The REAL reason Microsoft Windows RT devices won't be able to join AD domains.

By now you've probably heard that the final name of the version of Windows 8 that will run on ARM-based systems is "Windows RT." (I have no idea what the "RT" stands for or why there's no "8" in the name like the x86 versions.) You've probably also heard that Windows RT will not support joining the devices to Windows domains.

Windows RT's lack of domain support has launched a firestorm of complaints and speculation, including a conversation on Slashdot suggesting that Microsoft simply ran out of time. Others have suggested that this is the final nail in the coffin that confirms that Windows RT-based tablets will be aimed at the consumer, while x86-based tablets (with their domain-joining capabilities) will be aimed at businesses.

But neither of these is true.

There are several perfectly logical reasons why Windows RT doesn't have (or doesn't need to have) the capability to join an AD domain.

Reason No. 1: "No domain join" does not mean "no way to manage"

First, the whole concept of a domain join is pretty antiquated. Sure, Windows 8 machines will be able to join AD domains hosted by Windows Server 2012 servers—I'm not saying that domain joins won't exist. I'm saying that the concept of a domain join isn't needed in today's world.

Domain joining is a 20-year-old concept from a time when "managing the computer" was the same thing as "managing the user experience." Back then each user had one computer with one locally installed copy of each piece of software, and that single computer was the entire user environment. But we live in a different world now. Every day we hear more about how we want to "manage the user, not the device." So if we're not managing the device, who cares whether it's in a domain or not?

Nowadays we have virtual applications that we can stream and deliver on demand. We have virtual user environments that we can stream on demand. And we have SSL VPNs with endpoint posture checks and similar tools that verify that our users' devices meet some minimal baseline before they're allowed to connect.

We also have years of providing a rich user experience to users connecting from their own computers at home—computers that we don't manage at all. So I'd flip this question around—if we can get away without managing the users' devices, why would we want to?

Think about what domain joining does, anyway. It lets you push out software, updates, configurations, and patches to devices. Bleh! Who wants to manage devices?

There's a parallel conversation going on in the mobile world right now. People used to be all hopped up on this "Mobile Device Management (MDM)" concept, which let corporations take over and control entire mobile devices. But now we realize that's pretty old school. Corporations don't actually want to manage the entire device; they just want to manage the corporate apps and make sure their data is safe. (Now MDM is evolving into "MAM," Mobile Application Management.)

The same is true with computers. Managing and owning an entire computer? No thanks! I'll just make sure the user can use it to have the apps and data he or she needs. So when it comes to Windows RT, why even bother building in domain join support?

Reason No. 2: Windows RT users don't have the same freewheeling abilities as Windows x86 users

Another thing to keep in mind about Windows RT is that the only way users will be able to install apps on it will be by downloading them from the official Windows Store. (Remember that the "desktop mode" in Windows RT will not be available for general applications and user-installed apps. Users can only install Metro-style apps from the Windows Store.)

So that right there means that most of the crapware IT admins have to clean off PCs isn't even going to be an issue on Windows RT. Now combine that with the fact that BlackBerry, iOS, and Android devices are all manageable via the various MAM products, and you realize that Windows RT can be managed the same way. So you'll get the benefits of domain-style management without the hassle of joining a domain. Super!

Reason No. 3: Active Directory isn't about systems management anymore

The final reason Microsoft isn't building domain join into Windows RT is that AD isn't about systems management anymore. The long-term direction of AD is identity management, single sign-on, federation, and authorization, not managing systems. (If you want proof of that, look at the capabilities Microsoft implemented in its Azure-based "AD in the cloud." This is something we talked about on our radio show last week; here's a video of that segment if you're interested.)

I'm not saying that AD is dead and going away. Rather, I'm saying that tomorrow's AD will not be the same AD you studied when you got your MCSE ten years ago. The old-school on-premises AD was as much about computer accounts, Group Policy, and systems management as it was about user authentication and authorization. And things like federated identity were a joke.

Moving forward, AD will evolve into a cloud-based (on-premises or off) user directory, single sign-on, and federated identity management platform. And it will have nothing to do with pushing out configurations to freaking Windows PCs. (And, thankfully, it will have nothing to do with pushing out configuration policies to Windows RT devices.)

The bottom line

It was smart for Microsoft not to allow Windows RT devices to join the domain. Domain joins are such antiquated ways of thinking. Good riddance!

(This also means, by the way, that it's possible corporations will still buy Windows RT-based tablets for their employees, especially given that Windows RT tablets will have an "extended VDA" license built in.)
