
Brown bag lunch January 30th 2017

Join us January 30, 2017 from 12:00pm – 1:00pm for an awesome open discussion on the Windows 10 Anniversary Edition upgrade. Grab your lunch and join us in the Visitors Dining Room on the 4th floor in the UW Tower.

Agenda

  1. Newsletter highlights – Brian Arkills
  2. Nebula to NetID Domain migration – Brian Arkills
  3. Windows 10 Anniversary Edition upgrade – Brian Smith
  4. New features (start menu, dark theme, Edge, Search/Cortana, etc.)
  5. Better security (how vulnerable is Windows 10 compared to older versions, how to get your system infected (what NOT to do), how to protect your data)
  6. Your privacy and Windows 10
  7. Upgrading from Windows 7, 8.1, or older versions of Windows 10
  8. What’s coming in 2017

Azure Active Directory application identity availability

This change is being rescheduled to allow for further review and testing. The new release date is planned for February 15th, and a reminder will be sent before the change is made.

If you have any questions or concerns regarding this change, Azure Active Directory, or managing confidential data in any of your systems, please let us know by contacting help@uw.edu. Thank you.

Brian

Entra ID application identity availability

What and when

On Wednesday, January 11, UW-IT will change its approach to Entra ID application identities to make them significantly easier for users to obtain and use. This change also provides:

  • Mitigation where there may be risks due to integration with UW confidential data
  • New capabilities you may wish to leverage

What you need to do

Nothing—this notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, and that it provides new capabilities that may interest you.

More information on the changes

Monitoring and mitigation by UW-IT: Initially, we will monitor for applications that require tenant admin permissions to approve. Examples of these kinds of permissions are described under Admin permissions for Microsoft Graph API in our Entra ID Application Identities wiki page. We will disable any application identity discovered to have “risky permissions” that hasn’t otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.
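As an added illustration of the monitoring described above (example code, not UW-IT’s tooling), here is a Python script that takes an inventory of application identities with their requested Microsoft Graph permissions and flags the ones that need tenant admin consent but have no risk acceptance on file. The app records are constructed; the permission names are real Graph permission names chosen as examples, and the admin-consent set is an illustrative subset, not the list on the wiki page.

```python
"""Flag Entra ID application identities whose requested Microsoft Graph
permissions need tenant-admin consent and have no recorded risk acceptance.

Added example, not UW-IT code. Permission names are real Graph permission
names used as illustrations; the app records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Delegated permissions that ordinary user consent cannot grant.
# Illustrative subset only; the wiki page's list is not reproduced here.
ADMIN_CONSENT_DELEGATED = frozenset({
    "Directory.Read.All",
    "Directory.ReadWrite.All",
    "User.Read.All",
    "Group.ReadWrite.All",
})


@dataclass(frozen=True)
class AppIdentity:
    app_id: str
    display_name: str
    # (permission name, "Application" or "Delegated")
    permissions: Tuple[Tuple[str, str], ...]
    # True when a risk evaluation or data-steward acceptance is on file
    risk_accepted: bool = False


def requires_admin_consent(name: str, kind: str) -> bool:
    """Application permissions always need admin consent; delegated ones
    only when they are in the admin-consent set."""
    if kind == "Application":
        return True
    if kind == "Delegated":
        return name in ADMIN_CONSENT_DELEGATED
    raise ValueError(f"unknown permission kind: {kind}")


def risky_permissions(app: AppIdentity) -> List[str]:
    """The subset of an app's permissions that need tenant-admin consent."""
    return [name for name, kind in app.permissions
            if requires_admin_consent(name, kind)]


def evaluate(apps: List[AppIdentity]) -> Dict[str, str]:
    """Map app_id -> 'ok' (no risky permissions), 'approved' (risky but
    accepted) or 'disable' (risky with no acceptance on file)."""
    verdicts: Dict[str, str] = {}
    for app in apps:
        risky = risky_permissions(app)
        if not risky:
            verdicts[app.app_id] = "ok"
        elif app.risk_accepted:
            verdicts[app.app_id] = "approved"
        else:
            verdicts[app.app_id] = "disable"
    return verdicts


# Constructed sample inventory (app ids are placeholders, not real tenant data).
SAMPLE_APPS = [
    AppIdentity("app-0001", "Lunch signup",
                (("User.Read", "Delegated"),)),
    AppIdentity("app-0002", "Org chart viewer",
                (("User.Read", "Delegated"),
                 ("Directory.Read.All", "Delegated"))),
    AppIdentity("app-0003", "Mailbox archiver",
                (("Mail.Read", "Application"),), risk_accepted=True),
]

if __name__ == "__main__":
    for app_id, verdict in evaluate(SAMPLE_APPS).items():
        print(app_id, verdict)
```

In a real deployment the inventory would be read from the tenant’s app registrations and permission grants, and the acceptance flag from the data steward’s records; the classification in evaluate() is the part that stays the same.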
New capabilities for Entra ID application identities:

  • Users can self-integrate some third party cloud-based apps, resulting in UW NetID-based authentication.
  • Users can consent to allow or deny an Entra ID application to access their data in other Entra ID applications.
  • Developers can self-provision identities for their application, so that it is integrated with UW NetID-based authentication; developers also can ask users to consent to access other Entra ID applications.

New capabilities to be available in the future:

  • Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
  • Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs.

We will let you know when you can take advantage of these forthcoming capabilities.

Details on IT Connect:

Questions about this change or Azure Active Directory can be directed to help@uw.edu.

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Entra ID user and group info sync outage

What and When

Today through Monday morning, January 9th, UW-IT is replacing the infrastructure which provisions user and group information to Azure Active Directory, which Exchange, SharePoint, Skype for Business, and some other applications leverage.

The primary expected customer impacts are:

- delayed user name changes or user creations,
- delayed group membership changes or group creations.

To be clear, existing users and groups already present in Azure Active Directory will remain fully operational. Changes to existing objects or new objects will be delayed until Monday.

What you need to do

There is no action you can take. This message is informational to let you know that delayed changes are expected through the weekend.

More info

This change is required because the existing infrastructure will not be supported by Microsoft soon. Because of the large number of users and groups at the UW, replacement requires a 2-3 day period. No user or group changes will be lost–they are just delayed. We expect the replacement provisioning component to be operational on Sunday sometime, but are advising customers to not expect full operations until Monday morning, January 9. We apologize for any inconvenience this causes.

Behind the scenes, the infrastructure we’re replacing is Entra ID DirSync with Entra ID Connect. This will open up some interesting new capabilities in the future, which we’ll share separately.

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Disabling all remaining NEBULA2 accounts

We will begin disabling all remaining NEBULA2 user accounts the week of 11/28.

What and when:

Starting the week of 11/28, we will begin disabling the remaining 221 NEBULA2 accounts that are still in use.

What you need to do:

If you are still using your NEBULA2 user account, you need to migrate to your NETID account. See https://it.uw.edu/wares/nebula/adding-users/nebula2-user-disables/ for information on how to do so.

More info:

For the last few years we have been encouraging users to use their NETID accounts rather than their NEBULA2 accounts as part of a migration of Managed Workstations services to use the NETID domain. This past April, we announced that we would be decommissioning the NEBULA2 domain on April 3, 2017 and would be working to get all users switched to using their NETID accounts. For reference, the announcement and additional info is also posted at https://it.uw.edu/wares/nebula/contact-us/news/20160425-nebula2-domain-end-of-life-april-3-2017/.

While most users are already using only their NETID account, not all users have made the switch. To complete the user account migration, we will be disabling the remaining NEBULA2 user accounts starting the week of 11/28, and will be retiring the process that allowed users to keep their NEBULA2 account enabled. We will be sending a message, later today, to department contacts with a list of users still using their NEBULA2 account. The week of 11/28, we will send an email to those users still using their NEBULA2 account advising them that we will soon disable their NEBULA2 account, and asking them to let us know if they need assistance in migrating to their NETID account. The first 30 minutes of such assistance is available at no cost.

2016 September

Here’s our newsletter update on recent happenings with the Microsoft Infrastructure. This is usually semi-annual, but we’re late by 3 months this time around. Sorry!

==== New Capabilities and Improvements ====

* Entra ID application approval process. There is now a way to request Entra ID application identities. To find out more, we suggest you start at: https://it.uw.edu/wares/msinf/aad/apps/.

* Service rename. We’ve changed our name from UW Windows Infrastructure (UWWI) to Microsoft Infrastructure (MI) to better reflect what is provided. Most everything that had the old name has now been updated.

* Our customer documentation has moved into IT Connect.

* The ‘Per OU Computers’ group feature we’ve provided since 2008 has changed so that all of these groups are in the Group service. This allows these groups to be referenced as members of other groups in the Group service.

* Significant addition of Entra ID documentation:
  • When should a new Entra ID tenant be created?
  • Entra ID Apps
  • FAQ: Entra ID terminology (e.g. you find out what that tenant term used above means)
  • MI Architecture Guide: Entra ID Architecture
  • MI Architecture Guide: Entra ID Sync

* Additional UW-IT service catalog entries provided by the Microsoft Infrastructure service offering:
  • Delegated OUs
  • Entra ID

* In 2016Q1, we worked with Microsoft to turn off the ability for UW users to create new Microsoft Accounts in the accepted domains of our Entra ID tenant (lots of terms here you can look up in the above FAQ link). Last week, Microsoft applied this change comprehensively to affect everyone, not just our domains: https://blogs.technet.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/. That link does a good job of explaining the poor user experience issues that this change helps address.

==== Spotlights ====

* We’ve done some proof of concept work around the Entra ID Application Proxy capability, but haven’t found a customer in need of this solution. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Integrated Windows Authentication configuration. They gain a hardened cloud-based endpoint (i.e. customers don’t need to VPN), the possibility of leveraging conditional access capabilities such as Azure MFA, and might leverage the logging and security anomaly analysis investments Microsoft is building. Let us know if you are interested in this.

* We’ve recently discovered that the latest Windows 10 build, 1607—the ‘anniversary edition’—has made a change to how Active Directory integrated BitLocker works. Microsoft hasn’t documented this change well, so there is still some confusion about it. Keep in mind that this information is specific to a domain-joined computer which has enabled BitLocker and is configured to save its BitLocker recovery key to AD.

When BitLocker was initially introduced (Vista), the TPM owner and recovery key data could be saved in AD as information on the computer object and a child object of the computer. With Windows 8, Microsoft made a change (which was not well documented) to support the ability to BitLocker non-system drives (i.e. drives that aren’t necessarily associated with a single computer). This change meant that TPM owner info was saved on a new object separate from the recovery key.

With this latest change (Windows 10, build 1607), the TPM owner information is not saved to AD at all, but the recovery key continues to be saved to AD.

This change has been alarming to some, but the TPM owner information is not needed to recover BitLocker—only the recovery key is needed.

Relevant to this space, we have a new capability almost ready: MBAM (Microsoft BitLocker Administration and Monitoring). Earlier this year, we leveraged some Microsoft Windows 10 grant money for a contractor-led MBAM deployment in the NETID domain. We intend to provide that MBAM deployment to all delegated OU customers; however, many technical details and a scalable support model still need work.

* We’ve added some additional members to our service team: Bruce Edwards, Kevin Lee, and Patrick Lavielle. This addition provides some additional depth, and returns us to 2014 overall staffing levels. We’ve been doing some training and swapping around roles and responsibilities to strengthen our skills across the team, with new ideas and perspectives already having a positive influence on the quality of what we provide.

==== Trends ====

* Since January, MI has sustained growth: +17 delegated OUs (129 total), -4 trusts (51 total), +~2700 computers (15113 total), +65k users (837k total), +8k groups (104k total).

* MI support requests are up 30%. 292 MI support records resolved between 1/15/2016 and 7/15/2016 (vs. 224 in prior period). Note: the period from 7/15 through now will be covered in the January 2017 newsletter.

You can see metrics about MI at http://www.netid.washington.edu/dirinfo/stats. [Yes, this page on the “old” website still works]

==== What’s Next ====

Our objectives for the 6 months from July through Jan. 2017 include:

* Explore how to deliver MBAM capability, primarily working to develop scalable support model

* Explore local administrator password management solutions. We plan to release an analysis paper of the options & associated risks, and add the best option to our planned new capabilities.

* Replace our existing 5 wiki-based forms with UW Connect forms to help ensure accurate routing

* Continue to build Entra ID discovery/monitoring tools to enable better management and oversight

* Replace Entra ID DirSync with Entra ID Connect, as Entra ID DirSync moves to end of life in Feb 2017

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Managed Workstation to transition their existing Windows Imaging and Software Deployment capabilities to Microsoft Infrastructure via a SCCM deployment in NETID. This would mean delegated OU customers could have a SCCM client agent and get and share software packages.

* Support Managed Workstation migration into the NETID domain

* Release a ‘UW network’ Windows firewall GPO for re-use by delegated OU customers. This reference GPO will be maintained by us, and you’d be able to make a copy (and refresh your copy), without doing any of the work of building it or keeping current on what the existing definition of the UW network space is.

* Make a major change to our Entra ID App stance, re-enabling self-service Entra ID App approval for user-consent apps

* Begin long-term effort to build a redesigned identity data agent, incorporating a less brittle design, real-time data updates, and the preferred name data source

* Explore short-term fixes to our existing identity data agent (FIM), including possibly adding the preferred name data source

* Explore Entra ID Audit API to support inactive user design & regulatory business needs

Of the 15 forecasted objectives we listed in the last MI News, here’s a review of how they turned out:

  • 2 were successfully completed: AD-CS, Entra ID app approval
  • 8 were started and continue: LAPS, Entra ID-AP, RMS inf, Migration, inactive user design, UW firewall, Preferred name, Monitoring
  • 4 were started by a dependent service, but haven’t yet reached the point where we can start: MFA, hi-sec file svc, SCCM, basic managed desktop, MIM PAM
  • 0 were not started

==== Your Feedback ====

Supporting your needs for MI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the MI service more valuable to you.

The MI service has a capability map publicly visible at https://it.uw.edu/wares/msinf/design/capability-map/. This capability map includes a high-level summary of our roadmap. We also plan to publish a ‘strategy on a page’ based on the emerging UW enterprise architecture practice soon. We can also provide more detailed information about our backlog if you have questions. For broad discussion about the Microsoft Infrastructure, the mi-discuss@uw.edu mailing list is a great option.

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, MI Service Manager

Managed Workstation Newsletter (December 2016)

Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.

This is usually semi-annual, but we’re late by 3 months this time around. Sorry!

New Capabilities and Improvements

Documentation reorganized and notable gaps filled: Over time our documentation lost its focus. So we’ve whipped it back into shape, so you can find what you need. In the future, we’ll be renaming the URL to our documentation to drop “Nebula”.

Lowered FY17 rates: Almost every Managed Workstation FY17 rate was lower when compared to FY16.

Service catalog support hours clarified: 3 sections in our service catalog entry have been updated to clarify for customers when Managed Workstation staff are available for different kinds of support:

To summarize: you can contact us at any time, we’re only available to respond to routine requests during normal university business hours, and we’ll respond to urgent and impactful service interruptions outside normal university business hours.

Transitions to enable focus and excellence: When it comes to IT support that we charge consulting rates for, we’ve tightened our focus on the core capabilities we can excel at. That means we’ve stopped providing some things that it makes little sense for us to continue providing. Reasons behind these decisions include that we aren’t the experts for that capability, our costs are too high to justify, or that the capability is best left managed locally. We believe all of these transitions are win-win–you get a better result by using a better solution, and we focus. Transitions since the last newsletter include:

Since we didn’t announce the last item, it’s worth saying a little more about that. We don’t provide the same set of management capabilities for Macs that we do for other OSes. So we stopped charging the MWS rate for Macs. At some point, we’d like to add those capabilities, but with current priorities, I suspect it will be a year before we can. In the meantime, we will continue to provide Mac support at consulting rates. Unlike other consulting situations, we don’t know what the initial state of the Mac is, which means we have to spend more orientation time, so the amount of time spent to do Mac support may be higher than for a managed workstation.

Installing Software:

How you install software changed from Run Advertised Programs to the Software Center.

Delete means delete:

We aligned the retention practices for MWS file services with the UW reference architecture so that deleted files do not persist in backups beyond 90 days.

Spotlights

Nebula2 domain end of life: We recently disabled all but a small handful of Nebula2 user accounts. We expect that by the end of December all Nebula2 user accounts can be disabled. This is a little later than we were planning, but is a significant milestone along our journey.

There is a hive of activity happening behind the scenes to prepare us to move workstations and the servers providing your services to the NETID domain. Some of the servers have silently been moved already, while others will move after we’ve moved workstations.

Speaking of moving workstations, in January, we’ll be contacting each department to schedule a time to migrate workstations. We are still targeting the beginning of April for shutting down the Nebula2 domain. The workstation migration will not break your access to what’s on your workstation and the activities related to it are mostly silent and automated. There is a reboot required, which is why we’ll be talking to you about scheduling. To prepare for the migration, a few workstations that have the “_” underscore character in their name will need to be renamed.

OS Support changes: Our OS lifecycle support document has been updated. Recent changes include:

  • Windows 8 moved to retirement
  • Windows 8.1 in containment with a strong recommendation to upgrade to Windows 10
  • Windows 10 1507 in containment (soon to retirement)

You may wonder what Windows 10 1507 is, and how you’d know whether you have that or not. In almost all cases, you shouldn’t need to know that detail–we’ll handle that. What you need to know is that we’ll upgrade old Windows 10 versions to the current supported version when necessary. An announcement with more details about Windows 10 upgrades is planned.

Version 1507 is the original release of Windows 10, and it is expected that Microsoft will drop its support for it in March 2017; Microsoft has released two versions since that original release.

What’s Next

Our objectives for the next six months include:

  • Moving to NETID domain: This is our top priority in terms of improvements.
  • MWS Training room equipment refresh: The computers and equipment in our training room will be getting replaced with newer technology and the latest Windows 10 image.
  • Password Manager: We are working to purchase LastPass Enterprise licensing for Managed Workstation users. Using this software can improve your password management practices. We’ll share more when purchase is complete and we’re ready to roll it out. Note: at least two emails to every eligible user will be part of the roll out.
  • Migration from our H: drive to the central U: drive: We are exploring whether we can provide a seamless migration. This would result in a cost savings for many customers (U: drive provides first 30GB at no cost), would greatly simplify what UW-IT provides, and would resolve a persistent problem a small handful of users experience.
  • New hybrid Managed Workstation rate: We are exploring the viability of an offering that doesn’t include tier 2 services. A large potential customer is interested in this hybrid model and we suspect this kind of model may attract other customers.
    Note: all rates are essentially the (total costs)/(# using). So when the number using Managed Workstation increases, the rates fall for everyone. So our flexibility to potential new customers benefits your bottom line.
  • High security managed workstation offering: We continue work to develop this offering for those who have expressed an unmet need. Some of this work will also benefit the existing managed workstation offering via increased security settings and self-service benefits, e.g. we’ve been working on a group service based mechanism to manage local administrator privileges per managed workstation.
  • Windows File Services: We’ll update the server providing these services, transitioning to an offering that can handle confidential data with the ability to encrypt data at-rest by default.

Trends

Below are metrics across the Managed Workstation service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

Operating System Versions

Takeaways: +70 Total Windows (3370 today), +1000 Windows 10 (~1560 total today), -180 Windows 8.1 (~260 total today), -700 Windows 7 (~1550 total today), +0 MacOS (~10 total today)

So Windows 10 adoption rate continues to be high.

VPN Use

Takeaways: -34 sessions on average (~21 sessions average with a peak of 53)

Network

Takeaways: +200 Public network (~2700 total today), +20 Private network (~570 total today)

We encourage customers to move to UW private networks; staying on the public network puts you at more risk. Contact us for help.

Nebula2 User Account Status

Takeaways: -5100 Enabled (~200 total today), +5000 Disabled (~9600 total today)

As noted elsewhere, Nebula2 user accounts are almost end of life.

Managed Workstation User Logons

Takeaways: -260 Active User (~1890 total today), -560 Nebula2 (~100 total today), +550 NETID (~2590 total today)

Active users is down, primarily because some folks are no longer using both a Nebula2 and NETID user account.

Support Requests

Takeaways: Support requests have increased by ~13%; 4708 requests resolved vs. 4166 in prior period.

Incidents

Takeaways: Incidents have increased by 379%; 277 incidents resolved vs. 73 in prior period.

Note: almost all of these incidents had the same parent incident and cause, namely the MWS file service issues we had this summer.

Your Feedback

Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

Managed Workstation Service Owner

UW-IT

Service design change: DNS search suffixes

Managed Workstation service design change: DNS search suffixes

What and When

We’ll be making a change to all managed workstations over a period of a week, in increasing numbers of computers. A few will get this change Friday night 9/30, more Monday night, and so on. Every managed workstation gets this change by 10/7.

In the past, we’ve provided configuration of a setting which gives managed workstations a hint to address the situation where a user doesn’t provide a fully qualified name for a server they want to connect to. We are no longer providing that configuration.

This configuration setting is called the DNS search suffix.

We’ll be removing this configuration. By removing our configuration, we open the door for this setting to be managed on each computer with different values. Prior to this change users could not manage this setting themselves.

What you need to do

You may find you need to fully qualify server names, e.g. enter “homer.u.washington.edu” instead of just “homer”.

Alternatively, you may wish to customize the DNS search suffix setting on your computer. To do so, you may wish to consult one of these websites for instructions:
https://technet.microsoft.com/en-us/library/bb847901(v=exchg.150).aspx
http://www.computerstepbystep.com/dns-suffix-search-list.html

If you do customize this setting on your computer, keep in mind that you are maintaining it.

More info

We are no longer providing this configuration for a number of reasons that include:

  • There is no technical reason why this setting needs to be configured across all managed workstations. This setting is a usability feature. If users don’t want to enter fully qualified server names, this setting is best left maintained by each user to the values they desire.
  • When someone enters a non-fully qualified server name, each DNS suffix “hint” in this setting is tried until a potential match is found. This means that attempts to contact a server can be significantly delayed while each possible suffix is tried. This also means DNS servers get spurious queries for servers which don’t actually exist. Put simply, this setting is a highly inefficient way of helping users who don’t wish to fully qualify server names. Most people don’t know that they are relying on this setting, and that their reliance on this setting might actually be causing slow behavior they don’t like.
  • The setting has a hard limit in terms of how many DNS suffixes can be included. When this setting is managed centrally, hard decisions must be made about which DNS suffixes are included. The UW has an unusually large number of DNS domains compared to other organizations, and over the years we’ve had to turn down many DNS suffixes in the interest of serving the broadest set of customers. Removing ourselves from being in the middle of managing this setting seems like the most responsible choice.
  • Configuring this setting does add some small delay to boot and logon time, so removing it speeds things up.

The DNS suffixes that we previously configured for this setting are:
clients.nebula2.washington.edu
nebula2.washington.edu
nebula.washington.edu
cac.washington.edu
u.washington.edu
admin.washington.edu
washington.edu
exchange.washington.edu
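An added example, not part of the notice, that models the behaviour described above in Python: how a suffix search list expands an unqualified name into a sequence of DNS queries, using the eight suffixes listed and a constructed stand-in for DNS so it runs offline. It shows why “homer” costs five queries before it matches homer.u.washington.edu, why the fully qualified name costs one, and why a typo produces eight queries for names that do not exist. The resolver model is simplified (one query per candidate, tried in list order); the zone contents and addresses are constructed.

```python
"""Simulate how a DNS suffix search list expands an unqualified host name.

Added example, not Managed Workstation code. UW_SUFFIX_LIST is the list the
notice says was previously configured; FAKE_ZONE is a constructed stand-in for
real DNS so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

# The suffixes previously configured, in the order the notice lists them.
UW_SUFFIX_LIST = [
    "clients.nebula2.washington.edu",
    "nebula2.washington.edu",
    "nebula.washington.edu",
    "cac.washington.edu",
    "u.washington.edu",
    "admin.washington.edu",
    "washington.edu",
    "exchange.washington.edu",
]

# Constructed zone: the only names that "exist" in this simulation.
# Addresses are from the TEST-NET-1 documentation range, not real hosts.
FAKE_ZONE: Dict[str, str] = {
    "homer.u.washington.edu": "192.0.2.10",
    "files.admin.washington.edu": "192.0.2.20",
}


def candidate_names(name: str, suffixes: List[str]) -> List[str]:
    """FQDNs a resolver would try for `name`, in order.

    A trailing dot marks the name as fully qualified and stops expansion.
    A name that already contains a dot is tried as-is first; a bare single
    label is only ever tried with a suffix appended (simplified model).
    """
    name = name.lower()
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = [name] if "." in name else []
    candidates += [f"{name}.{suffix}" for suffix in suffixes]
    return candidates


def resolve(name: str, suffixes: List[str],
            zone: Dict[str, str]) -> Tuple[Optional[str], int]:
    """Return (matched FQDN or None, number of DNS queries sent).

    Every candidate that misses is a spurious query for a name that does not
    exist, and each one adds latency before the user's real target is found.
    """
    queries = 0
    for candidate in candidate_names(name, suffixes):
        queries += 1
        if candidate in zone:
            return candidate, queries
    return None, queries


if __name__ == "__main__":
    for typed in ("homer", "homer.u.washington.edu", "files", "nosuchhost"):
        fqdn, sent = resolve(typed, UW_SUFFIX_LIST, FAKE_ZONE)
        print(f"{typed!r}: matched {fqdn}, {sent} queries")
```

Run as-is it prints one line per typed name. Reordering UW_SUFFIX_LIST changes the query counts, which is the trade-off the notice describes: whichever suffixes are near the end of a centrally managed list pay the most latency, and every name that matches nothing costs one query per suffix.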

Brian Arkills
Managed Workstation service owner

Service design change: Default domain

Managed Workstation service design change: Default domain

What and When

We’ll be making a change to all managed workstations over a period of a week, in increasing numbers of computers. A few will get this change Friday night 9/30, more Monday night, and so on. Every managed workstation gets this change by 10/7.

Each Windows computer has a setting called the default domain which determines which Windows domain the computer’s logon interface defaults to for user logon. This setting is relevant for Windows 7 or older computers, but doesn’t mean much on newer versions of Windows.

We will be configuring this setting to be NETID, to help encourage users still logging into NEBULA2 to make the switch we’ve been asking for.

What you need to do

After this change, users on Windows 7 computers who were previously logging into NEBULA2 may log into NETID. If they have never previously done this and/or have never configured their desktop profile for their NETID user account, they may be alarmed because it appears that many items have gone missing.

They will need to go through the steps documented at https://it.uw.edu/wares/nebula/adding-users/changing-to-netid-logins/#restore to move the missing items over to their NETID user profile.

More info

Users can override the default domain and continue to log in using their NEBULA2 user account, but this is discouraged. At this time, fewer than 350 NEBULA2 user accounts are still active and the vast majority of customers are using their NETID user account. We do plan to turn off the NEBULA2 domain in April 2017, so customers still using their NEBULA2 user account should take this opportunity to switch.

Brian Arkills
Managed Workstation service owner