Disabling all remaining NEBULA2 accounts

We will begin disabling all remaining NEBULA2 user accounts the week of 11/28.

What and when:

Starting the week of 11/28, we will begin disabling the remaining 221 NEBULA2 accounts that are still in use.

What you need to do:

If you are still using your NEBULA2 user account, you need to migrate to your NETID account. See https://it.uw.edu/wares/nebula/adding-users/nebula2-user-disables/ for information on how to do so.

More info:

For the last few years we have been encouraging users to use their NETID accounts rather than their NEBULA2 accounts as part of a migration of Managed Workstations services to use the NETID domain. This past April, we announced that we would be decommissioning the NEBULA2 domain on April 3, 2017 and would be working to get all users switched to using their NETID accounts. For reference, the announcement and additional info is also posted at https://it.uw.edu/wares/nebula/contact-us/news/20160425-nebula2-domain-end-of-life-april-3-2017/.

While most users are already using only their NETID account, not all users have made the switch. To complete the user account migration, we will be disabling the remaining NEBULA2 user accounts starting the week of 11/28, and will be retiring the process that allowed users to keep their NEBULA2 account enabled. We will be sending a message, later today, to department contacts with a list of users still using their NEBULA2 account. The week of 11/28, we will send an email to those users still using their NEBULA2 account advising them that we will soon disable their NEBULA2 account, and asking them to let us know if they need assistance in migrating to their NETID account. The first 30 minutes of such assistance is available at no cost.

Nebula2 Account Disables

We will begin disabling all remaining NEBULA2 user accounts the week of 11/28.

What and when:

The week of 11/28, we will begin disabling the remaining 221 NEBULA2 accounts that are still in use.

What you need to do:

If you are still using your NEBULA2 user account, you need to migrate to your NETID account. See https://it.uw.edu/wares/nebula/adding-users/nebula2-user-disables/ for information on how to do so.

More info:

2016 September

Here’s our newsletter update on recent happenings with the Microsoft Infrastructure. This is usually semi-annual, but we’re late by 3 months this time around. Sorry!

==== New Capabilities and Improvements ====

* Entra ID application approval process. There is now a way to request Entra ID application identities. To find out more, we suggest you start at: https://it.uw.edu/wares/msinf/aad/apps/.

* Service rename. We’ve changed our name from UW Windows Infrastructure (UWWI) to Microsoft Infrastructure (MI) to better reflect what is provided. Most everything that had the old name has now been updated.

* Our customer documentation has moved into IT Connect.

* The ‘Per OU Computers’ group feature we’ve provided since 2008 has changed so that all of these groups are in the Group service. This allows these groups to be referenced as members of other groups in the Group service.

* Significant addition of Entra ID documentation:

–When should a new Entra ID tenant be created?

–Entra ID Apps

–FAQ: Entra ID terminology (e.g. you find out what that tenant term used above means)

–MI Architecture Guide: Entra ID Architecture

–MI Architecture Guide: Entra ID Sync

* Addition of additional UW-IT service catalog entries provided by the Microsoft Infrastructure service offering:

–Delegated OUs

–Entra ID

* In 2016Q1, we worked with Microsoft to turn off the ability for UW users to create new Microsoft Accounts in the accepted domains of our Entra ID tenant (lots of terms here you can look up in the above FAQ link). Last week, Microsoft applied this change comprehensively to affect everyone, not just our domains: https://blogs.technet.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/. That link does a good job of explaining the poor user experience issues that this change helps address.

====Spotlights====

* We’ve done some proof of concept work around the Entra ID Application Proxy capability, but haven’t found a customer in need of this solution. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Integrated Windows Authentication configuration. They gain a hardened cloud-based endpoint (i.e. customers don’t need to VPN), the possibility of leveraging conditional access capabilities such as Azure MFA, and might leverage the logging and security anomaly analysis investments Microsoft is building. Let us know if you are interested in this.

* We’ve recently discovered that the latest Windows 10 build, 1607—the ‘anniversary edition’—has made a change to how Active Directory integrated Bitlocker works. Microsoft hasn’t documented this change well, so there is still some confusion about it. Keep in mind that this information is specific to a domain-joined computer which has enabled Bitlocker and is configured to save its bitlocker recovery key to AD.

When Bitlocker was initially introduced (vista), the TPM owner and recovery key data could be saved in AD as information on the computer object and a child object of the computer. With Windows 8, Microsoft made a change (which was not well documented) to support the ability to bitlocker non-system drives (i.e. drives that aren’t necessarily associated with a single computer). This change meant that TPM owner info was saved on a new object separate from the recovery key.

With this latest change (win10, build 1607), the TPM owner information is not saved to AD at all, but the recovery key continues to be saved to AD.

This change has been alarming to some, but the TPM owner information is not needed to recover bitlocker—only the recovery key is needed.

Relevant to this space, we have a new capability almost ready: MBAM (MS Bitlocker Administration and Monitoring). Earlier this year, we leveraged some Microsoft Windows 10 grant money for a contractor led MBAM deployment in the NETID domain. We intend to provide that MBAM deployment to all delegated OU customers, however many technical details and a scalable support model still need work.

* We’ve added some additional members to our service team: Bruce Edwards, Kevin Lee, and Patrick Lavielle. This addition provide some additional depth, and return us to 2014 overall staffing levels. We’ve been doing some training and swapping around roles and responsibilities to strengthen our skills across the team, with new ideas and perspectives already having a positive influence on the quality of what we provide.

==== Trends ====

* Since January, MI has sustained growth: +17 delegated OUs (129 total), -4 trusts (51 total), +~2700 computers (15113 total), +65k users (837k total), +8k groups (104k total).

* MI support requests are up 30%. 292 MI support records resolved between 1/15/16 and 7/15/2016 (vs. 224 in prior period). Note: the period from 7/15 through now will be covered in the January 2017 newsletter.

You can see metrics about MI at http://www.netid.washington.edu/dirinfo/stats. [Yes, this page on the “old” website still works]

==== What’s Next ====

Our objectives for the 6 months from July through Jan. 2017 include:

* Explore how to deliver MBAM capability, primarily working to develop scalable support model

* Explore local administrator password management solutions. We plan to release an analysis paper of the options & associated risks, and add the best option to our planned new capabilities.

* Replace our existing 5 wiki-based forms with UW Connect forms to help ensure accurate routing

* Continue to build Entra ID discovery/monitoring tools to enable better management and oversight

* Replace Entra ID DirSync with Entra ID Connect, as Entra ID DirSync moves to end of life in Feb 2017

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Managed Workstation to transition their existing Windows Imaging and Software Deployment capabilities to Microsoft Infrastructure via a SCCM deployment in NETID. This would mean delegated OU customers could have a SCCM client agent and get and share software packages.

* Support Managed Workstation migration into the NETID domain

* Release a ‘UW network’ Windows firewall GPO for re-use by delegated OU customers. This reference GPO will be maintained by us, and you’d be able to make a copy (and refresh your copy), without doing any of the work of building it or keeping current on what the existing definition of the UW network space is.

* Make a major change to our Entra ID App stance, re-enabling self-service Entra ID App approval for user-consent apps

* Begin long-term effort to build a redesigned identity data agent, incorporating a less brittle design, real-time data updates, and the preferred name data source

* Explore short-term fixes to our existing identity data agent (FIM), including possibly adding the preferred name data source

* Explore Entra ID Audit API to support inactive user design & regulatory business needs

Of the 15 forecasted objectives we listed in the last MI News, here’s a review of how they turned out:

2 were successfully completed: AD-CS, Entra ID app approval
8 were started and continue: LAPS, Entra ID-AP, RMS inf, Migration, inactive user design, UW firewall, Preferred name, Monitoring
4 were started by dependent service, but hasn’t yet reached the point where we can start: MFA, hi-sec file svc, SCCM, basic managed desktop, MIM PAM
0 were not started

==== Your Feedback ====

Supporting your needs for MI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the MI service more valuable to you.

The MI service has a capability map publicly visible at https://it.uw.edu/wares/msinf/design/capability-map/. This capability map includes a high-level summary of our roadmap. We also plan to publish a ‘strategy on a page’ based on the emerging UW enterprise architecture practice soon. We can also provide more detailed information about our backlog if you have questions. For broad discussion about the Microsoft Infrastructure, the mi-discuss@uw.edu mailing list is a great option.

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, MI Service Manager

Managed Workstation Newsletter (December 2016)

Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.

This is usually semi-annual, but we’re late by 3 months this time around. Sorry!

New Capabilities and Improvements

Documentation reorganized and notable gaps filled: Over time our documentation lost its focus. So we’ve whipped it back into shape, so you can find what you need. In the future, we’ll be renaming the URL to our documentation to drop “Nebula”.

Lowered FY17 rates: Almost every Managed Workstation FY17 rate was lower when compared to FY16.

Service catalog support hours clarified: 3 sections in our service catalog entry have been updated to clarify for customers when Managed Workstation staff are available for different kinds of support:

To summarize: you can contact us at any time, we’re only available to respond to routine requests during normal university business hours, and we’ll respond to urgent and impactful service interruptions outside normal university business hours.

Transitions to enable focus and excellence: When it comes to IT support that we charge consulting rates for, we’ve tightened our focus on the core capabilities we can excel at. That means we’ve stopped providing some things that it makes little sense for us to continue providing. Reasons behind these decisions include that we aren’t the experts for that capability, our costs are too high to justify, or that the capability is best left managed locally. We believe all of these transitions are win-win–you get a better result by using a better solution, and we focus. Transitions since the last newsletter include:

Since we didn’t announce the last item, it’s worth saying a little more about that. We don’t provide the same set of management capabilities for Macs that we do for other OSes. So we stopped charging the MWS rate for Macs. At some point, we’d like to add those capabilities, but with current priorities, I suspect it will be a year before we can. In the meantime, we will continue to provide Mac support at consulting rates. Unlike other consulting situations, we don’t know what the initial state of the Mac is, which means we have to spend more orientation time, so the amount of time spent to do Mac support may be higher than for a managed workstation.

Installing Software:

How you install software changed from Run Advertised Programs to the Software Center.

Delete means delete:

We aligned the retention practices for MWS file services with the UW reference architecture so that deleted files do not persist in backups beyond 90 days.

Spotlights

Nebula2 domain end of life: We recently disabled all but a small handful of Nebula2 user accounts. We expect that by the end of December all Nebula2 user accounts can be disabled. This is a little later than we were planning, but is a significant milestone along our journey.

There is a hive of activity happening behind the scenes to prepare us to move workstations and the servers providing your services to the NETID domain. Some of the servers have silently been moved already, while others will move after we’ve moved workstations.

Speaking of moving workstations, in January, we’ll be contacting each department to schedule a time to migrate workstations. We are still targeting the beginning of April for shutting down the Nebula2 domain. The workstation migration will not break your access to what’s on your workstation and the activities related to it are mostly silent and automated. There is a reboot required, which is why we’ll be talking to you about scheduling. To prepare for the migration, a few workstations that have the “_” underscore character in their name will need to be renamed.

OS Support changes: Our OS lifecycle support document has been updated. Recent changes include:

Windows 8 moved to retirement
Windows 8.1 in containment with a strong recommendation to upgrade to Windows 10
Windows 10 1507 in containment (soon to retirement)

You may wonder what Windows 10 1507 is, and how you’d know whether you have that or not. In almost all cases, you shouldn’t need to know that detail–we’ll handle that. What you need to know is that we’ll upgrade old Windows 10 versions to the current supported version when necessary. An announcement with more details about Windows 10 upgrades is planned.

Version 1507 is the original release of Windows 10, and it is expected that Microsoft will drop its support for it in March 2017; Microsoft has released two versions since that original release.

What’s Next

Our objectives for the next six months include:

Moving to NETID domain: This is our top priority in terms of improvements.
MWS Training room equipment refresh: The computers and equipment in our training room will be getting replaced with newer technology and the latest Windows 10 image.
Password Manager: We are working to purchase LastPass Enterprise licensing for Managed Workstation users. Using this software can improve your password management practices. We’ll share more when purchase is complete and we’re ready to roll it out. Note: at least two emails to every eligible user will be part of the roll out.
Migration from our H: drive to the central U: drive: We are exploring whether we can provide a seamless migration. This would result in a cost savings for many customers (U: drive provides first 30GB at no cost), would greatly simplify what UW-IT provides, and would resolve a persistent problem a small handful of users experience.
New hybrid Managed Workstation rate: We are exploring the viability of an offering that doesn’t include tier 2 services. A large potential customer is interested in this hybrid model and we suspect this kind of model may attract other customers.
Note: all rates are essentially the (total costs)/(# using). So when the number using Managed Workstation increases, the rates fall for everyone. So our flexibility to potential new customers benefits your bottom line.
High security managed workstation offering: We continue work to develop this offering for those who have expressed an unmet need. Some of this work will also benefit the existing managed workstation offering via increased security settings and self-service benefits, e.g. we’ve been working on a group service based mechanism to manage local administrator privileges per managed workstation.
Windows File Services: We’ll update the server providing these services, transitioning to an offering that can handle confidential data with the ability to encrypt data at-rest by default.

Trends

Below are metrics across the Managed Workstation service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

Operating System Versions

Takeaways: +70 Total Windows (3370 today), +1000 Windows 10 (~1560 total today), -180 Windows 8.1 (~260 total today), -700 Windows 7 (~1550 total today), +0 MacOS (~10 total today)

So Windows 10 adoption rate continues to be high.

VPN Use

Takeaways: -34 sessions on average (~21 sessions average with a peak of 53)

Network

Takeaways: +200 Public network (~2700 total today), +20 Private network (~570 total today)

We encourage customers to move to UW private networks; staying on the public network puts you at more risk. Contact us for help.

Nebula2 User Account Status

Takeaways: -5100 Enabled (~200 total today), +5000 Disabled (~9600 total today)

As noted elsewhere, Nebula2 user accounts are almost end of life.

Managed Workstation User Logons

Takeaways: -260 Active User (~1890 total today), -560 Nebula2 (~100 total today), +550 NETID (~2590 total today)

Active users is down, primarily because some folks are no longer using both a Nebula2 and NETID user account.

Support Requests

Takeaways: Support requests have increased by ~13%; 4708 requests resolved vs. 4166 in prior period.

Incidents

Takeaways: Incidents have increased by 379%; 277 incidents resolved vs. 73 in prior period.

Note: almost all of these incidents had the same parent incident and cause, namely the MWS file service issues we had this summer.

Your Feedback

Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

Managed Workstation Service Owner

UW-IT

Service design change: DNS search suffixes

Managed Workstation service design change: DNS search suffixes

What and When

We’ll be making a change to all managed workstations over a period of a week, in increasing numbers of computers. A few will get this change Friday night 9/30, more Monday night, and so on. Every managed workstation get this change by 10/7.

In the past, we’ve provided configuration of a setting which gives managed workstations a hint to address the situation where a user doesn’t provide a fully qualified name for a server they want to connect to. We are no longer providing that configuration.

This configuration setting is called the DNS search suffix.

We’ll be removing this configuration. By removing our configuration, we open the door for this setting to be managed on each computer with different values. Prior to this change users could not manage this setting themselves.

What you need to do

You may find you need to fully qualify server names, e.g. enter “homer.u.washington.edu” instead of just “homer”.

Alternatively, you may wish to customize the DNS search suffix setting on your computer. To do so, you may wish to consult one of these websites for instructions:
https://technet.microsoft.com/en-us/library/bb847901(v=exchg.150).aspx
http://www.computerstepbystep.com/dns-suffix-search-list.html

If you do customize this setting on your computer, keep in mind that you are maintaining it.

More info

We are no longer providing this configuration for a number of reasons that include:

There is no technical reason why this setting needs to be configured across all managed workstations. This setting is a usability feature. If users don’t want to enter fully qualified server names, this setting is best left maintained by each user to the values they desire.
When someone enters a non-fully qualified server name, each DNS suffix “hint” in this setting is tried until a potential match is found. This means that attempts to contact a server can be significantly delayed while each possible suffix is tried. This also means DNS servers get spurious queries for servers which don’t actually exist. Put simply, this setting is a highly inefficient way of helping users who don’t wish to fully qualify server names. Most people don’t know that they are relying on this setting, and that their reliance on this setting might actually be causing slow behavior they don’t like.
The setting has a hard limit in terms of how many DNS suffixes can be included. When this setting is managed centrally, hard decisions must be made about which DNS suffixes are included. The UW has an unusually large number of DNS domains compared to other organizations, and over the years we’ve had to turn down many DNS suffixes in the interest of serving the broadest set of customers. Removing ourselves from being in the middle of managing this setting seems like the most responsible choice.
Configuring this setting does add some small delay to boot and logon time, so removing it speeds things up.

The DNS suffixes that we previously configured for this setting are:
clients.nebula2.washington.edu
nebula2.washington.edu
nebula.washington.edu
cac.washington.edu
u.washington.edu
admin.washington.edu
washington.edu
exchange.washington.edu

Brian Arkills
Managed Workstation service owner

Service design change: Default domain

Managed Workstation service design change: Default domain

What and When

Each Windows computer has a setting called the default domain which determines which Windows domain the computer’s logon interface defaults to for user logon. This setting is relevant for Windows 7 or older computers, but doesn’t mean much on newer versions of Windows.

We will be configuring this setting to be NETID, to help encourage users still logging into NEBULA2 to make the switch we’ve been asking for.

What you need to do

After this change, users on Windows 7 computers who were previously logging into NEBULA2 may log into NETID. If they have never previously done this and/or have never configured their desktop profile for their NETID user account, they may be alarmed because it appears that many items have gone missing.

They will need to go through the steps documented at https://it.uw.edu/wares/nebula/adding-users/changing-to-netid-logins/#restore to move the missing items over to their NETID user profile.

More info

Users can override the default domain and continue to login using their NEBULA2 user account, but this is discouraged. At this time, less than 350 NEBULA2 user accounts are still active and the vast majority of customers are using their NETID user account. We do plan to turn off the NEBULA2 domain in April 2017, so customers still using their NEBULA2 user account should take this opportunity to switch.

Brian Arkills
Managed Workstation service owner

Change in printer support

As many of you may be aware UW-IT retired the Computer Maintenance Group (CMG) back in June, 2014. This group provided printer support for the Seattle campus including MWS customers until June, 2014. Since the retirement of the Computer Maintenance Group we have continued helping intermittently with printer issues for some of our customers. As of today, the Managed Workstation Service will no longer provide printer support. By stopping this support we are keeping with UW-IT’s mission to provide technology services in line with the University’s priorities.

Ceasing this support is in line with UW-IT’s mission to support the University’s environmental and sustainability initiatives, in this case, UW Managed Print Services.

If you need assistance installing, uninstalling or troubleshooting a printer there are written instructions available on our IT Connect site: https://it.uw.edu/wares/nebula/other-it-services-and-help/printing/.

Below are some printer options in the event you have a printer that needs to be serviced:

UW Managed Print Services

UW Managed Print Services is available for a monthly fee, and includes equipment (multi-functional devices that can copy, print, scan and fax), supplies (except paper) and service from Ricoh. See http://f2.washington.edu/mps/.

Local Computer and Printer Repair Shops

Departments can work directly with the following local vendors with which UW-IT has historically had good working relationships:
Xerox Printers: Integrity Business Systems; 888-840-0844
HP Printer repair: CPR Computer and Printer Repair;cprnw.com/hewlettpackard.htm; 1-800-955-4075
Computer Repair: Up Time Technology (on N 45^th)) uptimetech.com; 206-547-1817.

Please send an e-mail to help@uw.edu if you have any other questions.

On-going Problems H: and I: Drives

Last month we experienced a significant incident where the server infrastructure behind H:\ and I:\groups was unable to accept new connections. We applied a workaround, moving all user home directories and group directories to new server infrastructure, which also has much newer software, before we had completed testing and validation. Since then, we’ve had a series of smaller, intermittent incidents, the continuing nature of which makes them all the more frustrating. Work to identify the cause(s) of these issues and resolve them continues. We are also looking at alternatives, including changing the underlying technologies in use. As we’ve seen, however, such changes can have undesirable impacts of their own.

Managed Work Station FY17 Rates

FY17 rates for Managed Workstation services are now available.

As of 7/1/2016 the new FY17 rates for Managed Workstation service have been approved by Management Accounting & Analysis (MAA). MAA provides final approval of rates for all cost-recovery centers at the UW.

The rates are:

* Managed Workstation rate: $34.50/desktop/month

* Managed Workstation file storage: $.15/GB/month

* Windows File Storage: $.37/GB/month

* Consulting Services: $98.50 Hour

If you haven’t provided an eligibility group that you manage for your department, you really need to do that. Contacts for Managed Workstation departments should contact us to transition from the temporary eligibility groups we created on your behalf last summer. To see whether you still have a temporary eligibility group visit https://support.nebula.washington.edu/myIT/myNebulaDepartments.aspx. If the group listed starts with u_nebula_temp then you need to take action. This allows you to tell us who your active users are.

If you have any questions or concerns, please contact me.

Managed Workstation service will update MyIT pages that provide estimated costs with FY17 rates soon.

Managed Workstation H: and I:\groups troubles

On 6/15/2016, we experienced a significant incident where the server infrastructure behind H:\ and I:\groups was unable to accept new connections. The cause of that incident is now understood. We applied a workaround of moving the 90% of file directories that were affected by this incident to new server infrastructure, which was already in use for 10% of our file directories. As mentioned at the time, we were hesitant to make that change because we weren’t fully confident that the new server infrastructure was ready for a bigger load, but at the time it appeared to be the quickest and best way to restore service.

Since then, we’ve had a series of incidents that were smaller in scope. This is because one of the 4 new servers continues to have problems, which seems to be tied to something that happens in the very early morning. The other 3 new servers don’t experience these same problems, and the incidents since 6/15 have only affected the same set of customers that leverage the 1/4 of file directories hosted by that one server. Those recurring incidents do not prevent new connections like the 6/15 incident, instead there is a slow degradation of performance to the point where it is very noticeable. The eOutage messages sent about those incidents have been pretty generic, so we thought it important to provide more detail than what has been communicated via eOutage.

We recognize that these continuing problems are impactful and undesirable, and continue to work hard to identify what is causing those problems and to seek solutions.

As we explore solutions we are also trying to limit any undesirable impacts from changes, but we recognize that moving too slowly isn’t acceptable. As we try to move quickly, we are making some changes that we’d normally move more slowly on, with more customer notification.

We really appreciate your patience with us, and please know that we continue to work hard to provide a reliable service that meets your needs.