
Planned work on 4/2 for home and group directories

A service outage is planned for all Managed Workstation home (H:) and group (I:\groups) directories.

What and When:

On Sunday, April 2, 2017, all Managed Workstation home (H:) and group (I:\groups) directories will be unavailable from 8am to 9am, for planned maintenance.

More info:

This work is required to switch the underlying authentication mechanisms for the file servers that provide the home and group directories, as part of the migration to the NETID domain. During this work, there will be no access to files and folders in user home directories (H:) or group directories (I:\groups).

If you have questions about this planned work, please send email to help@uw.edu with “MWS: Planned file server work” in the subject line.

Windows 8.1 will move to retirement

The Managed Workstation Service is moving Windows 8.1 into retirement on May 1, 2017.

What and When:

Starting on May 1, 2017, Managed Workstation support for Windows 8.1 will be done on a consulting hours basis only.

What does this mean?

Managed Workstation will continue to provide automatic fixes, security updates, and technical assistance for Windows 8.1 as part of the Managed Workstation rate through April 30, 2017. After May 1, 2017, all support for Windows 8.1 will be done on a consulting hours basis only.

See our Operating System lifecycle and support page for additional info.

What You Need to Do:

If you have a computer running Windows 8.1, we recommend that you upgrade to Windows 10 soon, following the instructions at Upgrading to Windows 10.  We will be sending targeted announcements to department contacts with more info next week.

Windows 7 moves to containment

Every operating system has a support life-cycle determined by the software publisher, and the Managed Workstation service places each operating system into a support life-cycle.

The Managed Workstation Service is moving Windows 7 into containment.

What and When:

Managed Workstation will continue to support Windows 7; however, we no longer provide an image using Lite-touch deployment or through CDW-G. On February 28, 2017, Windows 7 will move into containment.

What does this mean?

Managed Workstation will continue to provide automatic fixes, security updates, and technical assistance for the Windows 7 operating system as part of the Managed Workstation rate. Microsoft will continue to support the Windows 7 operating system through 1/2020.

What You Need to Do:

If you have a Windows 7 operating system, we recommend that you upgrade to Windows 10. Below is a link with instructions for upgrading your workstation.

https://it.uw.edu/wares/nebula/managed-workstation-service-design/operating-system-support/upgrading-to-windows-10/

Microsoft Infrastructure to add Preferred Name data: 3/1/2017

The Microsoft Infrastructure service will add the Preferred Name data source to its existing identity data.

 

What and When

 

On Wednesday, March 1, 2017, Microsoft Infrastructure will replace its existing identity data agent with a new one. The new system will add the Preferred Name data source to the existing name algorithm, giving Preferred Name preference over other data sources. We will also drop our specialized character casing for non-personal UW NetIDs like Shared UW NetIDs. These changes will result in display name changes on a broad set of user accounts in the NETID Active Directory and the uw.edu Azure Active Directory tenant. Because there are many applications leveraging those user accounts, this will also result in name changes in a large set of applications.

 

There should be no noticeable interruption to implement this change—we have staged the replacement system so it can immediately take over for the old one.

 

What This Means For You

 

Your Microsoft Infrastructure user account’s display name value may change if you have set a Preferred Name via the https://identity.uw.edu portal. If you do not like the resulting display name value for your personal UW NetID, you can use that portal to set or update a Preferred Name.

If you want a change to a non-personal UW NetID name, you can use https://uwnetid.washington.edu/manage and the Name field exposed there to change the value yourself. You do not need to contact the UW-IT service desk for those changes.

In the past, we applied an algorithm to only upper case the first character of “words” from that data source. This would often result in a display name like “Uw Pottery Department” instead of “UW Pottery Department”. This has been a source of frustration for some customers, so we are removing the case adjustments and using the value as input by the UW-IT Service Desk (which is based on your input). If the display name changes to non-personal UW NetIDs are undesired, you can contact the UW-IT Service Desk to make changes.

 

**NOTE: Exchange, Sharepoint, Skype for Business, and other applications in the Office 365 suite leverage the display name on the Microsoft Infrastructure user account, so this change affects your name in all of those applications. There are many other applications which do their UW NetID identity integration via Microsoft Infrastructure user accounts, and those applications will also be affected.**

 

More Info

 

The approach to name data at the UW is complicated because there are many different user populations with a different data source for each population. And of course, each of those data sources has different methods to make changes to the data. This means that any given application (and infrastructure like ours), must make a number of complex decisions about which name data to use, which can be especially complicated when a given identity has multiple affiliations. In contrast, the Preferred Name data source is unique in that it is a single central authority for name data for UW identities, and provides a self-service mechanism for changes.

 

Because of this complex background, Microsoft Infrastructure has always documented the algorithm behind our naming logic, so everyone can understand what we are doing and how they might change what they see. This documentation continues to be at https://it.uw.edu/wares/msinf/design/arch/id-data-mapping/#name, and has been updated to reflect this change with deeper details than noted here. Up until this change, there have been a number of scenarios where there was literally nothing you could do to change the display name on an identity. I’m happy to report that is no longer the case.

 

Via a customer survey 8 years ago, you indicated this was your top desired change for this service, and we have been advocating for this type of solution for that entire time, so we are very pleased to be able to implement this.

 

If you have questions about this change, please send an email to help@uw.edu with “Microsoft Infrastructure Preferred Name change” in the subject.

 

Brian Arkills

Microsoft Infrastructure service manager

UW-IT

 

Entra ID application identities: risk mitigation

What is happening and when:

 

This notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, providing risk mitigation processes as well as new capabilities.

 

On Wednesday, February 15, UW-IT will change its approach to Entra ID application identities to make them easier for users to obtain and use, while addressing potential risk to UW confidential data. The UW-IT Microsoft Infrastructure service will:

  • Monitor for risks of integration with UW confidential data
  • Disable any Entra ID application identity that presents risk to UW confidential data

 

Note that if you choose to add or consent to an Entra ID application provided by a third party, there is a risk that UW confidential data may intentionally or unintentionally be accessed, collected, or used by the third party. UW organizations are responsible for evaluating the risk and implementing controls for their unique technical deployments.

 

If you’ve evaluated the risk and decided to use a third party application, then it should meet the UW data security and privacy goals for contracting with vendors. This may include the need for a Data Security and Privacy Agreement or a Business Associate Agreement. Additional responsibilities may be required by UW Medicine for use of Entra ID applications with protected health information.

 

If you’d like help analyzing third party applications, adding an Entra ID application, or understanding the Entra ID change, please contact UW-IT at help@uw.edu.

 

Monitoring and mitigation by UW-IT: We will monitor for applications that require tenant admin permissions to approve. Tenant admin permissions generally correspond to those permissions that cross a single user resource boundary, e.g., the ability to read all Skype user contacts and groups. More examples of these kinds of permissions are described under More Details on our Risky Entra ID application permissions page. We will disable any application identity discovered to have admin permissions that have not otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.

 

We will not provide automatic mitigations for permissions that individual users grant to applications, but you can find out what permissions have been granted by a given user.

 

New capabilities for Entra ID application identities:

  • Users can self-integrate some third party cloud-based apps, resulting in UW NetID based authentication.
  • Users can consent to allow or deny an Entra ID application to access their data in other Entra ID based applications.
  • Developers can self-provision identities for their application, so that it is integrated with UW NetID based authentication. Developers also can ask users to consent to access other Entra ID based applications.
  • Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
  • Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs. Business stakeholders may consider actions taken by individuals risky, and this capability provides the ability to find out what permissions have been granted by a given user.

 

Details on IT Connect:

 

If you have questions about this change, please contact UW-IT via help@uw.edu.

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Windows 10 upgrades coming next week

Starting next week (2/6/2017), we will begin upgrading all computers running Windows 10 to the latest version, 1607, also known as the Anniversary Edition.

What and when

As we recently announced, all computers running Windows 10 will be upgraded to version 1607, which is also known as the Anniversary Edition. This upgrade is mandatory as Microsoft will stop supporting versions of Windows 10 older than 1607 in March.

The upgrade will be done automatically in the evenings, requires no user interaction, and will not impact any user settings or files. We will start the process on 2/6/2017, and upgrade 50-100 computers each night. Each computer will take approximately 1-2 hours to complete.

While we cannot provide a specific date for when any given computer will be upgraded, individual users can choose to start the process at any time using the ‘Software Center’ or via the shortcut on their desktop.

We will also be sending a separate notice to the primary user of each computer.

What you need to do

This message is for your info only; there is no action required.

If you have any questions or concerns, send an email to help@uw.edu and in the subject line reference ‘MWS – Upgrades coming to Windows 10 computers’.

Brown bag lunch January 30th 2017

Join us January 30, 2017 from 12:00pm – 1:00pm for an awesome open discussion on the Windows 10 Anniversary Edition upgrade. Grab your lunch and join us in the Visitors Dining Room on the 4th floor in the UW Tower.

 

Agenda

 

  1. Newsletter highlights – Brian Arkills
  2. Nebula to NetID Domain migration – Brian Arkills
  3. Windows 10 Anniversary Edition upgrade – Brian Smith
  4. New features (start menu, dark theme, Edge, Search/Cortana, etc.)
  5. Better security (how vulnerable is Windows 10 compared to older versions, how to get your system infected (what NOT to do), how to protect your data)
  6. Your privacy and Windows 10
  7. Upgrading from Windows 7, 8.1, or older versions of Windows 10.
  8. What’s coming in 2017

Azure Active Directory application identity availability

This change is being rescheduled to allow for further review and testing. The new release date is planned for February 15th, and a reminder will be sent before the change is made.

If you have any questions or concerns regarding this change, Azure Active Directory, or managing confidential data in any of your systems, please let us know by contacting help@uw.edu. Thank you.

Brian

 

Entra ID application identity availability

What and when

On Wednesday, January 11, UW-IT will change its approach to Entra ID application identities to make them significantly easier for users to obtain and use. This change also provides:

  • Mitigation where there may be risks due to integration with UW confidential data
  • New capabilities you may wish to leverage

 

What you need to do

Nothing—this notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, and that it provides new capabilities that may interest you.

 

More information on the changes

 

Monitoring and mitigation by UW-IT: Initially, we will monitor for applications that require tenant admin permissions to approve. Examples of these kinds of permissions are described under Admin permissions for Microsoft Graph API in our Entra ID Application Identities wiki page. We will disable any application identity discovered to have “risky permissions” that hasn’t otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.

 

New capabilities for Entra ID application identities:

  • Users can self-integrate some third party cloud-based apps, resulting in UW NetID-based authentication.
  • Users can consent to allow or deny an Entra ID application to access their data in other Entra ID applications.
  • Developers can self-provision identities for their application, so that it is integrated with UW NetID-based authentication; developers also can ask users to consent to access other Entra ID applications.

 

New capabilities to be available in the future:

  • Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
  • Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs.

 

We will let you know when you can take advantage of these forthcoming capabilities.

 

Details on IT Connect:

 

Questions about this change or Azure Active Directory can be directed to help@uw.edu.

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Entra ID user and group info sync outage


 

What and When

Today through Monday morning, January 9th, UW-IT is replacing the infrastructure which provisions user and group information to Azure Active Directory, which Exchange, Sharepoint, Skype for Business, and some other applications leverage.

 

The primary expected customer impacts are:

  • Delayed user name changes or user creations
  • Delayed group membership changes or group creations

 

To be clear, existing users and groups already present in Azure Active Directory will remain fully operational. Changes to existing objects or new objects will be delayed until Monday.

 

What you need to do

There is no action you can take. This message is informational to let you know that delayed changes are expected through the weekend.

 

More info

This change is required because the existing infrastructure will soon no longer be supported by Microsoft. Because of the large number of users and groups at the UW, replacement requires a 2-3 day period. No user or group changes will be lost; they are just delayed. We expect the replacement provisioning component to be operational sometime on Sunday, but are advising customers not to expect full operations until Monday morning, January 9. We apologize for any inconvenience this causes.

 

Behind the scenes, we’re replacing Entra ID DirSync with Entra ID Connect. This will open up some interesting new capabilities in the future, which we’ll share separately.

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT