Here's how Windows 8 will allow administrators to sideload and manage apps

Here's how Windows 8 will allow administrators to sideload and manage apps

Summary: Microsoft slowly but surely is fleshing out some more Windows 8 details of potential interest to IT admins and business users.


Last week, with the rollout of the Windows 8 Consumer Preview, Microsoft officials focused on the consumer features and applications for its next-generation Windows client. But on March 6 (at 10 am CET/4 am ET), the business features are slated to be in the limelight.

Microsoft plans to show off some of the business features in Windows 8 this week at the CeBIT show in Germany. Specifically, the Softies are planning to use Chief Operating Officer Kevin Turner's keynote as another venue for demonstrating Microsoft's coming Windows client.

Microsoft posted for download last week a business-focused version of its Windows 8 Consumer Preview guide -- which seemed to indicate that  Windows 8 on ARM (WOA) tablets won't be enabled to join Active Directory domains.

But the Softies also are slowly but surely posting more content on the company's Web site that may be of interest to business users and administrators charged with supporting Windows 8 in the coming months. Among the new content are articles on using the Assessment and Deployment Kit (ADK) and additional Microsoft deployment tools with Windows 8. There is a placeholder page for "managing Windows 8" but no content there yet beyond managing Windows Store.

The new Windows Store managability content does provide some details beyond what Microsoft officials shared at the company's Build conference in September 2011. It adds more details regarding the ability of IT administrators and developers to sideload line-of-business (LOB) applications. (Sideloading, enabled in both the Windows 8 Consumer Preview and the Windows Server 8 beta, allows the installation of apps directly to a device without going through the Windows Store. From that guidance:

"LOB apps do not need to be certified by Microsoft and cannot be installed through the Windows Store but they must be signed with a certificate chained to a trusted root certificate. It is recommended that IT administrators use the same technical certification that is done by the Windows Store on LOB apps."

Microsoft officials already have said that the Windows 8 Store will allow users to purchase and download Metro-style/WinRT apps. Desktop apps may findable from within in the store, but won't be downloadable or purchasable from inside it.

The latest Windows Store manageability article notes that IT administrators can turn off access to the Windows Store for specific groups of users and/or individual machines. Admins also can use group policy to fine-tune the automatic downloading of updates and apps that their users acquire from the Windows Store, and to "manage the abilities of sideloading app installations." The article notes that IT admins can only provide this level of Store manageability to Windows 8 devices which are domain-joined, so this may mean that WOA tablets cannot be regulated this way -- though we're still awaiting final official word from Microsoft on that one.

A few more tidbits:

  • Admins can control access to which Metro style apps can be installed by using App Locker. These policies can be enabled on apps from the Windows Store or Metro style LOB apps that have been sideloaded by the admin
  • App updates from the Windows Store cannot be managed by the IT admin
  • All updates to apps that come from the Windows Store must be initiated by the user
  • Admins can configure the ability of the Windows Store to auto download (but not install) available updates via group policy

The Windows 8 Consumer Preview has gotten a lot of positive public feedback from consumers and some press. But some business users and IT admins have expressed qualms about the mouse and keyboard navigation -- even with the Consumer Preview improvements; a desire to circumvent the tiled Metro interface; and early worries about the amount of retraining that will be required with the much-different-looking OS.

Topics: Apps, Microsoft, Operating Systems, Software, Windows


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Great. Just great. Now individual developers have to be expert in...

    ...Active Directory?

    Another proprietary technology to be locked in to. The MS deadly embrace. Sigh.
    marc van hoff
    • Did you actually read the article?

      The only mention of Active Directory in this article was saying that WOA probably won't be able to join domains.
      How do you get from that to individual developers needing to be experts in Active Directory?
      • So, basically they are limiting the functionality

        And forcing people to stay away from ARM if they wish to join domains? Boneheaded move on Microsoft's part there.
      • Looks like you didn't read it...

        ...see what reidar76 wrote, too.
    • Developers don't need to

      They just need to sign the apps with a certificate, supposedly one that is issued by the Active directory certificate authority. AD administrators will provide the relevant certificate and these administrators will handle all relevant administration.
      • Active Directory adminstrators? Nope, not... my house.

        That's what I was saying: More proprietary crap to deal with to be a one-person development shop.
    • proprietary proprietary proprietary

      Android is proprietary, too. Remember that.
      • Android is proprietary, too. Remember that.

        Yeah but who's greedier? ;)
  • So Enterprises get control

    of their PC's, but you Joe Average PC owner, you do not deserve to have control of your PC that you bought and paid for.
    • Que? Where does it say that?

      • Oh But It Does Say Exactly That

        Enterprise users will be provided with a method to produce signed Metro/WinRT custom business applications for use in their own shops. Average joes with PC's must buy ALL WinRT/Metro applications from the Windows Store. All applications in the Windows Store must pass through MSFT's approval process. Just like AAPL and iOS, if MSFT does not approve of an application you will not be able to load it on your computer. QED you no longer have control of your PC because you no longer have a say in which applications may be loaded on it.
  • Why Metro is likeable?

    Here is a great article that summarizes the principles and influences of Metro design:
    • No.

      This is why its pretty, not why its a good UI (which it is not for desktop/laptops).
      • ?

        you really care about Windows 8 no?.. always commenting, replying to people. if you dont like it why just dont ignore it?

        you dont like it??? you dont think it Works for desktop and laptops... even though I AM using it as my main os and it Works perfectly fine. yeah with my mouse and keyboard, and using desktop software and it Works so much better than old start menu in alot of stuff.

        why dont you help yourself alittle and mature??? maybe? move on and keep using your current OS, and then maybe get a life in the process?.
        Emi Cyberschreiber
      • It is.

        This ui also works great on a pc or laptop, It works well sith mouse and keyboard, but only if you are open to change. I love the snap feature, especially snapping desktop and for instance a metro app. Works great on my desktop and laptop, can't wait to use this on a tablet, wish I could load win8 on my ipad2.
  • No sideloading to WOA?

    The most interesting part:
    [i]"We offer support for enterprises that want direct control over the deployment of Metro style LOB apps. Enterprises can choose to deploy Metro style LOB apps directly to the Windows 8 PCs they manage without going through the Windows Store infrastructure."[/i]

    So if Windows on ARM (WOA) devices can't join a domain in order to come in under IT admins management, then there will be a lot of metro-style applications that can't be installed to WOA PCs.

    Why would anyone develop processor architecture independent apps if the apps will only be allowed to run on x86 anyway? This sounds so silly that it makes me believe that WOA PCs can join a domain and have metro-style LOB apps installed on them.
    • Because there will a sh!tload of apps that won't be used on ADs

      "Why would anyone develop processor architecture independent apps if the apps will only be allowed to run on x86 anyway?"
      Practically any app that currently runs on iOS or Android could be ported to run on WOA without needing to hook into ADs. That's a lot of apps that could be targeted to ARM and x86/x64 Win8 devices.
  • Also locks out Open Source applications

    As there will be no way MS will allow a trust signature to be applied to them.

    No more home development for the same reason.
    • I'm not following...

      If you create an app with an open-source license and then follow the rules to submit it to the Windows Store, then you can get it accepted. I'm pretty sure that the Windows Store policies allow FOSS licenses (as does the WP7 store).

      There is or will likely be a mechanism to allow any apps you develop to be side loaded onto your box (or perhaps any developer box - the way WP7 devs can side-load apps). Without that, developing an app would be *very* difficult.
    • Riiiiiiiiiiiiight.

      Do you think before you type?

      Firstly, ANYONE can develop apps for Windows 8 - just go download Visual Studio 2011 Beta (or updated dev tools from other vendors) and get going. If you were unable to side-load and test your own code on your dev & test machines, how on earth would you ever manage to test your apps?

      The certification and signing process described above is all about making sure that packages which are certified by Microsoft and published to the store are cryptographically "signed with a certificate chained to a trusted root certificate". This means that the signing cert must be issued by one of the officially recognized certificate authorities and/or in the case of enterprises the corporation's trusted cert service. The aim of this is to ensure that packages installed on your PC are signed by someone you can find should you need to contact them for some reason, and that the package has not been tampered with since it was created.

      This will prevent, for example, users being tricked into downloading hacked apps and drivers which have been modified to carry a toxic payload that is installed behind the scenes and which can reap havoc on your machine/device.

      This has NOTHING to do with Microsoft trying to kill open-source. Nothing could be further from the truth. Microsoft is already contributes to several open source projects including Linux Kernel, jQuery, nodeJS, etc. and ships several open-source projects of its own e.g. ASP.NET MVC, IISNode, etc.