As Microsoft prepares to release Windows 8.1 to manufacturing later this summer, the software maker has focused on the enterprise with its flagship desktop operating system. In an era when employees no longer exclusively use corporate-issued desktops and laptops, Windows 8.1 security is especially important. The following top five Windows 8.1 security features address the protection of devices and enterprise data.
Remote business data removal: This Windows 8.1 feature allows administrators to perform a partial wipe of PCs participating in bring-your-own-device (BYOD) programs.
Some devices running Windows 8.1 may not be owned by the company and may contain personal data not needing corporate safeguards.Data can be classified as "corporate" or "user" to partition information that should or shouldn't be involved in wipe requests. Administrators can also classify data to be encrypted, as well as whether certain data should be removed from a device when the user's employment or contractual relationship with any entity has ended. IT can also use the Exchange ActiveSync protocol to instruct Windows to wipe corporate data either by destructive rewrites or simply marking the data as "inaccessible," but not deleting it.
Workplace Join: You can think of this Windows 8.1 feature as essentially a domain join "lite." In Workplace Join, a device owner subscribes his or her computer to a set of security policies that allow a Windows Server 2012 R2-based domain to control the presence of certain data and, perhaps most importantly, perform a limited wipe as described above.
Users who join a workplace can use their domain accounts to access published resources on the network, such as file shares and applications, without giving domain administrators total control over their device. Domain admins can now apply minimum standards for access to sensitive resources without allowing anonymous access with no control. Workplace Join attempts to strike a balance between information integrity and the sovereignty of personally owned devices.
Assigned Access: This new feature in Windows 8.1 is really designed for kiosk, call center or academic environments (and for home users on the consumer side). It locks a workstation down to one Windows Store-based application and actively prevents the user from accessing any other application or part of the system.
More on Windows 8 security features
Microsoft targets the enterprise with Windows 8.1 security enhancements
Windows 8 leaves gaps in security
Pros among Windows 8 features include BYOD security
Getting to the truth about Windows 8 features
Any review of desktop security should include Windows 8
Security features improve in Windows 8, but vulnerabilities persist
This unfortunately does not work with desktop-based applications, so its use in enterprise settings is currently pretty limited. As your organization develops Windows Store apps for internal use, you might find this feature compelling as a security solution.
Biometric Folder and Authentication Security: With this feature, you give your device the finger, and it lets you in. Well, a fingerprint, to be more exact. Users can control access to specific folders based on a fingerprint rather than a password or smartcard, which significantly increases total system security.
Windows 8.1 works with a variety of fingerprint readers, both traditional swipe and newer touch-based readers that can detect a live human being's fingerprint as opposed to an emulated print that may be used nefariously.
But the story extends to organization control -- administrators can control Windows 8 Pro and Enterprise editions so fingerprint authentication is required before personal certificates are used in transactions as well, and they can also control access to Windows Store (originally Metro) apps.
Windows 8.1 Device Encryption: Much has been written about the easy-to-use and fully secure BitLocker drive-encryption product, which was first introduced with Windows Vista, but improved over each successive version of the operating system.
In the Windows 8.1 era, Windows RT tablets are automatically encrypted when a Microsoft account is used for login. And, for the first time, all editions of Windows -- Windows RT, 8.1, Consumer or Enterprise -- can use BitLocker.
On Windows 8.1 Pro and Enterprise devices, you get additional configuration flexibility through more Group Policy options than those that existed in Windows 8. In addition, devices that use Microsoft's connected standby feature, which leaves devices almost off, but maintains their persistent connection to the Internet -- have their data encrypted while at rest to prevent unauthorized access to unattended devices.
This was first published in August 2013