This content is part of the Essential Guide: Should you migrate to Windows Server 2012 R2?

Q&A: Anderson talks BYOD management in Windows Server 2012 R2

Microsoft's Brad Anderson talks about changes to expect in Windows Server 2012 R2 features, including some to security and enterprise mobility.

This is part two of a two-part Q&A about the features in Windows Server 2012 R2. Part one can be found here.

In this interview with SearchWindowsServer, Microsoft's Brad Anderson discusses new features in Windows Server 2012 R2 for enterprise mobility, security, and cross-platform integration with Apple iOS and Android devices.

Which security features in Windows Server 2012 R2 can help you better manage Windows 8.X on the desktop?

Brad Anderson: There are a couple of things. One of the innovations in 2012 R2 is Work Folders. When I am working on files, I can save them and they are automatically replicated back to my file servers in my data center, then replicated back out to my other devices. So, IT now has a copy of all the corporate data I am working on and its security can be backed up in the data center, and it is also available to end users on all of their devices.

SkyDrive, you mean?

Anderson: It is the Work Folders. SkyDrive backs everything up to an Azure-based service. The No. 1 requirement we heard from customers is: Give us the ability to bring our users' files back to our data centers, better assuring that all personal files are secured. One of the innovations we delivered in Windows Server 2012 is DAC -- Dynamic Access Control. What that allows you to do is express a policy on your files so when certain words appear in a certain folder, it automatically encrypts that data and write-protects it. But we went a little further.

Say that a file gets sent in an email to someone that shouldn't receive it; you wouldn't be able to open it because you have to authenticate to Active Directory in order to see it. So, being able to protect things at the file level was one of the back-end pieces we added. We also added the ability to selectively wipe your Windows device but distinguish between your personal and corporate data. One of the jobs we have is to separate what is user vs. corporate data.

So, the BYOD phenomenon is making its influence felt? 

Anderson: That's right. If someone loses their device, IT has to wipe it to ensure protection of the corporate assets. But when they wipe it, it just wipes the corporate data but leaves the personal data in place.

This is for Windows-based devices only?

Anderson: Today it is Windows-based devices, but we will extend those capabilities out to iOS and Android.

Do you know when?

Anderson: I don't know what is coming in the V-next yet. I haven't quite finished the vision document yet [laughs]. It is interesting because there are some things we can do on Windows devices because we have the whole Windows ecosystem of Microsoft. And then there are certain things iOS allows you to do and some things they do not allow you to do. We work with Apple in terms of what they enable us to do, but we definitely have that desire.

It seems to make good business sense.

Anderson: Absolutely. When you talk about BYOD, you have to cover Windows devices, iOS devices and Android devices. And then when you say 'Android devices,' there are Android devices and then there are Samsung devices, because there is a difference. That ability to give users a consistent experience on their PCs, Windows devices, iOS devices and Android devices is something unique to what we are doing right now. PCs and devices are what organizations need.

Can you explain a little more about Workplace Join?

Anderson: Domain join has long been one of those requirements IT has needed to make sure the device is secure and ready for corporate work. IT wants to understand what devices are working because it wants to be able to set policy based first on the user, then the device and then on the network location.

So what we have done is -- and think of this as the modern domain join -- Workplace Join, which allows the user to bring in their device, register it with Active Directory, and as part of registering the device the user accepts the ULA [user license agreement] in terms of what the corporation expects. But the user is in control of the device because it is the user's device, but now IT can set policy on it, but it is a lightweight set of policies compared to what domain join can do.

And that is only for a Windows-based device?

Anderson: No, it works with Windows, iOS, Android, you bet. 

How would that experience work on an iOS device?

Anderson: When you bring down the company portal, one of the things you are asked is to register yourself with the service. So Windows Intune requires authentication with Azure Active Directory, just like Office 365. So, as a part of getting all that configured, you register your device with the service.

Why don't you release Office for iOS? We know you have it stashed back there in the vaults.

Anderson: I have no idea what you are talking about [laughs].

Well, you are holding it back and using Office for Windows as a competitive leverage to sell more Surface devices.

Anderson: Well, that is certainly a nice advantage right now. 

Senior news writer Diana Hwang and associate site editor Jeremy Stanley contributed to this report.
