Group Program Manager for Windows Security and Identity Dustin Ingalls recently posted an interesting item to the Windows for your Business blog, in the wake of his attendance at the Black Hat security conference. Entitled “Black Hat 2013: Windows 8.1 Helps Keep Data Secure in a Modern Environment,” it walks readers through a list of changes and enhancements to Windows 8.1 explicitly added or beefed up to improve the new operating system’s security capabilities.
Following Black Hat 2013, MS opens up further on new or extended Win8.1 security stuff.
Here’s a list of topics with some detail summarized from that blog post:
- Trustworthy Hardware: MS is moving toward requiring support for a Trusted Platform Module (TPM), circuitry that provides enhanced cryptography, on-board secure storage for keys and certificates, and other strong security functions in future hardware (“We are working towards requiring TPM 2.0 on all devices by January 2015.”). Provides the foundation for improved security for BYOD situations.
- Modern Access Control: ways that IT can restrict physical access to devices. Biometrics will gain capacitive full fingerprint support on touchscreen devices using the app-based Settings widget, with biometrics now applicable to any Windows credential prompt of any kind (instead of during login only). Improved APIs for biometric support in Windows Apps, including WinRT.
- Multifactor Authentication for BYOD: Continued streamlining for managing Virtual Smart Cards (VSC), including support for enrollment and management in WinRT, with more controls over how devices connect to internal networks, and secure access controls for personal devices in BYOD situations.
- Trustworthy Identities and Devices: MS will seek to “increase the trustworthiness of the PKI by help manage and drive certificate best practices and adherence to standards…” This will include a daily scanning service for the top 2,000,000 SSL/TLS sites to look for anomalies or bad practices, and a requirement that servers or services require attestation that private certificates and keys are protected by hardware (if not, access is denied — see the first bullet point above).
- Data Protection: In Win8.1, device encryption applies to all editions for devices that support InstantGo, while Windows 8.1 Pro and Enterprise will also get the benefits of BitLocker, including BitLocker To Go, a network key protector, and automatic recovery key escrow in AD, plus a “remote wipe” capability that enables IT to delete sensitive data if a machine gets lost or stolen, or on BYOD machines (without affecting personal data).
- Malware Resistance: Windows Defender gains heuristics to monitor “bad behaviors” in memory, the registry, or the file system (before malware signatures get created or are available), and Internet Explorer gains the ability to screen binary extensions before they get loaded, along with default use of Enhanced Protection Mode in IE11.
It will be interesting to see how all this plays out, and how well the TPM requirements perform on systems that include such circuitry.
My nine-year-old son, Gregory, is suffering from techno-lust. He wants to buy an XPS 27 Touch, a Dell 27″ All-in-One touchscreen PC that comes with Windows 8 pre-installed, along with 8 GB RAM, a 1 TB conventional hard disk, wireless 802.11n, Bluetooth, and a wireless keyboard and mouse. Because he likes to look at and contemplate his planned purchase — my wife and I have decided to provide a matching grant, where every dollar he saves will be matched by an equal contribution from the family exchequer — we drop in on the Microsoft store once or twice a month these days, so he can play with (and on) the demo versions of this system that they make available to prospective shoppers.
After we finished dinner at a nearby restaurant last Saturday night, we made the pilgrimage to the Microsoft Store so he could play with an XPS 27. While he was running through some Xbox games for the PC, I had a chance to chat with one of the senior sales staff in the store. We started talking about the Surface Pro, and I expressed my frustration that the units only came equipped with 4 GB of RAM and didn’t include a 256 GB SSD. Much to my surprise, my interlocutor informed me that one could indeed purchase a Surface Pro with 8 GB of RAM (it has a single SO-DIMM slot, apparently, and can be equipped with an 8 GB module) and a 256 GB SSD, on special order at a price of around $1,200.
That’s when I also learned that MS has recently given the sales staff more latitude to make deals with customers through their stores, and to offer more options on hardware configurations, bundles and packages, and even volume purchases for enterprises or organizations seeking to acquire Windows 8 computing platforms in bulk. It seems that for some time, the staff was prevented from engaging in “real sales” with bigger buyers or well-heeled customers, but that is apparently no longer the case. The recent mark-down on the Windows RT model of the Surface has also been accompanied by a more sales-oriented approach to wheeling and dealing in Microsoft’s retail arm. It will be interesting to see how Microsoft plans to let word on this change of philosophy make itself known to the marketplace. I have to believe I’m not the only person unaware of this recent development.
As for myself, I might have already bought a Surface Pro had I been able to get what I thought was unavailable earlier on. Given that Haswell-based Surface Pro units should be available by year’s end (or perhaps in tandem with the Windows 8.1 GA release in mid to late October), I may just decide to see how much of an additional mark-down I can wangle on a previous generation unit with the specs I wanted all along, and buy one of those instead. Only time will tell!
Although the exact date isn’t yet known, the OEM release for Windows 8.1 is likely to occur during the final week of the month. Given that the 26th of August is a Monday, it’s not impossible that this date could follow the OEM release for Windows 8 by exactly one year. OTOH, everybody hates Mondays, so the OEM release could easily fall a bit later in the week instead. But at least one source — Russian language site Microsoftportal.net — has claimed that the RTM (OEM release) date could fall as early as August 16th. In two to four weeks, we’ll know for sure!
The OEM release will be made public soon, probably during the final week of August (just like Windows 8 itself was).
What does the OEM release signal?
1. That the OS is final enough to hand over to equipment makers, who will start converting their OS builds to new images, and create the infrastructure necessary to pre-install lots of copies of 8.1 as part of their normal manufacturing process.
2. That the OS will be made available through MSDN and the Windows Store to those who wish to upgrade on a onesie-twosie basis, or for organizations that might conceivably wish to start working on their own infrastructure changes to build and distribute Windows 8.1 images (not likely to be a common occurrence, though some early adopters are likely to start digging into the newest desktop version, perhaps including some laggards who are being forced to give up on XP with the end of all support scheduled for next year).
3. That we’ll have a pretty darn good idea of what the final release of Windows 8.1 is going to look like: MS will release updates to the RTM version when the GA (General Availability) release goes public in October, but it’s unlikely to see any major changes after the RTM release gets into the OEMs’ hands.
Though Windows 8.1 offers some very nice features and functions — and in some cases, ones that are absolutely vital (as with a reworked Start menu, and improved desktop access) to any hopes the OS might have for success and commercial uptake — so far, it’s been hard to find any truly compelling reasons to make the move to the latest and presumptively greatest entry in the ongoing series of Microsoft desktop operating systems. But here’s something to ponder along those lines, as discussed in the July 26, 2013 posting to the Windows App Builder Blog. Entitled “Building apps that connect with devices,” this post lays out the mechanics of bringing apps and devices together in very interesting ways to take advantage of touch on the PC side and all kinds of focused capability on the device side. Here’s a block diagram of what this new approach looks like:
As it turns out, it’s the layers in the middle that make this incredibly interesting — and potentially quite valuable, for device makers and vendors — because they depend on what MS calls either device scenario or device protocol APIs. Here’s how the blog post explains these things: they “…allow a Windows Store app to talk to a device over industry standard protocols like USB, HID, Bluetooth (and Bluetooth Smart), as well as Wi-Fi Direct. As a developer, all you need to do is simply identify the device (leveraging metadata) and then open a communication channel to the device. Opening a channel prompts for user consent.” And if such consent is granted (it’s required to prevent apps from accidentally or maliciously communicating with devices behind the scenes, without users being informed or aware of such activity), apps can communicate with devices — even those involving large data transfers, which can proceed even after a user changes focus to another app — as and when they need to.
This finally explains what MS was getting at when they disclosed that Windows 8.1 includes built-in facilities for driving 3-D printers (which have previously required dedicated device drivers for earlier versions of Windows). It also explains how MS can claim that “home developers can create their own apps to communicate with non-standard devices.” The post concludes with pointers to a series of videos that dig into these subjects in more detail:
- Building an app that connects to devices [2-023]
- Using Geolocation and Geofencing in Windows Store apps [3-9034]
- 3D Printing with Windows [3-9027]
- Building Windows Apps That Use Scanners [3-025]
- How to Use Point-of-Sale Devices in Your App [3-029]
- Apps for Bluetooth, HID, and USB Devices (focusing on Bluetooth RFCOMM) [3-026]
- Apps for Bluetooth Smart Devices [3-9028]
- Apps for USB Devices [3-924a]
- Apps for HID Devices [2-924b]
Interested readers will want to check out one or more of these items, depending on where their hardware and interface interests lie. Great stuff though, all around!
I am a big fan of Ed Bott’s ZDNet blog posts, which often deal with Windows topics, under the general heading of The Ed Bott Report. Earlier this week (July 23) he posted a little gem entitled “The Metro hater’s guide to the Windows 8.1 Preview,” wherein he steps readers through a series of six UI tweaking steps needed to make the Windows 8.1 Preview get as far away as possible from the Modern UI Start menu and all of its appurtenances. I’ll spare you the details (please read the original for nice step-by-step instructions), and simply summarize those steps by name here:
1. Uninstall unwanted apps (he’s referring to non-desktop tile-based apps).
2. Adjust the look of the Start screen.
3. Tweak the Start screen settings to suit your preferences.
4. Arrange the Apps screen.
5. Pin your favorite desktop programs to the taskbar.
6. Set your default apps (to avoid invoking non-desktop tile-based apps, which Win8.1 — like its predecessor — still does by default).
Good stuff, and eminently helpful for those who want to stick to the built-in Windows 8.1 capabilities. But alas, taking this approach still means that some access to the Windows 8.1 Start screen is both inevitable and necessary.
Let’s consider some alternatives, shall we? As I indicated in my previous blog post (“Now I Know Where There’s a Start8 1.17 Beta: For Win8.1”) I’m still sold on the notion of using a so-called Start Menu replacement program instead, even with Win8.1. The Start8 1.17 beta (still my personal favorite, recent comments from blog readers about other alternatives — much appreciated, BTW — notwithstanding) is one good choice for this role, and the SourceForge project Classic Shell is another. And in that connection, I just learned this morning that there’s a new Classic Shell 3.9.0 beta available, which has been further tweaked to make itself more at home in the Windows 8.1 environment (see this Softpedia article for more info and a download link). If you want to see a reasonably complete list of ALL the Windows 8 Start menu replacements out there — 19 in total — check Wikipedia’s “List of Start Menu Replacements for Windows 8.” There is certainly no shortage of options, which tells me there’s a strong need for them, too! Things are indeed better with Windows 8.1 than its predecessor, but this need has by no means disappeared — at least not IMO.
Anybody who’s been reading this blog for the last year knows that I’m a big fan of the $5 Stardock software utility known as Start8. While it’s not free (and for those who want to spend absolutely nothing on a Win8 start menu replacement, I recommend Classic Shell instead), it’s not exactly expensive, either, and I find it to be the best option out of the nearly two dozen start menu replacements I’ve been able to find out there on the Internet. Thus, as I’ve started digging into the Windows 8.1 Preview and exploring lots of features and functions — thanks in large part to a Sybex book I’m tech-editing on the MCSA: Windows 8 exams (70-687 and 70-688) — I found myself struggling to get the production version of Start 8 working on the new 8.1 version. That’s when I remembered seeing a forum post about a new beta version on the Stardock forums:
After a couple of unsuccessful tries to get the production version working on Win8.1 Preview, I remembered there was a new beta version available…
And indeed, my suspicions and hopes were confirmed once I perused said post, entitled “Start 8 1.17 Beta Available for Download” (if you’d rather, you can just go straight for the download link instead). Download in hand, I ran the installer (which also removed the previous production 1.16 version before installing the new beta) and once again found myself in possession of a workable start menu replacement for Windows 8.1. If you try the 8.1 Preview, you may want to do likewise as well. And while 8.1 stays in Preview, the beta is free — though you should expect to have to “license up” as soon as a commercial version of Windows 8.1 becomes available.
It doesn’t say “Beta” anywhere, but the version number is indisputably 1.17.
Late last week, Microsoft pushed out a batch of new fixes for the Windows 8.1 Preview for x86, x64, and RT versions. This comes about a week after Patch Tuesday, and includes five fixes — one labeled “Important,” with four others “Recommended” — that are separate and distinct from the Patch Tuesday fixes that appeared on July 9. This signals an apparent departure from Microsoft’s prior practice of holding most patches and fixes until the second Tuesday of the month (aka “Patch Tuesday”). According to Ed Bott’s recent story for ZDNet, Microsoft calls this a “rapid update cadence.”
More frequent updates mean more time spent evaluating updates, and probably also more time in the test lab, checking for adverse or unwanted side effects.
That story also provides some interesting information about the specific updates pushed, which include an app compatibility roll-up, plus a welcome fix that addresses jerky scrolling behavior in the Windows 8.1 Preview (see story for details). But what I find interesting about this approach is that it apparently signals a move from a “periodic update” regime to an “as needed” update regime. This is all well and good for individual and small business operations, where updates will be applied automatically in most such situations. But this may mean more work for larger organizations and enterprises, where updates must be tested and vetted, and only those that don’t cause problems integrated into periodic pushes dictated by internal schedules — typically, on a once-a-month or a once-per-quarter planned refresh/update basis, over a three-day weekend or holiday if possible, so as to minimize potential productivity impacts.
What does this signify for enterprise admins, especially those who manage change control for updates, patches, and fixes? Let me speculate that it will mean more frequent attention to incoming patches and fixes, and perhaps also more frequent scheduling for test lab work to assess the need for and impact of pending patches and updates. I doubt that it can affect internal refresh/update cycles themselves, but it will have at least some impact on the activities that lead up to approval of pending changes for each “next cycle” and will probably require more time and effort in the test lab to keep playing catch-up.
It’s a little known fact that the first CCIE number issued was CCIE #1025 (2^10 + 1). Apparently, Cisco didn’t want to start the program with number 1, so they started it with one more than two raised to the tenth power — a fitting designation for a technical arena where manipulating binary numbers and managing IP addresses matters so much. In trolling over the Cisco website this morning, I noticed with some sadness that Stuart Biggs, who not only earned the very first CCIE, but who also helped to develop the program and its credential starting twenty years ago in 1993, passed away at age 53 on June 24, 2013.
Here’s the banner from the Cisco announcement page about Mr. Biggs (he ran a small farm in northern CA in his spare time, which is why he’s shown driving a tractor in the right-hand photo).
Mr. Biggs endeared himself to his peers and colleagues by not only helping to design and improve the CCIE program during his tenure with that group, but also by organizing a team of Cisco professionals who created a knowledge base about Cisco products for use by its customers. The announcement pays homage to him by saying “…Stuart quickly made a name for himself not only as a keenly intelligent and imaginative contributor but also as a revered colleague and peer always willing to help and by extension teach, those who were in need.”
Paul McNamara of NetworkWorld also wrote a short obit about Mr. Biggs on June 27, entitled “Stuart Biggs, first Cisco CCIE, dies at age 53.” The piece is very well worth reading because of its recitation of the early days of the CCIE program, and Biggs’ instrumental role in helping to bring it to life. So here’s a request to all my readers who are also CCIEs — or who aspire to earn that august credential: the next time you raise a glass, please toast Mr. Stuart Biggs, who helped to make your nonpareil certification possible.
It’s probably part of Microsoft’s push to extend uptake of Windows 8.1 beyond the enthusiast/home user level, but I’m seeing some very interesting security improvements in Windows 8.1. Some of them appear designed specifically to appeal to corporate/enterprise users. Here’s a partial list, lifted from a TechEd presentation by Chris Hallum, Senior Product Manager for Windows Client Security at MS (Madrid, 6/26/2013), entitled “What’s New in Blue Security?”
Title slide from the pre-recorded version of Hallum’s presentation.
Here’s an abbreviated list of what Windows 8.1 adds to its security arsenal, with some brief discussion for each item:
- Device encryption, which uses BitLocker encryption technology to encrypt entire devices or storage volumes, as well as sub-containers, for all versions of Windows 8.1. Also works with SkyDrive to store encryption keys securely on the Internet.
- Direct, native support for fingerprint readers: instead of relying on third-party drivers and pass-throughs, Windows 8.1 will interact directly with fingerprint scanners and other biometric devices for which native Windows 8.1 drivers are available. Thus, you’ll be able to use the fingerprint scanner throughout OS operation — for UAC prompts, Windows Store access, and other password- or access-protected Windows features — instead of only as a login feature.
- Remote business data removal supports partial wipes of personal laptops or devices, to remove corporate data while leaving personal data alone (valuable for situations where BYOD devices are used, as is increasingly common these days). Admins can use this to schedule deletion of specific data assets on a PC whenever it checks in with a server on the Internet.
- Support for a wider range of VPN clients, including the ability for third-party apps to initiate VPN sessions automatically (a list of supported elements isn’t yet available, or I simply can’t find it).
- Windows Defender adds network behavior monitoring, so it can detect and stop execution of known malware, or software behaving suspiciously (presumably, unrecognized malware).
- Improved security software tie-ins for Internet Explorer 11, especially for anti-malware programs, plus default enablement of the Enhanced Protected Mode (EPM) operation introduced with IE10.
Looking over this list of features, I see them aimed much more toward business and enterprise operations than toward single or family user situations, or even the lower end of the SMB spectrum. If Microsoft gets the desired results from these additions, those results would have to include increased adoption in the business computing space.
By Diana Hwang
As I sit on my friend’s porch in New Hampshire staring at a lake, I can see and hear the woodpeckers as they drum on various trees around her property in search of food.
Microsoft reminds me of a woodpecker as it hops from tree to tree pecking to find the one with the treasure trove of food. Microsoft has enough money to pick the tree it wants, work on it for a while and see if it likes the results. If not, it can fly away. If Microsoft does, it can stick with it and see how it can mark it as their own territory.
Microsoft has done this as it has come out with a host of new products such as Windows 8, Surface, Office 365 and the Azure cloud platform as the company transitions into a devices and services organization. Microsoft is playing in all spaces and deciding which one is best and building its strategy around it.
Indeed, as the $77 billion company wends its way through a changing technology landscape, Microsoft disclosed its fourth-quarter earnings and fiscal year’s end this week, following a sweeping reorganization of its business.
The industry has eagerly awaited the results.
The biggest winner? Office 365. The company is now on track to do a $1.5 billion run rate. As expected, the Windows business was down but still grew by 5% during the fiscal year. Like Intel, this was reflected by a sagging traditional PC market.
“This quarter, the Windows business declined as the market evolves beyond traditional PCs,” said Amy Hood, in her first earnings call as chief financial officer upon Peter Klein’s retirement at the end of June. “We’re working to transition the market to new computing with Windows 8. The journey will take time.”
And that journey will be long indeed, especially since customers are still moving off of Windows XP. Hood noted that three quarters of Windows users are now on Windows 7. If enterprises recently moved to Windows 7, why would they go to Windows 8 unless the new operating system makes sense for specific departments or use in a company?
Microsoft has taken a more conservative stance with Windows 8 after trying to innovate too fast with the modern interface and alienating its enterprise customers. This is too bad, given that the company has finally begun to turn Windows 8 around with more enterprise-level features and management capabilities in the Windows 8.1 version.
But does Microsoft have time to turn Windows into the one interface and OS the customers will use across all mobile devices? Net MarketShare recently noted Windows 8 surpassed Vista in operating system market share with just over 5% (not exactly a high point since nobody seems to like Vista anyway).
And speaking of devices, what about the Surface tablet?
“Surface is one part of our journey to bring innovative and compelling devices in the modern era of computing,” Hood said. “[Microsoft will] fine tune our action plan as needed.”
They need to, and fast, especially for Surface RT. It’s a device in no man’s land despite Microsoft’s attempts to get the product into the enterprise. Microsoft just slashed the price of the RT by $150 this week, but is this really going to be enough to stimulate adoption? I doubt it. I don’t think Microsoft will give Surface RT up yet, but if people are truly waiting to buy a Windows 8 tablet, they’re going to go after it this fall when Windows 8 Bay Trail-based tablets come out with price points that are expected to be $199 and below.
We’ve already seen the first 8-in. Windows-based tablet come to market by Acer for only $350, and Hood hinted at more to come.
Microsoft recently launched a commercial channel program for Surface, enabling enterprises to buy the product through authorized distributors and resellers. Hood promised more would be coming in the following months. Microsoft should have had this out at the beginning if it knew that Surface, especially the Surface Pro, was going to be aimed squarely at the business user.
Nowadays, it’s all about the apps for mobile devices, and if Microsoft can’t get developers to create more compelling apps for Windows 8, buyers won’t be satisfied. Microsoft sits somewhere between Apple and Google — both are strong in the consumer market. Those consumers are enterprise users too, and they buy apps. If apps sell devices, then there had better be some good apps for Windows mobile devices. It’s a vicious cycle, but it’s part of the bigger ecosystem.
It will be interesting to see how Microsoft moves going forward. Terry Myerson is at the head of the Windows operating system team for all products, while Julie Larson-Green heads up the devices and entertainment team. That’s good news because everyone can now “talk” to one another without feeling that they’re working in competitive silos.
But doing this on paper doesn’t mean it’s going to work in practice. It’s collaboration in a big way, and that’s not easy. It’s kind of like that “one interface across all mobile devices” strategy, a la the Modern UI. The leaders of all engineering groups need to make sure they can pull their teams together. It’s the three C’s: create, collaborate and communicate. All C’s intertwine, and Microsoft needs its new senior leaders to do so to take the company forward.