windows 8.1 deployment planning - a guide for education
DESCRIPTION
Microsoft Press eBook: "Windows 8.1 Deployment Planning - A Guide for Education"
TRANSCRIPT
Windows 8.1 deployment planning: A guide for education
January 2014
Table of contents
Windows 8.1 in education
  IT benefits
  Faculty benefits
  Student benefits
Windows 8.1 purchase and licensing
Volume Activation
Network infrastructure
  Internet ingress and egress
  Network bandwidth
  Wireless networking
Accessibility
Printers
Security and privacy
  Internet access
  Application access
  Device access
  Remote connectivity
  DirectAccess
  Virtual private network
Windows Store apps
User accounts
Deployment
  Institution-owned devices
  Personally owned devices
  Virtual Desktop Infrastructure
  Windows To Go
Device roaming and multiple devices
  Windows Work Folders and Workplace Join
  Windows Folder Redirection
  Windows Offline Files
  Windows Roaming User Profiles
  Default user profiles
  User Experience Virtualization
  Microsoft Application Virtualization
Configuration and management
  Group Policy
  Windows PowerShell
  Configuration Manager
  Windows Intune
1WINDOWS 8.1 DEPLOYMENT PLANNING
Windows 8.1 deployment planning: A guide for education
This guide is designed for IT pros, school administrators, and other faculty members who are responsible for the deployment of devices running Windows 8.1 in educational institutions. This guide covers the key considerations and questions that should be answered as a part of a typical Windows 8.1 deployment.
Some of the keys to success in a Windows 8.1 deployment (or any technology deployment) that we will cover in each section are as follows:
• Develop and communicate your Windows 8.1 deployment plan before you deploy devices.
• Start the planning process and validate your design as early in your deployment project as possible, because bad design decisions become more difficult to correct the later you discover them in the process.
• Include representatives from curriculum and technology leadership (in addition to those who are responsible for performing the actual deployment) to help ensure that the final solution meets or exceeds curriculum and learning outcome requirements.
Each section in this guide lists the key planning considerations and questions for the topics covered in that section. Each section also includes links to additional resources to help in the Windows 8.1 deployment planning process discussed in that section.
NOTE
Classroom curriculum design is outside the scope of this document. In addition, although most of the planning decisions in this guide are applicable to Windows RT 8.1, Windows RT, and Windows 8, this guide focuses on Windows 8.1 deployment only.
Windows 8.1 in education
Windows 8.1 provides an incredible opportunity for educators and students to take advantage of the new world of digital education and exciting new devices, leveraging the worldwide standard Microsoft platform and cloud services to ensure seamless manageability, robust security, backward compatibility, and cost effectiveness. Running Windows 8.1 on devices designed for Windows 8.1 can help you meet the challenges and maximize the benefits of using Windows 8.1 in education.
IT benefits
Many IT organizations within educational institutions already support a Microsoft infrastructure. In many instances, the IT staff can use the same tools they are already familiar with to manage Windows 8.1 devices. Institutions can also outsource this work to partners who are able to leverage the partner’s Windows 8.1 management experience and skill sets.
You can manage Windows 8.1 devices and apps automatically by employing on-premises and off-premises management solutions. These solutions dramatically reduce the effort required from IT pros to keep devices current with software and security updates and to perform common IT administrative tasks. In many instances, educational institutions can create self-service portals that allow users to solve many common problems themselves (such as resetting a password, deploying an app, or installing software updates). This means that IT pros can spend fewer hours managing hardware, software, and services to provide higher-quality services with the same or less level of effort.
Faculty benefits
Windows 8.1 has a large ecosystem of providers and services, providing educators the flexibility to choose the devices and services they prefer – so they can teach the way they want. Windows 8 also helps teachers manage the classroom by limiting availability of distracting applications (such as instant messaging or social networking) during class and viewing and sharing student screens to improve classroom participation.
Most instructors and faculty members are familiar with the Windows operating system and usually have an existing device running Windows in the classroom or at home. Faculty members have a vast library of existing Windows software and peripherals to incorporate into their learning curriculum. Devices running Windows 8.1 support Windows Store apps and desktop applications, which allows educators to have the ultimate in flexibility and diversity when selecting technology resources for the classroom. If applications and peripherals worked in Windows 8 and Windows 7, they will often work just as well in Windows 8.1, decreasing both cost and deployment time. This means that instructors and faculty members will be able to realize the benefit of using Windows 8 in the classroom more quickly than other operating systems.
Student benefits
Learning is about consuming, collaboration, and creation. Most Windows devices have a multitouch user interface that provides an immersive user experience for consuming and collaborating, but they also come with a full-functioning keyboard that is essential for content creation. Now there is the addition of a fluid and immersive user experience that enables tablets and touch screens as well. With the huge interest in tablets for the student market, Windows 8.1 is able to provide a consistent user experience across form factors. In addition, students have access to the vast library of existing software created for Windows—including Windows Store apps and Windows desktop applications—and most applications that run on the Windows 8, Windows 7, or Windows XP operating system will also run on Windows 8.1.
Most students already know how to use devices running a Windows operating system. They typically have access to devices running Windows at home, as well, which allows students to continue their education at home without additional cost on the part of the educational institution or the student’s family.
Windows 8.1 purchase and licensing
Note the following key Windows 8.1 purchase and licensing planning considerations:
• How many users do you need to enable?
• How many new devices will you buy with Windows 8.1 preinstalled?
• How will you upgrade existing Windows 8 devices to Windows 8.1?
• How many Windows 8.1 licenses do you need to purchase to upgrade existing devices (note that some products will require license upgrades, such as Windows 8.1 Enterprise edition)?
• How does your institution handle Windows 8.1 licensing for personally owned devices?
• How can faculty and students purchase Windows 8.1 licenses at educational prices?
• What educational pricing and licensing programs are available for educational institutions?
Each physical device or virtual machine (VM) running Windows 8.1 must have a valid license. Most device hardware vendors provide a Windows 8.1 license for each device the institution purchases. However, you must obtain Windows 8.1 licenses for any existing devices running previous versions of Windows that will be upgraded to Windows 8.1 (such as devices running Windows 7).
The list below provides the Windows 8.1 licensing considerations for devices based on their ownership:
• Institution owned: Educational institutions can acquire licenses for Windows 8 (and other Microsoft products) through the Microsoft Enrollment for Education Solutions (EES) program. The Microsoft EES program is an easy, cost-effective offer that provides qualified academic customers a simplified way to acquire Microsoft software and services under a single subscription agreement. For more information, see “Programs for Educational Institutions” at http://www.microsoft.com/education/en-us/buy/licensing/Pages/enrollmentforeducationsolutions.aspx.
• Personally owned: Faculty and students are responsible for having the appropriate Windows 8 licenses for their devices. In addition to potentially being able to purchase Microsoft software through the educational institution, faculty and students can individually purchase Microsoft products at educational discounts through resellers such as:
  • JourneyEd at http://www.journeyed.com/dept/Brands/Microsoft/284074
  • OnTheHub at http://www.onthehub.com
NOTE
Existing Windows 8 licenses can be upgraded to Windows 8.1 licenses without additional licensing fees for the same edition of Windows 8.1. For example, a Windows 8 Pro license can be upgraded to Windows 8.1 Pro without additional licensing fees. However, upgrading a Windows 8 license to Windows 8.1 Pro would require the Windows 8 Pro license prior to upgrading.
NOTE
Microsoft works with organizations in the public sector through the Shape the Future program. For more information about the Shape the Future program, see http://www.microsoft.com/shapethefuture.
Use this information to determine the number of Windows 8.1 licenses you must obtain for your educational institution. Also, use the information to determine institution-sponsored Microsoft educational benefit programs for faculty and students.
INFO
For more information, see “Microsoft in Education” at http://www.microsoft.com/education/en-us/buy/Pages/academicsavings.aspx.
Volume Activation
Note the following key Microsoft Volume Activation planning considerations:
• Which licensing models are available for Windows 8.1 and Microsoft Office Professional Plus 2013?
• What technologies are available to activate volume licenses?
• What type of connectivity is available for devices to perform activation?
The following list shows the Volume Activation technologies and provides a brief description of each:
• Active Directory-Based Activation (ADBA): ADBA is a role service that allows you to use Active Directory Domain Services (AD DS) to store activation objects, which can further simplify the task of maintaining Volume Activation services for a network. With ADBA, no additional host server is needed, and activation requests are processed during computer startup. ADBA works only for devices running Windows 8 that are domain joined.
• Key Management Service (KMS): KMS is a role service that allows organizations to activate systems within their network from a server on which a KMS host has been installed. With KMS, IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. KMS does not require a dedicated system, and it can be cohosted on a system that provides other services. By default, volume editions of Windows 8 connect to a system that hosts the KMS service to request activation. No action is required from the user.
• Multiple Activation Key (MAK): A MAK is a volume license key that is used for one-time activation with activation services that Microsoft hosts. You can activate MAKs over the Internet or by telephone.
Table 1 on page 7 lists the Volume Activation technologies and the information necessary for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete Volume Activation solution.
TABLE 1 Volume Activation Technology Selection

| | ADBA | KMS | MAK |
|---|---|---|---|
| Device must be domain joined | Yes | No | No |
| Devices must connect to the network at least once every 180 days | Yes | Yes | No |
| Supports Volume Activation of Windows 8.1 and Windows 8 | Yes | Yes | Yes |
| Supports Volume Activation of Windows 7 | No | Yes | Yes |
| Supports Volume Activation of Microsoft Office | Yes (Office 2013 only, not Microsoft Office 365 or previous versions of Office) | Yes | Yes |
| Can use Volume Activation services in Windows Server 2012 R2 and Windows Server 2012 | Yes | Yes | N/A |
| Can use Volume Activation services in operating systems prior to Windows Server 2012 R2 and Windows Server 2012 | Yes, but requires that the Active Directory schema be updated to Windows Server 2012 or Windows Server 2012 R2 | Yes | N/A |
| Microsoft Volume Licensing information is stored in AD DS | Yes | No | No |
| Can be activated with Internet access only | No | No | Yes |
| Can be activated by telephone | No | No | Yes |
| Required infrastructure | AD DS | KMS server, however having AD DS makes KMS management easier | Internet access or telephone |
Additional information:
• “Plan for Volume Activation” at http://technet.microsoft.com/library/jj134042.aspx
• “Volume Licensing” at http://www.microsoft.com/licensing/about-licensing/windows8.aspx
• “Introduction to VAMT” at http://technet.microsoft.com/library/hh825141.aspx
• Volume Licensing Guide for Windows 8.1 and Windows RT 8.1 at http://download.microsoft.com/download/9/4/3/9439A928-A0D1-44C2-A099-26A59AE0543B/Windows_8-1_Licensing_Guide.pdf
• “Microsoft Licensing for the Consumerization of IT” at http://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it.aspx
• “Microsoft Licensing for the Consumerization of IT - Academic Licensing Scenarios” at http://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it-academic.aspx
• “Licensing Windows desktop operating system for use with virtual machines” at http://www.microsoft.com/en-in/licensing/about-licensing/briefs/win8-virtual.aspx
• “Volume activation of Office 2013” at http://technet.microsoft.com/en-US/library/ee705504.aspx
Network infrastructure
Because Windows 8.1 devices are not just cloud-connected devices (they work offline too), your existing network infrastructure will often be adequate to support Windows 8.1. As part of the planning process, determine any network infrastructure remediation that you must perform prior to deploying Windows 8 devices.
Internet ingress and egress
Note the following key Internet ingress and egress planning considerations:
• What TCP and User Datagram Protocol (UDP) traffic must be allowed to and from the Internet?
• Which websites must be added to the approved sites list for edge-of-network appliances?
• What are the requirements for being compliant with the Children’s Internet Protection Act (CIPA)?
• Which firewalls should you use (firewall appliances and Windows firewall)?
One of the key features in Windows 8.1 is the integration with Internet-based content and services, especially the Windows Store. You must plan any necessary changes to your Internet ingress and egress to provide access to such content and services, as described in the following list:
• TCP and UDP traffic: Plan the TCP and UDP traffic that must be allowed to and from the Internet. Specifically, allow the traffic required for any new Windows Store app or desktop applications that will be added as part of the Windows 8.1 deployment process.
• Approved website list: Many edge-of-network appliances (such as firewalls or web proxies) support a list of approved websites. In your plan, specify that the list includes the Windows Store and other supporting sites.
• CIPA compliance: Your educational institution may need to comply with CIPA, which imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program, which makes certain communications services and products more affordable for eligible schools and libraries. For more information about CIPA, see “Children’s Internet Protection Act” at http://www.fcc.gov/guides/childrens-internet-protection-act.
• Firewall usage: You can use firewall appliances and Windows Firewall to protect devices and provide security defense in depth. If you use both, ensure that you provide the appropriate access to the Windows Store and other Internet-based content and services by configuring both firewalls. You can specify that the Windows Firewall be configured by using Group Policy firewall settings. For more information on using Group Policy to configure Windows Firewall, see the Microsoft TechNet article, “Configure Firewall Port Requirements for Group Policy,” at http://technet.microsoft.com/library/jj572986.aspx.
Network bandwidth
Note the following key network bandwidth planning considerations:
• Can the LAN and Wi-Fi network support a high density of devices?
• Does the necessary available network bandwidth exist for connecting to on-premises resources?
• Does the necessary available network bandwidth exist for Internet access?
The use of technology in most curriculum plans requires access to local and Internet-based resources and content (such as document storage libraries, multimedia files, or online study resources). The following is a list of planning considerations that relate to network bandwidth:
• Support for a high density of devices: Educational environments tend to have a high concentration of devices in a small geographic area. Faculty and students require network access from classrooms, labs, and common areas. These numbers can range from 20–30 devices in a classroom to hundreds of devices in a common area (such as a library or student center). Typically, this number implies that each classroom may require a dedicated network connection to the on-premises network, and common areas may require multiple dedicated network connections to the on-premises network to support the number of devices in a given geographic area.
• On-premises available network bandwidth: All devices typically need high-speed, persistent connections to on-premises content and resources (such as printers, file services, or intranet-based sites). Ensure that the on-premises network has sufficient bandwidth to provide reasonable response times when accessing the on-premises resources. Also, include Internet traffic when evaluating your on-premises network, because devices connect to the Internet through the on-premises network. You can estimate this traffic by observing the typical intranet traffic a device generates, then multiplying that by the number of devices within a given geographic area.
• Internet available network bandwidth: All devices typically need access to Internet-based content and resources (such as the Windows Store and other Internet-based websites). Ensure that the Internet connection has sufficient bandwidth to provide reasonable response times when accessing the Internet. You can estimate this response time by observing the typical Internet traffic a device generates, then multiplying that by the number of devices within a given geographic area.
The physical network design is specific to the type of devices and the vendor specifications for each device. Contact the network infrastructure vendors for planning tools and resources to help in determining network bandwidth.
Wireless networking
Note the following key wireless network planning considerations:
• How many Wi-Fi wireless devices will be used within each classroom and in common areas (device density)?
• What Wi-Fi technologies do you need to support (such as Institute of Electrical and Electronics Engineers [IEEE] 802.11n, 802.11g, or 802.11b)?
• Will broadband (cellular) device connectivity be supported?
Most modern devices use a wireless connection to access networks. Although wireless connection reduces the clutter and problems associated with wired network connections, it adds to the complexity of planning and supporting networks.
• Wi-Fi–supported standards: Most devices support a variety of the IEEE 802.11X Wi-Fi standards, such as 802.11n, 802.11g, or 802.11b. Ensure that the wireless access points (WAPs) support the highest speed standard the device supports. Support the slower speed standards to provide compatibility with older devices. For example, most new devices support IEEE 802.11n, but older devices may only support IEEE 802.11b.
• Network frequency: IEEE 802.11X wireless standards use the 2.4 gigahertz (GHz) and 5.0 GHz frequencies for communication based on the standard used. Most modern WAPs support both frequencies. Most new devices support 5.0 GHz frequencies, while older devices only support the 2.4 GHz frequencies. Ensure that your WAPs support the correct frequencies to support the planned device population.
• Wireless device density: This consideration is similar to the planning decisions for wired networks. From the wireless perspective, determine the number and placement of WAPs. Most enterprise-class WAPs can support up to 50 devices; however, wireless network performance will degrade dramatically as the number of devices approaches the maximum value. A WAP typically has a single wired network connection, which means that all devices connecting through the WAP share that single wired network connection. For example, if you have a WAP that supports 30 students and has a gigabit wired network connection, those 30 students share that single gigabit network connection. In areas with a large concentration of devices, multiple WAPs may be required.
• Wireless coverage: Ensure that each device has wireless connectivity within the areas where the devices are used (classrooms and common areas) by properly placing WAPs. Placing WAPs too far from each other results in areas where devices will not be able to connect. Placing the WAPs too close to each other can increase your cost by creating unnecessary WAPs. Ensure that the coverage areas for WAPs overlap slightly. WAPs that overlap each other should use a unique channel (frequency).
• Hidden service set identifier (SSID): You can configure WAPs not to broadcast their SSIDs, also known as a hidden SSID. Hidden SSIDs are typically used as a security measure; however, avoid the use of hidden SSIDs, because it is more difficult for a device to join a hidden SSID, and there is minimal security benefit in hiding SSIDs in educational solutions. Because users tend to roam, hidden SSIDs can lead to poor user experience and delays in wireless network association time.
• Broadband cellular support: Many devices may have broadband cellular network adapters that provide Internet connectivity. Broadband cellular connectivity can reduce the network congestion on your wireless Wi-Fi networks. However, broadband cellular connectivity also requires a contract with a cellular provider.
• Rogue Wi-Fi hotspots: Many users may bring Wi-Fi–enabled devices that can act as Wi-Fi hotspots (such as hotspots provided by cellular providers or smartphones). Ensure that you specify a list of published SSIDs in your design for the faculty and students. Also, specify policies and procedures that discourage faculty and students from starting an unauthorized Wi-Fi hotspot.
You can specify the use of Group Policy to configure the wireless network adapter settings for devices. Doing so allows you to provide consistent wireless configuration settings for domain-joined devices.
Additional information:
• “Configure 802.1X Wireless Access Clients by using Group Policy Management” at http://technet.microsoft.com/library/dd759173.aspx
• “Identifying the Areas of Coverage for Wireless Users” at http://technet.microsoft.com/library/cc780260(v=ws.10).aspx
• “Determining How Many Wireless APs to Deploy” at http://technet.microsoft.com/library/cc782947(v=ws.10).aspx
• “Determining Where to Place Wireless APs” at http://technet.microsoft.com/en-us/library/cc739928(v=ws.10).aspx
• “Selecting Channel Frequencies for Wireless APs” at http://technet.microsoft.com/library/cc783011(v=WS.10).aspx
Accessibility
Note the following planning considerations for users with special accessibility needs:
• What Ease of Access and Personalization options do faculty and students require?
• What assistive technologies do faculty and students require?
Windows 8.1 provides essential accessibility to computers for those with significant vision, hearing, dexterity, language, or learning needs. These features are available in Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows RT 8.1.
Note the following planning considerations for Windows 8 accessibility:
• Ease of Access and Personalization options: These options in Windows 8.1 make devices easier to see, hear, and use; they include screen magnification, speech recognition, narration, on-screen keyboard, keyboard shortcuts, sticky keys, and visual notifications.
• Assistive technologies: The built-in assistive technologies in Windows 8.1 work with both Windows Store apps and Windows desktop software to provide seamless access to the entire Windows experience. Devices running Windows 8.1 also allow you to use assistive technology software from specialty assistive technology vendors.
Additional information:
• “Accessibility in Windows 8” at http://www.microsoft.com/enable/products/windows8
• “Assistive Technology Products” at http://www.microsoft.com/enable/at/
• “Windows 8.1 Voluntary Product Accessibility Template (VPAT)” at http://download.microsoft.com/download/B/1/B/B1BDCD6D-4EBC-4D92-9405-5E81AAE159D0/Remote_Server_Administration_Tools_for_Windows_8_1_VPAT.docx
Printers
Note the following key printer planning considerations:
• Which printer drivers does Windows 8.1 support?
• What is needed to support Windows Store apps and Advanced Print Settings for Windows Store apps?
• How will users connect to printers?
• Which will require secured access?
Faculty and students need to connect to printer resources. You need to plan for user connectivity to institution-owned printers. Typically, these printers are network-based (through wireless or wired networks). However, in some instances, these printers may be connected to the Windows 8 devices by USB cables.
Note the following planning considerations for Windows 8 printer connectivity:
• Printer drivers: Windows 8.1 supports the v3 printer driver model (used in Windows 7) and the v4 printer driver model (used in Windows 8.1 and Windows 8). Printers that are connected to Windows 8.1 devices with v3 printer drivers installed will continue to work as they currently do with desktop applications. Some limitations exist to using printer drivers based on the v3 printer driver model for Windows Store apps.
• Windows Store device app and Advanced Print Settings support: For many Windows 8.1– and Windows 8–certified printers (v4 printer driver model), Windows 8.1 automatically discovers the printers and installs the necessary drivers. Otherwise, you can specify the Group Policy settings for printers for domain-joined devices. You can also specify that users manually add and configure printers as they did in Windows 7. Ensure that you specify a list of available printers (including any necessary IP information) to students and faculty.
NOTE
Ensure you have Windows 8.1-certified printer device drivers for as many printers as possible.
• User connection to printers: For many Windows 8–certified printers (v4 printer driver model), Windows 8 automatically discovers the printers and installs the necessary drivers. Otherwise, you can specify the Group Policy settings for printers for domain-joined devices. You can also specify that users manually add and configure printers as they did in Windows 7. Ensure that you specify a list of available printers (including any necessary IP information) to students and faculty.
• Security for printing: In some instances, you may want to limit printer usage to authenticated users. Doing so requires that those who need to use these printers have accounts in an AD DS domain so that the appropriate permissions can be applied to each printer.
• Protected printing: Windows 8.1 includes support for protected printing, which allows users to specify a PIN that is then used at the printer prior to the job being printed. Windows 8.1 also allows you to specify a default PIN to reduce wasteful paper consumption related to content that is printed but never retrieved.
Additional information:
• “Printers Extension” at http://technet.microsoft.com/library/cc731562.aspx
• “Deploying Printers by Using Group Policy” at http://technet.microsoft.com/library/cc754699.aspx
• “Overview of Printing in Windows 8” at http://msdn.microsoft.com/library/windows/hardware/hh852373.aspx
• “Driver Support for Protected Printing” at http://msdn.microsoft.com/library/windows/hardware/dn265277(v=vs.85).aspx
Security and privacy
Note the following Internet planning considerations:
• Which edition of Windows 8.1 is necessary to support the desired security and privacy features?
• How are users and devices protected when connected to the Internet?
• What methods are available to prevent users from installing or running unauthorized apps?
• What methods are available to protect user privacy when running Windows Store apps?
• What methods are available to protect devices and the information on them?
• What policies should you consider implementing with students, parents and faculty?
Windows 8.1 includes several new security and privacy features. Table 2 lists the security and privacy technologies by Windows 8.1 edition. Use this list to determine which edition of Windows 8.1 you need to support the security and privacy technologies you want to use. Select the appropriate Windows 8.1 edition that provides a complete security and privacy solution that you can then customize for each user.
TABLE 2 Security and Privacy Technologies by Windows 8.1 Edition

| | Windows 8.1 | Windows 8.1 Pro | Windows 8.1 Enterprise |
|---|---|---|---|
| Windows Store App privacy | Yes | Yes | Yes |
| Family Safety | Yes | Yes | Yes |
| Unified Extensible Firmware Interface (UEFI) Secure Boot | Yes | Yes | Yes |
| SmartScreen Filter | Yes | Yes | Yes |
| Windows Defender (malware protection) | Yes | Yes | Yes |
| Windows Firewall | Yes | Yes | Yes |
| Picture Password | Yes | Yes | Yes |
| BitLocker Drive Encryption and BitLocker To Go | No | Yes | Yes |
| Encrypting File System (EFS) | No | Yes | Yes |
| Domain membership | No | Yes | Yes |
| Group Policy objects (GPOs) | No | Yes | Yes |
| AppLocker | No | No | Yes |
| Microsoft DirectAccess | No | No | Yes |
| Auto-triggered VPN | Yes | Yes | Yes |
| Windows To Go | No | No | Yes |
For institution-owned devices, Windows 8.1 Pro or Enterprise is recommended (depending on the features desired) for institutions that require management of devices by using Microsoft management products and technologies, such as Group Policy and Microsoft System Center 2012 R2 Configuration Manager. In managed environments, Windows 8.1 should be a factor for personally owned devices in Bring Your Own Device (BYOD) scenarios.
The subsequent sections will look at how these features are used for Internet access, application access, and device access. For more information about the features in Table 2 on page 18, see the following resources:
• Windows Store App privacy: See section 4, “Windows Store apps put the customer in control,” in the topic, “App certification requirements for the Windows Store,” at http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx
• Family Safety: See the topic, “What’s New in Windows 8 Family Safety,” at http://msdn.microsoft.com/en-us/library/windows/desktop/jj155495(v=vs.85).aspx
NOTE
There is no centralized management of the Family Safety feature by using Group Policies. The Microsoft account should be viewed as a personal account for use by students or their guardians.
• UEFI Secure Boot: See the topic, “Securing the Windows 8 Boot Process,” at http://technet.microsoft.com/en-US/windows/dn168167.aspx
• SmartScreen Filter and Windows Defender: See the topic, “How do I find and remove a virus,” at http://windows.microsoft.com/is-is/windows-8/windows-defender#1TC=t1 and the topic, “SmartScreen Filter: FAQ,” at http://windows.microsoft.com/is-is/internet-explorer/use-smartscreen-filter#ie=ie-10
• Windows Firewall: See the topic, “Windows Firewall from start to finish,” at http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish
• Picture Password: See the topic, “Signing in with a picture password,” at http://windows.microsoft.com/is-is/windows-8/picture-passwords#1TC=t1
• BitLocker and BitLocker To Go: See the topic, “Help protect your files with BitLocker Drive Encryption,” at http://windows.microsoft.com/is-is/windows-8/using-bitlocker-drive-encryption and the topic, “Help protect your files with BitLocker,” at http://windows.microsoft.com/en-US/windows-8/bitlocker#1TC=t1
• EFS: See the topic, “Encrypt or decrypt a folder or file,” at http://windows.microsoft.com/en-US/windows-vista/Encrypt-or-decrypt-a-folder-or-file
• Domain membership: See the topic, “Active Directory Domain Services Overview,” at http://technet.microsoft.com/en-us/library/hh831484.aspx
• GPOs: See the topic, “Group Policy Overview,” at http://technet.microsoft.com/en-us/library/hh831791.aspx
• AppLocker: See the topic, “AppLocker Overview,” at http://technet.microsoft.com/en-us/library/hh831409.aspx
• DirectAccess: See the topic, “Using DirectAccess,” at http://technet.microsoft.com/en-us/windows/dn168168.aspx
• Auto-triggered VPN: See the topic, “What’s New in Remote Access in Windows Server 2012 R2,” at http://technet.microsoft.com/en-us/library/dn383589.aspx
• Windows To Go: See the topic, “Windows To Go: Feature Overview,” at http://technet.microsoft.com/en-us/library/hh831833.aspx
Internet access
When users connect to the Internet, they are at their greatest risk of security attacks from malicious users and software. Windows 8.1 includes several built-in features that help protect users during access. You can enable and enforce many of these features by using Group Policy. For example, you can use Group Policy to enable Windows Defender and Windows Firewall. These security features are enabled in Windows 8.1 by default.
Specify security policies that implement safety features when connecting to the Internet, where applicable. For example, guardians of students can use the Family Safety feature to restrict access to websites based on user age (such as restricting the types of apps that users can view in and install from the Windows Store).
Application access
Application-related security and privacy are divided into controlling:
• The installation and running of approved apps only: For institution-owned devices, ensure that users run only approved apps. You can enforce which apps can be installed and run on institution-owned devices by using technologies such as Family Safety, AppLocker, and Group Policy. For personally owned devices, educate faculty members, students, and guardians on how to use Family Safety features to show age-appropriate content only.
• Any personal information the apps collect while they are running: Some Windows Store apps can collect private information while the app is running (such as location or options selected in the app). Windows Store apps include the ability for users to opt in or provide consent to collect such information by design to pass Windows Store app certification. Because the user must provide consent, educate users on the information that could potentially be collected and the risks of providing the information. This would be true for institution-owned devices and personally owned devices.
Device access
Device security and access represent one of the largest opportunities for data loss, forgotten passwords, and other security-related issues. Help users mitigate the risks of device access by using Windows 8 features. For example, you can use BitLocker to prevent confidential data from being obtained from a lost or stolen device. This is particularly important for devices that store faculty or student information on the device.
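The following PowerShell audit is an added example, not part of the guide: it checks on one device that the protections discussed under Internet access and Device access (Windows Firewall, Windows Defender, BitLocker, and UEFI Secure Boot) are actually in effect. `Test-Control` is a hypothetical helper defined in the example; the cmdlets it calls ship with Windows, and the script assumes an elevated session.

```powershell
# Added example, not from the guide: read-only audit of protections the guide names.
# Run in an elevated Windows PowerShell session on Windows 8.1 or later.
# Test-Control is a hypothetical helper defined here; the Get-*/Confirm-* cmdlets
# come from the built-in NetSecurity, Defender, BitLocker and SecureBoot modules.

function Test-Control {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [scriptblock] $Check
    )
    try {
        $r = & $Check
        [pscustomobject]@{ Control = $Name; Compliant = [bool]$r.Ok; Detail = $r.Detail }
    }
    catch {
        # Reached when the edition lacks the feature (cmdlet missing), the session
        # is not elevated, or the device boots in legacy BIOS mode.
        [pscustomobject]@{
            Control   = $Name
            Compliant = $false
            Detail    = "Not verified: $($_.Exception.Message)"
        }
    }
}

$report = @(
    # Windows Firewall: every profile (Domain, Private, Public) must be enabled.
    Test-Control -Name 'Windows Firewall' -Check {
        $off = @(Get-NetFirewallProfile -ErrorAction Stop |
                 Where-Object { $_.Enabled -ne 'True' })
        @{
            Ok     = ($off.Count -eq 0)
            Detail = if ($off) { "Disabled profiles: $($off.Name -join ', ')" }
                     else      { 'All profiles enabled' }
        }
    }

    # Windows Defender: engine on and real-time protection active.
    Test-Control -Name 'Windows Defender' -Check {
        $s = Get-MpComputerStatus -ErrorAction Stop
        @{
            Ok     = ($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled)
            Detail = "Real-time protection: $($s.RealTimeProtectionEnabled); " +
                     "signature age: $($s.AntivirusSignatureAge) day(s)"
        }
    }

    # BitLocker: the operating system volume must have protection switched on.
    # Table 2 lists BitLocker for the Pro and Enterprise editions only.
    Test-Control -Name 'BitLocker (OS volume)' -Check {
        $os  = @(Get-BitLockerVolume -ErrorAction Stop |
                 Where-Object { $_.VolumeType -eq 'OperatingSystem' })
        $bad = @($os | Where-Object { $_.ProtectionStatus -ne 'On' })
        @{
            Ok     = ($os.Count -gt 0 -and $bad.Count -eq 0)
            Detail = ($os | ForEach-Object {
                         "$($_.MountPoint) $($_.VolumeStatus), protection $($_.ProtectionStatus)"
                     }) -join '; '
        }
    }

    # UEFI Secure Boot: returns $true/$false on UEFI firmware, throws otherwise.
    Test-Control -Name 'UEFI Secure Boot' -Check {
        $on = Confirm-SecureBootUEFI -ErrorAction Stop
        @{ Ok = $on; Detail = "Secure Boot enabled: $on" }
    }
)

$report | Format-Table -AutoSize -Wrap

# Summarize anything that needs follow-up (for example, a Group Policy gap).
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "Controls needing attention: $($failed.Control -join ', ')"
}
```

A result of "Not verified" means the check could not run on that device, which is itself worth recording for editions or firmware that do not offer the feature.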
Table 3 lists the device access security and privacy technologies and the necessary information for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete solution.
TABLE 3 Device Access Security and Privacy Technology Selection
| | EFS | BitLocker and BitLocker To Go | Picture Password | Windows To Go |
|---|---|---|---|---|
| Encrypts confidential information | Yes (individual files and folders) | Yes (entire fixed or removable disk volumes) | N/A | N/A |
| Reduces the complexity of signing on | N/A | N/A | Yes | N/A |
| Reduces the risk of information loss when a device is lost or stolen | Yes | Yes | Yes | Yes (if encrypted with BitLocker) |
| Reduces the cost of replacement when a device is lost or stolen | N/A | N/A | N/A | Yes |
| Infrastructure | None | None | None | None |
| Ownership scenarios | Personally or institution-owned | Personally or institution-owned | Personally or institution-owned | Institution-owned |
| Domain join required | No | No (but recovery keys can be stored in AD DS for domain-joined devices) | No | No, but requires Windows 8.1 Enterprise edition |
Remote connectivity
Note the following remote connectivity planning considerations:
• Which users require remote connectivity to resources on the institution’s intranet?
• How can users access intranet resources?
• What types of devices require remote connectivity?
• What level of technical expertise do the users have?
• What changes must you make to the network infrastructure to support remote connectivity?
Table 4 lists the remote connectivity technologies included in Windows 8.1. These technologies allow users to access resources on your institution’s intranet. Select the right combination of remote connectivity technologies to create your solution.
TABLE 4 Remote Connectivity Technology Selection
| | DirectAccess | Virtual Private Network (VPN) |
|---|---|---|
| Works across multiple operating systems | Yes (only Windows 7 and Windows Server 2008 R2 or later operating systems) | Yes (including Windows XP and later Windows operating systems, Apple iOS, Mac OS X operating systems, and Android) |
| Included as part of Windows 8.1 | Yes | Yes |
| Provides automatic connections | Yes | Yes (by using the Auto-Triggered VPN feature in Windows 8.1) |
| Supports server endpoints from other vendors | No | Yes (VPN support for Check Point VPN, F5 VPN, Juniper Networks Junos Pulse, Microsoft, and SonicWall Mobile Connect VPN server endpoints included in Windows 8.1) |
| Supports “manage-out” remote management scenarios | Yes | No |
| Supports offline domain join | Yes | No |
| Works with Windows To Go | Yes | Yes |
| Devices must be domain joined | Yes | No |
| Can be used on institution-owned devices | Yes | Yes |
| Can be used on personally owned devices | No | Yes |
| Infrastructure requirements | AD DS; Remote Access Server configured for DirectAccess | AD DS; VPN server endpoint (could be Microsoft Remote Access Server or partner VPN server solution) |
| Can be managed by Windows PowerShell | Yes | Yes |
DirectAccess
DirectAccess provides intranet connectivity to devices when they are connected to the Internet, much like a VPN. DirectAccess initiates the connection to the intranet as soon as the device connects to the Internet (unlike traditional VPN connections, which users must explicitly initiate and terminate). DirectAccess can work in IP version 4 (IPv4)–only networks, IP version 6 (IPv6)–only networks, or a combination of IPv4 and IPv6 networks. Support for IPv4-only networks requires Windows Server 2012 R2.
DirectAccess also supports performing an offline domain join. An offline domain join does not require the device to be physically connected to your intranet to join your AD DS domain; instead, you create a file that is provided to users along with the information needed to configure DirectAccess. When the user configures DirectAccess, the information for performing the offline domain join is used to join the device to the domain. For example, the offline domain join feature would allow faculty members to domain-join computers at their home without requiring them to bring the computers to campus.
DirectAccess also supports “manage-out” remote management scenarios, which allow you to deploy software updates, collect software and device inventory information, and perform other management operations anytime the device is connected to the Internet. You can perform all of these actions in the background without interrupting the user or requiring user interaction by using technologies such as System Center 2012 R2 Configuration Manager and Group Policy.
For more information on DirectAccess, see “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet.microsoft.com/library/hh831416.
Virtual private network
VPN has been a common remote connectivity technology for decades. Most remote connectivity vendors provide support for VPN. Windows 8.1 and Windows Server 2012 R2 provide support for most industry-standard VPN solutions, including L2TP, PPTP, and SSTP VPN connections.
Windows 8.1 includes the new Auto-Triggered VPN feature, which allows Windows to automatically initiate a VPN connection by:
• Referencing a Domain Name System (DNS) domain name suffix. This allows you to configure Windows 8.1 to automatically initiate a VPN connection when a user attempts to access a resource with the DNS domain suffix. For example, you could configure Windows 8.1 to automatically initiate a VPN connection anytime the user attempts to access a resource with a DNS suffix of corp.contoso.com (such as dc.corp.contoso.com or intranet.corp.contoso.com).
• Starting a specific Windows Store or desktop app. This allows you to configure Windows 8.1 to automatically initiate a VPN connection when the user starts an app. For example, you could configure Windows 8.1 to automatically initiate a VPN connection when the user starts the Bing Finance app or the Weather app. You can also configure Windows 8.1 to automatically initiate a VPN connection for desktop apps, such as Word.exe or Excel.exe.
The Auto-Triggered VPN feature works with any of the VPN server endpoints that Windows 8.1 supports, including Check Point VPN, F5 VPN, Juniper Networks Junos Pulse, Microsoft, and SonicWall Mobile Connect VPN server endpoints.
For more information about VPNs and the Auto-Triggered VPN feature in Windows 8.1, see “Remote Access (DirectAccess, Routing and Remote Access) Overview” at http://technet.microsoft.com/library/hh831416.aspx and Windows Server 2012 R2 Test Lab Guide: Demonstrate VPN Auto trigger at http://technet.microsoft.com/en-us/library/dn383580.aspx.
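The two trigger types described above can be set up with the VpnClient cmdlets in Windows 8.1. The following is an added example, not taken from this guide: the connection name, server address, DNS server address, and app path are placeholder assumptions, and corp.contoso.com is the suffix the guide uses as its example. It creates the profile, adds a DNS suffix trigger, an app trigger, and a trusted-network exception, and then reads the settings back for review.

```powershell
# Added example (not from the guide): configure an Auto-Triggered VPN profile with
# the VpnClient cmdlets in Windows 8.1, then read the result back for review.
# Placeholders (assumptions): connection name, server address, DNS server IP and
# app path. corp.contoso.com is the DNS suffix the guide uses as its example.
# Intended for first-time setup of the profile on a device.

$ConnectionName = 'Campus VPN'                    # placeholder
$ServerAddress  = 'vpn.contoso.example'           # placeholder
$IntranetSuffix = 'corp.contoso.com'              # suffix from the guide's example
$IntranetDns    = @('10.0.0.10')                  # placeholder intranet DNS server
$TriggerApp     = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'  # placeholder path

# 1. Create the profile if it does not exist yet. Auto-trigger works with
#    split-tunnel profiles, so SplitTunneling is set here. RememberCredential
#    lets a triggered connection come up without prompting on every use.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    $vpnProfile = @{
        Name               = $ConnectionName
        ServerAddress      = $ServerAddress
        TunnelType         = 'Sstp'
        EncryptionLevel    = 'Required'
        SplitTunneling     = $true
        RememberCredential = $true
    }
    Add-VpnConnection @vpnProfile
}

# 2. DNS suffix trigger: connect when a name under the intranet suffix is
#    requested, and resolve those names through the intranet DNS server.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix $IntranetSuffix -DnsIPAddress $IntranetDns -Force

# 3. App trigger: connect when the listed desktop app starts.
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID $TriggerApp -Force

# 4. Trusted network: do not trigger while the device is already on a network
#    that hands out the intranet suffix (for example, on campus).
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix $IntranetSuffix -Force

# 5. Review what was configured and flag settings worth a second look.
$vpn      = Get-VpnConnection -Name $ConnectionName
$findings = @()
if (-not $vpn.SplitTunneling) {
    $findings += 'Split tunneling is off; the triggers will not start this profile.'
}
if ($vpn.EncryptionLevel -notin 'Required', 'Maximum') {
    $findings += "Encryption level is '$($vpn.EncryptionLevel)'; unencrypted sessions may be accepted."
}
if ($vpn.TunnelType -eq 'Pptp') {
    $findings += 'Tunnel type is PPTP; prefer SSTP, L2TP or IKEv2.'
}

$vpn | Format-List Name, ServerAddress, TunnelType, EncryptionLevel, SplitTunneling, RememberCredential
Get-VpnConnectionTrigger -ConnectionName $ConnectionName | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No findings for this profile.' }
```

Because the profile uses split tunneling, only traffic for the intranet routes goes through the tunnel; the device's other Internet traffic does not pass through the institution's network, so plan web filtering and monitoring for these devices accordingly.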
Windows Store apps
Note the following Windows Store app planning considerations:
• Which user accounts are required to access the Windows Store?
• How can Windows Store apps be deployed?
• How can Windows Store apps be managed in the classroom?
• How does single sign-on (SSO) work with Windows Store apps?
• What changes must you make to the network infrastructure to support the Windows Store?
• How are Windows Store apps obtained?
The Windows 8.1 operating system includes many new features and capabilities, but one prominent feature is Windows Store apps. Educational institutions can purchase or create apps for Windows 8 that use the new UI.
INFO
Windows Store app planning considerations are discussed in Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685.
User accounts
Note the following key user account planning considerations:
• When are Microsoft and Windows accounts required?
• Do age restrictions exist for accounts?
• How can Office 365 or Windows Azure Active Directory (AD) accounts be used?
• What is the relationship among Microsoft, Windows, and Windows Azure AD accounts?
• How can you provide an SSO experience for users?
Faculty and students need user accounts to log on to their Windows 8 devices, access the Windows Store, access on-premises resources, and access Internet resources. As a part of the planning process, determine the user accounts that faculty and students will use, the age restrictions for accounts, and how to provide the best SSO experience for users.
Note the following planning considerations for user accounts:
• Determine the user accounts to use: Table 5 on page 28 lists the user account types available for use in Windows 8. Use the information in Table 5 to determine which user account types faculty and students will use.
• Account management: You can centrally manage domain-based Windows accounts and Windows Azure AD accounts. You cannot centrally manage Microsoft accounts and local Windows accounts (for example, you cannot manage a Microsoft account that a student or faculty member creates). However, users can manage their respective Microsoft accounts without requiring assistance from IT resources. Use these considerations as you select user accounts.
• Determine account age restrictions: Microsoft accounts in the United States comply with the Children’s Online Privacy Protection Act (COPPA) regarding online account creation for children under 13 years of age. To verify that an adult is giving a child permission to create a new Microsoft account, COPPA requires that a small amount be charged to the adult’s credit card (for a U.S. account). Although you do not need adult permission to create Windows accounts and Windows Azure AD accounts, it is recommended that adults be notified and permission obtained, as necessary.
TABLE 5 User Account Types and Descriptions
| Account type | Description |
|---|---|
| Windows account | This account is stored locally on the Windows 8.1 device (local Windows account) or in an on-premises AD DS domain. This account is identical to the user accounts that Windows 7 uses. You can associate a Microsoft account with a Windows account to provide access to resources that use a Microsoft account (such as the Windows Store or SkyDrive). This account is always required to log on to a Windows 8.1 device. |
| Microsoft account | This account is an Internet-based account used to access the Windows Store or other services that use Microsoft accounts (previously known as Windows Live ID). You can associate a Microsoft account with an existing Windows account. This account is typically required but could be optional if no services that use Microsoft accounts are used (such as not accessing the Windows Store). |
| Windows Azure AD account | This account is an Internet-based account stored in Windows Azure AD services (which may have been migrated from or integrated with an on-premises AD DS infrastructure). Office 365 uses Windows Azure AD services to store Office 365 credentials. This account is required if email and other services use this type of account (such as using email or Microsoft SharePoint Online in Office 365). |
Guardians should be involved in the account creation process and the provisioning of devices to children under 13 years of age. Instruct the guardians on how the Family Safety feature can help integrate them into their child’s digital learning experience.
Additional information:
• “Microsoft account” at http://windows.microsoft.com/en-US/windows-live/microsoft-account-help#microsoft-account=tab1
• “Windows Azure: Identity and Access Management” at http://www.windowsazure.com/en-us/home/features/identity
• Children’s Online Privacy Protection at http://www.coppa.org
• Windows Store apps: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39685
Deployment
Note the following key deployment planning considerations:
• What deployment scenarios are available for Windows 8.1 in education?
• What are the deployment technologies and tools available for institution-owned devices?
• What are the deployment technologies and tools available for personally owned devices?
• What role does virtualization play in deploying Windows 8 in education?
• What type of connectivity is available for devices after deployment?
Windows 8.1 provides a wide range of flexibility in deployment options. This flexibility allows you to design a deployment solution that provides Windows 8.1 to all users, regardless of the device they use or where they are located.
Table 6 describes some common Windows 8.1 deployment scenarios and the information necessary for selecting the appropriate scenarios for your institution. You can select any combination of these scenarios to design a complete Windows 8.1 deployment solution. Each scenario is discussed in a subsequent section.
TABLE 6 Deployment Scenario Selection
| | Institution-owned devices | Personally owned devices | Virtual Desktop Infrastructure (VDI) | Windows To Go |
|---|---|---|---|---|
| Can be domain joined (requires Windows 8.1 Pro or Enterprise editions) | Yes | Yes (but many users will not want their personal devices to be domain joined) | Yes | Yes |
| Institution has full control of the device | Yes | No | Yes | Yes |
| Can manage operating system deployment | Yes | No | Yes | Yes |
| Deployment tools available for deployment | Microsoft Deployment Toolkit (MDT); Microsoft System Center Configuration Manager; Windows Deployment Services; Interactive (manual) | N/A | MDT; System Center Configuration Manager; Windows Deployment Services; Interactive (manual) | Interactive (manual); Windows PowerShell scripts |
| Infrastructure | Deployment tools requirements | None | Deployment tools requirements; VDI requirements | None |
| Can support devices running operating systems prior to Windows 8.1 | Yes (by using VDI or Windows To Go) | Yes (by using VDI or Windows To Go) | Yes | Yes (but device must meet Windows To Go hardware requirements) |
| Windows 8.1 licenses required by institution | Yes, most often purchased with a new device | No (except VDI sessions that users access) | Yes | Yes |
| Requires system hardware upgrades for existing devices by institution | Not often (Windows 8 requirements are same as Windows 7) | No | No | Not often (Windows To Go supports any device that is certified for Windows 7) |
| Required full-time connectivity to institution intranet | No | No | Yes | No |
Institution-owned devices
Institution-owned devices represent the largest area of deployment responsibility. These devices can be divided into devices that currently run:
• Windows 8.1: These devices will typically be new devices that are purchased with Windows 8.1 installed. The challenges here are ensuring that the devices have the correct Windows 8.1 edition and also have a standard operating system image.
• Operating systems prior to Windows 8.1: To use these devices, perform one of the following tasks:
    • Upgrade to Windows 8.1: The system resources for these devices must be sufficient to support Windows 8.1. If the existing system resources are inadequate, they must be upgraded as a part of the Windows 8.1 upgrade. Upgrades from Windows 8 are available at no additional licensing fee. Upgrades from prior versions of Windows (such as Windows 7) are available for educational institutions. For more information, see the section “Windows 8.1 purchase and licensing” on page 4, earlier in this guide.
      You can determine if an existing device can run Windows 8.1 by using the Microsoft Assessment and Planning (MAP) Toolkit. The MAP Toolkit is a free solution accelerator available at http://technet.microsoft.com/en-us/library/bb977556.aspx.
    • Connect to Windows 8.1 in VDI: If the system resources are inadequate or the cost of upgrade is prohibitive, these devices can run Windows 8.1 in a VDI environment. This has the advantage of allowing users to continue to use existing devices while running the latest apps in Windows 8.1.
• Operating systems other than Windows 8.1: These devices (such as devices running iOS or Google Android operating systems) can run Windows 8.1 and apps in a VDI environment. This has the advantage of allowing users to continue to use existing, institution-owned devices while running the latest apps in Windows 8.1.
NOTE
It is possible to run Windows locally on certain Apple computers or to run Windows in a virtualized environment on the Mac operating system. In these instances, these computers can be managed and supported as Windows 8.1 devices.
You can automate Windows 8.1 deployment to institution-owned devices by using the MDT 2013, Microsoft System Center 2012 R2 Configuration Manager, or Windows Deployment Services in Windows Server 2012 R2. You can also perform manual deployment of Windows 8.1 from the distribution media. You can upgrade to Windows 8.1 from distribution media or by downloading the update from the Windows Store.
Additional information:
• Windows 8.1 deployment to PCs: A guide for education at http://www.microsoft.com/download/details.aspx?id=39684
• VDI: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39687
Personally owned devices
BYOD scenarios are common in educational institutions. Personally owned devices represent the least amount of deployment responsibility. These devices can be divided into devices that currently run:
• Windows 8.1: These devices will typically be new devices that are purchased with Windows 8.1 installed. The features available on these devices will be determined by the Windows 8.1 edition.
• Operating systems prior to Windows 8.1: To use these devices, perform one of the following tasks:
    • Upgrade to Windows 8.1 from Windows 8: The upgrade to Windows 8.1 requires no additional purchase. Users can upgrade their devices from Windows 8 to Windows 8.1 from the Windows Store or from distribution media. For more information, see the section “Windows 8.1 purchase and licensing” on page 4.
    • Upgrade to Windows 8.1 from Windows 7 or earlier operating systems: The system resources for these devices must be sufficient to support Windows 8. Also, the person who owns the device (such as a faculty member, student, or student guardian) must purchase the upgrade. Educational discounts are available for upgrades from prior versions of Windows (such as Windows 7) for faculty and students. For more information, see the section “Windows 8.1 purchase and licensing” on page 4, earlier in this guide.
    • Connect to Windows 8.1 in VDI: If the system resources are inadequate or the cost of upgrade is prohibitive, these devices can run Windows 8.1 in a VDI environment. This has the advantage of allowing users to continue to use existing devices (without upgrade) while running the latest apps in Windows 8.1. However, it may require users to join their devices to domains and will also require an institution-issued Windows account.
• Operating systems other than Windows 8.1: These devices (such as devices running iOS or Android) can run Windows 8.1 and apps in a VDI environment. This has the advantage of allowing users to continue to use existing, personally owned devices while running the latest apps in Windows 8.1.
Additional information:
• BYOD devices: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39681
• VDI: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39687
Virtual Desktop Infrastructure
You can design a VDI by using the Hyper-V and Remote Desktop Services server roles in Windows Server 2012 R2 or by using Windows MultiPoint Server 2012.
Table 7 lists the VDI technologies and the information necessary for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete VDI solution.
TABLE 7 VDI Technology Selection
| | Hyper-V and Remote Desktop Services server roles in Windows Server 2012 R2 | Windows MultiPoint Server 2012 |
|---|---|---|
| Infrastructure | Managed | Managed by Windows MultiPoint Server 2012 |
| Scaling | Multiple server deployment (as required for scaling) | Single server deployment only (limit of 20 users in Premium edition) |
| Availability | Multiple server deployment in clusters (as required for availability) | Single server deployment only |
| Supported devices | Devices using Remote Desktop Protocol (RDP) version 5; Microsoft RemoteFX capable as required | Direct video connected; USB zero clients; Devices using RDP; RemoteFX capable (as required and available only for RDP connections) |
A VDI solution that you create by using Hyper-V and Remote Desktop Services server roles in Windows Server 2012 R2 works by creating a VM template of Windows 8.1, and then running instances of the Windows 8.1 template in Hyper-V. Users remotely access the VMs running Windows 8.1 by using Remote Desktop Services.
Additional information:
• “Microsoft Virtual Desktop Infrastructure (VDI)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx
• “Planning a Windows MultiPoint Server 2012 Deployment” at http://technet.microsoft.com/library/jj916408.aspx
• VDI: A deployment guide for education at http://www.microsoft.com/download/details.aspx?id=39687
Windows To Go
Windows To Go is a feature in Windows 8.1 Enterprise edition that enables users to boot from a shared device with a USB flash drive and have access to all their user settings, apps, and data. You can boot the Windows To Go workspace on any device that meets the Windows 7 or Windows 8 certification requirements, regardless of the operating system currently running on the device.
NOTE
Although not required, Microsoft strongly recommends that the USB-connected external drive be connected to a USB 3.0 port. Also, the USB-connected external drive should be on the certified list of devices, which can be found at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx.
Windows To Go workspaces can use the same Windows 8.1 Enterprise image that educational institutions use for other devices. You can manage the workspaces the same way. Windows To Go is not intended to replace other physical devices or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios, such as providing a student with a Windows To Go workspace to perform classroom activities.
For more information about Windows To Go design and deployment, see “Windows To Go: Feature Overview” at http://technet.microsoft.com/library/hh831833.aspx.
Device roaming and multiple devices
Note the following key usage planning considerations for using multiple devices:
• What happens to user and application settings if a user uses multiple devices?
• What happens to user and application settings if a user uses both Windows 8.1 and Windows 7?
• What happens to user and application data if a user uses multiple devices?
• What level of control can be used for the user and application settings that follow a user?
• How can the necessary Windows Store apps and desktop apps be installed on multiple devices?
One of the key features of Windows 8.1 is the ability to customize the user experience. In many instances, Windows Store apps and desktop applications also store application-specific user settings and preferences (such as themes, backgrounds, or spelling dictionaries in Office Professional Plus 2013). Users typically save documents, photos, and other files to folders on devices (such as the Documents, Music, Pictures, or Videos folders). And finally, users will install Windows Store apps and desktop applications on devices.
If faculty members and students always use the same device, then all the user and application settings, user data, and apps are always available to them. But what happens when they use different devices? Somehow, the user and application settings, user data, and apps need to be available on multiple devices (also known as device roaming).
In addition, some users may use Windows 8.1 devices while on campus but may have Windows 8 or Windows 7 devices at home. The user and application settings need to be translated between Windows 8.1, Windows 8, and Windows 7. Table 8 on page 37 lists the technologies available to help manage user, operating system, application, and application settings on multiple devices. You can select any combination of these technologies to design a complete multiple device usage solution. Each technology is discussed in a subsequent section.
TABLE 8 Multiple Device Usage Technology Selection
| | Work Folders + Workplace Join | Windows Folder Redirection + Offline Files | Windows Roaming User Profiles | Microsoft User Experience Virtualization (UE-V) | Microsoft Application Virtualization (App-V) |
|---|---|---|---|---|---|
| Works across multiple devices | Yes (only Windows 8.1 or Windows RT 8.1) | Yes | Yes | Yes | Yes |
| Works across multiple operating systems | Yes (only Windows 8.1 or Windows RT 8.1) | Yes | No | Yes | Yes |
| Included as a part of Windows 8.1 | Yes | Yes | Yes | No | No |
| Provides granular management of user, operating system, and application settings | No | No | No | Yes | No |
| Provides centralized management of user experience | Yes | Yes (with Group Policy) | Yes (with Group Policy) | Yes | Yes |
| Works with Remote Desktop Services | Yes | Yes | Yes (but logon and logoff times can be slow because the profile needs to be copied to and from the server) | Yes | Yes |
| Works with VDI scenarios | Yes | Yes | Yes | Yes | Yes |
| Works with Windows To Go | Yes | Yes | Yes | Yes | Yes |
| Devices must be domain joined | No (if using Workplace Join with Work Folders) | Yes (if centrally managed) | Yes | Yes | Yes |
| Can be used on institution-owned devices | Yes | Yes | Yes | Yes | Yes |
| Can be used on personally owned devices | Yes | No | No | No | No |
| Can be used to manage Windows Store apps | No | No | No | Yes | No |
| Can be used to manage desktop applications | No | No | No | Yes | Yes |
| Can be used in recovery scenarios (such as new or lost device) | Yes | Yes | Yes | Yes | Yes |
| Assists with desktop application deployment | No | No | No | No | Yes |
| Assists with desktop application compatibility issues | No | No | No | No | Yes |
| Requires Microsoft Software Assurance (SA) subscription | No | No | No | Yes | Yes |
| Infrastructure requirements | AD DS; Active Directory Federation Services (AD FS) in Windows Server 2012 R2; Work Folders in Windows Server 2012 R2 | AD DS; Network shared folders | AD DS; Network shared folders | Managed network; UE-V infrastructure | Managed network; App-V infrastructure |
Windows Work Folders and Workplace Join
The Work Folders feature creates shared work folders that behave similarly to the Windows Offline Files feature or SkyDrive features (where files are synchronized between the device and the shared folder). While offline, changes to either the shared work folder or the offline copy of the files on the device are synchronized the next time the user connects the device to the shared work folder. Table 9 contains information that can help you determine when Work Folders is the right solution compared with other Microsoft file synchronization technologies.
TABLE 9 Microsoft File Synchronization Technology Selection
| | Work Folders | Offline Files | SkyDrive Pro | SkyDrive |
|---|---|---|---|---|
| Summary | Syncs files that are stored on a file server with PCs and devices | Syncs files that are stored on a file server with PCs that have access to the corporate network (can be replaced by Work Files) | Syncs files that are stored in Office 365 or in SharePoint with PCs and devices inside or outside a corporate network and provides document collaboration functionality | Syncs personal files that are stored in SkyDrive with PCs, Mac computers, and devices |
| Provides user access to institution-managed storage | Yes | Yes | Yes | No |
| Provided as a cloud service | No | No | Yes (Office 365) | Yes (SkyDrive) |
| Provided as on-premises solution | Yes (on file servers running Windows Server 2012 R2) | Yes (on file servers running Windows Server 2008 or later operating systems) | Yes (on servers running SharePoint) | No |
| Supported clients | PCs and devices inside or outside a corporate network | PCs in a corporate network or connected through DirectAccess, VPNs, or other remote access technologies | PCs, Windows Phone, iOS, and Android devices | PCs, Windows Phone, Mac computers, iOS, and Android devices |
You can assign permissions to the shared work folder, just as with traditional server message block network shared folders. Users can access the shared work folders while connected to the intranet or on the Internet (if configured to do so).
The Work Folders feature can also work with the Workplace Join feature to allow nondomain-joined devices to securely access shared work folders on servers running Windows Server 2012 R2. The Workplace Join feature allows nondomain-joined devices to be registered in AD DS through the Device Registration Services feature in AD FS. When a Windows 8.1 device is workplace joined, a certificate is installed on the device and also stored in AD DS. The device can then be authenticated by using AD FS and AD DS.
You can also configure the level of authentication required to access the shared work folders by using AD FS. For example, you could require user authentication, device authentication, or both.
Additional information:
• “Work Folders Overview” at http://technet.microsoft.com/library/dn265974.aspx
• “Work Folders Test Lab Deployment” at http://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx
• Walkthrough Guide: Workplace Join with a Windows Device at http://technet.microsoft.com/library/dn280938.aspx
NOTE
You can use Work Folders without Workplace Join, but doing so requires that the devices be domain joined.
Windows Folder Redirection
The Folder Redirection feature in Windows 8.1 redirects the path of a known folder (such as the Documents, Pictures, or Video folder in a user profile) to a new location manually or by using Group Policy. The new location can be a folder on the local device or a directory on a file share. Users interact with files in the redirected folder as if it still existed on the local drive. For example, you can redirect the Documents folder on a domain-joined device (which is usually stored on a local drive) to a network shared folder. The folder will be redirected on any domain-joined computer on which the user signs on and receives the Group Policy settings. The folder is also accessible directly from the network shared folder independent of the Folder Redirection Group Policy settings.
When used in conjunction with UE-V, the Folder Redirection feature helps provide a comprehensive solution for users who log on to multiple devices. For more information about including the Folder Redirection feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Windows Offline Files
The Offline Files feature in Windows 8.1 makes network files available to a user, even if the network connection to the server is unavailable or slow. When working online, file access performance is at the speed of the network and server. When working offline, files are retrieved from the Offline Files folder at local access speeds. When the connection to the server is restored, the offline copy of the files is synchronized to the server.
You can use the Offline Files feature in conjunction with the Folder Redirection feature in Windows 8.1 and UE-V. The Offline Files feature helps ensure that users can access files stored in the local folders that are redirected to network shared folders by using the Folder Redirection feature. The Folder Redirection feature is often used with UE-V to help improve user experience when roaming.
For more information about including the Offline Files feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Windows Roaming User Profiles
The Roaming User Profiles feature in Windows 8.1 redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers. When a user logs on to a computer by using an account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off of the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. Roaming User Profiles is typically enabled on domain accounts by a network administrator.
Before choosing to deploy Roaming User Profiles, consider the following:
• Roaming User Profiles can impact logon and logoff performance, especially if users’ profiles contain many large files (e.g., videos and images).
• Roaming User Profiles do not work across full desktop experiences and session-based VDI.
• In mixed environments, Windows 8.1 and Windows 7 user profiles are incompatible.
Because of these Roaming User Profiles considerations, UE-V is recommended for managing user experience. For more information about including the Roaming User Profiles feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Default user profiles
When a user logs on to a device for the first time, Windows must provide the user with a user profile. If the user profile is centrally managed through UE-V or Roaming User Profiles, the user profile is obtained from these technologies. However, if the user profile is not centrally managed, then Windows creates the new user profile based on the default user profile on that device. The default user profile is used as a template when creating a new user profile. You can use the CopyProfile setting in the Microsoft System Preparation Tool to customize a user profile, and then copy that profile to the default user profile.
Because of default user profile limitations, Microsoft recommends UE-V for managing user experience. For more information about including default user profiles in your design, see “How to Customize the Default User Profile by Using CopyProfile” at http://technet.microsoft.com/library/hh825135.aspx.
User Experience Virtualization
UE-V is an enterprise-scale user state virtualization solution that keeps users’ experience with them. UE-V gives users the choice of changing their device and keeping their experience so that they do not have to reconfigure applications each time they log on to different Windows 8.1 or Windows 7 computers. UE-V integrates with the Folder Redirection feature in Windows 8.1 to help make user folders accessible from multiple physical or virtual devices. UE-V supports desktop applications that are deployed using different methods (such as locally installed apps, App-V sequenced applications, or Remote Desktop applications). UE-V is a technology in the Microsoft Desktop Optimization Pack (MDOP), which is a suite of technologies available through SA subscriptions.
Additional information:
• “Microsoft User Experience Virtualization (UE-V)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/UE-V.aspx
• UE-V resources and demonstration videos at http://technet.microsoft.com/windows/hh943107
• Microsoft User Experience Virtualization Deployment Guide at http://www.microsoft.com/en-us/download/details.aspx?id=35495
Microsoft Application Virtualization
App-V virtualizes desktop applications so that they become centrally managed services deployed to a virtualized desktop application environment on devices without using traditional installation methods (known as application sequencing). The sequenced desktop applications run in their own self-contained virtual environment and are isolated from each other, which eliminates application conflicts but allows desktop applications to interact with the device.
App-V integrates with System Center 2012 R2 Configuration Manager, so you can manage virtual and physical desktop applications along with hardware and software inventory, operating system and patch deployment, and more. App-V is a technology in the MDOP.
Additional information:
• “Microsoft Application Virtualization (App-V)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/app-v.aspx
• App-V resources and demonstration videos at http://technet.microsoft.com/windows/hh826068
NOTE
App-V works only for desktop applications, not for Windows Store apps.
Configuration and management
Note the following key Windows 8.1 configuration and management planning considerations:
• Which methods are available for configuring and managing domain-joined and non–domain-joined Windows 8.1 devices after deployment?
• What are the advantages and disadvantages of on-premises and off-premises device management?
• What methods are available to manage devices and software throughout the entire IT life cycle?
• What configuration and management methods can be used for institution- and personally owned devices?
Ongoing Windows 8.1 device configuration and management is an essential part of your Windows 8.1 deployment plan. Windows 8.1 supports both on-premises and off-premises management. You can also manage Windows 8.1 locally or remotely. The configuration and management methods differ on the level of automation and the method completeness. For example, Group Policy works for domain-joined devices but is ineffectual for stand-alone devices. You can use Windows PowerShell cmdlets to automate common IT tasks, but by itself, Windows PowerShell does not provide a comprehensive solution.
Table 10 lists some of the technologies available for performing Windows 8 configuration and management. The list in Table 10 is only a few of the many products, tools, and utilities that are available for configuring and managing Windows 8.1. You can select any combination of these technologies to design a complete configuration and management solution. Each technology is discussed in a subsequent section.
TABLE 10 Configuration and Management Technology Selection

| | Group Policy | Windows PowerShell | System Center 2012 R2 Configuration Manager | Windows Intune |
|---|---|---|---|---|
| Control (turn on or off) Windows Store access | Yes | No | Yes | Yes |
| Control installation of specific apps (by using whitelists or blacklists) | Yes (with AppLocker) | No | Yes (in conjunction with Group Policy and AppLocker) | No |
| Operating system setting management | Yes | Yes | Yes | Yes |
| User setting management | Yes | Yes | Yes | Yes |
| App setting management | Yes (if registry based) | App-specific | Yes, but scripting may be required | Yes, but scripting may be required |
| Centralized administration model | Yes | No | Yes | Yes |
| On or off-premises | On-premises | On-premises | On-premises | Off-premises |
| On-premises infrastructure | AD DS | None | Managed networks; System Center 2012 R2 Configuration Manager | None |
| Devices must be domain joined | Yes | No | No, but challenges exist for native support; Windows Intune integration is recommended | No |
| Supports self-service model | No | No | Yes | Yes |
| Supports push model | Yes | Yes | Yes | Yes |
| Can be used to create enterprise app store | No | No | Yes | Yes |
| User interaction | IT pro does back-end configuration. User performs no actions | IT pro performs all tasks | IT pro does back-end configuration. User has no interaction for push model and limited interaction for self-service model | IT pro does back-end configuration. User has no interaction for push model and limited interaction for self-service model |
| Provided with Windows 8 | In Windows 8 Pro and Enterprise, but requires AD DS | Yes | No | No |
| Provides unified solution for the entire software life cycle, including installation, updates, supersedence, and removal | No | No | Yes | Yes |
| Can be used for operating system deployment | No | No | Yes | No |
| Requires additional cost | Yes (unless AD DS is already installed) | No | Yes (if no System Center Configuration Manager infrastructure is installed) | Yes (subscription model) |
Group Policy
You can use Group Policy to manage user, Windows operating system, and application settings. Ultimately, you can use Group Policy to manage any configuration settings stored in the Windows registry. Microsoft provides built-in Group Policy templates for most common configuration settings. In addition, you can create custom Group Policy templates that allow you to manage configuration settings that the built-in templates do not provide. Use Group Policy to control Windows Store access and the installation and running of apps on devices (when used in conjunction with AppLocker).
Additional information:
• “Group Policy” at http://technet.microsoft.com/windowsserver/bb310732.aspx
• “Managing Client Access to the Windows Store” at http://technet.microsoft.com/en-us/library/hh832040.aspx
Windows PowerShell
Many common Windows 8 administrative tasks can be performed by using Windows PowerShell, including Windows Store app management and operating system configuration. You can use Windows PowerShell interactively or to create scripts that can be run to perform more complex tasks. For more information about using Windows PowerShell for configuration and management, go to http://technet.microsoft.com/library/bb978526.aspx.
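A device-side check of the Group Policy and AppLocker controls described in the Group Policy section, written as a Windows PowerShell script. This is an added example, not code from the guide: the function names are hypothetical, the policy XML is a constructed sample, and it assumes the "Turn off the Store application" computer policy is stored as the RemoveWindowsStore registry value.

```powershell
# Added example (not from the guide). Function names are hypothetical.
function Get-StorePolicyState {
    # Assumption: the "Turn off the Store application" computer policy sets
    # RemoveWindowsStore = 1 under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $val = (Get-ItemProperty -Path $key -Name RemoveWindowsStore -ErrorAction SilentlyContinue).RemoveWindowsStore
    if ($val -eq 1) { 'Store disabled by computer policy' } else { 'Store not disabled by computer policy' }
}

function Get-AppLockerEnforcementSummary {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $policy = [xml]$PolicyXml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        [pscustomobject]@{
            Collection = $rc.Type
            Mode       = $rc.EnforcementMode
            Rules      = $rules.Count
            # Rules take effect only when present and not in audit-only mode;
            # NotConfigured with rules present is enforced by default.
            Enforced   = ($rules.Count -gt 0 -and $rc.EnforcementMode -ne 'AuditOnly')
        }
    }
}

# Constructed sample policy (not a recommended rule set).
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed rule" Description="" UserOrGroupSid="S-1-1-0" Action="Allow" />
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Constructed rule" Description="" UserOrGroupSid="S-1-1-0" Action="Allow" />
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

Get-StorePolicyState
Get-AppLockerEnforcementSummary -PolicyXml $sample | Format-Table -AutoSize

# On a managed device, evaluate the live policy (run elevated):
#   Get-AppLockerEnforcementSummary -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
# AppLocker rules are evaluated only while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status
```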
Configuration Manager
System Center 2012 R2 Configuration Manager automates deploying apps to a device during or after the operating system deployment process. System Center 2012 R2 Configuration Manager allows you to create a list of applications that can be selected during the deployment process at the time of deployment or deployed through the Application Catalog. System Center 2012 R2 Configuration Manager provides a unified console for managing apps and can optionally integrate with Windows Intune to help manage devices that are not connected to the educational institution’s intranet. For more information about using System Center 2012 R2 Configuration Manager with SP1 for configuration and management, go to http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx.
Windows Intune
Windows Intune is an off-premises, cloud-based management solution that provides device management, software installation, and software update management. Windows Intune can integrate with System Center 2012 R2 Configuration Manager to provide a unified management solution.
Windows Intune helps manage IT environments to help keep devices secure, including software and patch distribution, policy-based management, and Endpoint Protection for PCs. Windows Intune also supports BYOD scenarios by providing a self-service portal to install apps, personalized app delivery, and support for multiple platforms and devices.
For more information about using Windows Intune for configuration and management, go to http://www.microsoft.com/en-us/windows/windowsintune/pc-management.aspx.
© 2014 Microsoft Corporation. All rights reserved.
This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.