Business Enhancements For Surface Pro 3 & Windows 8.1

On a day where most were expecting a small announcement, Microsoft had something big to tell the world.  Weighing in at under 800 grams, the Surface Pro 3 has been designed specifically for professionals and students who are looking for the power of a laptop, with the look and feel of a tablet. IT professionals will especially take interest in the fourth generation i5 and new i7 models when running any of the provided Step-By-Step labs in Hyper-V natively on Windows 8.1. With that being said, alongside the TPM Bitlocker enabling chipset ensuring FIPS 140-2 compliance for security, much to do around touch and scribe were enhanced on the sharp 2160x1440, 3:2 aspect ratio, 12 inch Surface Pro 3 display.  This enablement has peaked the interest of companies such as BMW Group, The Coca-Cola Company and LVMH - Moët Hennessy Louis Vuitton who have already committed to deploying the Surface Pro 3 as one of the choices from within their organization. Windows 8.1 completes the business offering as it can offer businesses the ability to securely enable its people to be more successful in their tasks.

Microsoft is currently maneuvering itself to better address needs around Mobility Security, and Modern User Interface experiences.  It was a tall order to fill when Microsoft released Windows 8 and with the launch of Windows 8.1 and Windows 8.1 update 1 shortly there after, Microsoft does even more to address what is important to those currently using or considering deploying Windows 8 for business.

Enhancements brought forward to further enable business in Windows 8.1 update 1 include:

  • Workplace Join – This feature allows a middle ground between all or nothing access, allowing a user to work on the device of their choice and still have access to corporate resources. IT administrators are now given the ability to offer finer-grained control to corporate resources. If a user registers their device, IT can grant some access while still enforcing some governance parameters on the device to ensure the security of corporate assets.

  • Work Folders - This feature allows a user to sync data to their device from their user folder located in the corporation’s data center. Files created locally will sync back to the file server in the corporate environment. This syncing is natively integrated into the file system and happens outside of the firewall client sync support.  With Work Folders, Users can keep local copies of their work files on their devices, with automatic synchronization to your data center, and for access from other devices. IT can enforce Dynamic Access Control policies on the Work Folder Sync Share (including automated Rights Management) and require Workplace Join to be in place.

  • Open MDM- While many organizations have investments with System Center and will continue to leverage these investments we also know that many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices. With Windows 8.1, you can use an OMA-DM API agent to allow management of Windows 8.1 devices with mobile device management products, like Mobile Iron or Air Watch.

    Download and trial MDM on System Center Configuration Manager

  • NFC tap-to-pair printing – Tap your Windows 8.1 device against an NFC-enabled printer and you’re all set to print without hunting on your network for the correct printer. You also don’t need to buy new printers to take advantage of this; you can simply put an NFC tag on your existing printers to enable this functionality.

  • Wi-Fi Direct printing – Connect to Wi-Fi Direct printers without adding additional drivers or software on your Windows 8.1 device, forming a peer-to-peer network between your device and any Wi-Fi enabled printer.

  • Native Miracast wireless display – Present your work wirelessly with no connection cords or dongles needed; just pair with project to a Miracast-enabled projector through Bluetooth or NFC and Miracast will use Wi-Fi to let you project wire-free.

  • Mobile Device Management - When a user enrolls their device, they are joining the device to the Windows Intune management service. They get access to the Company Portal which provides a consistent experience for access to their applications, data and to manage their own devices. This allows a deeper management experience with existing tools like Windows Intune. IT administrators now have more comprehensive policy management for Windows RT devices, and can manage Windows 8.1 PCs as mobile devices without having to deploy a full management client.

  • Web Application Proxy - The Web Application Proxy is a new role service in the Windows Server Remote Access role. It provides the ability to publish access to corporate resources, and enforce multi-factor authentication as well as apply conditional access policies to verify both the user’s identity and the device they are using resources, and enforce multi-factor authentication as well as verify the device being used before access is granted.

  • RDS Enhancements - Enhanced VDI in Server 2012 R2 which delivers improvements in Management, Value, and User Experience. Session Shadowing allows Admins to view and remotely control active user sessions in an RDSH server. Disk dedupe and storage tiering allow for lower cost storage options. User experience for RemoteApps, network connectivity and multiple display support has been improved. Administrators can now easily support users with session desktops to provide helpdesk style support. Administrators now have even more flexible storage options to support a VDI environment without expensive SAN investments. End users will find RemoteApp behavior is more like local apps, and the experience in low-bandwidth is better, with faster reconnects and improved compression, and support for multiple monitors.


Mobility is one of the major enablers taken into consideration as of late and is amplified via the announcement of the upcoming Surface Pro 3.  The traditional workstation and desktop computer are being replaced in favour of the latest Surface Pro or other notebooks, tablets and even in some cases smartphones to allow workers to work from anywhere and anytime.  Microsoft adheres to end user mobility needs by including the following into Windows 8.1:

  • VPN - Added support for a wider range of VPN clients in both Windows and Windows RT devices and the ability to have an app automatically trigger VPN connections.
  • Mobile Broadband - Support for embedded wireless radio, which provides increased power savings, longer battery life, also enables thinner form factors and lower cost devices.
  • Broadband tethering – Enabling the use of a mobile broadband-enabled PC or tablet into a personal Wi-Fi hotspot, allowing other devices to connect and access the internet.
  • Auto-triggered VPN –When selecting an app or resource that requires access through the inbox VPN, Windows 8.1 will automatically prompt you to sign in with one click. This feature will be available with Microsoft and third-party inbox VPN clients.


Security is also always top of mind for IT administrator and managers alike when deploying devices to be utilized in field.  Microsoft further enhances security in Windows 8.1 by offering:

  • Remote Business Data Removal - Corporations now have more control over corporate content which can be marked as corporate, encrypted, and then be wiped when the relationship between the corporation and user has ended. Corporate data can now be identified as corporate vs. user, encrypted, and wiped on command using EAS or EAS + OMA-DM protocol. This capability is requires implementation in the client application and in the server application (Mail + Exchange Server). The client application determines if the wipe simply makes the data inaccessible or actually deletes it.
  • Improved Biometrics - All SKU’s will include end to end biometric capabilities that enable authenticating with your biometric identity anywhere in Windows (Windows sign-in, remote access, UAC, etc.). Windows 8.1 will be optimized for fingerprint based biometrics and will include a common fingerprint enrollment experience that will work with a variety of readers (touch, swipe). Modern readers are capacitive touch based rather than swipe and include liveliness detection that prevents spoofing (e.g.: silicon emulated fingerprints). Access to Windows Store Apps, functions within them, and certificate release can be gated based on verification of a user’s biometric identity.
  • Pervasive Device Encryption - Device encryption previously found on Windows RT and Windows Phone 8 is now available in all editions of Windows. It is enabled out of the box and can be configured with additional BitLocker protection and management capability on Pro and Enterprise SKU. Consumer devices are automatically encrypted and protected when using a Microsoft account. Data on any Windows connected standby device is automatically protected (encrypted) with device encryption. Organizations that need to manage encryption can easily take add additional BitLocker protection options and manageability to these devices.
  • Internet Explorer 11 -  Improvements include faster page load times, side-by-side browsing of your sites, enhanced pinned site notifications, and app settings like favorites, tabs and settings sync across all your Windows 8.1 PCs. Internet Explorer 11 also now includes capability that enables an antimalware solution to scan the input for a binary extension before it’s passed onto the extension for execution.
  • Malware Resistance –Windows Defender, Microsoft’s free antivirus solution in Windows 8, will include network behavior monitoring to help detect and stop the execution of known and unknown malware. Internet Explorer will scan binary extensions (e.g. ActiveX) using the antimalware solution before potentially harmful code is executed.
  • Assigned Access- With Assigned Access, a new feature offered in Windows 8.1 RT, Windows 8.1 Pro and Windows 8.1 Enterprise, you can enable a single Windows Store application experience on the device.  This can be things like a learning application for kids in an educational setting or a Customer Service application at a boutique, Assigned Access can ensure the device is delivering the intended experience. In our Windows Embedded 8.1 Industry product, we deliver additional lockdown capabilities to meet the needs of Industry devices like Point of Sale Systems, ATMs, and Digital Signs.


Last but not least , experience enhancements were also a critical part of Windows 8.1's development.  Changes to the user interface include:

  • Variable, continuous size of snap views -  Provides more ways to see multiple apps on the screen at once. Apps can be resized to nearly infinite sized windows, share the screen between two apps, or have up to three apps on each monitor depending on resolution.
  • Boot to Desktop -  The availability to allow users to boot directly to the desktop in Windows 8.1.
  • Desktop and Start screen – Improvements made to better support users who prefer a mouse and keyboard experience to access applications.


Please note that Windows Server 2012 R2 may be required in order for some of these features to be available.

Windows 8.1 update 1 coupled with the Surface Pro 3 will change mindsets in most businesses as to further enable its people.  Be sure to visit Microsoft Virtual Academy to learn more as to what this empowerment can mean for your organization. Courses such as What is New in Windows 8.1 Security are a great starting point when deciding how to further enable your business.