Microsoft Surface and Group Policy don't mix -- now what?

Policy management in the post-PC world will be different -- and inferior for a while -- than for traditional Windows PCs

Is Microsoft joining Apple and Google in divorcing mobile devices from the standard management systems IT relies on? It sure seems that way.

On Friday, Microsoft will ship its Surface tablet running Windows RT -- the Metro-based operating system whose desktop is limited to the bundled Office apps and system utilities and which, unlike Windows 8, can't run traditional desktop applications. Windows RT also can't join an Active Directory domain, which means IT can't manage Surface tablets using Active Directory domain settings such as those applied by the Group Policy engine. Microsoft will ship Surface tablets running Windows 8 Pro, but not for another three months. You can expect Windows RT tablets to enter the enterprise, posing the same kind of challenges the iPhone and iPad first did.


Maybe it's not so much of a challenge. For quite some time, we've seen the acceptance of iOS and, to a lesser extent, Android and Windows Phone, none of which can join domains but all of which can be controlled through Exchange ActiveSync (EAS) policies, whether via Exchange itself or, more recently, System Center Configuration Manager (SCCM) or Intune.
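As an added illustration of what EAS-based control looks like in practice (this is editor-supplied example code, not part of the original article), the Exchange 2010 Management Shell script below defines a baseline mailbox policy for tablets, assigns it to a user, rejects devices that cannot enforce it, and then reports which policy each of the user's synced devices actually applied. The policy name, user alias, and admin address are made-up placeholders, and the `WindowsMail` device-type string used for the Windows 8/RT Mail app is an assumption to be verified against your own `Get-ActiveSyncDeviceStatistics` output before you rely on it.

```powershell
# Example: controlling non-domain-joined tablets with Exchange ActiveSync policies.
# Run in the Exchange 2010 (SP1 or later) Management Shell. All names are placeholders.

# 1. Baseline policy: PIN, auto-lock, wipe after repeated failures, storage encryption.
#    AllowNonProvisionableDevices $false is the key check: a client that cannot
#    enforce these settings is refused sync rather than silently synced unmanaged.
New-ActiveSyncMailboxPolicy -Name "TabletBaseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (use a distribution group or filter for bulk assignment).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "TabletBaseline"

# 3. Quarantine anything not explicitly allowed, so new device types show up for review
#    instead of syncing on first contact. Admins listed here get the quarantine notices.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@example.com"

# 4. Allow a known device family by its DeviceType characteristic.
#    ASSUMPTION: the Windows 8 / Windows RT Mail app reports DeviceType "WindowsMail";
#    confirm the exact string from step 5 before creating the rule.
New-ActiveSyncDeviceAccessRule -QueryString "WindowsMail" `
    -Characteristic DeviceType -AccessLevel Allow

# 5. Verify: which devices synced this mailbox and whether the policy actually applied.
#    DevicePolicyApplicationStatus other than AppliedInFull means the device is not
#    honouring the policy and should be investigated or blocked.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceOS, DeviceModel, DeviceUserAgent,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize
```

The same controls exist in Exchange 2013 under the `*-MobileDeviceMailboxPolicy` and `*-MobileDevice*` cmdlet names, and Intune and SCCM expose a subset of them through their own consoles; what none of them give you is the breadth of a Group Policy object, which is the point of the rest of this article.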

Although not popular with users, a VDI infrastructure or a Microsoft Remote Desktop Services (RDS, formerly Terminal Services) deployment reached from the tablet's Remote Desktop client is often put in place by administrators. This provides controlled desktop environments that let users connect to the domain and access domain resources in a controlled way, while still allowing users to bring their own device. No doubt someone will extend the remote-desktop technologies to Windows RT.

An increasing number of organizations are also turning to enterprise versions of cloud storage tools such as Dropbox and Box to manage tablet access to data that has historically been stored on domain-managed file servers. The use of public cloud storage services, which can't be managed by IT, scares many IT organizations. IBM, for example, has banned their use. But Windows RT, like Windows 8, comes with a SkyDrive cloud storage app preinstalled, and Microsoft expects tablet owners to use that Microsoft cloud storage service routinely.

What does this indicate about the future of traditional IT infrastructure even in the Microsoft world? Will we see a full shift away from traditional management of devices as a result of the BYOD movement and the emergence of a whole new method? Is Group Policy dead?

Not quite, according to Jeremy Moskowitz, a Group Policy MVP and founder of PolicyPak Software (which makes desktop management tools):

It's pretty clear Microsoft will support Group Policy while introducing Group Policy-like functionality into other products. Windows Intune is Microsoft's "manage computers as a service" offering, and it has some rudimentary Group Policy-like functionality to control firewall settings, updates, patch settings, and antivirus settings. And Microsoft SCCM has some Group Policy-like functionality to manage power settings, and with the upcoming System Center 2012 SP1 it will soon overlap some settings for offline files with how profiles are managed.

With Windows 8 and Windows Server 2012, Microsoft keeps pumping more resources into Group Policy, enhancing the underpinnings for reliability, troubleshooting, and reporting. That being said, Windows RT devices today appear to be manageable only by Windows Intune. But tomorrow, it will be by Windows Intune and SCCM.

Moskowitz says IT needs to treat Windows RT and Windows 8 separately. Where traditional full management is needed, it should support Windows 8 devices instead of Windows RT hardware. Windows RT devices should be treated like iPads and related items -- to be managed by other tools, such as mobile device management (MDM), for uses that don't touch the core enterprise assets.

In the years ahead, we may see management tools that provide Group Policy-like settings but do not require domain-join capabilities. Already, tools from Centrify and Meraki for iOS provide Group Policy-based Active Directory authentication. Given how many mobile platforms already rely on EAS for basic management, it's a likely conduit to take on that expanded role.

Until then, enterprise admins will have to wear two hats in their organizations. When wearing the traditional one, they'll use Active Directory domains with Windows PCs and tablets that have group policies applied. When wearing the post-PC hat, they'll use creativity and separate tools to accomplish similar tasks across new-gen devices running operating systems from Apple, Google, and -- yes -- Microsoft.

This story, "Microsoft Surface and Group Policy don't mix -- now what?," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2012 IDG Communications, Inc.