Every system administrator with even a few gray hairs has a
playbook full of tips and tricks for tweaking Windows machines. With every new release, it’s
important to revisit that personal knowledge base and determine which
techniques are still valid and which need to be discarded.

Windows 8 brought impressive new capabilities to desktops, notebooks, and
tablets, and Windows 8.1
is a significant (and free) upgrade. In this article, I’ve listed some
do’s and don’ts for fine-tuning the Windows 8.1 configuration on new devices
you’re planning to deploy.

1: Choose the right hardware

You’re familiar with the traditional tradeoffs when choosing a conventional desktop or
portable. The mix of CPU, memory, and storage is based on your needs, as
defined by price, performance, battery life, and mobility. If you’re upgrading
a fleet of existing machines, you just need to ensure that they can handle the
standard workloads. That might involve memory or storage upgrades (especially
replacing conventional rotating disk drives with solid-state drives).

If you’re specifying new hardware, avoid the temptation to go with last year’s
model and look for devices that are certified for Windows 8.1. Those devices
may include three new factors to throw into the mix:

  • Universal Extensible Firmware Interface (UEFI) is the
    replacement for the ancient BIOS standard. Having a UEFI-equipped machine is a
    prerequisite for the Secure Boot feature in Windows 8.x, which protects PCs
    from being attacked by rootkits and other advanced forms of malware.
  • Trusted Platform Module (TPM) 2.0 supports hardware-based
    device encryption, which I’ll discuss later in this article.
  • InstantGo is the new name for a feature previously known as
    Connected Standby. You won’t find this feature on conventional PCs that use
    CPUs from the Intel Core series. It’s available only on devices powered by
    System-on-a-Chip architecture (ARM or Atom, for example), and it allows advanced
    power management and encryption on mobile devices.

2: Use a standard image

Ideally, you should use a standard Windows image that
includes customizations and applications specific to your organization. Having
a standard image makes support much easier. Your help desk doesn’t have to
guess about what programs are available when an employee calls in with a
problem, and in the event of a hardware failure you can replace the image
quickly.

To avoid violating Microsoft’s license agreements, you need
to know which imaging techniques are allowed. Your rights vary, depending on
whether you have a volume license (VL) agreement.

If your organization has a current VL agreement for Windows, you automatically have “reimaging
rights,” which means that you can create a standard image using your VL
media and apply that image to any machine in your organization, even if its
license was originally part of an OEM or retail installation. So if you buy a
batch of new PCs from Dell or HP with Windows 8.1 Pro preinstalled, you can
wipe those machines and use the Microsoft Deployment Toolkit to install your standard image. Similarly, you can use a
VL upgrade license to quickly migrate a Windows 7 Professional machine using
your standard Windows 8.1 image.

If your organization doesn’t have a current VL agreement for Windows, your options are
different. Depending on your purchase volume, you have two options:

  • Talk to your hardware vendor and set up a Custom
    Factory Image (CFI) agreement. You work with the OEM to create the image, which
    they install on every new PC you purchase. When you unbox a new device, it’s
    ready to go, with the right drivers and your standard applications
    preconfigured.
  • For existing PCs, or if you don’t want to set up
    a CFI agreement, you can customize the OEM configuration using the Windows Assessment and Deployment Kit. The downside is that you have to perform this
    procedure individually on each PC; you can’t automate it with a standard image.

The option you want to avoid at all costs is performing a clean installation from
Windows media on a new PC. Besides being tedious and time-consuming, that
process practically guarantees that you’ll run into driver hassles and
inconsistent images.

3: Encrypt your business data

The need for encryption has little to do with the NSA. It has everything to do with
what happens if one of your PCs (desktop, notebook, hybrid, or tablet) is lost
or stolen and falls into the hands of someone who knows the potential value of
saved data, passwords, and so on. If your organization’s data is covered by
regulatory requirements, such as HIPAA or Sarbanes-Oxley, encryption is probably
legally required. But as long as you’re creating a standard Windows 8.1 image,
you should insist on robust encryption, using BitLocker full drive encryption.

If you have painful memories of deploying this feature on previous Windows
versions, you’ll be relieved to know that BitLocker in Windows 8.x is
dramatically improved. (For details, see the TechNet article “What’s New in BitLocker for Windows 8 and Windows Server 2012.”) It can be provisioned during installation instead of after
setup, and the encryption process is much faster. You can also configure the
system to unlock automatically when it’s connected to a wired network, which eliminates
a source of friction for workers who are in the office.

Here’s a quick encryption checklist:

  • Encrypt the system drive with BitLocker using the TPM and a PIN.
    You’ll be able to manage encryption keys and TPM services using Active Directory
    Domain Services.
  • Encrypt fixed data drives with a password (or a smart card
    if you have that infrastructure in place) and set up automatic unlock.
  • Encrypt removable drives using BitLocker To Go and a strong
    password. You can configure those drives to unlock automatically when they’re
    inserted into a known, trusted machine and the user has signed in with the
    proper credentials. If the device is lost or stolen, its data will be
    protected.
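The hardware prerequisites from section 1 and the three checklist items above, as an added PowerShell example (not from the original article or from Microsoft’s documentation). It assumes an elevated session on a domain-joined Windows 8.1 Pro/Enterprise machine, a fixed data drive at D: and a removable drive at E: (both assumed letters), and that Group Policy already permits recovery passwords to be backed up to AD DS.

```powershell
# Added example: provision the encryption checklist on a freshly imaged machine.
# Assumptions: elevated session, domain-joined Windows 8.1 Pro/Enterprise,
# data drive D: and removable drive E: (constructed drive letters).
#Requires -RunAsAdministrator
Import-Module BitLocker, TrustedPlatformModule, SecureBoot

# 1. Hardware prerequisites from the "Choose the right hardware" section:
#    Secure Boot needs UEFI; TPM-based protectors need a ready TPM.
try {
    if (-not (Confirm-SecureBootUEFI)) { throw "Secure Boot is disabled in firmware." }
} catch {
    throw "Secure Boot unavailable (legacy BIOS or disabled): $($_.Exception.Message)"
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM is absent or not ready." }

# 2. System drive: TPM + PIN protector, plus a recovery password escrowed in AD DS
#    so the help desk can recover a locked machine without the user's PIN.
$pin = Read-Host -AsSecureString -Prompt "Enter BitLocker startup PIN"
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId

# 3. Fixed data drive: password protector, then auto-unlock so users are not
#    prompted once the system drive has been unlocked.
$pw = Read-Host -AsSecureString -Prompt "Enter password for data drive D:"
Enable-BitLocker -MountPoint "D:" -EncryptionMethod Aes256 -PasswordProtector -Password $pw
Enable-BitLockerAutoUnlock -MountPoint "D:"

# 4. Removable drive (BitLocker To Go): strong password, auto-unlock on this
#    trusted machine only; elsewhere the password is required.
if (Get-Volume -DriveLetter E -ErrorAction SilentlyContinue) {
    $rpw = Read-Host -AsSecureString -Prompt "Enter password for removable drive E:"
    Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -PasswordProtector -Password $rpw
    Enable-BitLockerAutoUnlock -MountPoint "E:"
}

# 5. Report every volume's protection state and which protectors it carries.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType) -join "," } } |
    Format-Table -AutoSize
```

Run the report again after encryption finishes: ProtectionStatus should read On for every volume, and the C: row should list both TpmPin and RecoveryPassword.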

For more details on deploying BitLocker, see “Prepare your organization for BitLocker: Planning and Policies.”

Don’t forget to take advantage of encryption in online services as well, so that data
is protected as it travels across the Internet.

4: Connect to the cloud (or don’t)

All editions of Windows include support for Microsoft’s SkyDrive, a consumer-grade
cloud storage service. The SkyDrive sync client is built into Windows 8.1, and it’s handy
in terms of roaming settings and allowing access (on supported hardware) to
recovery keys for
encrypted drives that aren’t managed in Active Directory. Your employees
are likely to use their own personal cloud storage services as well, including
the most popular consumer service of all, Dropbox.

If you’re concerned about information traveling outside your organization, you
should use Group Policy to disable SkyDrive integration.
If your organization is standardized on Windows 7 or
later, you can use AppLocker to allow approved applications and block
unwanted ones. You can use third-party software like PolicyPak to prevent employees from using Dropbox,
Google Drive, and other services.

An even better strategy is to provide a robust, officially supported cloud
solution along with a well-designed policy for using it. For some alternatives,
see “Six business-class cloud storage services: Which one is right for you?”

5: Use a virtual machine for untrusted apps

The business editions of Windows 8.1 (Pro and Enterprise) include Hyper-V
virtualization as an optional feature. For employees who need to use
applications that don’t run on Windows 8.1 or who frequently do demos of your
company’s products or services, you should set up Hyper-V and train them in its
proper use. For step-by-step instructions, see “Using Windows 8 Client Hyper-V.”

6: Don’t fall for bogus performance-enhancing tricks

If you’ve put together a clean, well-managed Windows image and installed it on
modern hardware, you shouldn’t need to do much tweaking to improve its
performance. In fact, the most important advice I can offer is to avoid falling
for common system configuration changes that do more harm than good.

Here are the four most commonly cited pieces of bad advice:

  • Adjusting the size and location of the Windows pagefile. Back in the Dark Ages of
    Windows, this might have made a difference. On modern Windows versions, the
    system-managed pagefile does a perfectly adequate job. You should consider
    adjusting this value only on workstations that do advanced image and video
    editing — and then only after you’ve used Performance Monitor and other tools
    to see how much pagefile usage you really need.
  • Using registry cleaners. These tools are, almost without exception, snake oil. In
    years of monitoring these utilities, I’ve never found a verifiable claim of
    performance improvement and have heard countless stories of systems that were
    rendered unusable by an overly aggressive registry cleaner. Train your users to
    steer clear.
  • Turning off unneeded services. It’s true that third-party services can have an impact
    on performance and can introduce security risks. That’s why you should
    investigate any third-party app carefully before deploying it, and you should
    look at the security implications of built-in services as part of your standard
    image. But turning off built-in services rarely makes a noticeable difference
    in performance, despite what some popular websites claim.
  • Separating data and system drives. The switch from rotating disk
    drives to SSDs has meant that system drives are smaller than they used to be.
    For packrats, that can cause unexpected problems when free disk space suddenly
    shrinks to zero. On desktop PCs and portables that support a second drive, it’s
    possible to move a user’s data folders to a dedicated drive. But don’t try to
    go too far by moving program files and the entire Profiles directory to another
    drive. That’s an unsupported configuration and one that will likely cause you
    heartache later. For details, see “Don’t move your Windows user profiles folder to another drive.”