microsoft-education-uk
Windows 8 deployment planning
A guide for education
July 2013
Table of contents
Windows 8 in education
  IT benefits
  Faculty benefits
  Student benefits
Windows 8 purchase and licensing
Volume Activation
Network infrastructure
  Internet ingress and egress
  Network bandwidth
  Wireless networking
Accessibility
Printers
Security and privacy
  Internet access
  Application access
  Device access
Windows Store apps
User accounts
Deployment
  Institution-owned devices
  Personally owned devices
  Virtual Desktop Infrastructure
  Windows To Go
Device roaming and multiple devices
  Windows Folder Redirection
  Windows Offline Files
  Windows Roaming User Profiles
  Default user profiles
  User Experience Virtualization
  Microsoft Application Virtualization
Configuration and management
  Group Policy
  Windows PowerShell
  Configuration Manager
  Windows Intune
This guide is designed for IT pros, school administrators, and other faculty members who are responsible for the deployment of devices running Windows 8 in educational institutions. This guide covers the key considerations and questions that should be answered as a part of a typical Windows 8 deployment.
Some of the keys to success in a Windows 8 (or any technology deployment) that we will cover in each section are as follows:
• Develop and communicate your Windows 8 deployment plan before you deploy devices.
• Start the planning process and validate your design as early in your deployment project as possible, because bad design decisions become difficult to correct the later you discover them in the process.
• Include representatives from curriculum and technology leadership (in addition to those who are responsible for performing the actual deployment) to help ensure that the final solution meets or exceeds curriculum and learning outcome requirements.
Each section in this guide lists the key planning considerations and questions for the topics covered in that section. Each section also includes links to additional resources to help in the Windows 8 deployment planning process discussed in that section.
NOTE
Classroom curriculum design is outside the scope of this document. In addition, although most of the planning decisions in this guide are applicable to Windows RT, this guide focuses on Windows 8 deployment only.
Windows 8 in education
Windows 8 provides an incredible opportunity for educators and students to take advantage of the new world of digital education and exciting new devices, leveraging the worldwide standard Microsoft platform and cloud services to ensure seamless manageability, robust security, backward compatibility, and cost effectiveness. Running Windows 8 on devices designed for Windows 8 can help you meet the challenges and maximize the benefits of using Windows 8 in education.
IT benefits
Many IT organizations within educational institutions already support a Microsoft infrastructure. In many instances, the IT staff can use the same tools they are already familiar with to manage Windows 8 devices. Institutions can also outsource this work to partners who are able to leverage the partner’s Windows 8 management experience and skill sets.
You can manage Windows 8 devices and apps automatically by employing on-premises and off-premises management solutions. These solutions dramatically reduce the effort required from IT pros to keep devices current with software and security updates and to perform common IT administrative tasks. In many instances, educational institutions can create self-service portals that allow users to solve many common problems themselves (such as resetting a password, deploying an app, or installing software updates). This means that IT pros can spend fewer hours managing hardware, software, and services to provide higher-quality services with the same or less level of effort.
Faculty benefits
Windows 8 has a large ecosystem of providers and services, providing educators the flexibility to choose the devices and services they prefer – so they can teach the way they want. Windows 8 also helps teachers manage the classroom by limiting availability of distracting applications (such as instant messaging or social networking) during class and viewing and sharing student screens to improve classroom participation.
Most instructors and faculty members are familiar with the Windows operating system and usually have an existing device running Windows in the classroom or at home. Faculty members have a vast library of existing Windows software and peripherals to incorporate into their learning curriculum. Devices running Windows 8 support Windows Store apps and desktop applications, which allows educators to have the ultimate in flexibility and diversity when selecting technology resources for the classroom. If applications and peripherals worked in Windows 7, they will often work just as well in Windows 8, decreasing both cost and deployment time. This means that instructors and faculty members will be able to realize the benefit of using Windows 8 in the classroom more quickly than other operating systems.
Student benefits
Learning is about consuming, collaboration, and creation. Most Windows devices have a multitouch user interface that provides an immersive user experience for consuming and collaborating, but they also come with a full-functioning keyboard that is essential for content creation. Now there is the addition of a fluid and immersive user experience that enables tablets and touch screens as well. With the huge interest in tablets for the student market, Windows 8 is able to provide a consistent user experience across form factors. In addition, students have access to the vast library of existing software created for Windows, including Windows Store apps and Windows desktop applications, and most applications that run on the Windows 7 or Windows XP operating system will also run on Windows 8.
Most students already know how to use devices running a Windows operating system. They typically have access to devices running Windows at home, as well, which allows students to continue their education at home without additional cost on the part of the educational institution or the student’s family.
Windows 8 purchase and licensing
Note the following key Windows 8 purchase and licensing planning considerations:
• How many users do you need to enable?
• How many new devices will you buy with Windows 8 preinstalled?
• How many Windows 8 licenses do you need to purchase to upgrade existing devices (note that some products will require license upgrades, such as Windows 8 Enterprise edition)?
• How does your institution handle Windows 8 licensing for personally owned devices?
• How can faculty and students purchase Windows 8 licenses at educational prices?
• What educational pricing and licensing programs are available for educational institutions?
Each physical device or virtual machine (VM) running Windows 8 must have a valid license. Most device hardware vendors provide a Windows 8 license for each device the institution purchases. However, you must obtain Windows 8 licenses for any existing devices running previous versions of Windows that will be upgraded to Windows 8 (such as devices running Windows 7).
The list below provides the Windows 8 licensing considerations for devices based on their ownership:
• Institution owned: Educational institutions can acquire licenses for Windows 8 (and other Microsoft products) through the Microsoft Enrollment for Education Solutions (EES) program. The Microsoft EES program is an easy, cost-effective offer that provides qualified academic customers a simplified way to acquire Microsoft software and services under a single subscription agreement. For more information, see “EES licensing: Microsoft Enrollment for Education Solution” at http://www.microsoft.com/education/en-us/buy/licensing/Pages/enrollmentforeducationsolutions.aspx.
• Personally owned: Faculty and students are responsible for having the appropriate Windows 8 licenses for their devices. In addition to potentially being able to purchase Microsoft software through the educational institution, faculty and students can individually purchase Microsoft products at educational discounts through resellers such as:
  • JourneyEd at http://www.journeyed.com/dept/Brands/Microsoft/284074
  • OnTheHub at http://www.onthehub.com
NOTE
Microsoft works with organizations in the public sector through the Shape the Future program. For more information about the Shape the Future program, see http://www.microsoft.com/shapethefuture.
Use this information to determine the number of Windows 8 licenses you must obtain for your educational institution. Also, use the information to determine institution-sponsored Microsoft educational benefit programs for faculty and students.
INFO
For more information, see “Academic savings: How educators and students can save on Microsoft software” at http://www.microsoft.com/education/en-us/buy/Pages/academicsavings.aspx.
Volume Activation
Note the following key Microsoft Volume Activation planning considerations:
• Which licensing models are available for Windows 8 and Microsoft Office Professional Plus 2013?
• What technologies are available to activate volume licenses?
• What type of connectivity is available for devices to perform activation?
The following list shows the Volume Activation technologies and provides a brief description of each:
• Active Directory-Based Activation (ADBA): ADBA is a role service that allows you to use Active Directory Domain Services (AD DS) to store activation objects, which can further simplify the task of maintaining Volume Activation services for a network. With ADBA, no additional host server is needed, and activation requests are processed during computer startup. ADBA works only for devices running Windows 8 that are domain joined.
• Key Management Service (KMS): KMS is a role service that allows organizations to activate systems within their network from a server on which a KMS host has been installed. With KMS, IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. KMS does not require a dedicated system, and it can be cohosted on a system that provides other services. By default, volume editions of Windows 8 connect to a system that hosts the KMS service to request activation. No action is required from the user.
• Multiple Activation Key (MAK): A MAK is a volume license key that is used for one-time activation with activation services that Microsoft hosts. You can activate MAKs over the Internet or by telephone.
Table 1 on page 7 lists the Volume Activation technologies and the information necessary for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete Volume Activation solution.
|  | ADBA | KMS | MAK |
| --- | --- | --- | --- |
| Device must be domain joined | Yes | No | No |
| Devices must connect to the network at least once every 180 days | Yes | Yes | No |
| Supports Volume Activation of Windows 8 | Yes | Yes | Yes |
| Supports Volume Activation of Windows 7 | No | Yes | Yes |
| Supports Volume Activation of Microsoft Office | Yes (Office 2013 only, not Microsoft Office 365 or previous versions of Office) | Yes | Yes |
| Can use Volume Activation services in Windows Server 2012 | Yes | Yes | N/A |
| Can use Volume Activation services in operating systems prior to Windows Server 2012 | Yes, but requires that the Active Directory schema be updated to Windows Server 2012 | Yes | N/A |
| Microsoft Volume Licensing information is stored in AD DS | Yes | No | No |
| Can be activated with Internet access only | No | No | Yes |
| Can be activated by telephone | No | No | Yes |
| Required infrastructure | AD DS | KMS server, however having AD DS makes KMS management easier | Internet access or telephone |

TABLE 1 Volume Activation Technology Selection
Additional information:
• “Plan for Volume Activation” at http://technet.microsoft.com/library/jj134042.aspx
• “Volume Licensing” at http://www.microsoft.com/licensing/about-licensing/windows8.aspx
• “Introduction to VAMT 3.0” at http://technet.microsoft.com/library/hh825141.aspx
• Volume Licensing Guide for Windows 8 at http://download.microsoft.com/download/9/4/3/9439A928-A0D1-44C2-A099-26A59AE0543B/Windows_8_Licensing_Guide.pdf
• “Microsoft Licensing for the Consumerization of IT” at http://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it.aspx
• “Microsoft Licensing for the Consumerization of IT - Academic Licensing Scenarios” at http://www.microsoft.com/licensing/about-licensing/briefs/consumerization-it-academic.aspx
• “Licensing Windows desktop operating system for use with virtual machines” at http://download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/Licensing_Windows_Desktop_OS_for_Virtual_Machines.pdf
• “Volume activation methods in Office 2013” at http://technet.microsoft.com/library/jj219430.aspx
Network infrastructure
Because Windows 8 devices are not just cloud-connected devices (they work offline too), your existing network infrastructure will often be adequate to support Windows 8. As part of the planning process, determine any network infrastructure remediation that you must perform prior to deploying Windows 8 devices.
Internet ingress and egress
Note the following key Internet ingress and egress planning considerations:
• What TCP and User Datagram Protocol (UDP) traffic must be allowed to and from the Internet?
• Which websites must be added to the approved sites list for edge-of-network appliances?
• What are the requirements for being compliant with the Children’s Internet Protection Act (CIPA)?
• Which firewalls should you use (firewall appliances and Windows Firewall)?
One of the key features in Windows 8 is the integration with Internet-based content and services, especially the Windows Store. You must plan any necessary changes to your Internet ingress and egress to provide access to such content and services, as described in the following list:
• TCP and UDP traffic: Plan the TCP and UDP traffic that must be allowed to and from the Internet. Specifically, allow the traffic required for any new Windows Store app or desktop applications that will be added as part of the Windows 8 deployment process.
• Approved website list: Many edge-of-network appliances (such as firewalls or web proxies) support a list of approved websites. In your plan, specify that the list includes the Windows Store and other supporting sites.
• CIPA compliance: Your educational institution may need to comply with CIPA, which imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program, which makes certain communications services and products more affordable for eligible schools and libraries. For more information about CIPA, see “Children’s Internet Protection Act” at http://www.fcc.gov/guides/childrens-internet-protection-act.
• Firewall usage: You can use firewall appliances and Windows Firewall to protect devices and provide security defense in depth. If you use both, ensure that you provide the appropriate access to the Windows Store and other Internet-based content and services by configuring both firewalls. You can specify that the Windows Firewall be configured by using Group Policy firewall settings. For more information on using Group Policy to configure Windows Firewall, see the Microsoft TechNet article, “Configure Firewall Port Requirements for Group Policy,” at http://technet.microsoft.com/library/jj572986.aspx.
Network bandwidth
Note the following key network bandwidth planning considerations:
• Can the LAN and Wi-Fi network support a high density of devices?
• Does the necessary available network bandwidth exist for connecting to on-premises resources?
• Does the necessary available network bandwidth exist for Internet access?
The use of technology in most curriculum plans requires access to local and Internet-based resources and content (such as document storage libraries, multimedia files, or online study resources). The following is a list of planning considerations that relate to network bandwidth:
• Support for a high density of devices: Educational environments tend to have a high concentration of devices in a small geographic area. Faculty and students require network access from classrooms, labs, and common areas. These numbers can range from 20–30 devices in a classroom to hundreds of devices in a common area (such as a library or student center). Typically, this number implies that each classroom may require a dedicated network connection to the on-premises network, and common areas may require multiple dedicated network connections to the on-premises network to support the number of devices in a given geographic area.
• On-premises available network bandwidth: All devices typically need high-speed, persistent connections to on-premises content and resources (such as printers, file services, or intranet-based sites). Ensure that the on-premises network has sufficient bandwidth to provide reasonable response times when accessing the on-premises resources. Also, include Internet traffic when evaluating your on-premises network, because devices connect to the Internet through the on-premises network. You can estimate this traffic by observing the typical intranet traffic a device generates, then multiplying that by the number of devices within a given geographic area.
• Internet available network bandwidth: All devices typically need access to Internet-based content and resources (such as the Windows Store and other Internet-based websites). Ensure that the Internet connection has sufficient bandwidth to provide reasonable response times when accessing the Internet. You can estimate this traffic by observing the typical Internet traffic a device generates, then multiplying that by the number of devices within a given geographic area.
The physical network design is specific to the type of devices and the vendor specifications for each device. Contact the network infrastructure vendors for planning tools and resources to help in determining network bandwidth.
Wireless networking
Note the following key wireless network planning considerations:
• How many Wi-Fi wireless devices will be used within each classroom and in common areas (device density)?
• What Wi-Fi technologies do you need to support (such as Institute of Electrical and Electronics Engineers [IEEE] 802.11n, 802.11g, or 802.11b)?
• Will broadband (cellular) device connectivity be supported?
Most modern devices use a wireless connection to access networks. Although wireless connection reduces the clutter and problems associated with wired network connections, it adds to the complexity of planning and supporting networks.
• Wi-Fi–supported standards: Most devices support a variety of the IEEE 802.11X Wi-Fi standards, such as 802.11n, 802.11g, or 802.11b. Ensure that the wireless access points (WAPs) support the highest speed standard the device supports. Support the slower speed standards to provide compatibility with older devices. For example, most new devices support IEEE 802.11n, but older devices may only support IEEE 802.11b.
• Network frequency: IEEE 802.11X wireless standards use the 2.4 gigahertz (GHz) and 5.0 GHz frequencies for communication based on the standard used. Most modern WAPs support both frequencies. Most new devices support 5.0 GHz frequencies, while older devices only support the 2.4 GHz frequencies. Ensure that your WAPs support the correct frequencies to support the planned device population.
• Wireless device density: This consideration is similar to the planning decisions for wired networks. From the wireless perspective, determine the number and placement of WAPs. Most enterprise-class WAPs can support up to 50 devices; however, wireless network performance will degrade dramatically as the number of devices approaches the maximum value. A WAP typically has a single wired network connection, which means that all devices connecting through the WAP share that single wired network connection. For example, if you have a WAP that supports 30 students and has a gigabit wired network connection, those 30 students share that single gigabit network connection. In areas with a large concentration of devices, multiple WAPs may be required.
• Wireless coverage: Ensure that each device has wireless connectivity within the areas where the devices are used (classrooms and common areas) by properly placing WAPs. Placing WAPs too far from each other results in areas where devices will not be able to connect. Placing the WAPs too close to each other can increase your cost by creating unnecessary WAPs. Ensure that the coverage areas for WAPs overlap slightly. WAPs that overlap each other should use a unique channel (frequency).
• Hidden service set identifier (SSID): You can configure WAPs not to broadcast their SSIDs, also known as a hidden SSID. Hidden SSIDs are typically used as a security measure; however, avoid the use of hidden SSIDs, because it is more difficult for a device to join a hidden SSID, and there is minimal security benefit in hiding SSIDs in educational solutions. Because users tend to roam, hidden SSIDs can lead to poor user experience and delays in wireless network association time.
• Broadband cellular support: Many devices may have broadband cellular network adapters that provide Internet connectivity. Broadband cellular connectivity can reduce the network congestion on your wireless Wi-Fi networks. However, broadband cellular connectivity also requires a contract with a cellular provider.
• Rogue Wi-Fi hotspots: Many users may bring Wi-Fi–enabled devices that can act as Wi-Fi hotspots (such as hotspots provided by cellular providers or smartphones). Ensure that you specify a list of published SSIDs in your design for the faculty and students. Also, specify policies and procedures that discourage faculty and students from starting an unauthorized Wi-Fi hotspot.
You can specify the use of Group Policy to configure the wireless network adapter settings for devices. Doing so allows you to provide consistent wireless configuration settings for domain-joined devices.
Additional information:
• “Configure 802.1X Wireless Access Clients by using Group Policy Management” at http://technet.microsoft.com/library/dd759173.aspx
• “Identifying the Areas of Coverage for Wireless Users” at http://technet.microsoft.com/library/cc780260(v=ws.10).aspx
• “Determining How Many Wireless APs to Deploy” at http://technet.microsoft.com/library/cc782947(v=ws.10).aspx
• “Determining Where to Place Wireless APs” at http://technet.microsoft.com/en-us/library/cc739928(v=ws.10).aspx
• “Selecting Channel Frequencies for Wireless APs” at http://technet.microsoft.com/library/cc783011(v=WS.10).aspx
Accessibility
Note the following planning considerations for users with special accessibility needs:
• What Ease of Access and Personalization options do faculty and students require?
• What assistive technologies do faculty and students require?
Windows 8 provides essential accessibility to computers for those with significant vision, hearing, dexterity, language, or learning needs. These features are available in Windows 8, Windows 8 Pro, and Windows RT.
Note the following planning considerations for Windows 8 accessibility:
• Ease of Access and Personalization options: These options in Windows 8 make devices easier to see, hear, and use; they include screen magnification, speech recognition, narration, on-screen keyboard, keyboard shortcuts, sticky keys, and visual notifications.
• Assistive technologies: The built-in assistive technologies in Windows 8 work with both Windows Store apps and Windows desktop software to provide seamless access to the entire Windows experience. Devices running Windows 8 also allow you to use assistive technology software from specialty assistive technology vendors.
Additional information:
• “Accessibility in Windows 8” at http://www.microsoft.com/enable/products/windows8
• “Assistive Technology Products” at http://www.microsoft.com/enable/at/
• “Windows 8 Voluntary Product Accessibility Template (VPAT)” at http://download.microsoft.com/download/8/5/1/851D1C6F-025C-4945-B4FB-CFB99384FE16/Windows_8_Client_VPAT.docx
Printers
Note the following key printer planning considerations:
• Which printer drivers does Windows 8 support?
• What is needed to support Windows Store apps and Advanced Print Settings for Windows Store apps?
• How will users connect to printers?
Faculty and students need to connect to printer resources. You need to plan for user connectivity to institution-owned printers. Typically, these printers are network-based (through wireless or wired networks). However, in some instances, these printers may be connected to the Windows 8 devices by USB cables.
Note the following planning considerations for Windows 8 printer connectivity:
• Printer drivers: Windows 8 supports the v3 printer driver model (used in Windows 7) and the v4 printer driver model (new to Windows 8). Printers that are connected to Windows 8 devices with v3 printer drivers installed will continue to work as they currently do with desktop applications. Some limitations exist to using printer drivers based on the v3 printer driver model for Windows Store apps.
• Windows Store device app and Advanced Print Settings support: The v4 printer driver model supports the installation of a Windows Store device app. A Windows Store device app is a vendor-specific app that provides the Advanced Print Settings UI and support information that are specific to the printer manufacturer and model. For example, a printer manufacturer can write a Windows Store device app for a printer that they manufacture. The Windows Store device app would provide additional information, diagnostics, and troubleshooting tools for that specific printer.
• User connection to printers: For many Windows 8–certified printers (v4 printer driver model), Windows 8 automatically discovers the printers and installs the necessary drivers. Otherwise, you can specify the Group Policy settings for printers for domain-joined devices. You can also specify that users manually add and configure printers as they did in Windows 7. Ensure that you specify a list of available printers (including any necessary IP information) to students and faculty.
• Security for printing: In some instances, you may want to limit printer usage to authenticated users. Doing so requires that those who need to use these printers have accounts in an AD DS domain so that the appropriate permissions can be applied to each printer.
NOTE
Ensure you have Windows 8-certified printer device drivers for as many printers as possible.
Additional information:
• “Printers Extension” at http://technet.microsoft.com/library/cc731562.aspx
• “Deploying Printers by Using Group Policy” at http://technet.microsoft.com/library/cc754699.aspx
• “Overview of Printing in Windows 8” at http://msdn.microsoft.com/library/windows/hardware/hh852373.aspx
Security and privacy
Note the following Internet planning considerations:
• Which edition of Windows 8 is necessary to support the desired security and privacy features?
• How are users and devices protected when connected to the Internet?
• What methods are available to prevent users from installing or running unauthorized apps?
• What methods are available to protect user privacy when running Windows Store apps?
• What methods are available to protect devices and the information on them?
• What policies should you consider implementing with students, parents and faculty?
Windows 8 includes several new security and privacy features. Table 2 lists the security and privacy technologies by Windows 8 edition. Use this list to determine which edition of Windows 8 you need to support the security and privacy technologies you want to use. Select the appropriate Windows 8 edition that provides a complete security and privacy solution that you can then customize for each user.
|  | Windows 8 | Windows 8 Pro | Windows 8 Enterprise |
| --- | --- | --- | --- |
| Windows Store App privacy | Yes | Yes | Yes |
| Family Safety | Yes | Yes | Yes |
| Unified Extensible Firmware Interface (UEFI) Secure Boot | Yes | Yes | Yes |
| SmartScreen Filter | Yes | Yes | Yes |
| Windows Defender (malware protection) | Yes | Yes | Yes |
| Windows Firewall | Yes | Yes | Yes |
| Picture Password | Yes | Yes | Yes |
| BitLocker Drive Encryption and BitLocker To Go | No | Yes | Yes |
| Encrypting File System (EFS) | No | Yes | Yes |
| Domain membership | No | Yes | Yes |
| Group Policy objects (GPOs) | No | Yes | Yes |
| AppLocker | No | No | Yes |
| Microsoft DirectAccess | No | No | Yes |
| Windows To Go | No | No | Yes |

TABLE 2 Security and Privacy Technologies by Windows 8 Edition
For institution-owned devices, Windows 8 Pro or Enterprise is recommended (depending on the features desired) for institutions that require management of devices by using Microsoft management products and technologies, such as Group Policy and Microsoft System Center 2012 Configuration Manager with Service Pack (SP) 1. In managed environments, Windows 8 should be a factor for personally owned devices in Bring Your Own Device (BYOD) scenarios.
The subsequent sections will look at how these features are used for Internet access, application access, and device access. For more information about the features in Table 2 on page 17, see the following resources:
• Windows Store App privacy: See section 4, “Windows Store apps put the customer in control,” in the topic, “Windows 8 app certification requirements,” at http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx
• Family Safety: See the topic, “What’s New in Windows 8 Family Safety,” at http://msdn.microsoft.com/en-us/library/windows/desktop/jj155495(v=vs.85).aspx
• UEFI Secure Boot: See the topic, “Securing the Windows 8 Boot Process,” at http://technet.microsoft.com/en-US/windows/dn168167.aspx
• SmartScreen Filter: See the topic, “Windows Defender and Windows SmartScreen fight viruses and other malware,” at http://windows.microsoft.com/is-is/windows-8/windows-defender#1TC=t1 and the topic, “SmartScreen Filter: FAQ,” at http://windows.microsoft.com/is-is/internet-explorer/use-smartscreen-filter#ie=ie-10
• Windows Defender: See the topic, “Windows Defender and Windows SmartScreen fight viruses and other malware,” at http://windows.microsoft.com/is-is/windows-8/windows-defender#1TC=t1
• Windows Firewall: See the topic, “Windows Firewall from start to finish,” at http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish
• Picture Password: See the topic, “Sign in with a picture password,” at http://windows.microsoft.com/is-is/windows-8/picture-passwords#1TC=t1
• BitLocker and BitLocker To Go: See the topic, “Help protect your files with BitLocker Drive Encryption,” at http://windows.microsoft.com/is-is/windows-8/using-bitlocker-drive-encryption and the topic, “Lock up your data using BitLocker Drive Encryption,” at http://windows.microsoft.com/en-US/windows-8/bitlocker#1TC=t1
• EFS: See the topic, “Encrypt or decrypt a folder or file,” at http://windows.microsoft.com/en-US/windows-vista/Encrypt-or-decrypt-a-folder-or-file
• Domain membership: See the topic, “Active Directory Domain Services Overview,” at http://technet.microsoft.com/en-us/library/hh831484.aspx
• GPOs: See the topic, “Group Policy Overview,” at http://technet.microsoft.com/en-us/library/hh831791.aspx
• AppLocker: See the topic, “AppLocker Overview,” at http://technet.microsoft.com/en-us/library/hh831409.aspx
• DirectAccess: See the topic, “Using DirectAccess,” at http://technet.microsoft.com/en-us/windows/dn168168.aspx
• Windows To Go: See the topic, “Windows To Go: Feature Overview,” at http://technet.microsoft.com/en-us/library/hh831833.aspx
Internet access
When users connect to the Internet, they are at their greatest risk of security attacks from malicious users and software. Windows 8 includes several built-in features that help protect users during access. You can enable and enforce many of these features by using Group Policy. For example, you can use Group Policy to enable Windows Defender and Windows Firewall. These security features are enabled in Windows 8 by default.
Specify security policies that implement safety features when connecting to the Internet, where applicable. For example, guardians of students can use the Family Safety feature to restrict access to websites based on user age (such as restricting the types of apps that users can view in and install from the Windows Store).
Application access
Application-related security and privacy are divided into controlling:
• The installation and running of approved apps only: For institution-owned devices, ensure that users run only approved apps. You can enforce which apps can be installed and run on institution-owned devices by using technologies such as Family Safety, AppLocker, and Group Policy. For personally owned devices, educate faculty members, students, and guardians on how to use Family Safety features to show age-appropriate content only.
• Any personal information the apps collect while they are running: Some Windows Store apps can collect private information while the app is running (such as location or options selected in the app). Windows Store apps include the ability for users to opt in or provide consent to collect such information by design to pass Windows Store app certification. Because the user must provide consent, educate users on the information that could potentially be collected and the risks of providing the information. This would be true for institution-owned devices and personally owned devices.
NOTE
There is no centralized management of the Family Safety feature by using Group Policies. The Microsoft account should be viewed as a personal account for use by students or their guardians.
Device access
Device security and access represent one of the largest opportunities for data loss, forgotten passwords, and other security-related issues. Help users mitigate the risks of device access by using Windows 8 features. For example, you can use BitLocker to prevent confidential data being obtained from a lost or stolen device. This is particularly important for devices that store faculty or student information on the device.
Table 3 lists the device access security and privacy technologies and the necessary information for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete solution.

| | EFS | BitLocker and BitLocker To Go | Picture Password | Windows To Go |
|---|---|---|---|---|
| Encrypts confidential information | Yes (individual files and folders) | Yes (entire fixed or removable disk volumes) | N/A | N/A |
| Reduces the complexity of signing on | N/A | N/A | Yes | N/A |
| Reduces the risk of information loss when a device is lost or stolen | Yes | Yes | Yes | Yes (if encrypted with BitLocker) |
| Reduces the cost of replacement when a device is lost or stolen | N/A | N/A | N/A | Yes |
| Infrastructure | None | None | None | None |
| Ownership scenarios | Personally or institution-owned | Personally or institution-owned | Personally or institution-owned | Institution-owned |
| Domain membership required | No | No (but recovery keys can be stored in AD DS for domain-joined devices) | No | No, but requires Windows 8 Enterprise edition |

TABLE 3 Device Access Security and Privacy Technology Selection
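
The BitLocker column of Table 3 can be verified on a device with the BitLocker cmdlets included in Windows 8. The following script is an added example, not part of the original guide: it reports which volumes would expose data if the device were lost, and escrows recovery passwords to AD DS on domain-joined devices. The function names are hypothetical, and it assumes an elevated Windows PowerShell session on an edition of Windows 8 that includes BitLocker.

```powershell
#Requires -Version 3.0
# Added example, not part of the original guide. Run in an elevated session.
# Get-BitLockerReadiness and Backup-RecoveryPasswordToAdDs are hypothetical names.

function Get-BitLockerReadiness {
    # Report, per volume, whether a lost or stolen device would expose data.
    foreach ($vol in Get-BitLockerVolume) {
        # Recovery password protectors are what can be escrowed to AD DS.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Off also covers suspended protection, where the volume key is not protected.
            $findings += "Protection status is $($vol.ProtectionStatus)"
        }
        if ($recovery.Count -eq 0) {
            $findings += 'No recovery password protector, so nothing can be escrowed'
        }

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
            RecoveryKeyIds = $recovery | ForEach-Object { $_.KeyProtectorId }
        }
    }
}

function Backup-RecoveryPasswordToAdDs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Table 3: recovery keys can be stored in AD DS only for domain-joined devices.
    if (-not (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'Device is not domain joined; AD DS escrow is not available.'
        return
    }

    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Back up recovery password to AD DS')) {
                    # Fails unless Group Policy allows storing recovery information in AD DS.
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $_.KeyProtectorId
                }
            }
    }
}

Get-BitLockerReadiness | Format-Table -AutoSize -Wrap
Backup-RecoveryPasswordToAdDs -WhatIf   # remove -WhatIf to perform the backup
```

Removable drives protected with BitLocker To Go appear in the same report with a VolumeType of Data while they are attached.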
Windows Store apps
Note the following Windows Store app planning considerations:
• Which user accounts are required to access the Windows Store?
• How can Windows Store apps be deployed?
• How can Windows Store apps be managed in the classroom?
• How does single sign-on (SSO) work with Windows Store apps?
• What changes must you make to the network infrastructure to support the Windows Store?
• How are Windows Store apps obtained?
The Windows 8 operating system includes many new features and capabilities, but one prominent feature is Windows Store apps. Educational institutions can purchase or create apps for Windows 8 that use the new UI.
INFO
Windows Store app planning considerations are discussed in Windows Store apps: A deployment guide for education at http://go.microsoft.com/?linkid=9835091.
User accounts
Note the following key user account planning considerations:
• When are Microsoft and Windows accounts required?
• Do age restrictions exist for accounts?
• How can Office 365 or Windows Azure Active Directory (AD) accounts be used?
• What is the relationship among Microsoft, Windows, and Windows Azure AD accounts?
• How can you provide an SSO experience for users?
Faculty and students need user accounts to log on to their Windows 8 devices, access the Windows Store, access on-premises resources, and access Internet resources. As a part of the planning process, determine the user accounts that faculty and students will use, the age restrictions for accounts, and how to provide the best SSO experience for users.
Note the following planning considerations for user accounts:
• Determine the user accounts to use. Table 4 lists the user account types available for use in Windows 8. Use the information in Table 4 to determine which user account types faculty and students will use.
• Account management. You can centrally manage domain-based Windows accounts and Windows Azure AD accounts. You cannot centrally manage Microsoft accounts and local Windows accounts (for example, you cannot manage a Microsoft account that a student or faculty member creates). However, users can manage their respective Microsoft accounts without requiring assistance from IT resources. Use these considerations as you select user accounts.
• Determine account age restrictions. Microsoft accounts in the United States comply with the Children’s Online Privacy Protection Act (COPPA) regarding online account creation for children under 13 years of age. To verify that an adult is giving a child permission to create a new Microsoft account, COPPA requires that a small amount be charged to the adult’s credit card (for a U.S. account). Although you do not need adult permission to create Windows accounts and Windows Azure AD accounts, it is recommended that adults be notified and permission obtained, as necessary.
Guardians should be involved in the account creation process and the provisioning of devices to children under 13 years of age. Instruct the guardians on how the Family Safety feature can help integrate them into their child’s digital learning experience.
Additional information:
• “Microsoft account” at http://windows.microsoft.com/en-US/windows-live/microsoft-account-help#microsoft-account=tab1
• “Windows Azure: Identity and Access Management” at http://www.windowsazure.com/en-us/home/features/identity
• Children’s Online Privacy Protection at http://www.coppa.org
• Windows Store apps: A deployment guide for education at http://go.microsoft.com/?linkid=9835091

| Account type | Description |
|---|---|
| Windows account | This account is stored locally on the Windows 8 device (local Windows account) or in an on-premises AD DS domain. This account is identical to the user accounts that Windows 7 uses. You can associate a Microsoft account with a Windows account to provide access to resources that use a Microsoft account (such as the Windows Store or SkyDrive). This account is always required to log on to a Windows 8 device. |
| Microsoft account | This account is an Internet-based account used to access the Windows Store or other services that use Microsoft accounts (previously known as Windows Live ID). You can associate a Microsoft account with an existing Windows account. This account is typically required but could be optional if no services that use Microsoft accounts are used (such as not accessing the Windows Store). |
| Windows Azure AD account | This account is an Internet-based account stored in Windows Azure AD services (which may have been migrated from or integrated with an on-premises AD DS infrastructure). Office 365 uses Windows Azure AD services to store Office 365 credentials. This account is required if email and other services use this type of account (such as using email or Microsoft SharePoint Online in Office 365). |

TABLE 4 User Account Types and Descriptions
Deployment
Note the following key deployment planning considerations:
• What deployment scenarios are available for Windows 8 in education?
• What are the deployment technologies and tools available for institution-owned devices?
• What are the deployment technologies and tools available for personally owned devices?
• What role does virtualization play in deploying Windows 8 in education?
• What type of connectivity is available for devices after deployment?
Windows 8 provides a wide range of flexibility in deployment options. This flexibility allows you to design a deployment solution that provides Windows 8 to all users, regardless of the device they use or where they are located.
Table 5 lists some common Windows 8 deployment scenarios and the information necessary for selecting the appropriate scenarios for your institution. You can select any combination of these scenarios to design a complete Windows 8 deployment solution. Each scenario is discussed in a subsequent section.
TABLE 5 Deployment Scenario Selection

| | Institution-owned devices | Personally owned devices | Virtual Desktop Infrastructure (VDI) | Windows To Go |
|---|---|---|---|---|
| Can be domain joined (requires Windows 8 Pro or Enterprise editions) | Yes | Yes (but many users will not want their personal devices to be domain joined) | Yes | Yes |
| Institution has full control of the device | Yes | No | Yes | Yes |
| Can manage operating system deployment | Yes | No | Yes | Yes |
| Deployment tools available for deployment | Microsoft Deployment Toolkit (MDT); Microsoft System Center Configuration Manager; Windows Deployment Services; Interactive (manual) | N/A | MDT; System Center Configuration Manager; Windows Deployment Services; Interactive (manual) | Interactive (manual); Windows PowerShell scripts |
| Infrastructure | Deployment tools requirements | None | Deployment tools requirements; VDI requirements | None |
| Can support devices running operating systems prior to Windows 8 | Yes (by using VDI or Windows To Go) | Yes (by using VDI or Windows To Go) | Yes | Yes (but device must meet Windows To Go hardware requirements) |
| Windows 8 licenses required by institution | Yes, most often purchased with a new device | No (except VDI sessions that users access) | Yes | Yes |
| Requires system hardware upgrades for existing devices by institution | Not often (Windows 8 requirements are same as Windows 7) | No | No | Not often (Windows To Go supports any device that is certified for Windows 7) |
| Required full-time connectivity to institution intranet | No | No | Yes | No |

Institution-owned devices
Institution-owned devices represent the largest area of deployment responsibility. These devices can be divided into devices that currently run:
• Windows 8. These devices will typically be new devices that are purchased with Windows 8 installed. The challenges here are ensuring that the devices have the correct Windows 8 edition and also have a standard operating system image.
• Operating systems prior to Windows 8. To use these devices, perform one of the following tasks:
  • Upgrade to Windows 8. The system resources for these devices must be sufficient to support Windows 8. If the existing system resources are inadequate, then they must be upgraded as a part of the Windows 8 upgrade. Upgrades from prior versions of Windows (such as Windows 7) are available for educational institutions. For more information, see the section “Windows 8 purchase and licensing” earlier in this guide.
    You can determine if an existing device can run Windows 8 by using the Microsoft Assessment and Planning (MAP) Toolkit. The MAP Toolkit is a free solution accelerator available at http://technet.microsoft.com/en-us/library/bb977556.aspx.
  • Connect to Windows 8 in VDI. If the system resources are inadequate or the cost of upgrade is prohibitive, these devices can run Windows 8 in a VDI environment. This has the advantage of allowing users to continue to use existing devices while running the latest apps in Windows 8.
• Operating systems other than Windows 8. These devices (such as devices running Apple iOS or Google Android operating systems) can run Windows 8 and apps in a VDI environment. This has the advantage of allowing users to continue to use existing, institution-owned devices while running the latest apps in Windows 8.
NOTE
It is possible to run Windows locally on certain Apple computers or to run Windows in a virtualized environment on the Mac operating system. In these instances, these computers can be managed and supported as Windows 8 devices.
You can automate Windows 8 deployment to institution-owned devices by using the MDT 2012 Update 1, Microsoft System Center 2012 Configuration Manager with Service Pack 1 (SP1), or Windows Deployment Services in Windows Server 2012. You can also perform manual deployment of Windows 8 from the distribution media.
Additional information:
• Windows 8 deployment to PCs: A guide for education at http://go.microsoft.com/?linkid=9835096
• VDI for institution-owned devices: A deployment guide for education at http://go.microsoft.com/?linkid=9835092
Personally owned devices
BYOD scenarios are common in educational institutions. Personally owned devices represent the least amount of deployment responsibility. These devices can be divided into devices that currently run:
• Windows 8. These devices will typically be new devices that are purchased with Windows 8 installed. The features available on these devices will be determined by the Windows 8 edition.
• Operating systems prior to Windows 8. To use these devices, perform one of the following tasks:
  • Upgrade to Windows 8. The system resources for these devices must be sufficient to support Windows 8. Also, the person who owns the device (such as a faculty member, student, or student guardian) must purchase the upgrade. Educational discounts are available for upgrades from prior versions of Windows (such as Windows 7) for faculty and students. For more information, see the section “Windows 8 purchase and licensing” earlier in this guide.
  • Connect to Windows 8 in VDI. If the system resources are inadequate or the cost of upgrade is prohibitive, these devices can run Windows 8 in a VDI environment. This has the advantage of allowing users to continue to use existing devices (without upgrade) while running the latest apps in Windows 8. However, it may require users to join their devices to domains and will also require an institution-issued Windows account.
• Operating systems other than Windows 8. These devices (such as devices running iOS or Android) can run Windows 8 and apps in a VDI environment. This has the advantage of allowing users to continue to use existing, personally owned devices while running the latest apps in Windows 8.
Additional information:
• BYOD devices: A deployment guide for education at http://go.microsoft.com/?linkid=9835094
• VDI for personally owned devices: A deployment guide for education at http://go.microsoft.com/?linkid=9835093
Virtual Desktop Infrastructure
You can design a VDI by using the Hyper-V and Remote Desktop Services server roles in Windows Server 2012 or by using Windows MultiPoint Server 2012.
Table 6 lists the VDI technologies and the information necessary for selecting the appropriate technologies for your institution. You can select any combination of these technologies to design a complete VDI solution.

| | Hyper-V and Remote Desktop Services server roles in Windows Server 2012 | Windows MultiPoint Server 2012 |
|---|---|---|
| Infrastructure | Managed | Managed by Windows MultiPoint Server 2012 |
| Scaling | Multiple server deployment (as required for scaling) | Single server deployment only (limit of 20 users in Premium edition) |
| Availability | Multiple server deployment in clusters (as required for availability) | Single server deployment only |
| Supported devices | Devices using Remote Desktop Protocol (RDP) version 5; Microsoft RemoteFX capable as required | Direct video connected; USB zero clients; Devices using RDP; RemoteFX capable (as required and available only for RDP connections) |

TABLE 6 VDI Technology Selection
A VDI solution that you create by using Hyper-V and Remote Desktop Services server roles in Windows Server 2012 works by creating a VM template of Windows 8, and then running instances of the Windows 8 template in Hyper-V. Users remotely access the VMs running Windows 8 by using Remote Desktop Services.
Additional information:
• “Microsoft Virtual Desktop Infrastructure (VDI)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx
• “Planning a Windows MultiPoint Server 2012 Deployment” at http://technet.microsoft.com/library/jj916408.aspx
• VDI for institution-owned devices: A deployment guide for education at http://go.microsoft.com/?linkid=9835092
• VDI for personally owned devices: A deployment guide for education at http://go.microsoft.com/?linkid=9835093
Windows To Go
Windows To Go is a feature in Windows 8 Enterprise edition that enables users to boot from a shared device with a USB flash drive and have access to all their user settings, apps, and data. You can boot the Windows To Go workspace on any device that meets the Windows 7 or Windows 8 certification requirements, regardless of the operating system currently running on the device.
NOTE
Although not required, Microsoft strongly recommends that the USB-connected external drive be connected to a USB 3.0 port. Also, the USB-connected external drive should be on the certified list of devices, which can be found at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx.
Windows To Go workspaces can use the same Windows 8 Enterprise image that educational institutions use for other devices. You can manage the workspaces the same way. Windows To Go is not intended to replace other physical devices or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios, such as providing a student with a Windows To Go workspace to perform classroom activities.
For more information about Windows To Go design and deployment, see “Windows To Go: Feature Overview” at http://technet.microsoft.com/library/hh831833.aspx.
Device roaming and multiple devices
Note the following key usage planning considerations for using multiple devices:
• What happens to user and application settings if a user uses multiple devices?
• What happens to user and application settings if a user uses both Windows 8 and Windows 7?
• What happens to user and application data if a user uses multiple devices?
• What level of control can be used for the user and application settings that follow a user?
• How can the necessary Windows Store apps and desktop apps be installed on multiple devices?
One of the key features of Windows 8 is the ability to customize the user experience. In many instances, Windows Store apps and desktop applications also store application-specific user settings and preferences (such as themes, backgrounds, or spelling dictionaries in Office Professional Plus 2013). Users typically save documents, photos, and other files to folders on devices (such as the Documents, Music, Pictures, or Videos folders). And finally, users will install Windows Store apps and desktop applications on devices.
If faculty members and students always use the same device, then all the user and application settings, user data, and apps are always available to them. But what happens when they use different devices? Somehow, the user and application settings, user data, and apps need to be available on multiple devices (also known as device roaming).
In addition, some users may use Windows 8 devices while on campus but may have Windows 7 devices at home. The user and application settings need to be translated between Windows 8 and Windows 7. Table 7 lists the technologies available to help manage user, operating system, application, and application settings on multiple devices. You can select any combination of these technologies to design a complete multiple device usage solution. Each technology is discussed in a subsequent section.
TABLE 7 Multiple Device Usage Technology Selection

| | Windows Folder Redirection + Offline Files | Windows Roaming User Profiles | Default user profiles | Microsoft User Experience Virtualization (UE-V) | Microsoft Application Virtualization (App-V) |
|---|---|---|---|---|---|
| Works across multiple devices | Yes | Yes | No | Yes | Yes |
| Works across multiple operating systems | Yes | No | No | Yes | Yes |
| Included as a part of Windows 8 | Yes | Yes | Yes | No | No |
| Provides granular management of user, operating system, and application settings | No | No | No | Yes | No |
| Provides centralized management of user experience | Yes (with Group Policy) | Yes (with Group Policy) | No | Yes | Yes |
| Works with Remote Desktop Services | Yes | Yes (but logon and logoff times can be slow because the profile needs to be copied to and from the server) | N/A | Yes | Yes |
| Works with VDI scenarios | Yes | Yes | Yes | Yes | Yes |
| Works with Windows To Go | Yes | Yes | Yes | Yes | Yes |
| Devices must be domain joined | Yes (if centrally managed) | Yes | No | Yes | Yes |
| Can be used on institution-owned devices | Yes | Yes | Yes | Yes | Yes |
| Can be used on personally owned devices | No | No | Yes | No | No |
| Can be used to manage Windows Store apps | No | No | No | Yes | No |
| Can be used to manage desktop applications | No | No | No | Yes | Yes |
| Can be used in recovery scenarios (such as new or lost device) | Yes | Yes | No | Yes | Yes |
| Assists with desktop application deployment | No | No | No | No | Yes |
| Assists with desktop application compatibility issues | No | No | No | No | Yes |
| Requires Microsoft Software Assurance (SA) subscription | No | No | No | Yes | Yes |
| Infrastructure requirements | AD DS; Network shared folders | AD DS; Network shared folders | None | Managed network; UE-V infrastructure | Managed network; App-V infrastructure |

Windows Folder Redirection
The Folder Redirection feature in Windows 8 redirects the path of a known folder (such as the Documents, Pictures, or Video folder in a user profile) to a new location manually or by using Group Policy. The new location can be a folder on the local device or a directory on a file share. Users interact with files in the redirected folder as if it still existed on the local drive. For example, you can redirect the Documents folder on a domain-joined device (which is usually stored on a local drive) to a network shared folder. The folder will be redirected on any domain-joined computer on which the user signs on and receives the Group Policy settings. The folder is also accessible directly from the network shared folder independent of the Folder Redirection Group Policy settings.
When used in conjunction with UE-V, the Folder Redirection feature helps provide a comprehensive solution for users who log on to multiple devices. For more information about including the Folder Redirection feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Windows Offline Files
The Offline Files feature in Windows 8 makes network files available to a user, even if the network connection to the server is unavailable or slow. When working online, file access performance is at the speed of the network and server. When working offline, files are retrieved from the Offline Files folder at local access speeds. When the connection to the server is restored, the offline copy of the files is synchronized to the server.
You can use the Offline Files feature in conjunction with the Folder Redirection feature in Windows 8 and UE-V. The Offline Files feature helps ensure that users can access files stored in the local folders that are redirected to network shared folders by using the Folder Redirection feature. The Folder Redirection feature is often used with UE-V to help improve user experience when roaming.
For more information about including the Offline Files feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Windows Roaming User Profiles
The Roaming User Profiles feature in Windows 8 redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers. When a user logs on to a computer by using an account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off of the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. Roaming User Profiles is typically enabled on domain accounts by a network administrator.
Before choosing to deploy Roaming User Profiles, consider the following:
• Roaming User Profiles can impact logon and logoff performance, especially if users’ profiles contain many large files (e.g., videos and images).
• Roaming User Profiles do not work across full desktop experiences and session-based VDI.
• In mixed environments, Windows 7 and Windows 8 user profiles are incompatible.
Because of these Roaming User Profiles considerations, UE-V is recommended for managing user experience. For more information about including the Roaming User Profiles feature in your design, see “Folder Redirection, Offline Files, and Roaming User Profiles overview” at http://technet.microsoft.com/library/hh848267.aspx.
Default user profiles
When a user logs on to a device for the first time, Windows must provide the user with a user profile. If the user profile is centrally managed through UE-V or Roaming User Profiles, the user profile is obtained from these technologies. However, if the user profile is not centrally managed, then Windows creates the new user profile based on the default user profile on that device. The default user profile is used as a template when creating a new user profile. You can use the CopyProfile setting in the Microsoft System Preparation Tool to customize a user profile, and then copy that profile to the default user profile.
Because of default user profile limitations, Microsoft recommends UE-V for managing user experience. For more information about including default user profiles in your design, see “How to Customize the Default User Profile by Using CopyProfile” at http://technet.microsoft.com/library/hh825135.aspx.
User Experience Virtualization
UE-V is an enterprise-scale user state virtualization solution that keeps users’ experience with them. UE-V gives users the choice of changing their device and keeping their experience so that they do not have to reconfigure applications each time they log on to different Windows 7 or Windows 8 computers. UE-V integrates with the Folder Redirection feature in Windows 8 to help make user folders accessible from multiple physical or virtual devices. UE-V supports desktop applications that are deployed using different methods (such as locally installed apps, App-V sequenced applications, or Remote Desktop applications). UE-V is a technology in the Microsoft Desktop Optimization Pack (MDOP), which is a suite of technologies available through SA subscriptions.
Additional information:
• “Microsoft User Experience Virtualization (UE-V)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/UE-V.aspx
• UE-V resources and demonstration videos at http://technet.microsoft.com/windows/hh943107
• Microsoft User Experience Virtualization Deployment Guide at http://www.microsoft.com/en-us/download/details.aspx?id=35495
Microsoft Application Virtualization
App-V virtualizes desktop applications so that they become centrally managed services deployed to a virtualized desktop application environment on devices without using traditional installation methods (known as application sequencing). The sequenced desktop applications run in their own self-contained virtual environment and are isolated from each other, which eliminates application conflicts but allows desktop applications to interact with the device.
App-V integrates with System Center 2012 Configuration Manager with SP1, so you can manage virtual and physical desktop applications along with hardware and software inventory, operating system and patch deployment, and more. App-V is a technology in the MDOP.
Additional information:
• “Microsoft Application Virtualization (App-V)” at http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/app-v.aspx
• App-V resources and demonstration videos at http://technet.microsoft.com/windows/hh826068
NOTE
App-V works only for desktop applications, not for Windows Store apps.
Configuration and management
Note the following key Windows 8 configuration and management planning considerations:
• Which methods are available for configuring and managing domain-joined and non–domain-joined Windows 8 devices after deployment?
• What are the advantages and disadvantages of on-premises and off-premises device management?
• What methods are available to manage devices and software throughout the entire IT life cycle?
• What configuration and management methods can be used for institution- and personally owned devices?
Ongoing Windows 8 device configuration and management is an essential part of your Windows 8 deployment plan. Windows 8 supports both on-premises and off-premises management. You can also manage Windows 8 locally or remotely. The configuration and management methods differ in their level of automation and in how complete a solution each provides. For example, Group Policy works for domain-joined devices but is ineffectual for stand-alone devices. You can use Windows PowerShell cmdlets to automate common IT tasks, but by itself, Windows PowerShell does not provide a comprehensive solution.
Table 8 lists some of the technologies available for performing Windows 8 configuration and management. These are only a few of the many products, tools, and utilities that are available for configuring and managing Windows 8. You can select any combination of these technologies to design a complete configuration and management solution. Each technology is discussed in a subsequent section.
TABLE 8 Configuration and Management Technology Selection

| | Group Policy | Windows PowerShell | System Center 2012 Configuration Manager with SP1 | Windows Intune |
|---|---|---|---|---|
| Control (turn on or off) Windows Store access | Yes | No | Yes | Yes |
| Control installation of specific apps (by using whitelists or blacklists) | Yes (with AppLocker) | No | Yes (in conjunction with Group Policy and AppLocker) | No |
| Operating system setting management | Yes | Yes | Yes | Yes |
| User setting management | Yes | Yes | Yes | Yes |
| App setting management | Yes (if registry based) | App-specific | Yes, but scripting may be required | Yes, but scripting may be required |
| Centralized administration model | Yes | No | Yes | Yes |
| On or off-premises | On-premises | On-premises | On-premises | Off-premises |
| On-premises infrastructure | AD DS | None | Managed networks; System Center 2012 Configuration Manager with SP1 | None |
| Devices must be domain joined | Yes | No | No, but challenges exist for native support; Windows Intune integration is recommended | No |
| Supports self-service model | No | No | Yes | Yes |
| Supports push model | Yes | Yes | Yes | Yes |
| Can be used to create enterprise app store | No | No | Yes | Yes |
| User interaction | IT pro does back-end configuration; User performs no actions | IT pro performs all tasks | IT pro does back-end configuration; User has no interaction for push model and limited interaction for self-service model | IT pro does back-end configuration; User has no interaction for push model and limited interaction for self-service model |
| Provided with Windows 8 | In Windows 8 Pro and Enterprise, but requires AD DS | Yes | No | No |
| Provides unified solution for the entire software life cycle, including installation, updates, supersedence, and removal | No | No | Yes | Yes |
| Can be used for operating system deployment | No | No | Yes | No |
| Requires additional cost | Yes (unless AD DS is already installed) | No | Yes (if no System Center Configuration Manager infrastructure is installed) | Yes (subscription model) |

Group Policy
You can use Group Policy to manage user, Windows operating system, and application settings. Ultimately, you can use Group Policy to manage any configuration settings stored in the Windows registry. Microsoft provides built-in Group Policy templates for most common configuration settings. In addition, you can create custom Group Policy templates that allow you to manage configuration settings that the built-in templates do not provide. Use Group Policy to control Windows Store access and the installation and running of apps on devices (when used in conjunction with AppLocker).
Additional information:
• “Group Policy” at http://technet.microsoft.com/windowsserver/bb310732.aspx
• “Managing Client Access to the Windows Store” at http://technet.microsoft.com/en-us/library/hh832040.aspx
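
Whether a Group Policy–delivered AppLocker policy actually restricts what runs on a device can be checked locally with the AppLocker cmdlets. The following script is an added example, not part of the original guide; the function names and the sample folder are hypothetical, and it assumes an AppLocker policy has already been applied to the device.

```powershell
#Requires -Version 3.0
# Added example, not part of the original guide.
# Get-AppLockerEnforcementSummary and Test-ApprovedApp are hypothetical names.

function Get-AppLockerEnforcementSummary {
    # Effective policy = local policy merged with every applied Group Policy object.
    $policy  = Get-AppLockerPolicy -Effective
    # AppLocker rules are evaluated only while the Application Identity service runs.
    $service = Get-Service -Name AppIDSvc

    foreach ($collection in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection      = $collection.RuleCollectionType   # Exe, Msi, Script, Appx, Dll
            EnforcementMode = $collection.EnforcementMode
            RuleCount       = $collection.Count
            # AuditOnly logs events but blocks nothing. A collection that has
            # rules and is left NotConfigured is enforced by default.
            Blocking        = ($collection.Count -gt 0 -and
                               $collection.EnforcementMode -ne 'AuditOnly' -and
                               $service.Status -eq 'Running')
        }
    }
}

function Test-ApprovedApp {
    # Evaluate every executable under -Path against the effective policy
    # as the given user or group would experience it.
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [string]$User = 'Everyone'
    )

    $files = @(Get-ChildItem -Path $Path -Recurse -Include *.exe -File `
                   -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-Warning "No executables found under $Path"
        return
    }

    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $files.FullName -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Get-AppLockerEnforcementSummary | Format-Table -AutoSize

# Constructed sample location: a user-writable folder where unapproved apps tend to land.
Test-ApprovedApp -Path "$env:USERPROFILE\Downloads" |
    Where-Object { $_.PolicyDecision -eq 'Allowed' } |
    Format-Table -AutoSize -Wrap
```

Files reported as Allowed in a user-writable folder, or a rule collection whose Blocking value is False, indicate that users can still run apps outside the approved set.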
Windows PowerShell
Many common Windows 8 administrative tasks can be performed by using Windows PowerShell, including Windows Store app management and operating system configuration. You can use Windows PowerShell interactively or to create scripts that can be run to perform more complex tasks. For more information about using Windows PowerShell for configuration and management, go to http://technet.microsoft.com/library/bb978526.aspx.
Configuration Manager
System Center 2012 Configuration Manager with SP1 automates deploying apps to a device during or after the operating system deployment process. System Center 2012 Configuration Manager allows you to create a list of applications that can be selected during the deployment process at the time of deployment or deployed through the Application Catalog. System Center 2012 Configuration Manager provides a unified console for managing apps and can optionally integrate with Windows Intune to help manage devices that are not connected to the educational institution’s intranet. For more information about using System Center 2012 Configuration Manager with SP1 for configuration and management, go to http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx.
Windows Intune
Windows Intune is an off-premises, cloud-based management solution that provides device management, software installation, and software update management. Windows Intune can integrate with System Center 2012 Configuration Manager with SP1 to provide a unified management solution.
Windows Intune helps manage IT environments to help keep devices secure, including software and patch distribution, policy-based management, and Endpoint Protection for PCs. Windows Intune also supports BYOD scenarios by providing a self-service portal to install apps, personalized app delivery, and support for multiple platforms and devices.
For more information about using Windows Intune for configuration and management, go to http://www.microsoft.com/en-us/windows/windowsintune/pc-management.aspx.
© 2013 Microsoft Corporation. All rights reserved.
This document is for informational purposes only and is provided “as is.” Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.