This article is courtesy of TechRepublic Premium.
Before you deploy new Windows 8.1 devices, be sure they're configured to meet the needs of your organization. Here are some tips that will help – and a few steps you're better off skipping.
Windows 8 brought impressive new capabilities to desktops, notebooks, and tablets, and Windows 8.1 is a significant (and free) upgrade. In this article, I've listed some do's and don'ts for fine-tuning the Windows 8.1 configuration on new devices you're planning to deploy.
1: Choose the right hardware
You're familiar with the traditional tradeoffs when choosing a conventional desktop or portable. The mix of CPU, memory, and storage is based on your needs, as defined by price, performance, battery life, and mobility. If you're upgrading a fleet of existing machines, you just need to ensure that they can handle the standard workloads. That might involve memory or storage upgrades (especially replacing conventional rotating disk drives with solid-state drives).
If you're specifying new hardware, avoid the temptation to go with last year's model and look for devices that are certified for Windows 8.1. Those devices may include three new factors to throw into the mix:
- Universal Extensible Firmware Interface (UEFI) is the replacement for the ancient BIOS standard. Having a UEFI-equipped machine is a prerequisite for the Secure Boot feature in Windows 8.x, which protects PCs from being attacked by rootkits and other advanced forms of malware.
- Trusted Platform Module (TPM) 2.0 supports hardware-based device encryption, which I'll discuss later in this article.
- InstantGo is the new name for a feature previously known as Connected Standby. You won't find this feature on conventional PCs that use CPUs from the Intel Core series. It's available only on devices powered by System-on-a-Chip architecture (ARM or Atom, for example), and it allows advanced power management and encryption on mobile devices.
2: Use a standard image
Ideally, you should use a standard Windows image that includes customizations and applications specific to your organization. Having a standard image makes support much easier. Your help desk doesn't have to guess about what programs are available when an employee calls in with a problem, and in the event of a hardware failure you can replace the image quickly.
To avoid violating Microsoft's license agreements, you need to know which imaging techniques are allowed. Your rights vary, depending on whether you have a volume license (VL) agreement.
If your organization has a current VL agreement for Windows, you automatically have "reimaging rights," which means that you can create a standard image using your VL media and apply that image to any machine in your organization, even if its license was originally part of an OEM or retail installation. So if you buy a batch of new PCs from Dell or HP with Windows 8.1 Pro preinstalled, you can wipe those machines and use the Microsoft Deployment Toolkit to install your standard image. Similarly, you can use a VL upgrade license to quickly migrate a Windows 7 Professional machine using your standard Windows 8.1 image.
If your organization doesn't have a current VL agreement for Windows, your options are different. Depending on your purchase volume, you have two options:
- Talk to your hardware vendor and set up a Custom Factory Image (CFI) agreement. You work with the OEM to create the image, which they install on every new PC you purchase. When you unbox a new device, it's ready to go, with the right drivers and your standard applications preconfigured.
- For existing PCs, or if you don't want to set up a CFI agreement, you can customize the OEM configuration using the Windows Assessment and Deployment Kit. The downside is that you have to perform this procedure individually on each PC; you can't automate it with a standard image.
The option you want to avoid at all costs is performing a clean installation from Windows media on a new PC. Besides being tedious and time-consuming, that process practically guarantees that you'll run into driver hassles and inconsistent images.
3: Encrypt your business data
The need for encryption has little to do with the NSA. It has everything to do with what happens if one of your PCs (desktop, notebook, hybrid, or tablet) is lost or stolen and falls into the hands of someone who knows the potential value of saved data, passwords, and so on. If your organization's data is covered by regulatory requirements, such as HIPAA or Sarbanes-Oxley, encryption is probably legally required. But as long as you're creating a standard Windows 8.1 image, you should insist on robust encryption, using BitLocker full drive encryption.
If you have painful memories of deploying this feature on previous Windows versions, you'll be relieved to know that BitLocker in Windows 8.x is dramatically improved. (For details, see the TechNet article "What's New in BitLocker for Windows 8 and Windows Server 2012.") It can be provisioned during installation instead of after setup, and the encryption process is much faster. You can also configure the system to unlock automatically when it's connected to a wired network, which eliminates a source of friction for workers who are in the office.
Here's a quick encryption checklist:
- Encrypt the system drive with BitLocker using the TPM and a PIN. You'll be able to manage encryption keys and TPM services using Active Directory Domain Services.
- Encrypt fixed data drives with a password (or a smart card if you have that infrastructure in place) and set up automatic unlock.
- Encrypt removable drives using BitLocker To Go and a strong password. You can configure those drives to unlock automatically when they're inserted into a known, trusted machine and the user has signed in with the proper credentials. If the device is lost or stolen, its data will be protected.
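The checklist can be verified on a deployed machine. The PowerShell audit below is an added example, not part of the original article: the function name `Test-ChecklistVolume` and its pass rules are assumptions made for illustration, built on the `Get-BitLockerVolume` and `Get-Volume` cmdlets.

```powershell
# Added example: audit local volumes against the three checklist items.
# Run in an elevated PowerShell session (BitLocker and Storage modules).
# The pass rules are this example's reading of the checklist.

function Test-ChecklistVolume {
    param($Volume, [string]$DriveType)

    # Protector types present on the volume, e.g. TpmPin, Password, RecoveryPassword
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $protected = "$($Volume.ProtectionStatus)" -eq 'On'

    if ("$($Volume.VolumeType)" -eq 'OperatingSystem') {
        $rule = 'System drive: TPM and PIN'
        $ok = $protected -and ($types -contains 'TpmPin')
    }
    elseif ($DriveType -eq 'Removable') {
        $rule = 'Removable drive: BitLocker To Go with password'
        $ok = $protected -and ($types -contains 'Password')
    }
    else {
        # PublicKey is the certificate (smart card) protector
        $rule = 'Fixed data drive: password or smart card, auto-unlock'
        $hasCredential = ($types -contains 'Password') -or ($types -contains 'PublicKey')
        $ok = $protected -and $hasCredential -and ($Volume.AutoUnlockEnabled -eq $true)
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Rule       = $rule
        Status     = "$($Volume.VolumeStatus)"
        Protectors = $types -join ','
        Compliant  = [bool]$ok
    }
}

$report = foreach ($v in Get-BitLockerVolume) {
    # Get-Volume supplies Fixed/Removable; BitLocker only reports OS vs. data volumes
    $driveType = 'Fixed'
    if ($v.MountPoint -match '^[A-Za-z]:$') {
        $driveType = "$((Get-Volume -DriveLetter $v.MountPoint[0]).DriveType)"
    }
    Test-ChecklistVolume -Volume $v -DriveType $driveType
}

$report | Format-Table -AutoSize
# Volumes listed here need attention before the device is handed out
$report | Where-Object { -not $_.Compliant } | Select-Object MountPoint, Rule
```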
For more details on deploying BitLocker, see "Prepare your organization for BitLocker: Planning and Policies."
Don't forget to take advantage of encryption in online services as well, so that data is protected as it travels across the Internet.
4: Connect to the cloud (or don't)
All editions of Windows include support for Microsoft's SkyDrive, a consumer-grade cloud storage service. The SkyDrive sync client is built into Windows 8.1, and it's handy in terms of roaming settings and allowing access (on supported hardware) to recovery keys for encrypted drives that aren't managed in Active Directory. Your employees are likely to use their own personal cloud storage services as well, including the most popular consumer service of all, Dropbox.
If you're concerned about information traveling outside your organization, you should use Group Policy to disable SkyDrive integration. If your organization is standardized on Windows 7 or later, you can use AppLocker to whitelist approved applications and blacklist unwanted ones. You can use third-party software like PolicyPak to prevent employees from using Dropbox, Google Drive, and other services.
An even better strategy is to provide a robust, officially supported cloud solution along with a well-designed policy for using it. For some alternatives, see "Six business-class cloud storage services: Which one is right for you?"
5: Use a virtual machine for untrusted apps
The business editions of Windows 8.1 (Pro and Enterprise) include Hyper-V virtualization as an optional feature. For employees who need to use applications that don't run on Windows 8.1 or who frequently do demos of your company's products or services, you should set up Hyper-V and train them in its proper use. For step-by-step instructions, see "Using Windows 8 Client Hyper-V."
6: Don't fall for bogus performance-enhancing tricks
If you've put together a clean, well-managed Windows image and installed it on modern hardware, you shouldn't need to do much tweaking to improve its performance. In fact, the most important advice I can offer is to avoid falling for common system configuration changes that do more harm than good.
Here are the four most commonly cited pieces of bad advice:
- Adjusting the size and location of the Windows pagefile. Back in the Dark Ages of Windows, this might have made a difference. On modern Windows versions, the system-managed pagefile does a perfectly adequate job. You should consider adjusting this value only on workstations that do advanced image and video editing — and then only after you've used Performance Monitor and other tools to see how much pagefile usage you really need.
- Using registry cleaners. These tools are, almost without exception, snake oil. In years of monitoring these utilities, I've never found a verifiable claim of performance improvement and have heard countless stories of systems that were rendered unusable by an overly aggressive registry cleaner. Train your users to steer clear.
- Turning off unneeded services. It's true that third-party services can have an impact on performance and can introduce security risks. That's why you should investigate any third-party app carefully before deploying it, and you should look at the security implications of built-in services as part of your standard image. But turning off built-in services rarely makes a noticeable difference in performance, despite what some popular websites claim.
- Separating data and system drives. The switch from rotating disk drives to SSDs has meant that system drives are smaller than they used to be. For packrats, that can cause unexpected problems when free disk space suddenly shrinks to zero. On desktop PCs and portables that support a second drive, it's possible to move a user's data folders to a dedicated drive. But don't try to go too far by moving program files and the entire Profiles directory to another drive. That's an unsupported configuration and one that will likely cause you heartache later. For details, see "Don't move your Windows user profiles folder to another drive."