Continuing my series of peeks at compelling, forward-leaning sessions from TechEd 2013, this week's entry is about new security features in Windows 8.1. If you've written off Windows 8 (or RT) already, this might be enough to trigger a second look, or at least get you to start thinking about the future.
If you're curious about checking out the original Windows 8.1 security presentation, you can find it on the Channel 9 website. I didn't attend the actual presentation while at TechEd, but I did attend group and 1:1 meetings about Windows 8.1 features for the enterprise, which was what got me originally interested in this topic.
In case you're not aware, Windows 8 is by far the most secure version of Windows yet created. By way of comparison, the latest release of Microsoft's Security Intelligence Report indicates that Windows 7-based PCs are fully six times more likely to be infected by malware than those running Windows 8. And the picture is much worse for Windows XP, as you might expect: Windows 8 is 20 times more secure than XP.
As an evolution of the existing code base, Windows 8.1 of course builds on the security successes in Windows 8 while providing glimpses at a future in which even more pervasive security is possible. Let's look at three examples of this: device encryption, selective wipe, and support for a new generation of biometric interfaces.
Where Windows 8 provides excellent BitLocker-based encryption capabilities, with the Windows RT variant offering a simpler, unmanaged full-disk encryption feature, Windows 8.1 nudges things forward. BitLocker is easier to provision and deploys roughly 20 times faster. If you're using next-generation encrypted hard drives, it takes less than 1 second.
Best of all, however, full-disk encryption is now automatic for all versions of Windows going forward (Windows 8 and RT with the Windows 8.1 update installed, and newer). What this means is that, by default, every new Windows installation will ship with automatic encryption applied to the OS volume, as is the case with Windows RT (and Windows Phone 8) today. (It works as it does in Windows RT today: The encryption is applied when you first sign in with an administrator-class user account.)
BitLocker and BitLocker To Go will still be available on Windows 8 Pro and Enterprise, as is the case today, providing managed encryption capabilities. But the push here is obvious: a future in which all devices are simply encrypted out of the box.
Windows 8.1 will also introduce a necessary evolution to the remote wipe capabilities you might be familiar with in Exchange ActiveSync (EAS). Called Selective Wipe, this new form of remote wipe only removes corporate data from a Windows device, while retaining personal data. The notion here is that users are increasingly using their own devices for work—the so-called Bring Your Own Device (BYOD) movement—and that providing such a capability is less traumatic for everyone involved.
You can trigger Selective Wipe via EAS as with Remote Wipe today, but also with the newer Open Mobile Alliance Device Management (OMA-DM) standard. (This is used by Windows Intune as well as several third-party device management solutions.)
As with the other security features mentioned here, Selective Wipe is just a step to a more elegant future. In this case, what we're seeing in this initial release is the ability to wipe corporate information from email and Work Folders (the latter of which is another new feature that requires R2 on the server). Future updates will add more capabilities to Selective Wipe.
Microsoft is also starting to move past passwords with modern access control technologies. This, too, is a multi-step process, with virtual smart cards—a new form of software-based multi-factor authentication—first debuting in Windows 8. But in Windows 8.1, Microsoft is adding support for a new generation of biometrics that could change everything.
Fingerprint readers have been available in PCs for years, of course, but few PC makers have rolled them out very broadly (with the notable exception of Lenovo). If you've used such a device, you know they're painful to configure and often balky in use, requiring multiple swipes of your finger in many cases before they authenticate you.
This year, new fingerprint readers are coming that will literally require just a quick tap of the finger. The reliability, allegedly, is amazing, and for you CSI types—we've all seen the movie and TV thrillers where a severed hand, finger, or eye is used to bypass a computerized security system—it won't work if the finger's owner is dead. (Yes, we asked: Within seconds after death, the finger is useless as a security key.)
The fact that Windows 8.1 would support new fingerprint reader technology isn't surprising. But Microsoft has also gone the distance by integrating this capability deeper into the OS. It will support "Touch to Buy" capabilities for Windows Store apps and for Xbox Music and Xbox Video movie and TV rentals and purchases, in addition to the expected integration with Windows and remote access sign-ins, as well as any UAC prompts. And when you use a fingerprint reader-based PC, you can just tap the reader while looking at the lock screen: Windows will simply sign in the correct user without requiring you to manually open the lock screen first. And yes, third-party apps can hook into the new APIs as well.
There's so much more going on in Windows 8.1 with regard to security, including a coming provable PC health service that will improve over time, a new network behavior monitoring feature for Windows Defender, and a new way to handle ActiveX controls or other binary browser extensions in Internet Explorer 11 that prevents exploits. But you get the idea: With Windows 8.1, Microsoft is pushing ever forward from a security perspective, of course. But some of the security improvements in this release are quite forward leaning and a great peek at what we can expect after this release.