Windows 8.1 deployment planning a guide for education

Windows 8.1 deployment planningA guide for education

January 2014

Table of contents

2 Windows 8.1 in education2 ITbenefits2 Facultybenefits3 Studentbenefits

4 Windows 8.1 purchase and licensing

6 Volume Activation

10 Network infrastructure10 Internetingressandegress11 Networkbandwidth12 Wirelessnetworking

15 Accessibility

16 Printers

18 Security and privacy21 Internetaccess21 Applicationaccess21 Deviceaccess22 Remoteconnectivity24 DirectAccess25 Virtualprivatenetwork

26 Windows Store apps

27 User accounts

29 Deployment31 Institution-owneddevices32 Personallyowneddevices33 VirtualDesktopInfrastructure34 WindowsToGo

36 Device roaming and multiple devices39 WindowsWorkFoldersandWorkplaceJoin40 WindowsFolderRedirection41 WindowsOfflineFiles41 WindowsRoamingUserProfiles42 Defaultuserprofiles42 UserExperienceVirtualization43 MicrosoftApplicationVirtualization

44 Configuration and management46 GroupPolicy47 WindowsPowerShell47 ConfigurationManager47 WindowsIntune

1WINDOWS 8.1 DEPLOYMENT PLANNING

Windows 8.1 deployment planningA guide for education

This guide is designed for IT pros, school administrators, and other faculty members who are responsible for the deployment of devices running Windows 8.1 in educational institutions. This guide covers the key considerations and questions that should be answered as a part of a typical Windows 8.1 deployment.

SomeofthekeystosuccessinaWindows8.1(oranytechnologydeployment)thatwewillcoverineachsectionareasfollows:

• DevelopandcommunicateyourWindows8.1deploymentplanbeforeyoudeploydevices.

• Starttheplanningprocessandvalidateyourdesignasearlyinyourdeploymentprojectaspossible,becausebaddesigndecisionsbecomedifficulttocorrectthelateryoudiscoverthemintheprocess.

• Includerepresentativesfromcurriculumandtechnologyleadership(inadditiontothosewhoareresponsibleforperformingtheactualdeployment)tohelpensurethatthefinalsolutionmeetsorexceedscurriculumandlearningoutcomerequirements.

Eachsectioninthisguideliststhekeyplanningconsiderationsandquestionsforthetopicscoveredinthatsection.EachsectionalsoincludeslinkstoadditionalresourcestohelpintheWindows8.1deploymentplanningprocessdiscussedinthatsection.

NOTE

Classroomcurriculumdesignisoutsidethescopeofthisdocument.Inaddition,althoughmostoftheplanningdecisionsinthisguideareapplicabletoWindowsRT8.1,WindowsRT,andWindows8,thisguidefocusesonWindows8.1deploymentonly.

2WINDOWS 8.1 DEPLOYMENT PLANNING

Windows 8.1 in educationWindows8.1providesanincredibleopportunityforeducatorsandstudentstotakeadvantageofthenewworldofdigitaleducationandexcitingnewdevices,leveragingtheworldwidestandardMicrosoftplatformandcloudservicestoensureseamlessmanageability,robustsecurity,backwardcompatibility,andcosteffectiveness.RunningWindows8.1ondevicesdesignedforWindows8.1canhelpyoumeetthechallengesandmaximizethebenefitsofusingWindows8.1ineducation.

IT benefits

ManyITorganizationswithineducationalinstitutionsalreadysupportaMicrosoftinfrastructure.Inmanyinstances,theITstaffcanusethesametoolstheyarealreadyfamiliarwithtomanageWindows8.1devices.Institutionscanalsooutsourcethisworktopartnerswhoareabletoleveragethepartner’sWindows8.1managementexperienceandskillsets.

YoucanmanageWindows8.1devicesandappsautomaticallybyemployingon-premisesandoff-premisesmanagementsolutions.ThesesolutionsdramaticallyreducetheeffortrequiredfromITprostokeepdevicescurrentwithsoftwareandsecurityupdatesandtoperformcommonITadministrativetasks.Inmanyinstances,educationalinstitutionscancreateself-serviceportalsthatallowuserstosolvemanycommonproblemsthemselves(suchasresettingapassword,deployinganapp,orinstallingsoftwareupdates).ThismeansthatITproscanspendfewerhoursmanaginghardware,software,andservicestoprovidehigher-qualityserviceswiththesameorlesslevelofeffort.

Faculty benefits

Windows8.1hasalargeecosystemofprovidersandservices,providingeducatorstheflexibilitytochoosethedevicesandservicestheyprefer–sotheycanteachthewaytheywant.Windows8alsohelpsteachersmanagetheclassroombylimitingavailabilityofdistractingapplications(suchasinstantmessagingorsocialnetworking)duringclassandviewingandsharingstudentscreenstoimproveclassroomparticipation.

MostinstructorsandfacultymembersarefamiliarwiththeWindowsoperatingsystemandusuallyhaveanexistingdevicerunningWindowsintheclassroomorathome.FacultymembershaveavastlibraryofexistingWindowssoftwareandperipheralstoincorporateintotheirlearningcurriculum.DevicesrunningWindows8.1supportWindowsStoreappsanddesktopapplications,whichallowseducatorstohavetheultimateinflexibilityanddiversitywhenselectingtechnologyresourcesfortheclassroom.IfapplicationsandperipheralsworkedinWindows8andWindows7,theywilloftenworkjustaswellinWindows8.1,decreasingbothcostanddeploymenttime.

3WINDOWS 8.1 DEPLOYMENT PLANNING

ThismeansthatinstructorsandfacultymemberswillbeabletorealizethebenefitofusingWindows8intheclassroommorequicklythanotheroperatingsystems.

Student benefits

Learningisaboutconsuming,collaboration,andcreation.MostWindowsdeviceshaveamultitouchuserinterfacethatprovidesanimmersiveuserexperienceforconsumingandcollaborating,buttheyalsocomewithafull-functioningkeyboardthatisessentialforcontentcreation.Nowthereistheadditionofafluidandimmersiveuserexperiencethatenablestabletsandtouchscreensaswell.Withthehugeinterestintabletsforthestudentmarket,Windows8.1isabletoprovideaconsistentuserexperienceacrossformfactors.Inaddition,studentshaveaccesstothevastlibraryofexistingsoftwarecreatedforWindows—includingWindowsStoreappsandWindowsdesktopapplications—andmostapplicationsthatrunontheWindows8,Windows7,orWindowsXPoperatingsystemwillalsorunonWindows8.1.

MoststudentsalreadyknowhowtousedevicesrunningaWindowsoperatingsystem.TheytypicallyhaveaccesstodevicesrunningWindowsathome,aswell,whichallowsstudentstocontinuetheireducationathomewithoutadditionalcostonthepartoftheeducationalinstitutionorthestudent’sfamily.

4WINDOWS 8.1 DEPLOYMENT PLANNING

Windows 8.1 purchase and licensingNotethefollowingkeyWindows8.1purchaseandlicensingplanningconsiderations:

• Howmanyusersdoyouneedtoenable?

• HowmanynewdeviceswillyoubuywithWindows8.1preinstalled?

• HowwillyouupgradeexistingWindows8devicestoWindows8.1?

• HowmanyWindows8.1licensesdoyouneedtopurchasetoupgradeexistingdevices(notethatsomeproductswillrequirelicenseupgrades,suchasWindows8.1Enterpriseedition)?

• HowdoesyourinstitutionhandleWindow8.1licensingforpersonallyowneddevices?

• HowcanfacultyandstudentspurchaseWindows8.1licensesateducationalprices?

• Whateducationalpricingandlicensingprogramsareavailableforeducationalinstitutions?

Eachphysicaldeviceorvirtualmachine(VM)runningWindows8.1musthaveavalidlicense.MostdevicehardwarevendorsprovideaWindows8.1licenseforeachdevicetheinstitutionpurchases.However,youmustobtainWindows8.1licensesforanyexistingdevicesrunningpreviousversionsofWindowsthatwillbeupgradedtoWindows8.1(suchasdevicesrunningWindows7).

ThelistbelowprovidestheWindows8.1licensingconsiderationsfordevicesbasedontheirownership:

• Institution owned EducationalinstitutionscanacquirelicensesforWindows8(andotherMicrosoftproducts)throughtheMicrosoftEnrollmentforEducationSolutions(EES)program.TheMicrosoftEESprogramisaneasy,cost-

NOTE

ExistingWindows8licensescanbeupgradedtoWindows8.1licenseswithoutadditionallicensingfeesforthesameeditionofWindows8.1.Forexample,aWindows8ProlicensecanbeupgradedtoWindows8.1Prowithoutadditionallicensingfees.However,upgradingaWindows8licensetoWindows8.1ProwouldrequiretheWindows8Prolicensepriortoupgrading.

NOTE

MicrosoftworkswithorganizationsinthepublicsectorthroughtheShapetheFutureprogram.FormoreinformationabouttheShapetheFutureprogram,seehttp://www.microsoft.com/shapethefuture.

5WINDOWS 8.1 DEPLOYMENT PLANNING

effectiveofferthatprovidesqualifiedacademiccustomersasimplifiedwaytoacquireMicrosoftsoftwareandservicesunderasinglesubscriptionagreement.Formoreinformation,see“ProgramsforEducationalInstitutions”athttp://www.microsoft.com/education/en-us/buy/licensing/Pages/enrollmentforeducationsolutions.aspx.

• Personally owned FacultyandstudentsareresponsibleforhavingtheappropriateWindows8licensesfortheirdevices.InadditiontopotentiallybeingabletopurchaseMicrosoftsoftwarethroughtheeducationalinstitution,facultyandstudentscanindividuallypurchaseMicrosoftproductsateducationaldiscountsthroughresellerssuchas:

• JourneyEdathttp://www.journeyed.com/dept/Brands/Microsoft/284074

• OnTheHubathttp://www.onthehub.com

UsethisinformationtodeterminethenumberofWindows8.1licensesyoumustobtainforyoureducationalinstitution.Also,usetheinformationtodetermineinstitution-sponsoredMicrosofteducationalbenefitprogramsforfacultyandstudents.

INFO

Formoreinformation,see“MicrosoftinEducation”athttp://www.microsoft.com/education/en-us/buy/Pages/academicsavings.aspx.

6WINDOWS 8.1 DEPLOYMENT PLANNING

Volume ActivationNotethefollowingkeyMicrosoftVolumeActivationplanningconsiderations:

• WhichlicensingmodelsareavailableforWindows8.1andMicrosoftOfficeProfessionalPlus2013?

• Whattechnologiesareavailabletoactivatevolumelicenses?

• Whattypeofconnectivityisavailablefordevicestoperformactivation?

ThefollowinglistshowstheVolumeActivationtechnologiesandprovidesabriefdescriptionofeach:

• Active Directory-Based Activation (ADBA) ADBAisaroleservicethatallowsyoutouseActiveDirectoryDomainServices(ADDS)tostoreactivationobjects,whichcanfurthersimplifythetaskofmaintainingVolumeActivationservicesforanetwork.WithADBA,noadditionalhostserverisneeded,andactivationrequestsareprocessedduringcomputerstartup.ADBAworksonlyfordevicesrunningWindows8thataredomainjoined.

• Key Management Service (KMS) KMSisaroleservicethatallowsorganizationstoactivatesystemswithintheirnetworkfromaserveronwhichaKMShosthasbeeninstalled.WithKMS,ITproscancompleteactivationsontheirlocalnetwork,eliminatingtheneedforindividualcomputerstoconnecttoMicrosoftforproductactivation.KMSdoesnotrequireadedicatedsystem,anditcanbecohostedonasystemthatprovidesotherservices.Bydefault,volumeeditionsofWindows8connecttoasystemthathoststheKMSservicetorequestactivation.Noactionisrequiredfromtheuser.

• Multiple Activation Key (MAK) AMAKisavolumelicensekeythatisusedforone-timeactivationwithactivationservicesthatMicrosofthosts.YoucanactivateMAKsovertheInternetorbytelephone.

Table1onpage7liststheVolumeActivationtechnologiesandtheinformationnecessaryforselectingtheappropriatetechnologiesforyourinstitution.YoucanselectanycombinationofthesetechnologiestodesignacompleteVolumeActivationsolution.

7WINDOWS 8.1 DEPLOYMENT PLANNING

ADBA KMS MAK

Device must be domain joined Yes No No

Devices must connect to the network at least once

every 180 daysYes Yes No

Supports Volume Activation of Windows 8.1

and Windows 8Yes Yes Yes

Supports Volume Activation of Windows 7 No Yes Yes

Supports Volume Activation of Microsoft

Office

Yes(Office2013only,notMicrosoftOffice365orpreviousversionsofOffice)

Yes Yes

Can use Volume Activation services in

Windows Server 2012 R2 and Windows Server 2012

Yes Yes N/A

Can use Volume Activation services in

operating systems prior to Windows Server

2012 R2 and Windows Server 2012

Yes,butrequiresthattheActiveDirectoryschemabeupdatedtoWindows

Server 2012 orWindowsServer 2012

R2

Yes N/A

Microsoft Volume Licensing information is

stored in AD DSYes No No

Can be activated with Internet access only No No Yes

Can be activated by telephone No No Yes

TABLE 1 VolumeActivationTechnologySelection

8WINDOWS 8.1 DEPLOYMENT PLANNING

ADBA KMS MAK

Required infrastructure AD DS

KMSserver,howeverhavingAD DS

makesKMSmanagement

easier

Internetaccessortelephone

9WINDOWS 8.1 DEPLOYMENT PLANNING

Additionalinformation:

• “PlanforVolumeActivation”athttp://technet.microsoft.com/library/jj134042.aspx

• “VolumeLicensing”athttp://www.microsoft.com/licensing/about-licensing/windows8.aspx

• “IntroductiontoVAMT”athttp://technet.microsoft.com/library/hh825141.aspx

• Volume Licensing Guide for Windows 8.1 and Windows RT 8.1athttp://download.microsoft.com/download/9/4/3/9439A928-A0D1-44C2-A099-26A59AE0543B/Windows_8-1_Licensing_Guide.pdf

• “MicrosoftLicensingfortheConsumerizationofIT”athttp://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it.aspx

• “MicrosoftLicensingfortheConsumerizationofIT-AcademicLicensingScenarios”athttp://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it-academic.aspx

• “LicensingWindowsdesktopoperatingsystemforusewithvirtualmachines”athttp://www.microsoft.com/en-in/licensing/about-licensing/briefs/win8-virtual.aspx

• “VolumeactivationofOffice2013”athttp://technet.microsoft.com/en-US/library/ee705504.aspx

10WINDOWS 8.1 DEPLOYMENT PLANNING

Network infrastructureBecauseWindows8.1devicesarenotjustcloud-connecteddevices(theyworkofflinetoo),yourexistingnetworkinfrastructurewilloftenbeadequatetosupportWindows8.1.Aspartoftheplanningprocess,determineanynetworkinfrastructureremediationthatyoumustperformpriortodeployingWindows8devices.

Internet ingress and egress

NotethefollowingkeyInternetingressandegressplanningconsiderations:

• WhatTCPandUserDatagramProtocol(UDP)trafficmustbeallowedtoandfromtheInternet?

• Whichwebsitesmustbeaddedtotheapprovedsiteslistforedge-of-networkappliances?

• WhataretherequirementsforbeingcompliantwiththeChildren’sInternetProtectionAct(CIPA)?

• Whichfirewallsshouldyouuse(firewallappliancesandWindowsfirewall)?

OneofthekeyfeaturesinWindows8.1istheintegrationwithInternet-basedcontentandservices,especiallytheWindowsStore.YoumustplananynecessarychangestoyourInternetingressandegresstoprovideaccesstosuchcontentandservices,asdescribedinthefollowinglist:

• TCP and UDP traffic PlantheTCPandUDPtrafficthatmustbeallowedtoandfromtheInternet.Specifically,allowthetrafficrequiredforanynewWindowsStoreappordesktopapplicationsthatwillbeaddedaspartoftheWindows8.1deploymentprocess.

• Approved website list Manyedge-of-networkappliances(suchasfirewallsorwebproxies)supportalistofapprovedwebsites.Inyourplan,specifythatthelistincludestheWindowsStoreandothersupportingsites.

• CIPA compliance YoureducationalinstitutionmayneedtocomplywithCIPA,whichimposescertainrequirementsonschoolsorlibrariesthatreceivediscountsforInternetaccessorinternalconnectionsthroughtheE-rateprogram,whichmakescertaincommunicationsservicesandproductsmoreaffordableforeligibleschoolsandlibraries.FormoreinformationaboutCIPA,see“Children’sInternetProtectionAct”athttp://www.fcc.gov/guides/childrens-internet-protection-act.

11WINDOWS 8.1 DEPLOYMENT PLANNING

• Firewall usage YoucanusefirewallappliancesandWindowsFirewalltoprotectdevicesandprovidesecuritydefenseindepth.Ifyouuseboth,ensurethatyouprovidetheappropriateaccesstotheWindowsStoreandotherInternet-basedcontentandservicesbyconfiguringbothfirewalls.YoucanspecifythattheWindowsFirewallbeconfiguredbyusingGroupPolicyfirewallsettings.FormoreinformationonusingGroupPolicytoconfigureWindowsFirewall,seetheMicrosoftTechNetarticle,“ConfigureFirewallPortRequirementsforGroupPolicy,”athttp://technet.microsoft.com/library/jj572986.aspx.

Network bandwidth

Notethefollowingkeynetworkbandwidthplanningconsiderations:

• CantheLANandWi-Finetworksupportahighdensityofdevices?

• Doesthenecessaryavailablenetworkbandwidthexistforconnectingtoon-premisesresources?

• DoesthenecessaryavailablenetworkbandwidthexistforInternetaccess?

TheuseoftechnologyinmostcurriculumplansrequiresaccesstolocalandInternet-basedresourcesandcontent(suchasdocumentstoragelibraries,multimediafiles,oronlinestudyresources).Thefollowingisalistofplanningconsiderationsthatrelatetonetworkbandwidth:

• Support for a high density of devices Educationalenvironmentstendtohaveahighconcentrationofdevicesinasmallgeographicarea.Facultyandstudentsrequirenetworkaccessfromclassrooms,labs,andcommonareas.Thesenumberscanrangefrom20–30devicesinaclassroomtohundredsofdevicesinacommonarea(suchasalibraryorstudentcenter).Typically,thisnumberimpliesthateachclassroommayrequireadedicatednetworkconnectiontotheon-premisesnetwork,andcommonareasmayrequiremultiplededicatednetworkconnectiontotheon-premisesnetworktosupportthenumberofdevicesinagivengeographicarea.

• On-premises available network bandwidth Alldevicestypicallyneedhigh-speed,persistentconnectionstoon-premisescontentandresources(suchasprinters,fileservices,orintranet-basedsites).Ensurethattheon-premisesnetworkhassufficientbandwidthtoprovidereasonableresponsetimeswhenaccessingtheon-premisesresources.Also,includeInternettrafficwhenevaluatingyouron-premisesnetwork,becausedevicesconnecttotheInternetthroughtheon-premisesnetwork.Youcanestimatethistrafficbyobservingthetypicalintranettrafficadevicegenerates,thenmultiplyingthatbythenumberofdeviceswithinagivengeographicarea.

12WINDOWS 8.1 DEPLOYMENT PLANNING

• Internet available network bandwidth AlldevicestypicallyneedaccesstoInternet-basedcontentandresources(suchastheWindowsStoreandotherInternet-basedwebsites).EnsurethattheInternetconnectionhassufficientbandwidthtoprovidereasonableresponsetimeswhenaccessingtheInternet.YoucanestimatethisresponsetimebyobservingthetypicalInternettrafficadevicegenerates,thenmultiplyingthatbythenumberofdeviceswithinagivengeographicarea.

Thephysicalnetworkdesignisspecifictothetypeofdevicesandthevendorspecificationsforeachdevice.Contactthenetworkinfrastructurevendorsforplanningtoolsandresourcestohelpindeterminingnetworkbandwidth.

Wireless networking

Notethefollowingkeywirelessnetworkplanningconsiderations:

• HowmanyWi-Fiwirelessdeviceswillbeusedwithineachclassroomandincommonareas(devicedensity)?

• WhatWi-Fitechnologiesdoyouneedtosupport(suchasInstituteofElectricalandElectronicsEngineers[IEEE]802.11n,802.11g,or802.11b)?

• Willbroadband(cellular)deviceconnectivitybesupported?

Mostmoderndevicesuseawirelessconnectiontoaccessnetworks.Althoughwirelessconnectionreducestheclutterandproblemsassociatedwithwirednetworkconnections,itaddstothecomplexityofplanningandsupportingnetworks.

• Wi-Fi–supported standards MostdevicessupportavarietyoftheIEEE802.11XWi-Fistandards,suchas802.11n,802.11g,or802.11b.Ensurethatthewirelessaccesspoints(WAPs)supportthehighestspeedstandardthedevicesupports.Supporttheslowerspeedstandardstoprovidecompatibilitywitholderdevices.Forexample,mostnewdevicessupportIEEE802.11n,butolderdevicesmayonlysupportIEEE802.11b.

• Network frequency IEEE802.11Xwirelessstandardsusethe2.4gigahertz(GHz)and5.0GHzfrequenciesforcommunicationbasedonthestandardused.MostmodernWAPssupportbothfrequencies.Mostnewdevicessupport5.0GHzfrequencies,whileolderdevicesonlysupportthe2.4GHzfrequencies.EnsurethatyourWAPssupportthecorrectfrequenciestosupporttheplanneddevicepopulation.

• Wireless device density Thisconsiderationissimilartotheplanningdecisionsforwirednetworks.Fromthewirelessperspective,determinethenumberandplacementofWAPs.Mostenterprise-classWAPscansupportupto50devices;however,wirelessnetwork

13WINDOWS 8.1 DEPLOYMENT PLANNING

performancewilldegradedramaticallyasthenumberofdevicesapproachesthemaximumvalue.AWAPtypicallyhasasinglewirednetworkconnect,whichmeansthatalldevicesconnectingthroughtheWAPsharethatsinglewirednetworkconnection.Forexample,ifyouhaveaWAPthatsupports30studentsandhasagigabitwirednetworkconnection,those30studentssharethatsinglegigabitnetworkconnection.Inareaswithalargeconcentrationofdevices,multipleWAPsmayberequired.

• Wireless coverage Ensurethateachdevicehaswirelessconnectivitywithintheareaswherethedevicesareused(classroomsandcommonareas)byproperlyplacingWAPs.PlacingWAPstoofarfromeachotherresultsinareaswheredeviceswillnotbeabletoconnect.PlacingtheWAPstooclosetoeachothercanincreaseyourcostbycreatingunnecessaryWAPs.EnsurethatthecoverageareasforWAPsoverlapslightly.WAPsthatoverlapeachothershoulduseauniquechannel(frequency).

• Hidden service set identifier (SSID) YoucanconfigureWAPsnottobroadcasttheirSSIDs,alsoknownasahidden SSID.HiddenSSIDsaretypicallyusedasasecuritymeasure;however,avoidtheuseofhiddenSSIDs,becauseitismoredifficultforadevicetojoinahiddenSSID,andthereisminimalsecuritybenefitinhidingSSIDsineducationalsolutions.Becauseuserstendtoroam,hiddenSSIDscanleadtopooruserexperienceanddelaysinwirelessnetworkassociationtime.

• Broadband cellular support ManydevicesmayhavebroadbandcellularnetworkadaptersthatprovideInternetconnectivity.BroadbandcellularconnectivitycanreducethenetworkcongestiononyourwirelessWi-Finetworks.However,broadbandcellularconnectivityalsorequiresacontractwithacellularprovider.

• Rogue Wi-Fi hotspots ManyusersmaybringWi-Fi–enableddevicesthatcanactasWi-Fihotspots(suchashotspotsprovidedbycellularprovidersorsmartphones).EnsurethatyouspecifyalistofpublishedSSIDsinyourdesignforthefacultyandstudents.Also,specifypoliciesandproceduresthatdiscouragefacultyandstudentsfromstartinganunauthorizedWi-Fihotspot.

YoucanspecifytheuseofGroupPolicytoconfigurethewirelessnetworkadaptersettingsfordevices.Doingsoallowsyoutoprovideconsistentwirelessconfigurationsettingsfordomain-joineddevices.

14WINDOWS 8.1 DEPLOYMENT PLANNING

Additionalinformation:

• “Configure802.1XWirelessAccessClientsbyusingGroupPolicyManagement”athttp://technet.microsoft.com/library/dd759173.aspx

• “IdentifyingtheAreasofCoverageforWirelessUsers”athttp://technet.microsoft.com/library/cc780260(v=ws.10).aspx

• “DeterminingHowManyWirelessAPstoDeploy”athttp://technet.microsoft.com/library/cc782947(v=ws.10).aspx

• “DeterminingWheretoPlaceWirelessAPs”athttp://technet.microsoft.com/en-us/library/cc739928(v=ws.10).aspx

• “SelectingChannelFrequenciesforWirelessAPs”athttp://technet.microsoft.com/library/cc783011(v=WS.10).aspx

15WINDOWS 8.1 DEPLOYMENT PLANNING

AccessibilityNotethefollowingplanningconsiderationsforuserswithspecialaccessibilityneeds:

• WhatEaseofAccessandPersonalizationoptionsdofacultyandstudentsrequire?

• Whatassistivetechnologiesdofacultyandstudentsrequire?

Windows8.1providesessentialaccessibilitytocomputersforthosewithsignificantvision,hearing,dexterity,language,orlearningneeds.ThesefeaturesareavailableinWindows8.1,Windows8.1Pro,Windows8.1Enterprise,andWindowsRT8.1.

NotethefollowingplanningconsiderationsforWindows8accessibility:

• Ease of Access and Personalization options TheseoptionsinWindows8.1makedeviceseasiertosee,hear,anduse;theyincludescreenmagnification,speechrecognition,narration,on-screenkeyboard,keyboardshortcuts,stickykeys,andvisualnotifications.

• Assistive technologies Thebuilt-inassistivetechnologiesinWindows8.1workwithbothWindowsStoreappsandWindowsdesktopsoftwaretoprovideseamlessaccesstotheentireWindowsexperience.DevicesrunningWindows8.1alsoallowyoutouseassistivetechnologysoftwarefromspecialtyassistivetechnologyvendors.

Additionalinformation:

• “AccessibilityinWindows8” athttp://www.microsoft.com/enable/products/windows8

• “AssistiveTechnologyProducts”athttp://www.microsoft.com/enable/at/

• “Windows8.1VoluntaryProductAccessibilityTemplate(VPAT)”athttp://download.microsoft.com/download/B/1/B/B1BDCD6D-4EBC-4D92-9405-5E81AAE159D0/Remote_Server_Administration_Tools_for_Windows_8_1_VPAT.docx

16WINDOWS 8.1 DEPLOYMENT PLANNING

PrintersNotethefollowingkeyprinterplanningconsiderations:

• WhichprinterdriversdoesWindows8.1support?

• WhatisneededtosupportWindowsStoreappsandAdvancedPrintSettingsforWindowsStoreapps?

• Howwillusersconnecttoprinters?

• Whichwillrequiresecuredaccess?

Facultyandstudentsneedtoconnecttoprinterresources.Youneedtoplanforuserconnectivitytoinstitution-ownedprinters.Typically,theseprintersarenetwork-based(throughwirelessorwirednetworks).However,insomeinstances,theseprintersmaybeconnectedtotheWindows8devicesbyUSBcables.

NotethefollowingplanningconsiderationsforWindows8printerconnectivity:

• Printer drivers Windows8.1supportsthev3printerdrivermodel(usedinWindows7)andthev4printerdrivermodel(usedinWindows8.1andWindows8).PrintersthatareconnectedtoWindows8.1deviceswithv3printerdriversinstalledwillcontinuetoworkastheycurrentlydowithdesktopapplications.Somelimitationsexisttousingprinterdriversbasedonthev3printerdrivermodelforWindowsStoreapps.

• Windows Store device app and Advance Print Settings support FormanyWindows8.1—andWindows8—certifiedprinters(v4printerdrivermodel),Windows8.1automaticallydiscovertheprintersandinstallsthenecessarydrivers.Otherwise,youcanspecifytheGroupPolicysettingsforprintersfordomain-joineddevices.YoucanalsospecifythatusersmanuallyaddandconfigureprintersastheydidinWindows7.Ensurethatyouspecifyalistofavailableprinters(includinganynecessaryIPinformation)tostudentsandfaculty.

NOTE

EnsureyouhaveWindows8.1-certifiedprinterdevicedriversforasmanyprintersaspossible.

17WINDOWS 8.1 DEPLOYMENT PLANNING

• User connection to printers FormanyWindows8–certifiedprinters(v4printerdrivermodel),Windows8automaticallydiscovertheprintersandinstallsthenecessarydrivers.Otherwise,youcanspecifytheGroupPolicysettingsforprintersfordomain-joineddevices.YoucanalsospecifythatusersmanuallyaddandconfigureprintersastheydidinWindows7.Ensurethatyouspecifyalistofavailableprinters(includinganynecessaryIPinformation)tostudentsandfaculty.

• Security for printing Insomeinstances,youmaywanttolimitprinterusagetoauthenticatedusers.DoingsorequiresthatthosewhoneedtousetheseprintershaveaccountsinanADDSdomainsothattheappropriatepermissionscanbeappliedtoeachprinter.

• Protected printing Windows8.1includessupportforprotectedprinting,whichallowsuserstospecifyaPINthatisthenusedattheprinterpriortothejobbeingprinted.Windows8.1alsoallowsyoutospecifyadefaultPINtoreducewastefulpaperconsumptionrelatedtocontentthatisprintedbutneverretrieved.

Additionalinformation:

• “PrintersExtension”athttp://technet.microsoft.com/library/cc731562.aspx

• “DeployingPrintersbyUsingGroupPolicy”athttp://technet.microsoft.com/library/cc754699.aspx

• “OverviewofPrintinginWindows8”athttp://msdn.microsoft.com/library/windows/hardware/hh852373.aspx

• “DriverSupportforProtectedPrinting”athttp://msdn.microsoft.com/library/windows/hardware/dn265277(v=vs.85).aspx

18WINDOWS 8.1 DEPLOYMENT PLANNING

Security and privacyNotethefollowingInternetplanningconsiderations:

• WhicheditionofWindows8.1isnecessarytosupportthedesiredsecurityandprivacyfeatures?

• HowareusersanddevicesprotectedwhenconnectedtotheInternet?

• Whatmethodsareavailabletopreventusersfrominstallingorrunningunauthorizedapps?

• WhatmethodsareavailabletoprotectuserprivacywhenrunningWindowsStoreapps?

• Whatmethodsareavailabletoprotectdevicesandtheinformationonthem?

• Whatpoliciesshouldyouconsiderimplementingwithstudents,parentsandfaculty?

Windows8.1includesseveralnewsecurityandprivacyfeatures.Table 2liststhesecurityandprivacytechnologiesbyWindows8.1edition.UsethislisttodeterminewhicheditionofWindows8.1youneedtosupportthesecurityandprivacytechnologiesyouwanttouse.SelecttheappropriateWindows8.1editionthatprovidesacompletesecurityandprivacysolutionthatyoucanthencustomizeforeachuser.

WinDoWS 8.1 WinDoWS 8.1 Pro

WinDoWS 8.1 EntErPriSE

Windows Store App privacy Yes Yes Yes

Family Safety Yes Yes Yes

Unified Extensible Firmware Interface (UEFI)

Secure BootYes Yes Yes

SmartScreen Filter Yes Yes Yes

Windows Defender (malware protection) Yes Yes Yes

Windows Firewall Yes Yes Yes

Picture Password Yes Yes Yes

TABLE 2 SecurityandPrivacyTechnologiesbyWindows8.1Edition

19WINDOWS 8.1 DEPLOYMENT PLANNING

WinDoWS 8.1 WinDoWS 8.1 Pro

WinDoWS 8.1 EntErPriSE

BitLocker Drive Encryption and BitLocker

To GoNo Yes Yes

Encrypting File System (EFS) No Yes Yes

Domain membership No Yes Yes

Group Policy objects (GPOs) No Yes Yes

AppLocker No No Yes

Microsoft DirectAccess No No Yes

Auto-triggered VPN Yes Yes Yes

Windows To Go No No Yes

Forinstitution-owneddevices,Windows8.1ProorEnterpriseisrecommended(dependingonthefeaturesdesired)forinstitutionsthatrequiremanagementofdevicesbyusingMicrosoftmanagementproductsandtechnologies,suchasGroupPolicyandMicrosoftSystemCenter2012R2ConfigurationManager.InmanagedenvironmentsWindows8.1shouldbeafactorforpersonallyowneddevicesinBringYourOwnDevice(BYOD)scenarios.

ThesubsequentsectionswilllookathowthesefeaturesareusedforInternetaccess,applicationaccess,anddeviceaccess.FormoreinformationaboutthefeaturesinTable2onpage18,seethefollowingresources:

• Windows Store App privacy Seesection4,“WindowsStoreappsputthecustomerincontrol,”inthetopic,“AppcertificationrequirementsfortheWindowsStore,”athttp://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx

• Family Safety Seethetopic,“What’sNewinWindows8FamilySafety,”athttp://msdn.microsoft.com/en-us/library/windows/desktop/jj155495(v=vs.85).aspx

NOTE

ThereisnocentralizedmanagementoftheFamilySafetyfeaturebyusingGroupPolicies.TheMicrosoftaccountshouldbeviewedasapersonalaccountforusebystudentsortheirguardians.

20WINDOWS 8.1 DEPLOYMENT PLANNING

• UEFI Secure Boot Seethetopic,“SecuringtheWindows8BootProcess,”athttp://technet.microsoft.com/en-US/windows/dn168167.aspx

• SmartScreen Filter and Windows Defender Seethetopic,“HowdoIfindandremoveavirus,”athttp://windows.microsoft.com/is-is/windows-8/windows-defender#1TC=t1andthetopic,“SmartScreenFilter:FAQ,”athttp://windows.microsoft.com/is-is/internet-explorer/use-smartscreen-filter#ie=ie-10

• Windows Firewall Seethetopic,“WindowsFirewallfromstarttofinish,”athttp://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish

• Picture Password Seethetopic,“Signinginwithapicturepassword,”athttp://windows.microsoft.com/is-is/windows-8/picture-passwords#1TC=t1

• BitLocker and BitLocker To Go Seethetopic,“HelpprotectyourfileswithBitLockerDriveEncryption,”athttp://windows.microsoft.com/is-is/windows-8/using-bitlocker-drive-encryptionandthetopic,“HelpprotectyourfileswithBitLocker,”athttp://windows.microsoft.com/en-US/windows-8/bitlocker#1TC=t1

• EFS Seethetopic,“Encryptordecryptafolderorfile,”athttp://windows.microsoft.com/en-US/windows-vista/Encrypt-or-decrypt-a-folder-or-file

• Domain membership Seethetopic,“ActiveDirectoryDomainServicesOverview,”athttp://technet.microsoft.com/en-us/library/hh831484.aspx

• GPOs Seethetopic,“GroupPolicyOverview,”athttp://technet.microsoft.com/en-us/library/hh831791.aspx

• AppLocker Seethetopic,“AppLockerOverview,”athttp://technet.microsoft.com/en-us/library/hh831409.aspx

• DirectAccess Seethetopic,“UsingDirectAccess,”athttp://technet.microsoft.com/en-us/windows/dn168168.aspx

• Auto-triggered VPN Seethetopic,“What’sNewinRemoteAccessinWindowsServer2012R2,”athttp://technet.microsoft.com/en-us/library/dn383589.aspx

• Windows To Go Seethetopic,“WindowsToGo:FeatureOverview,”athttp://technet.microsoft.com/en-us/library/hh831833.aspx

21WINDOWS 8.1 DEPLOYMENT PLANNING

Internet access

WhenusersconnecttotheInternet,theyareattheirgreatestriskofhavingsecurityattacksfrommalicioususersandsoftware.Windows8.1includesseveralbuilt-infeaturesthathelpprotectusersduringaccess.YoucanenableandenforcemanyofthesefeaturesbyusingGroupPolicy.Forexample,youcanuseGroupPolicytoenableWindowsDefenderandWindowsFirewall.ThesesecurityfeaturesareenabledinWindows8.1bydefault.

SpecifysecuritypoliciesthatimplementsafetyfeatureswhenconnectingtotheInternet,whereapplicable.Forexample,guardiansofstudentscanusetheFamilySafetyfeaturetorestrictaccesstowebsitesbasedonuserage(suchasrestrictingthetypesofappsthatuserscanviewinandinstallfromtheWindowsStore).

Application access

Application-relatedsecurityandprivacyaredividedintocontrolling:

• The installation and running of approved apps only Forinstitution-owneddevices,ensurethatusersrunonlyapprovedapps.Youcanenforcewhichappscanbeinstalledandrunoninstitution-owneddevicesbyusingtechnologiessuchasFamilySafety,AppLocker,andGroupPolicy.Forpersonallyowneddevices,educatefacultymembers,students,andguardiansonhowtouseFamilySafetyfeaturestoshowage-appropriatecontentonly.

• Any personal information the apps collect while it is running SomeWindowsStoreappscancollectprivateinformationwhiletheappisrunning(suchaslocationoroptionsselectedintheapp).WindowsStoreappsincludetheabilityforuserstooptinorprovideconsenttocollectsuchinformationbydesigntopassWindowsStoreappcertification.Becausetheusermustprovideconsent,educateusersontheinformationthatcouldpotentiallybecollectedandtherisksofprovidingtheinformation.Thiswouldbetrueforinstitution-owneddevicesandpersonallyowneddevices.

Device access

Devicesecurityandaccessrepresentoneofthelargestopportunitiesfordataloss,forgottenpasswords,andothersecurity-relatedissues.HelpusersmitigatetherisksofdeviceaccessbyusingWindows8features.Forexample,youcanuseBitLockertopreventconfidentialdatabeingobtainedfromalostorstolendevice.Thisisparticularlyimportantfordevicesthatstorefacultyorstudentinformationonthedevice.

22WINDOWS 8.1 DEPLOYMENT PLANNING

Table 3liststhedeviceaccesssecurityandprivacytechnologiesandthenecessaryinformationforselectingtheappropriatetechnologiesforyourinstitution.Youcanselectanycombinationofthesetechnologiestodesignacompletesolution.

TABLE 3 DeviceAccessSecurityandPrivacyTechnologySelection

EFS BitLocKEr AnD BitLocKEr to Go

PicturE PASSWorD WinDoWS to Go

Encrypts confidential information

Yes(individualfilesandfolders)

Yes(entirefixedorremovabledisk

volumes)N/A N/A

Reduces the complexity of

signing onN/A N/A Yes N/A

Reduces the risk of information loss when a device is

lost or stolen

Yes Yes Yes Yes(ifencryptedwithBitLocker)

Reduces the cost of replacement when

a device is lost or stolen

N/A N/A N/A Yes

Infrastructure None None None None

Ownership scenarios

Personallyorinstitution-owned

Personallyorinstitution-owned

Personallyorinstitution-owned Institution-owned

Domain join required No

No(butrecoverykeyscanbestoredinADDSfordomain-joined

devices)

NoNo,butrequiresWindows8.1

Enterpriseedition

Remote connectivity

Notethefollowingremoteconnectivityappplanningconsiderations:

• Whichusersrequireremoteconnectivitytoresourcesontheinstitution’sintranet?

• Howcanusersaccessintranetresources?

• Whattypesofdevicesrequireremoteconnectivity?

23WINDOWS 8.1 DEPLOYMENT PLANNING

• Whatleveloftechnicalexpertisedotheusershave?

• Whatchangesmustyoumaketothenetworkinfrastructuretosupportremoteconnectivity?

Table 4liststheremoteconnectivitytechnologiesincludedinWindows8.1.Thesetechnologiesallowuserstoaccessresourcesonyourinstitution’sintranet.Selecttherightcombinationofremoteconnectivitytechnologiestocreateyoursolution.

DirEctAccESS VirtuAL PriVAtE nEtWorK (VPn)

Works across multiple operating systems

Yes(onlyWindows7andWindowsServer2008R2orlateroperatingsystems)

Yes(includingWindowsXPandlaterWindowsoperatingsystems,AppleiOS,MacOSXoperatingsystems,andAndroid

Included as part of Windows 8.1 Yes Yes

Provides automatic connections Yes

Yes(byusingtheAuto-TriggeredVPNfeature

inWindows8.1)

Supports server endpoints from other

vendorsNo

Yes(VPNsupportforCheckPointVPN,F5VPN,JuniperNetworksJunosPulse,Microsoft,andSonicWallMobileConnectVPNserverendpointsincludedin

Windows8.1)

Supports “manage-out” remote

management scenarios

Yes No

Supports offline domain join Yes No

Works with Windows To Go Yes Yes

Devices must be domain joined Yes No

Can be used on institution-owned

devicesYes Yes

TABLE 4 RemoteConnectivityTechnologySelection

24WINDOWS 8.1 DEPLOYMENT PLANNING

DirEctAccESS VirtuAL PriVAtE nEtWorK (VPn)

Can be used on personally owned

devicesNo Yes

Infrastructure requirements

AD DS

RemoteAccessServerconfiguredfor

DirectAccess

AD DS

VPNserverendpoint(couldbeMicrosoftRemoteAccessServerorpartnerVPNserver

solution)

Can be managed by Windows PowerShell Yes Yes

DirectAccess

DirectAccessprovidesintranetconnectivitytodeviceswhentheyareconnectedtotheInternet,muchlikeaVPN.DirectAccessinitiatestheconnectiontotheintranetassoonasthedeviceconnectstotheInternet(unliketraditionalVPNconnections,whichusersmustexplicitlyinitiateandterminate).DirectAccesscanworkinIPversion4(IPv4)–onlynetworks,IPversion6(IPv6)–onlynetworks,oracombinationofIPv4andIPv6networks.SupportforIPv4-onlynetworksrequiresWindowsServer2012R2.

DirectAccessalsosupportsperforminganoffline domain join.AnofflinedomainjoindoesnotrequirethedevicetobephysicallyconnectedtoyourintranettojoinyourADDSdomain;instead,youcreateafilethatisprovidedtousersalongwiththeinformationneededtoconfigureDirectAccess.WhentheuserconfiguresDirectAccess,theinformationforperformingtheofflinedomainjoinisusedtojointhedevicetothedomain.Forexample,theofflinedomainjoinfeaturewouldallowfacultymemberstodomain-joincomputersattheirhomewithoutrequiringthemtobringthecomputerstocampus.

DirectAccessalsosupports“manage-out”remotemanagementscenarios,whichallowyoutodeploysoftwareupdates,collectsoftwareanddeviceinventoryinformation,andperformothermanagementoperationsanytimethedeviceisconnectedtotheInternet.YoucanperformalloftheseactionsinthebackgroundwithoutinterruptingtheuserorrequiringuserinteractionbyusingtechnologiessuchasSystemCenter2012R2ConfigurationManagerandGroupPolicy.

FormoreinformationonDirectAccess,see“RemoteAccess(DirectAccess,RoutingandRemoteAccess)Overview”athttp://technet.microsoft.com/library/hh831416.

25WINDOWS 8.1 DEPLOYMENT PLANNING

Virtual private network

VPNhasbeenacommonremoteconnectivitytechnologyfordecades.MostremoteconnectivityvendorsprovidesupportforVPN.Windows8.1andWindowsServer2012R2providesupportformostindustry-standardVPNsolutions,includingL2TP,PPTP,andSSTPVPNconnections.

Windows8.1includesthenewAuto-TriggeredVPNfeature,whichallowsWindowstoautomaticallyinitiateaVPNconnectionby:

• ReferencingaDomainNameSystem(DNS)domainnamesuffix.ThisallowsyoutoconfigureWindows8.1toautomaticallyinitiateaVPNconnectionwhenauserattemptstoaccessaresourcewiththeDNSdomainsuffix.Forexample,youcouldconfigureWindows8.1toautomaticallyinitiateaVPNconnectionanytimetheuserattemptstoaccessaresourcewithaDNSsuffixofcorp.contoso.com(suchasdc.corp.contoso.comorintranet.corp.contoso.com).

• StartingaspecificWindowsStoreordesktopapp.ThisallowsyoutoconfigureWindows8.1toautomaticallyinitiateaVPNconnectionwhentheuserstartsanapp.Forexample,youcouldconfigureWindows8.1toautomaticallyinitiateaVPNconnectionwhentheuserstartstheBingFinanceapportheWeatherapp.YoucanalsoconfigureWindows8.1toautomaticallyinitiateaVPNconnectionfordesktopapps,suchasWord.exeorExcel.exe.

TheAuto-TriggeredVPNfeatureworkswithanyoftheVPNserverendpointsthatWindows8.1supports,includingCheckPointVPN,F5VPN,JuniperNetworksJunosPulse,Microsoft,andSonicWallMobileConnectVPNserverendpoints.

FormoreinformationaboutVPNsandtheAuto-TriggeredVPNfeatureinWindows8.1,see“RemoteAccess(DirectAccess,RoutingandRemoteAccess)Overview”athttp://technet.microsoft.com/library/hh831416.aspxandWindowsServer2012R2TestLabGuide:DemonstrateVPNAutotriggerathttp://technet.microsoft.com/en-us/library/dn383580.aspx.

26WINDOWS 8.1 DEPLOYMENT PLANNING

Windows Store appsNotethefollowingWindowsStoreappplanningconsiderations:

• WhichuseraccountsarerequiredtoaccesstheWindowsStore?

• HowcanWindowsStoreappsbedeployed?

• HowcanWindowsStoreappsbemanagedintheclassroom?

• Howdoessinglesign-on(SSO)workwithWindowStoreapps?

• WhatchangesmustyoumaketothenetworkinfrastructuretosupporttheWindowsStore?

• HowareWindowsStoreappsobtained?

TheWindows8.1operatingsystemincludesmanynewfeatureandcapabilities,butoneprominentfeatureisWindowsStoreapps.EducationalinstitutionscanpurchaseorcreateappsforWindows8thatusethenewUI.

INFO

WindowsStoreappplanningconsiderationsarediscussedinWindows Store apps: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39685.

27WINDOWS 8.1 DEPLOYMENT PLANNING

User accountsNotethefollowingkeyuseraccountplanningconsiderations:

• WhenareMicrosoftandWindowsaccountsrequired?

• Doagerestrictionsexistforaccounts?

• HowcanOffice365orWindowsAzureActiveDirectory(AD)accountsbeused?

• WhatistherelationshipamongMicrosoft,Windows,andWindowsAzureADaccounts?

• HowcanyouprovideanSSOexperienceforusers?

FacultyandstudentsneeduseraccountstologontotheirWindows8devices,accesstheWindowsStore,accesson-premisesresources,andaccessInternetresources.Asapartoftheplanningprocess,determinetheuseraccountsthatfacultyandstudentswilluse,theagerestrictionsforaccounts,andhowtoprovidethebestSSOexperienceforusers.

Notethefollowingplanningconsiderationsforuseraccounts:

• Determine the user accounts to use Table5onpage28liststheuseraccounttypesavailableforuseinWindows8.UsetheinformationinTable 5todeterminewhichuseraccounttypesfacultyandstudentswilluse.

• Account management Youcancentrallymanagedomain-basedWindowsaccountsandWindowsAzureADaccounts.YoucannotcentrallymanageMicrosoftaccountsandlocalWindowsaccounts(forexample,youcannotmanageaMicrosoftaccountthatastudentorfacultymembercreates).However,userscanmanagetheirrespectiveMicrosoftaccountswithoutrequiringassistancefromITresources.Usetheseconsiderationsasyouselectuseraccounts.

• Determine account age restrictions MicrosoftaccountsintheUnitedStatescomplywiththeChildren’sOnlinePrivacyProtectionAct(COPPA)regardingonlineaccountcreationforchildrenunder13yearsofage.ToverifythatanadultisgivingachildpermissiontocreateanewMicrosoftaccount,COPPArequiresthatasmallamountbechargedtotheadult’screditcard(foraU.S.account).AlthoughyoudonotneedadultpermissiontocreateWindowsaccountsandWindowsAzureADaccounts,itisrecommendedthatadultsbenotifiedandpermissionobtained,asnecessary.

28WINDOWS 8.1 DEPLOYMENT PLANNING

Account tyPE DEScriPtion

Windows account ThisaccountisstoredlocallyontheWindows8.1device(localWindowsaccount)orinanon-premisesADDSdomain.ThisaccountisidenticaltotheuseraccountsthatWindows7uses.YoucanassociateaMicrosoftaccountwithaWindowsaccounttoprovideaccesstoresourcesthatuseaMicrosoftaccount(suchastheWindowsStoreorSkyDrive).ThisaccountisalwaysrequiredtologontoaWindows8.1device.

Microsoft account ThisaccountisanInternet-basedaccountusedtoaccesstheWindowsStoreorotherservicesthatuseMicrosoftaccounts(previouslyknownasWindows Live ID).YoucanassociateaMicrosoftaccountwithanexistingWindowsaccount.ThisaccountistypicallyrequiredbutcouldbeoptionalifnoservicesthatuseMicrosoftaccountsareused(suchasnotaccessingtheWindowsStore).

Windows Azure AD account

ThisaccountisanInternet-basedaccountstoredinWindowsAzureADservices(whichmayhavebeenmigratedfromorintegratedwithanon-premisesADDSinfrastructure).Office365usesWindowsAzureADservicestostoreOffice365credentials.Thisaccountisrequiredifemailandotherservicesusethistypeofaccount(suchasusingemailorMicrosoftSharePointOnlineinOffice365).

Guardiansshouldbeinvolvedintheaccountcreationprocessandtheprovisioningofdevicestochildrenunder13yearsofage.InstructtheguardiansonhowtheFamilySafetyfeaturecanhelpintegratethemintotheirchild’sdigitallearningexperience.

Additionalinformation:

• “Microsoftaccount”athttp://windows.microsoft.com/en-US/windows-live/microsoft-account-help#microsoft-account=tab1

• “WindowsAzure:IdentityandAccessManagement”athttp://www.windowsazure.com/en-us/home/features/identity

• Children’sOnlinePrivacyProtectionathttp://www.coppa.org

• Windows Store apps: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39685

TABLE 5 UserAccountTypesandDescriptions

29WINDOWS 8.1 DEPLOYMENT PLANNING

DeploymentNotethefollowingkeydeploymentplanningconsiderations:

• WhatdeploymentscenariosareavailableforWindows8.1ineducation?

• Whatarethedeploymenttechnologiesandtoolsavailableforinstitution-owneddevices?

• Whatarethedeploymenttechnologiesandtoolsavailableforpersonallyowneddevices?

• WhatroledoesvirtualizationplayindeployingWindows8ineducation?

• Whattypeofconnectivityisavailablefordevicesafterdeployment?

Windows8.1providesawiderangeofflexibilityindeploymentoptions.ThisflexibilityallowsyoutodesignadeploymentsolutionthatprovidesWindows8.1toallusers,regardlessofthedevicetheyuseorwheretheyarelocated.

Table 6describessomecommonWindows8.1deploymentscenariosandtheinformationnecessaryforselectingtheappropriatescenariosforyourinstitution.YoucanselectanycombinationofthesescenariostodesignacompleteWindows8.1deploymentsolution.Eachscenarioisdiscussedinasubsequentsection.

TABLE 6 DeploymentScenarioSelection

inStitution-oWnED DEVicES

PErSonALLy oWnED DEVicES

VirtuAL DESKtoP inFrAStructurE

(VDi)

WinDoWS to Go

Can be domain joined (requires Windows 8.1 Pro

or Enterprise editions)Yes

Yes(butmanyuserswillnotwanttheir

personaldevicestobedomain

joined)

Yes Yes

Institution has full control of the device Yes No Yes Yes

Can manage operating system deployment Yes No Yes Yes

30WINDOWS 8.1 DEPLOYMENT PLANNING

inStitution-oWnED DEVicES

PErSonALLy oWnED DEVicES

VirtuAL DESKtoP inFrAStructurE

(VDi)

WinDoWS to Go

Deployment tools available for deployment

MicrosoftDeploymentToolkit(MDT)

MicrosoftSystemCenterConfigurationManager

WindowsDeploymentServices

Interactive(manual)

N/A

MDT

SystemCenterConfigurationManager

WindowsDeploymentServices

Interactive(manual)

Interactive(manual)

WindowsPowerShellscripts

InfrastructureDeployment

toolsrequirements

None

Deploymenttools

requirements

VDIrequirements

None

Can support devices running operating

systems prior to Windows 8.1

Yes(byusingVDIorWindows

ToGo)

Yes(byusingVDIorWindows

ToGo)Yes

Yes(butdevicemustmeetWindowsToGohardwarerequirements)

Windows 8.1 licenses required by institution

Yes,mostoftenpurchasedwithanewdevice

No(exceptVDIsessionsthatusersaccess)

Yes Yes

Requires system hardware upgrades for existing devices by institution

Notoften(Windows8requirementsaresameasWindows7)

No No

Notoften(WindowsToGosupportsanydevicethatiscertifiedforWindows7)

Required full-time connectivity to institution

intranetNo No Yes No

31WINDOWS 8.1 DEPLOYMENT PLANNING

Institution-owned devices

Institution-owneddevicesrepresentthelargestareaofdeploymentresponsibility.Thesedevicescanbedividedintodevicesthatcurrentlyrun:

• Windows 8.1 ThesedeviceswilltypicallybenewdevicesthatarepurchasedwithWindows8.1installed.ThechallengeshereareensuringthatthedeviceshavethecorrectWindows8.1editionandalsohaveastandardoperatingsystemimage.

• Operating systems prior to Windows 8.1 Tousethesedevices,performoneofthefollowingtasks:

• Upgrade to Windows 8.1 ThesystemresourcesforthesedevicesmustbesufficienttosupportWindows8.1.Iftheexistingsystemresourcesareinadequate,thenmustbeupgradedasapartoftheWindows8.1upgrade.UpgradesfromWindow8areavailableatnoadditionallicensingfee.UpgradesfrompriorversionsofWindows(suchasWindows7)areavailableforeducationalinstitutions.Formoreinformation,seethesection,“Windows8.1purchaseandlicensing”onpage4,earlierinthisguide.

YoucandetermineifanexistingdevicecanrunWindows8.1byusingtheMicrosoftAssessmentandPlanning(MAP)Toolkit.TheMAPToolkitisafreesolutionacceleratoravailableathttp://technet.microsoft.com/en-us/library/bb977556.aspx.

• Connect to Windows 8.1 in VDI Ifthesystemresourcesareinadequateorthecostofupgradeisprohibitive,thesedevicescanrunWindows8.1inaVDIenvironment.ThishastheadvantageofallowinguserstocontinuetouseexistingdeviceswhilerunningthelatestappsinWindows8.1.

• Operating systems other than Windows 8.1 Thesedevices(suchasdevicesrunningiOSorGoogleAndroidoperatingsystems)canrunWindows8.1andappsinaVDIenvironment.Thishastheadvantageofallowinguserstocontinuetouseexisting,institution-owneddeviceswhilerunningthelatestappsinWindows8.1.

NOTE

ItispossibletorunWindowslocallyoncertainApplecomputersortorunWindowsinavirtualizedenvironmentontheMacoperatingsystem.Intheseinstances,thesecomputerscanbemanagedandsupportedasWindows8.1devices.

32WINDOWS 8.1 DEPLOYMENT PLANNING

YoucanautomateWindows8.1deploymenttoinstitution-owneddevicesbyusingtheMDT2013,MicrosoftSystemCenter2012R2ConfigurationManager,orWindowsDeploymentServicesinWindowsServer2012R2.YoucanalsoperformmanualdeploymentofWindows8.1fromthedistributionmedia.YoucanupgradetoWindows8.1fromdistributionmediaorbydownloadingtheupdatefromtheWindowsStore.

Additionalinformation:

• Windows 8.1 deployment to PCs: A guide for educationathttp://www.microsoft.com/download/details.aspx?id=39684

• VDI: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39687

Personally owned devices

BYODscenariosarecommonineducationalinstitutions.Personallyowneddevicesrepresenttheleastamountofdeploymentresponsibility.Thesedevicescanbedividedintodevicesthatcurrentlyrun:

• Windows 8.1 ThesedeviceswilltypicallybenewdevicesthatarepurchasedwithWindows8.1installed.ThefeaturesavailableonthesedeviceswillbedeterminedbytheWindows8.1edition.

• Operating systems prior to Windows 8.1 Tousethesedevices,performoneofthefollowingtasks:

• Upgrade to Windows 8.1 from Windows 8 TheupgradetoWindows8.1requiresnoadditionalpurchase.UserscanupgradetheirdevicesfromWindows8toWindows8.1fromtheWindowsStoreorfromdistributionmedia.Formoreinformation,seethesection“Windows8.1purchaseandlicensing”onpage4.

• Upgrade to Windows 8.1 from Windows 7 or earlier operating systems ThesystemresourcesforthesedevicesmustbesufficienttosupportWindows8.Also,thepersonwhoownsthedevice(suchasafacultymember,student,orstudentguardian)mustpurchasetheupgrade.EducationaldiscountsareavailableforupgradesfrompriorversionsofWindows(suchasWindows7)forfacultyandstudents.Formoreinformation,seethesection,“Windows8.1purchaseandlicensing”onpage4,earlierinthisguide.

• Connect to Windows 8.1 in VDI Ifthesystemresourcesareinadequateorthecostofupgradeisprohibitive,thesedevicescanrunWindows8.1inaVDIenvironment.Thishastheadvantageofallowinguserstocontinuetouseexistingdevices(withoutupgrade)

33WINDOWS 8.1 DEPLOYMENT PLANNING

whilerunningthelatestappsinWindows8.1.However,itmayrequireuserstojointheirdevicestodomainsandwillalsorequireaninstitution-issuedWindowsaccount.

• Operating systems other than Windows 8.1 Thesedevices(suchasdevicesrunningiOSorAndroid)canrunWindows8.1andappsinaVDIenvironment.Thishastheadvantageofallowinguserstocontinuetouseexisting,personallyowneddeviceswhilerunningthelatestappsinWindows8.1.

Additionalinformation:

• BYOD devices: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39681

• VDI: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39687

Virtual Desktop Infrastructure

YoucandesignaVDIbyusingtheHyper-VandRemoteDesktopServicesserverrolesinWindowsServer2012R2orbyusingWindowsMultiPointServer2012.

Table 7liststheVDItechnologiesandtheinformationnecessaryforselectingtheappropriatetechnologiesforyourinstitution.YoucanselectanycombinationofthesetechnologiestodesignacompleteVDIsolution.

HyPEr-V AnD rEMotE DESKtoP SErVicES SErVEr roLES in WinDoWS SErVEr 2012 r2

WinDoWS MuLtiPoint SErVEr 2012

Infrastructure Managed ManagedbyWindowsMultiPointServer2012

Scaling Multipleserverdeployment(asrequiredforscaling)

Singleserverdeploymentonly(limitof20usersinPremiumedition)

Availability Multipleserverdeploymentinclusters(asrequiredforavailability)

Singleserverdeploymentonly

TABLE 7 VDITechnologySelection

34WINDOWS 8.1 DEPLOYMENT PLANNING

HyPEr-V AnD rEMotE DESKtoP SErVicES SErVEr roLES in WinDoWS SErVEr 2012 r2

WinDoWS MuLtiPoint SErVEr 2012

Supported devices • DevicesusingRemoteDesktopProtocol(RDP)version5

• MicrosoftRemoteFXcapableasrequired

• Directvideoconnected

• USBzeroclients

• DevicesusingRDP

• RemoteFXcapable(asrequiredandavailableonlyforRDPconnections)

AVDIsolutionthatyoucreatebyusingHyper-VandRemoteDesktopServicesserverrolesinWindowsServer2012R2worksbycreatingaVMtemplateofWindows8.1,andthenrunninginstancesoftheWindows8.1templateinHyper-V.UsersremotelyaccesstheVMsrunningWindows8.1byusingRemoteDesktopServices.

Additionalinformation:

• “MicrosoftVirtualDesktopInfrastructure(VDI)”athttp://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx

• “PlanningaWindowsMultiPointServer2012Deployment”athttp://technet.microsoft.com/library/jj916408.aspx

• VDI: A deployment guide for educationathttp://www.microsoft.com/download/details.aspx?id=39687

Windows To Go

WindowsToGoisafeatureinWindows8.1EnterpriseeditionthatenablesuserstobootfromashareddevicewithaUSBflashdriveandhaveaccesstoalltheirusersettings,apps,anddata.YoucanboottheWindowsToGoworkspaceonanydevicethatmeettheWindows7orWindows8certificationrequirements,regardlessoftheoperatingsystemcurrentlyrunningonthedevice.

NOTE

Althoughnotrequired,MicrosoftstronglyrecommendsthattheUSB-connectedexternaldrivebeconnectedtoaUSB3.0port.Also,theUSB-connectedexternaldriveshouldbeonthecertifiedlistofdevices,whichcanbefoundathttp://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx.

35WINDOWS 8.1 DEPLOYMENT PLANNING

WindowsToGoworkspacescanusethesameWindows8.1Enterpriseimagethateducationalinstitutionsuseforotherdevices.Youcanmanagetheworkspacesthesameway.WindowsToGoisnotintendedtoreplaceotherphysicaldevicesorsupplantothermobilityofferings.Rather,itprovidessupportforefficientuseofresourcesforalternativeworkplacescenarios,suchasprovidingastudentwithaWindowsToGoworkspacetoperformclassroomactivities.

FormoreinformationaboutWindowsToGodesignanddeployment,see“WindowsToGo:FeatureOverview”athttp://technet.microsoft.com/library/hh831833.aspx.

36WINDOWS 8.1 DEPLOYMENT PLANNING

Device roaming and multiple devicesNotethefollowingkeyusageplanningconsiderationsforusingmultipledevices:

• Whathappenstouserandapplicationsettingsifauserusesmultipledevices?

• WhathappenstouserandapplicationsettingsifauserusesbothWindows8.1andWindows7?

• Whathappenstouserandapplicationdataifauserusesmultipledevices?

• Whatlevelofcontrolcanbeusedfortheuserandapplicationsettingsthatfollowauser?

• HowcanthenecessaryWindowsStoreappsanddesktopappsbeinstalledonmultipledevices?

OneofthekeyfeaturesofWindows8.1istheabilitytocustomizetheuserexperience.Inmanyinstances,WindowsStoreappsanddesktopapplicationsalsostoreapplication-specificusersettingsandpreferences(suchasthemes,backgrounds,orspellingdictionariesinOfficeProfessionalPlus2013).Userstypicallysavedocuments,photos,andotherfilestofoldersondevices(suchastheDocuments,Music,Pictures,orVideosfolders).Andfinally,userswillinstallWindowsStoreappsanddesktopapplicationsondevices.

Iffacultymembersandstudentsalwaysusethesamedevice,thenalltheuserandapplicationsettings,userdata,andappsarealwaysavailabletothem.Butwhathappenswhentheyusedifferentdevices?Somehow,theuserandapplicationsettings,userdata,andappsneedtobeavailableonmultipledevices(alsoknownasdevice roaming).

Inaddition,someusersmayuseWindows8.1deviceswhileoncampusbutmayhaveWindows8orWindows7devicesathome.TheuserandapplicationssettingsneedtobetranslatedbetweenWindows8.1,Windows8,andWindows7.Table8onpage37liststhetechnologiesavailabletohelpmanageuser,operatingsystem,application,andapplicationsettingsonmultipledevices.Youcanselectanycombinationofthesetechnologiestodesignacompletemultipledeviceusagesolution.Eachtechnologyisdiscussedinasubsequentsection.

37WINDOWS 8.1 DEPLOYMENT PLANNING

TABLE 8 MultipleDeviceUsageTechnologySelection

WorK FoLDErS + WorKPLAcE

Join

WinDoWS FoLDEr

rEDirEction + oFFLinE FiLES

WinDoWS roAMinG uSEr

ProFiLES

MicroSoFt uSEr ExPEriEncE VirtuALizAtion

(uE-V)

MicroSoFt APPLicAtion

VirtuALizAtion (APP-V)

Works across multiple devices

Yes(onlyWindows8.1orWindowsRT8.1)

Yes Yes Yes Yes

Works across multiple operating

systems

Yes(onlyWindows8.1orWindowsRT8.1)

Yes No Yes Yes

Included as a part of Windows 8.1 Yes Yes Yes No No

Provides granular management of user, operating

system, and application settings

No No No Yes No

Provides centralized management of user experience

Yes Yes(withGroupPolicy)

Yes(withGroupPolicy) Yes Yes

Works with Remote Desktop Services Yes Yes

Yes(butlogonandlogofftimescanbeslowbecausetheprofileneedstobecopiedto

andfromtheserver)

Yes Yes

Works with VDI scenarios Yes Yes Yes Yes Yes

Works with Windows To Go Yes Yes Yes Yes Yes

Devices must be domain joined

No(ifusingWorkplaceJoinwith

WorkFolders)

Yes(ifcentrallymanaged)

Yes Yes Yes

Can be used on institution-owned

devicesYes Yes Yes Yes Yes

38WINDOWS 8.1 DEPLOYMENT PLANNING

WorK FoLDErS + WorKPLAcE

Join

WinDoWS FoLDEr

rEDirEction + oFFLinE FiLES

WinDoWS roAMinG uSEr

ProFiLES

MicroSoFt uSEr ExPEriEncE VirtuALizAtion

(uE-V)

MicroSoFt APPLicAtion

VirtuALizAtion (APP-V)

Can be used personally owned

devicesYes No No No No

Can be used to manage Windows

Store appsNo No No Yes No

Can be used to manage desktop

applicationsNo No No Yes Yes

Can be used in recovery scenarios

(such as new or lost device)

Yes Yes Yes Yes Yes

Assists with desktop application

deploymentNo No No No Yes

Assists with desktop application compatibility issues

No No No No Yes

Requires Microsoft Software Assurance

(SA) subscriptionNo No No Yes Yes

Infrastructure requirements

AD DS

ActiveDirectoryFederationServices(ADFS)inWindows

Server 2012 R2

WorkFoldersinWindows

Server 2012 R2

AD DS

Networksharedfolders

AD DS

Networksharedfolders

Managednetwork

UE-Vinfrastructure

Managednetwork

App-Vinfrastructure

39WINDOWS 8.1 DEPLOYMENT PLANNING

Windows Work Folders and Workplace Join

TheWorkFoldersfeaturecreatessharedworkfoldersthatbehavesimilarlytotheWindowsOfflineFilesfeatureorSkyDrivefeatures(wherefilesaresynchronizedbetweenthedeviceandthesharedfolder).Whileoffline,changestoeitherthesharedworkfolderortheofflinecopyofthefilesonthedevicearesynchronizedthenexttimetheuserconnectsthedevicetothesharedworkfolder.Table 9containsinformationthatcanhelpyoudeterminewhenWorkFoldersistherightsolutioncomparedwithotherMicrosoftfilesynchronizationtechnologies.

TABLE 9 MicrosoftFileSynchronizationTechnologySelection

WorK FoLDErS oFFLinE FiLES SKyDriVE Pro SKyDriVE

Summary

Syncsfilesthatarestoredonafile

serverwithPCsanddevices

Syncsfilesthatarestoredonafile

serverwithPCsthathaveaccesstothecorporatenetwork(canbereplacedby

WorkFiles)

SyncsfilesthatarestoredinOffice365orinSharePointwithPCsand

devicesinsideoroutsideacorporate

networkandprovidesdocumentcollaborationfunctionality

SyncspersonalfilesthatarestoredinSkyDrivewithPCs,Maccomputers,and

devices

Provides user

access to institution-

managed storage

Yes Yes Yes No

Provided as a cloud

serviceNo No Yes(Office365) Yes(SkyDrive)

Provided as on-premises

solution

Yes(onfileserversrunningWindowsServer2012R2)

Yes(onfileserversrunningWindowsServer2008orlateroperatingsystems)

Yes(onserversrunningSharePoint) No

Supported clients

PCsanddevicesinsideoroutsideacorporatenetwork

PCsinacorporatenetworkor

connectedthroughDirectAccess,VPNs,orotherremote

accesstechnologies

PCs,WindowsPhone,iOS,andAndroiddevices

PCs,WindowsPhone,Mac

computers,iOS,andAndroiddevices

40WINDOWS 8.1 DEPLOYMENT PLANNING

Youcanassignpermissionstothesharedworkfolder,justaswithtraditionalservermessageblocknetworksharedfolders.UserscanaccessthesharedworkfolderswhileconnectedtotheintranetorontheInternet(ifconfiguredtodoso).

TheWorkFoldersfeaturecanalsoworkwiththeWorkplaceJoinfeaturetoallownondomain-joineddevicestosecurelyaccesssharedworkfoldersonserversrunningWindowsServer2012R2.TheWorkplaceJoinfeatureallowsnondomain-joineddevicestoberegisteredinADDSthroughtheDeviceRegistrationServicesfeatureinADFS.WhenaWindows8.1deviceisworkplacejoined,acertificateisinstalledonthedeviceandalsostoredinADDS.ThedevicecanthenbeauthenticatedbyusingADFSandADDS.

YoucanalsoconfigurethelevelofauthenticationrequiredtoaccessthesharedworkfoldersbyusingADFS.Forexample,youcouldrequireuserauthentication,deviceauthentication,orboth.

Additionalinformation:

• “WorkFoldersOverview”athttp://technet.microsoft.com/library/dn265974.aspx

• “WorkFoldersTestLabDeployment”athttp://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx

• Walkthrough Guide: Workplace Join with a Windows Deviceathttp://technet.microsoft.com/library/dn280938.aspx

Windows Folder Redirection

TheFolderRedirectionfeatureinWindows8.1redirectsthepathofaknownfolder(suchastheDocuments,Pictures,orVideofolderinauserprofile)toanewlocationmanuallyorbyusingGroupPolicy.Thenewlocationcanbeafolderonthelocaldeviceoradirectoryonafileshare.Usersinteractwithfilesintheredirectedfolderasifitstillexistedonthelocaldrive.Forexample,youcanredirecttheDocumentsfolderonadomain-joineddevice(whichisusuallystoredonalocaldrive)toanetworksharedfolder.Thefolderwillberedirectedonanydomain-joinedcomputeronwhichtheusersigns

NOTE

YoucanuseWorkFolderswithoutWorkplaceJoin,butdoingsorequiresthatthedevicesbedomainjoined.

41WINDOWS 8.1 DEPLOYMENT PLANNING

onandreceivestheGroupPolicysettings.ThefolderisalsoaccessibledirectlyfromthenetworksharedfolderindependentoftheFolderRedirectionGroupPolicysettings.

WhenusedinconjunctionwithUE-V,theFolderRedirectionfeaturehelpsprovideacomprehensivesolutionforuserswhologontomultipledevices.FormoreinformationaboutincludingtheFolderRedirectionfeatureinyourdesign,see“FolderRedirection,OfflineFiles,andRoamingUserProfilesoverview”athttp://technet.microsoft.com/library/hh848267.aspx.

Windows Offline Files

TheOfflineFilesfeatureinWindows8.1makesnetworkfilesavailabletoauser,evenifthenetworkconnectiontotheserverisunavailableorslow.Whenworkingonline,fileaccessperformanceisatthespeedofthenetworkandserver.Whenworkingoffline,filesareretrievedfromtheOfflineFilesfolderatlocalaccessspeeds.Whentheconnectiontotheserverisrestored,theofflinecopyofthefilesissynchronizedtotheserver.

YoucanusetheOfflineFilesfeatureinconjunctionwiththeFolderRedirectionfeatureinWindows8.1andUE-V.TheOfflineFilesfeaturehelpsensurethatuserscanaccessfilesstoredinthelocalfoldersthatareredirectedtonetworksharedfoldersbyusingtheFolderRedirectionfeature.TheFolderRedirectionfeatureisoftenusedwithUE-Vtohelpimproveuserexperiencewhenroaming.

FormoreinformationaboutincludingtheOfflineFilesfeatureinyourdesign,see“FolderRedirection,OfflineFiles,andRoamingUserProfilesoverview”athttp://technet.microsoft.com/library/hh848267.aspx.

Windows Roaming User Profiles

TheRoamingUserProfilesfeatureinWindows8.1redirectsuserprofilestoafilesharesothatusersreceivethesameoperatingsystemandapplicationsettingsonmultiplecomputers.Whenauserlogsontoacomputerbyusinganaccountthatissetupwithafileshareastheprofilepath,theuser’sprofileisdownloadedtothelocalcomputerandmergedwiththelocalprofile(ifpresent).Whentheuserlogsoffofthecomputer,thelocalcopyoftheirprofile,includinganychanges,ismergedwiththeservercopyoftheprofile.RoamingUserProfilesistypicallyenabledondomainaccountsbyanetworkadministrator.

BeforechoosingtodeployRoamingUserProfiles,considerthefollowing:

• RoamingUserProfilescanimpactlogonandlogoffperformance,especiallyifusers’profilescontainmanylargefiles(e.g.,videosandimages).

42WINDOWS 8.1 DEPLOYMENT PLANNING

• RoamingUserProfilesdonotworkacrossfulldesktopexperiencesandsession-basedVDI.

• Inmixedenvironments,Windows8.1andWindows7userprofilesareincompatible.

BecauseoftheseRoamingUserProfilesconsiderations,UE-Visrecommendedformanaginguserexperience.FormoreinformationaboutincludingtheRoamingUserProfilesfeatureinyourdesign,see“FolderRedirection,OfflineFiles,andRoamingUserProfilesoverview”athttp://technet.microsoft.com/library/hh848267.aspx.

Default user profiles

Whenauserlogsontoadeviceforthefirsttime,Windowsmustprovidetheuserwithauserprofile.IftheuserprofileiscentrallymanagedthroughUE-VorRoamingUserProfiles,theuserprofileisobtainedfromthesetechnologies.However,iftheuserprofileisnotcentrallymanaged,thenWindowscreatesthenewuserprofilebasedonthedefaultuserprofileonthatdevice.Thedefaultuserprofileisusedasatemplatewhencreatinganewuserprofile.YoucanuseCopyProfilesettingintheMicrosoftSystemPreparationTooltocustomizeauserprofile,andthencopythatprofiletothedefaultuserprofile.

Becauseofdefaultuserprofilelimitations,MicrosoftrecommendsUE-Vformanaginguserexperience.Formoreinformationaboutincludingdefaultuserprofilesinyourdesign,see“HowtoCustomizetheDefaultUserProfilebyUsingCopyProfile”athttp://technet.microsoft.com/library/hh825135.aspx.

User Experience Virtualization

UE-Visanenterprise-scaleuserstatevirtualizationsolutionthatthatkeepsusers’experiencewiththem.UE-VprovidesusersthechoiceofchangingtheirdeviceandkeeptheirexperiencesothattheydonothavetoreconfigureapplicationseachtimetheylogontodifferentWindows8.1orWindows7computers.UE-VintegrateswiththeFolderRedirectionfeatureinWindows8.1tohelpmakeuserfoldersaccessiblefrommultiplephysicalorvirtualdevices.UE-Vsupportsdesktopapplicationsthataredeployedusingdifferentmethods(suchaslocallyinstalledapps,App-Vsequencedapplications,orRemoteDesktopapplications).UE-VisatechnologyintheMicrosoftDesktopOptimizationPack(MDOP),whichisasuiteoftechnologiesavailablethroughSAsubscriptions.

Additionalinformation:

• “MicrosoftUserExperienceVirtualization(UE-V)”athttp://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/UE-V.aspx

43WINDOWS 8.1 DEPLOYMENT PLANNING

• UE-Vresourcesanddemonstrationvideosathttp://technet.microsoft.com/windows/hh943107

• Microsoft User Experience Virtualization Deployment Guide athttp://www.microsoft.com/en-us/download/details.aspx?id=35495

Microsoft Application Virtualization

App-Vvirtualizesdesktopapplicationssothattheybecomecentrallymanagedservicesdeployedtoavirtualizeddesktopapplicationenvironmentondeviceswithoutusingtraditionalinstallationmethods(knownasapplication sequencing).Thesequenceddesktopapplicationsrunintheirownself-containedvirtualenvironmentandareisolatedfromeachother,whicheliminatesapplicationconflictsbutallowsdesktopapplicationstointeractwiththedevice.

App-VintegrateswithSystemCenter2012R2ConfigurationManager,soyoucanmanagevirtualandphysicaldesktopapplicationsalongwithhardwareandsoftwareinventory,operatingsystemandpatchdeployment,andmore.App-VisatechnologyintheMDOP.

Additionalinformation:

• “MicrosoftApplicationVirtualization(App-V)”athttp://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/app-v.aspx

• App-Vresourcesanddemonstrationvideosathttp://technet.microsoft.com/windows/hh826068

NOTE

App-Vworksonlyfordesktopapplications,notforWindowsStoreapps.

44WINDOWS 8.1 DEPLOYMENT PLANNING

Configuration and managementNotethefollowingkeyWindows8.1configurationandmanagementplanningconsiderations:

• Whichmethodsareavailableforconfiguringandmanagingdomain-joinedandnon–domain-joinedWindows8.1devicesafterdeployment?

• Whataretheadvantagesanddisadvantagesofon-premisesandoff-premisesdevicemanagement?

• WhatmethodsareavailabletomanagedevicesandsoftwarethroughouttheentireITlifecycle?

• Whatconfigurationandmanagementmethodscanbeusedforinstitution-andpersonallyowneddevices?

OngoingWindows8.1deviceconfigurationandmanagementisanessentialpartofyourWindows8.1deploymentplan.Windows8.1supportsbothon-premisesandoff-premisesmanagement.YoucanalsomanageWindows8.1locallyorremotely.Theconfigurationandmanagementmethodsdifferonthelevelofautomationandthemethodcompleteness.Forexample,GroupPolicyworksfordomain-joineddevicesbutisineffectualforstand-alonedevices.YoucanuseWindowsPowerShellcmdletstoautomatecommonITtasks,butbyitself,WindowsPowerShelldoesnotprovideacomprehensivesolution.

Table10onpage45listssomeofthetechnologiesavailableforperformingWindows8configurationandmanagement.ThelistinTable 10isonlyafewofthemanyproducts,tools,andutilitiesthatareavailableforconfiguringandmanagingWindows8.1.Youcanselectanycombinationofthesetechnologiestodesignacompleteconfigurationandmanagementsolution.Eachtechnologyisdiscussedinasubsequentsection.

45WINDOWS 8.1 DEPLOYMENT PLANNING

TABLE 10 ConfigurationandManagementTechnologySelection

GrouP PoLicy WinDoWS PoWErSHELL

SyStEM cEntEr 2012 r2 conFiGurAtion

MAnAGEr

WinDoWS intunE

Control (turn on or off) Windows Store

accessYes No Yes Yes

Control installation of specific apps (by using whitelists or

blacklists)

Yes(withAppLocker) No

Yes(inconjunctionwithGroupPolicyandAppLocker)

No

Operating system setting

managementYes Yes Yes Yes

User setting management Yes Yes Yes Yes

App setting management

Yes(ifregistrybased) App-specific Yes,butscripting

mayberequiredYes,butscriptingmayberequired

Centralized administration

modelYes No Yes Yes

On or off-premises On-premises On-premises On-premises Off-premises

On-premises infrastructure AD DS None

Managednetworks

SystemCenter2012R2ConfigurationManager

None

Devices must be domain joined Yes No

No,butchallengesexistfornative

support;WindowsIntuneintegrationisrecommended

No

Supports self-service model No No Yes Yes

Supports push model Yes Yes Yes Yes

Can be used to create enterprise

app storeNo No Yes Yes

46WINDOWS 8.1 DEPLOYMENT PLANNING

GrouP PoLicy WinDoWS PoWErSHELL

SyStEM cEntEr 2012 r2 conFiGurAtion

MAnAGEr

WinDoWS intunE

User interaction

ITprodoesback-endconfiguration

Userperformsnoactions

ITproperformsalltasks

ITprodoesback-endconfiguration

Userhasnointeractionforpushmodelandlimitedinteractionforself-service

model

ITprodoesback-endconfiguration

Userhasnointeractionforpushmodelandlimitedinteractionforself-service

model

Provided with Windows 8

InWindows8ProandEnterprise,butrequiresADDS

Yes No No

Provides unified solution for the

entire software life cycle, including

installation, updates,

supersedence, and removal

No No Yes Yes

Can be used for operating system

deploymentNo No Yes No

Requires additional cost

Yes(unlessADDSisalreadyinstalled) No

Yes(ifnoSystemCenterConfigurationManager

infrastructureisinstalled)

Yes(subscriptionmodel)

Group Policy

YoucanuseGroupPolicytomanageuser,Windowsoperatingsystem,andapplicationsettings.Ultimately,youcanuseGroupPolicytomanageanyconfigurationsettingsstoredintheWindowsregistry.Microsoftprovidesbuilt-inGroupPolicytemplatesformostcommonconfigurationsettings.Inaddition,youcancreatecustomGroupPolicytemplatesthatallowyoutomanageconfigurationsettingsthatthebuilt-intemplatesdonotprovide.UseGroupPolicytocontrolWindowsStoreaccessandtheinstallationandrunningofappsondevices(whenusedinconjunctionwithAppLocker).

47WINDOWS 8.1 DEPLOYMENT PLANNING

Additionalinformation:

• “GroupPolicy”athttp://technet.microsoft.com/windowsserver/bb310732.aspx

• “ManagingClientAccesstotheWindowsStore”athttp://technet.microsoft.com/en-us/library/hh832040.aspx

Windows PowerShell

ManycommonWindows8administrativetaskscanbeperformedbyusingWindowsPowerShell,includingWindowsStoreappmanagementandoperatingsystemconfiguration.YoucanuseWindowsPowerShellinteractivelyortocreatescriptsthatcanberuntoperformmorecomplextasks.FormoreinformationaboutusingWindowsPowerShellforconfigurationandmanagement,gotohttp://technet.microsoft.com/library/bb978526.aspx.

Configuration Manager

SystemCenter2012R2ConfigurationManagerautomatesdeployingappstoadeviceduringoraftertheoperatingsystemdeploymentprocess.SystemCenter2012R2ConfigurationManagerallowsyoutocreatealistofapplicationsthatcanbeselectedduringthedeploymentprocessatthetimeofdeploymentordeployedthroughtheApplicationCatalog.SystemCenter2012R2ConfigurationManagerprovidesaunifiedconsoleformanagingappsandcanoptionallyintegratewithWindowsIntunetohelpmanagedevicesthatarenotconnectedtotheeducationalinstitution’sintranet.FormoreinformationaboutusingSystemCenter2012R2ConfigurationManagerwithSP1forconfigurationandmanagement,gotohttp://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx.

Windows Intune

WindowsIntuneisanoff-premises,cloud-basedmanagementsolutionthatprovidesdevicemanagement,softwareinstallation,andsoftwareupdatemanagement.WindowsIntunecanintegratewithSystemCenter2012R2ConfigurationManagertoprovideaunifiedmanagementsolution.

WindowsIntunehelpsmanageITenvironmentstohelpkeepdevicessecure,includingsoftwareandpatchdistribution,policy-basedmanagement,andEndpointProtectionforPCs.WindowsIntunealsosupportsBYODscenariosbyprovidingaself-serviceportaltoinstallapps,personalizedappdelivery,andsupportformultipleplatformsanddevices.

48WINDOWS 8.1 DEPLOYMENT PLANNING

FormoreinformationaboutusingWindowsIntuneforconfigurationandmanagement,gotohttp://www.microsoft.com/en-us/windows/windowsintune/pc-management.aspx.

©2014MicrosoftCorporation.Allrightsreserved.

Thisdocumentisforinformationalpurposesonlyandisprovided“asis.”Viewsexpressedinthisdocument,includingURLandanyotherInternetWebsitereferences,maychangewithoutnotice.MICROSOFTMAKESNOWARRANTIES,EXPRESSORIMPLIED,INTHISDOCUMENT.