Exchange ActiveSync – it’s the new domain join

If you have been following the development of Windows 8, and in particular Windows RT, the variant of Windows destined for ARM-based processors, there’s a good chance you heard the collective weeping earlier this year about Windows RT and what it meant for the manageability (or unmanageability, as the case may be) of Windows RT devices. The fact that Windows RT devices cannot be joined to a Windows Active Directory domain may at first glance seem like a horrible decision, and one that could cost the platform. But that isn’t the case, and in fact Microsoft made a wise decision to go the route they did with Windows RT. Follow along with me, and I’ll show you why.

When Windows NT was young, both before and after the arrival of Active Directory, most client computers were desktops, not laptops or any other sort of mobile device. A computer was practically a fixture in each office, whether shared between users or one per user. But the main thing is that the computer didn’t move that much, and for the longest time, before the Windows ZAK and ZAW tools/philosophies back in the 1990s, Microsoft’s client management was relatively passive.

As Windows NT blossomed into Windows 2000, Active Directory and the Intellimirror client management technologies came along and assisted in the management of client device applications, user data and settings, and deeper into the management of the operating system itself. As for me, as Windows Whistler turned into Windows XP and Windows Server 2003, I owned Remote Installation Services (RIS), a cobbled-together piece of technology that enabled a naked PC to boot to the network and install an OS and applications. As a result, my focus was often around the client, the client, the client… But you know what? I realized a bit after we shipped XP that the client doesn’t matter. The most important thing was, and is, the user. Can the user get to the resources they need, whenever they need them? Can the user get the applications they need? Can they get up and running quickly if their device goes down? Active Directory became the central hub; machines were joined to the domain in order to enable single sign-on to Exchange, Windows File Servers, SQL Servers (even RIS) and the like.

While laptops were still good candidates to be joined to Active Directory, since they would connect to corporate networks more often, handheld devices (and eventually smartphones) were poor candidates because they were often not connected to the corporate network – but what they were connected to religiously was Exchange. While your phone might not have needed files from corporate shares, it did need email and calendar data – and it needed it often. When ActiveSync added the ability to wipe devices if lost, a new role for Exchange – a confusing one, some might say – was born. Exchange became the device management framework for non-Windows devices. With Windows RT, it became the management framework for a class of Windows devices, too.

Earlier today, I had to add my company email account on a new Samsung Slate running Windows 8. During the process, I was told that, to do that, certain policies would have to be enforced on the device. Much like Group Policy of old, I wasn’t told what these policies would be, just that I needed to let them be applied. Given that my data can be synchronized to SharePoint (through SkyDrive Pro), SkyDrive, and iCloud, and key security policies can be enforced through ActiveSync, we are gradually moving away from a world of “Active Directory Users and Computers” where all devices belong to Active Directory. We are also moving to a world where Exchange is increasingly hosted, and SharePoint and Lync gradually are as well, and where single sign-on means Active Directory on premises synchronized to the cloud, Microsoft Accounts used for local authentication and synchronization, and ActiveSync (plus Configuration Manager or Windows Intune) to perform broader management.

While Windows RT devices not joining Active Directory surely came as a shock to Windows administrators, and it will require some retraining, the reality is that Windows RT devices are now set up to compete more equitably against the iPad, as a sealed, secure device with fixed management functionality provided through the mobile management framework Windows administrators have become accustomed to over the last 10 years.