Again, a bit of a type-while-we-talk, so feel free to ask questions. This was very much an open forum, and we pounded the panelists with some tough questions. Here's the gist of the dialogue:


Panelists: Brad McCabe, Stephen Rose, Chris Hallum, Craig Ashley, Michael Niehaus

Their favorite features? Mobile device management; the UI guy likes the Start Screen. The mobile guy likes the mobile inbox and VPN capabilities. Stephen likes the boot-to-desktop feature in 8.1.

Are you guys able to talk about embedded? "A large retailer" is looking to deploy 2500 Lenovo tablets this week. How do I put LOB apps front and center instead of Bing/ESPN? What sort of POS Ready approach are you taking? That's being created by the embedded team, and yet the Win8 team is talking to the embedded team to get these things working for kiosks and POS terminals.

Can I turn off automatic updates from Windows? Yes, you can turn it off in GPO. Users say: no, you can't. Presenters say: okay, we'll check on it.

From an overall support perspective, we want to better manage controls; we don't want to link to an MS account for our users. This is not required. You can go into a customization tool in 8.1, then push it with GPO. See

We're testing 8 for hidden access points. When they switch profiles the users are having to recreate the SSID. Let's talk this offline.

Will the offensive malware approach be in 8.1? Yes, this is the culmination of 10 years of work on security to help be more offensive than defensive, blocking those attack vectors before they are attacked at scale. Using PKI defenses is part of this.

My mobile workers are using Win8 3G tablets, and after sleep cellular isn't coming back up. They have to reboot to get the connection back. Seems to be a common issue across multiple users, customers, devices, etc.

Can you explain the thinking to include BitLocker in RT, but not Pro? RT is running an almost-BitLocker and integrates with SkyDrive. Full BitLocker has many more features, and is now being made available to all versions of Windows 8. TPM is a critical component.

Is Windows Defender and cloud going to be a charged solution? Fee-based? No, these are available at no cost for all Win8. Still recommend a local resource, but the cloud offering is looking for very specific vectors of attack.

For imaging, should we go to DISM instead of ImageX? Microsoft looked at how people do imaging, and if you're still using disk-based imaging it doesn't matter what tools you use, just use WIM. DISM is the command-line tool that includes the most options. ImageX will be deprecated in future. PowerShell is being exposed for DISM also.

Has there been anything done with video scaling for external monitors for Surface? It goes to 150%. A third-party tool may be best here.

I'm using sysprep; with Win8 the app store updates are breaking sysprep. Can you comment on the connection between the App Store and how it impacts common IT practices? "There's a few levels of issues." Keep in mind sysprep is meant to build a new machine, not migrate users. The way Windows Store apps are installed, they are per user. This will break sysprep intentionally since it doesn't support local user apps.

So you see Windows moving towards a more aggressive release model? If we look at what we do with 8.1, Microsoft is trying to look at market needs and release as necessary. They'll continue to be agile and offer app improvements, battery life updates, general performance, BIOS updates, all sorts of things. There are monthly update rollups that now include more than just security.

Why do we force people to sign out to change resolution? We don't know, we'll take a look.

University is deploying Win8 and wants few points of failure. Is defender built in? And will it be more robust from the client and/or the command console? It's built in, and with SCEP it's manageable, but no plans for the local defender enhancements for user tweaking.

Windows Store is breaking after imaging and joining the domain? There may be a GPO security template that could easily break the store, given that there are new SIDs for the store.

Thanks for bringing back the start menu, but have you thought about how this impacts training the end users? We've heard the feedback, we're bringing it back, and we think you'll be back.

Why is there no on-screen keyboard for BitLocker? Let's roll back and ask why there's pre-boot authentication in the first place: DMA ports (like FireWire) can be exploited. Another attack vector would be freezing memory. That being said, with new devices we don't need pre-boot authentication since the devices are now secure.
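To see which of the two configurations discussed above a machine actually uses, the BitLocker key protectors on the OS volume can be listed. This is an added example, not something shown by the panel; the function name `Get-PreBootAuthState` is made up for illustration, and the live query must be run from an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example: classify BitLocker protectors by whether they require
# pre-boot authentication (PIN or startup key) or unlock on the TPM alone.
function Get-PreBootAuthState {
    param([string[]]$ProtectorTypes)
    $withAuth = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    if ($ProtectorTypes | Where-Object { $_ -in $withAuth }) {
        'TPM plus pre-boot authentication'
    } elseif ($ProtectorTypes -contains 'Tpm') {
        'TPM only (no pre-boot authentication)'
    } else {
        'No TPM protector'
    }
}

# Constructed samples, so the classification can be checked on any machine
Get-PreBootAuthState @('Tpm', 'RecoveryPassword')      # TPM only
Get-PreBootAuthState @('TpmPin', 'RecoveryPassword')   # TPM plus pre-boot auth

# Live check of the operating system volume (requires elevation)
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = $_.KeyProtector.KeyProtectorType -join ', '
            PreBoot          = Get-PreBootAuthState $_.KeyProtector.KeyProtectorType
        }
    }
```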

I have multiple users sharing machines. They have multiple app store updates per user. Can I automate updates? With 8.1 and above we can tell it to automatically update.

When I use Explorer to browse users, logged in as domain admin, I get UAC prompts. Why? UAC is working as designed. We have changed some of the default policy actions; now by default UAC is still on even if degraded. It could still be turned off by policy.

I like my Surface Pro, but there's a folder (WinFX?) that grows a lot. On a tablet that could be bad. This folder is being cleaned up more properly. During imaging you can clean it up during DISM. Win8.1 allows us to clear original base components also. The upgrade to 8.1 will also do a lot of cleanup. You can also use portable media to offload. The scheduling of DISM cleanup could be useful.

Training for end users? Windows 8 Handbook App (free); Microsoft Stores are doing free classes.

Why should we overcome inertia and move to Win8? Go straight to 8.1 if you haven't already begun a migration. For tablets, Windows is secure, manageable, and highly supported. Many companies will be handling Win7/8; Windows To Go is also a great platform. BYOD is a huge driver for us these days. Win7 is not touch friendly, and many new devices are touch enabled. When it comes to security with 8, we're applying much more dramatic investment in security than all other OSes combined. XP is 21x less secure than 8. You can also roll out your own app store.

We've got a problem getting app store updates when I'm logged in as domain admin? Proxy, firewall, and other config issues may impact this.

Is there going to be any capability to control more about the public app store? Not sure we'll be able to include that in 8.1.

Where's my wireless configuration manager in Win8? It was useful in Win7. Netsh is meant to be the only way to manage in Win8 now. Given that there wasn't a huge number of people doing the management per PC, they moved the functionality to a more secure and automated way to manage. There are some KB articles on this.
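As an added example (not from the panel), this is what netsh-based profile management looks like in practice, together with a small audit of the XML that `netsh wlan export profile` writes. It flags hidden (non-broadcast) SSIDs like the ones raised earlier, and weakly protected networks. The folder `C:\wlan-audit`, the function name and both sample profiles are constructed for illustration.

```powershell
# Added example. On a live machine the profiles come from:
#   netsh wlan show profiles
#   netsh wlan export profile folder="C:\wlan-audit"
#   netsh wlan add profile filename="C:\wlan-audit\<file>.xml" user=all
# The two profiles below are constructed samples in the exported XML format.
$ns = 'http://www.microsoft.com/networking/WLAN/profile/v1'
$sampleProfiles = @(
@"
<WLANProfile xmlns="$ns"><name>CorpHidden</name>
  <SSIDConfig><SSID><name>CorpHidden</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
"@,
@"
<WLANProfile xmlns="$ns"><name>LobbyGuest</name>
  <SSIDConfig><SSID><name>LobbyGuest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication><encryption>none</encryption><useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
"@
)

function Get-WlanProfileFinding {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $p    = ([xml]$ProfileXml).WLANProfile
    $auth = $p.MSM.security.authEncryption
    [pscustomobject]@{
        # The indexer avoids confusion with XmlElement's own .Name property
        Profile        = $p['name'].InnerText
        Hidden         = $p.SSIDConfig.nonBroadcast -eq 'true'
        AutoConnect    = $p.connectionMode -eq 'auto'
        Authentication = $auth.authentication
        Encryption     = $auth.encryption
        # Open/shared authentication or none/WEP encryption is weak or absent protection
        Weak           = ($auth.authentication -in 'open','shared') -or
                         ($auth.encryption -in 'none','WEP')
    }
}

$sampleProfiles | ForEach-Object { Get-WlanProfileFinding $_ } | Format-Table -AutoSize
# Exported files: Get-ChildItem C:\wlan-audit\*.xml |
#   ForEach-Object { Get-WlanProfileFinding (Get-Content $_.FullName -Raw) }
```

With the samples above, `CorpHidden` is reported as hidden and not weak, and `LobbyGuest` as broadcast and weak.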