Microsoft's Surface Pro is designed to deliver an enterprise-class user experience in a tablet form factor. In his review of the Surface Pro, Joel Santo Domingo points out: "It's one of the fastest Ultrabook-class devices out there," and that it can handle "the Windows XP/Vista/7/8 programs your household or business needs to run." But what about using the Surface Pro in a business context? Sure, it can run Office 365, but will it work with an established Windows domain?
To answer this question, I tested how well the tablet integrates into an existing Windows domain. I can definitely say that whatever business features a desktop client running Windows 7 Professional or Windows 8 can run, the Surface Pro can run, too. The tablet form leads to some awkwardness in the performance of some administrative duties – for instance, trying to tap precisely on a network adapter setting to open it can get a bit frustrating – and this is where the stylus comes in handy. And the on-screen keyboard only pops open automatically when tapping text fields within the Windows 8 modern interface.
Therefore, if you need to go into the Control Panel and change the device's name, for example, you'll have to invoke the on-screen keyboard by tapping the icon at the bottom of the screen, or use a physical keyboard. Also, I noted some lethargy once the device was wirelessly joined to the domain.
It's clear, however, that for business networks with Windows domains deployed, the Surface Pro is the most compatible ultraportable device there is.
I tested Surface Pro by stepping through some of the more common administrative Windows domain tasks a network admin would perform with any business client. Here are my observations and tips on integrating Surface Pro with specific Windows domain features. Note: I tested Surface Pro running Windows 8 Pro.
Joining a domain
I have a Windows Server 2012-level testing domain. This domain has a Windows Server 2012 Domain Controller plus three Member Servers; a physical Windows Server 2008 R2 box, and two additional Windows Server 2012 servers – one physical, the other a virtual machine.
Of course, you have to connect Surface Pro to your Windows network in order to join it to a domain. To keep the device slim and easy to carry, there is no Ethernet port. If you want to connect the tablet to the network via a wired connection, you'll need to get an Ethernet USB dongle or, better yet, a device like StarTech's USB 3.0 to Gigabit Ethernet NIC Network Adapter (which boasts USB 3.0 speeds, as opposed to 2.0, for a faster network connection). Fortunately, the Surface Pro has a USB 3.0 port.
Yet, the main purpose of a tablet is to travel light, so I connected the Surface Pro wirelessly to my network. I manually joined the tablet to my Windows domain as I would any Windows desktop, by going into Control Panel > System, changing settings and entering my domain's name and the credentials of an account with domain-joining permissions.
As with a Windows desktop, Windows 8 on Surface Pro has the native firewall on by default, so you'll need to make an exception to allow the tablet to join the domain.
I joined the Surface Pro to my domain and then logged in as a typical domain user, meaning no domain admin permissions. Since this was the user's first time logging into the domain with the Surface Pro, the tablet went through that initial Windows 8 welcome screen which shows users how to move the mouse around and other orientation tips.
I can see this welcome screen as a potential inconvenience for a user who may already have a Surface tablet set up. They have to take the tablet into the office, log into the network, and then have to go through the orientation again.
After joining my domain I did notice some lag while browsing shared folders on the network. Of course, I was connected wirelessly, and there is a lot of Wi-Fi interference in my testing space. I was more concerned when Surface Pro simply froze on me when I tried to turn on the Network Discovery feature. A reboot got the tablet going again.
As with a domain user logged into a workstation, domain policies associated with user accounts flowed to the Surface Pro. I have my domain set up to auto-create a user's home directory, and to map a drive to a publicly shared folder upon first login. I saw the appropriate folders and mappings on the Surface Pro after logging in as a domain user.
One feature that's bound to be used often with Surface Pro devices is Remote App. This is a Windows Server feature (introduced in Server 2008 and honed in Server 2012) that allows administrators to publish applications to an IIS server for end users to access remotely. Applications run on the client device using Remote Desktop Services. I see Remote App as a great way for Surface Pro users to access line-of-business apps that admins may not want to install locally on a tablet.
I have Remote App and the required Remote Desktop Services and roles set up in my domain. From the Surface Pro, I was easily able to browse to the URL I set up for end users to access applications. I tested connectivity by simply publishing Microsoft's Paint app to my server and then accessing it from the Surface Pro.
Oddly, Windows on the Surface Pro popped up a message that Paint's publisher (Microsoft) could not be verified! Yet, I could still open Paint remotely and use it on the tablet as well as the locally installed Paint app.
Remote App is a good way for Surface Pro users to run heavy processing applications like video editors or CAD that would likely run slowly locally, provided they have a speedy connection to the Remote App server, of course.
Nestled in the Windows 8 Control Panel on Surface Pro is the Windows Credentials feature. Because tablets are shuttled between personal and business use, a tablet owner may have many passwords and usernames to remember. With Windows Credentials, that data is easily managed. I was able to add and store a domain user's credentials locally.
Once I had entered this information, the domain credentials were immediately associated as a persistent enterprise connection, so there is good communication between my domain and this tablet-side feature
Storage Spaces is another business-class feature in Windows 8 on the Surface Pro, and another feature I believe many users will find handy. With Storage Spaces, you can add an external USB drive to the Surface Pro and create a storage pool either to extend your storage capacity (the Surface Pro comes with a 128GB SSD) or to create a mirror to protect data stored on the local drive.
You do need to run the account as a user with local admin permissions. You'll also need a USB flash or external drive with at least 7GB of storage. The feature runs well on Surface Pro and, of course, is a capability of Windows 8, not Surface Pro.
BitLocker is another business-class feature, allowing Surface Pro users to secure data on the tablet using AES encryption. I wanted to test this feature out because domain administrators may not want to give users with Surface Pro tablets connected to the network the ability to encrypt the tablet's drive.
Fortunately, using Group Policy in Server 2012, administrators can control BitLocker access. For example, you can give domain users the ability to only use BitLocker on their own removable USB drives, or disable the feature altogether.
Getting down to business
These are just a few of the many capabilities of a Surface Pro tablet integrated with a Windows domain. Based on my testing, I can confidently state that Windows desktop users transitioning over to a Surface Pro tablet will not miss any of the capabilities of a Windows workstation, although they may need to get used to the modern (formerly known as "Metro") interface. Windows system administrators will find the Surface Pro tablet as easy to integrate into a domain as any workstation.