and have a BHO [browser helper object] or Toolbar that isn't EPM compatible, the add-on will be disabled."
Presumably, since Microsoft is including a built-in Adobe Flash Player in IE 10, it will have solved this integration problem with EPM by the Windows 8 launch date. Expect more such nuances to come when Windows 8 and IE 10 are released on October 26.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.