configure other user accounts (or user groups) for this access, click Select Users. Then, in the Remote Desktop Users window shown in Figure 14-17, add the users and/or groups you want via the Add button.
Figure 14-17: Adding additional users to RDH with Remote Desktop Users
Note that these users must already be configured for use on the PC, as they will sign in to their custom environment when they access the PC remotely.
To test that Remote Desktop Host is working properly, use the Remote Desktop client on another PC on your network to try to connect to your PC.
Features Exclusive to Windows 8 Enterprise
In addition to the Windows Pro-based business features that were discussed in this chapter, Microsoft is also providing a unique set of features for users of the Windows 8 Enterprise edition. This high-end Windows 8 product edition is available only to corporate customers that subscribe to Microsoft’s Software Assurance volume licensing program. So while it doesn’t make sense to spend too much time describing each feature, we can at least provide a rundown of what most of us are missing.
Unique features in Windows 8 Enterprise include the following:
• Windows To Go: This feature lets you deploy a new, fully manageable Windows 8 environment on a bootable external USB flash drive, enabling the “Bring Your Own PC” (BYOPC) usage scenario. Employees can use Windows To Go on any company PC as well as from their home PC, securely accessing corporate resources on an encrypted device that would be useless in the hands of others. Windows To Go is a feature we hope to see ported to other Windows editions in the future, and it would be a huge boon to lab environments of all kinds, including those used by educational institutions.
• DirectAccess: This is a more modern take on VPN functionality, letting remote users seamlessly access corporate network resources without dealing with the hassles common to VPN solutions. DirectAccess is based on the proven HTTPS (secure HTTP) tunneling technology Microsoft first used with Exchange Server. There’s no VPN configuring, connecting, and reconnecting. In fact, there’s no VPN at all. Instead, DirectAccess-enabled PCs are simply always connected, securely, to the corporate network. As long as you have an Internet connection, you’re in. And for the end user, there’s nothing to see or configure. You’re simply connected. And on the administrative side, IT pros and admins can configure which corporate resources are available to which users, and they can direct Internet-based network traffic as they see fit.
• BranchCache: Aimed at distributed corporations, BranchCache lets servers and users’ PCs in branch offices cache files, websites, and other content that is sent from a central office over the WAN, so that it is not repeatedly downloaded at great cost by different users in the same location. With more and more corporate mergers and acquisitions, and larger companies maintaining separate physical offices in different locales, this is a real need.
• AppLocker: Introduced with Windows 7 as a replacement for Software Restriction Policies (SRP), AppLocker is more flexible and malleable but offers the same basic functionality: It uses Group Policy-based rules to determine which applications users can and cannot access. But it goes deeper than SRP by introducing the concept of publisher rules, where admins can specify which application versions are allowed or disallowed. For example, suppose there’s a known vulnerability in an out-of-date version of Adobe Reader, the popular PDF viewer utility. With AppLocker, you could specify that users are allowed to install and use Adobe Reader 10.01 (or whatever) or newer, only. Problem solved: Users retain the ability to view PDFs and you, the administrator, don’t need to worry that they’re doing so with obsolete and potentially dangerous versions of the software.
• VDI enhancements: With updates to RemoteFX and Windows Server 2012, users can access virtualized instances of Windows 8 Enterprise from the data center and receive rich desktop experiences via thin clients, including, interestingly, Windows RT-based tablets. (See the following section for more information about Windows RT in the enterprise.)
• Windows 8 (Metro-style) app deployment: Domain-joined PCs and tablets running Windows 8 Enterprise will automatically be enabled to “side-load” internal, Windows 8 Metro-style apps, bypassing the Windows Store.
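The AppLocker publisher rule described in the list above can be written out as a policy file and tried in audit mode. This is an added example, not code from the book or from Microsoft: the publisher string, rule GUID, file paths, and the mapping of "Adobe Reader 10.01" to file version 10.1.0.0 are assumptions made for illustration.

```powershell
# AppLocker is an allow list: once the Exe collection holds any rule, an enforced
# policy blocks every executable that no Allow rule matches. AuditOnly only logs.
# Publisher, product and binary strings plus the rule GUID are constructed
# placeholders; read the real ones from the signed file with
#   Get-AppLockerFileInformation -Path <file> | Format-List
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="11111111-2222-3333-4444-555555555555"
        Name="Allow Adobe Reader 10.1 and newer" Description="Constructed example"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US"
            ProductName="ADOBE READER" BinaryName="ACRORD32.EXE">
          <!-- Minimum file version; "*" leaves the upper bound open. -->
          <BinaryVersionRange LowSection="10.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'reader-min-version.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a file on disk; nothing is applied yet.
$reader = 'C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe'  # assumed path
if (Test-Path $reader) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $reader -User Everyone |
        Format-List FilePath, PolicyDecision, MatchingRule
}

# Merge into the local policy (elevated prompt). The Application Identity
# service (AppIDSvc) must be running for AppLocker to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc

# Event 8003 = "would have been blocked" under audit; review before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap
```

With the placeholder publisher string the dry run reports DeniedByDefault for a real Reader binary; substitute the values Get-AppLockerFileInformation returns before drawing conclusions from the audit log.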
Windows RT and Business: A Tablet for All Seasons
While ARM-based Windows RT tablets and devices are aimed squarely at the consumer market, Microsoft also knows that these devices will be hugely popular at work, because they’re deployed by the employer or because users will simply choose to use them to get work done. There’s just one problem: Windows RT, like the basic version of Windows 8, doesn’t support domain join, so you can’t integrate your Windows sign-in with your employer’s Active Directory environment. Fortunately, Windows RT has two things going for it that will somewhat mitigate this issue.
First, Windows RT, like all versions of Windows 8, fully supports the Exchange ActiveSync (EAS) management protocol, the same technology that businesses use to manage devices of all kinds, including Windows Phones, Apple iPhones and iPads, Android handsets and tablets, and many other devices. EAS provides a ton of management functionality, including:
• Push-based corporate e-mail, calendaring, tasks, and contacts: And these all integrate with the appropriate Metro-style apps on Windows RT, including Mail, Calendar, and People.
• Password: Your workplace can specify a minimum password length, that a password is required to use the device, that an alphanumeric password is required, and password reset intervals. After a set number of failed sign-in attempts, the device can be remote wiped or disabled. And many, many more password policies are available.
• Timeout: Your workplace can specify that if the device is left unused for a set period of time, it will be locked automatically.
• Device encryption: Your employer can require that any disks attached to the device be encrypted. This can include the primary storage device (the internal hard disk or SSD) as well as external storage. Windows RT provides this support with device encryption.
• Hardware device disabling: Your workplace can specify that certain devices in the Windows RT tablet be disabled, including the camera, Bluetooth, IrDA, and more.
• Software disabling: Your employer can specify that certain types of software be disabled, including consumer e-mail, POP3/IMAP e-mail, web browser, and more.
Second, Microsoft is providing a special Windows RT management client that will allow users to connect to a self-service portal on their employer’s servers and browse and install Metro-style line of business (LOB) apps that would otherwise require a domain connection, as well as perform other duties. Key among these is the ability of the employer to specify compliance around certain EAS-type policies such as device encryption, the enabling of Auto Updates, and the configuration of antivirus and anti-spyware solutions.
While these capabilities don’t quite amount to domain join, they do remove most of the pain of using a Windows RT-based device for work in a managed environment. It remains to be seen how many companies will be forward-leaning enough to implement this in the years ahead, however.
Summary
There’s no doubt that Windows 8 is a huge upgrade for consumers, a revolutionary new version of Windows