
Delegated OU role group changes

The role groups for delegated OUs will be changing. Delegated OU role groups are those groups which Microsoft Infrastructure provides to delegate permissions in your delegated OU.


What and When:

Later today, March 29, 2017, there will be two changes to the delegated OU role groups.

First, all delegated OU role groups will move to a new stem: from the u_windowsinfrastructure stem to the u_msinf_delou stem. This reflects the service name change and shortens the overall group names. For example, u_windowsinfrastructure_pottery_ouadmins will become u_msinf_delou_pottery_ouadmins. The _computers group that holds each delegated OU's computer accounts moves in the same way.

Second, we're adjusting the _computerjoiners role group. Existing _computerjoiners role groups will be renamed to _computermanagers, which better reflects the permissions they actually grant (full control of computer objects). A brand new _computerjoiners role group will then be added for each delegated OU, and this new group will have only the permissions necessary to create a computer account.

This change, by itself, results in no one gaining additional permissions in your delegated OU: the renamed group keeps the members and rights it already had, and the new group grants strictly less.


What you need to do:

This announcement is advisory, but you may have follow-up actions to take. Actions you may want to consider:

  • There is a very small chance you have services that depend on the existing group names. If you have group policies or code that statically reference the name of your delegated OU role groups, adjust those references to the new names. See the note below for important context.
  • You may want to adjust the membership of your role groups to better reflect which permissions individuals should have. In particular, anyone who only needs to create computer accounts belongs in the new _computerjoiners group, not in _computermanagers. Request a change, or use the self-service capabilities provided via the UW NetID Computing Support Org tool to manage those delegated OU role group memberships yourself. Note: _computermanagers is not yet available in this tool, so you'll need to contact us for changes to it.

Important note: Group moves and renames are generally a non-event for Microsoft technologies, because most Microsoft technologies do not store the group name but the objectSID of the group, which does not change on rename. NTFS and share permissions, the ACLs on Active Directory objects themselves, and many other Microsoft ACL capabilities use this SID reference and are not tied to the group name. Some group policy settings do store group names as strings (for example Restricted Groups and User Rights Assignment entries that were entered by name rather than by SID). So in almost all cases, you need do nothing.
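The two checks above (what each role group can actually do on the OU, and whether anything still references the old name) can be scripted. The following is an added example and not code from the announcement or from the Microsoft Infrastructure service; it assumes the ActiveDirectory and GroupPolicy PowerShell modules, and the OU distinguished name and the "pottery" stems are placeholders you would replace with your own.

```powershell
# Added example, not from the UW-IT announcement. Assumes the ActiveDirectory and
# GroupPolicy modules and an account that can read the OU's ACL and GPO reports.
# The OU DN and the group stems below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=pottery,OU=Delegated,DC=netid,DC=washington,DC=edu'   # hypothetical OU DN
$oldStem = 'u_windowsinfrastructure_pottery'                          # stem being retired
$newStem = 'u_msinf_delou_pottery'                                    # new stem
$roles   = 'ouadmins', 'computerjoiners', 'computermanagers'

# schemaIDGUID of the AD "computer" class. An ACE whose ObjectType is this GUID and
# whose right is CreateChild grants exactly "create a computer account" and nothing else.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# 1. ACEs on the OU reference the group's objectSID, so they survive the rename.
#    Map each role group's SID to its ACEs and classify how broad each ACE is.
$acl = Get-Acl -Path "AD:\$ou"
foreach ($role in $roles) {
    $group = Get-ADGroup -Identity "${newStem}_$role" -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "${newStem}_$role not found (not renamed yet?)"; continue }

    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID
    }
    foreach ($ace in $aces) {
        $scope = switch ($ace.ObjectType) {
            $computerClass  { 'computer objects' }
            ([guid]::Empty) { 'all object types' }
            default         { "object/attribute $($ace.ObjectType)" }
        }
        # CreateChild scoped to the computer class is the narrow "joiner" right;
        # GenericAll or an unscoped right is the broad "manager" right.
        [pscustomobject]@{
            Role   = $role
            Rights = $ace.ActiveDirectoryRights
            Scope  = $scope
            Narrow = ($ace.ActiveDirectoryRights -eq 'CreateChild' -and $ace.ObjectType -eq $computerClass)
        }
    }
}

# 2. Group Policy can store a group *name* (Restricted Groups, User Rights Assignment).
#    Search every GPO's XML report for the old stem; any hit is a GPO you must edit.
Get-GPO -All | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($report -match [regex]::Escape($oldStem)) {
        Write-Output "GPO '$($_.DisplayName)' still references $oldStem*"
    }
}
```

The first loop is the more useful one after the change: a row for _computerjoiners with Narrow set to True confirms the new group has only the create-computer right, and a _computermanagers row showing GenericAll on computer objects is the full control the old group always had. The GPO scan is string matching on the report, so it catches names stored literally but reports nothing for settings that were saved by SID, which is exactly the case that needs no edit.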


More info:

When we released delegated OUs, the _computerjoiners role group only had permissions to create a computer account. Over time, some customers asked for this role to have more permissions, particularly once we started asking customers to provide valid dNSHostName values on their computer objects. So we grew the permissions of this role to full control on computer objects. We now recognize that this choice was a mistake on our part: we should have added a new _computermanagers role and left the _computerjoiners role as named and designed.

Two things brought this mistake to the forefront:

  • In reviewing supportability for LAPS, we didn't feel that the _computerjoiners role should have the ability to read the local administrator password that LAPS stores on the computer object (full control of the object includes that read). More details about future LAPS support and the changes related to it will be forthcoming.
  • To support the Managed Workstation service's adoption of delegated OUs, we recognized its broad need to delegate only the ability to create a computer account.


We welcome comments, questions, requests, or issues related to these planned changes. Please send them to help@uw.edu with 'Delegated OU role group changes' in the subject line.


Brian Arkills

Microsoft Infrastructure service manager

UW-IT

Microsoft LAPS schema and permission changes

The NETID Active Directory will have minor changes to set the stage to add support for LAPS, a Microsoft provided capability, for delegated OU customers.


What and When:

On Friday, March 31, 2017, the Microsoft Infrastructure (MI) team will be making a change to the NETID domain in preparation to implement Microsoft's Local Administrator Password Solution (LAPS).

The first change is a schema update that adds two attributes to computer objects in the domain: the attributes in which LAPS stores a computer's managed local administrator password and that password's expiration time.

The second change will update permissions on each delegated OU so that, once LAPS is implemented, each computer can write its own password to its computer object while only the intended principals can read it. Note: A separate but related change is planned for the delegated OU role groups; you'll see a separate announcement about that.


What you need to do:

This announcement is only advisory. Additional announcements will be made when Microsoft Infrastructure releases LAPS for general availability in the NETID domain.


More Info:

Schema changes are considered very low risk. NETID domain schema documentation will be updated to reflect this change. Delegated OU permission documentation will also be updated to reflect this change.
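Once the schema and permission changes are in place, a delegated OU owner can verify both sides of them: that the two attributes exist and are attached to the computer class, that the computer itself (SELF) can write them, and, more importantly for security, who on the OU can read the stored password. The following is an added example and not code from the announcement or from the Microsoft Infrastructure service. It assumes the ActiveDirectory module; the attribute names are the ones the Microsoft LAPS schema extension creates (the announcement itself does not name them), and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the UW-IT announcement. Assumes the ActiveDirectory module and
# read access to the schema and the OU's ACL. ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
# are the attribute names the Microsoft LAPS schema extension adds; the OU DN is a placeholder.
Import-Module ActiveDirectory

$ou       = 'OU=pottery,OU=Delegated,DC=netid,DC=washington,DC=edu'   # hypothetical OU DN
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]

# 1. Schema change: both LAPS attributes exist and are linked to the computer class.
$lapsAttrs = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($attr) { $lapsAttrs[$name] = [guid]$attr.schemaIDGUID } else { Write-Warning "$name is not in the schema" }
}
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties mayContain
$lapsAttrs.Keys | Where-Object { $_ -notin $computerClass.mayContain } |
    ForEach-Object { Write-Warning "$_ is not linked to the computer class" }

$acl = Get-Acl -Path "AD:\$ou"

# 2. Storage side: the computer account itself (SELF) must be able to write both attributes.
$selfWrites = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    ($_.ActiveDirectoryRights -band $ADR::WriteProperty) -ne 0 -and
    $_.ObjectType -in $lapsAttrs.Values
}
if ($selfWrites.Count -lt $lapsAttrs.Count) { Write-Warning 'SELF cannot write both LAPS attributes' }

# 3. Read side: ms-Mcs-AdmPwd is a confidential attribute, so reading it needs a control
#    access right (ExtendedRight) on that attribute, an unscoped ExtendedRight ("All extended
#    rights"), or GenericAll. Every principal listed here can recover local admin passwords.
$pwdGuid = $lapsAttrs['ms-Mcs-AdmPwd']
$acl.Access | Where-Object {
    $rights = $_.ActiveDirectoryRights
    $full   = ($rights -band $ADR::GenericAll) -eq $ADR::GenericAll
    $ctrl   = ($rights -band $ADR::ExtendedRight) -ne 0 -and
              ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $pwdGuid)
    $_.AccessControlType -eq 'Allow' -and ($full -or $ctrl)
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

The third query is the one to keep an eye on over time: a delegated role group that holds full control of computer objects shows up here, which is exactly why the _computerjoiners role is being narrowed in the related announcement. Inherited ACEs appear too, so a broad grant placed above your OU is also visible.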


More info about LAPS: https://technet.microsoft.com/en-us/mt227395.aspx.


Brian Arkills

Microsoft Infrastructure service manager

UW-IT


Planned work on 4/2 for home and group directories

A service outage is planned for all Managed Workstation home (H:) and group (I:\groups) directories.

What and When:

On Sunday, April 2, 2017, all Managed Workstation home (H:) and group (I:\groups) directories will be unavailable from 8am to 9am, for planned maintenance.

More info:

This work is required to switch the underlying authentication mechanisms for the file servers that provide the home and group directories, as part of the migration to the NETID domain. During this work, there will be no access to files and folders in either user home directories (H:) or group directories (I:\groups).

If you have questions about this planned work, please send email to help@uw.edu with “MWS: Planned file server work” in the subject line.

Windows 8.1 will move to retirement

The Managed Workstation Service is moving Windows 8.1 into retirement on May 1, 2017.

What and When:

Starting on May 1, 2017, Managed Workstation support for Windows 8.1 will be done on a consulting hours basis only.

What does this mean?

Managed Workstation will continue to provide automatic fixes, security updates, and technical assistance for Windows 8.1 as part of the Managed Workstation rate through April 30, 2017. Starting May 1, 2017, all support for Windows 8.1 will be done on a consulting hours basis only.

See our Operating System lifecycle and support page for additional info.

What You Need to Do:

If you have a computer running Windows 8.1, we recommend that you upgrade to Windows 10 soon, following the instructions at Upgrading to Windows 10.  We will be sending targeted announcements to department contacts with more info next week.

Windows 7 moves to containment

Every operating system has a support life-cycle determined by the software publisher, and the Managed Workstation service places each operating system into a support life-cycle.

The Managed Workstation Service is moving Windows 7 into containment.

What and When:

Managed Workstation will continue to support Windows 7, however we no longer provide an image using Lite-touch deployment or through CDW-G. On February 28, 2017, Windows 7 will move into containment.

What does this mean?

Managed Workstation will continue to provide automatic fixes, security updates, and technical assistance for the Windows 7 operating system as part of the Managed Workstation rate. Microsoft will continue to support the Windows 7 operating system through January 2020.

What You Need to Do:

If you have a Windows 7 operating system, we recommend that you upgrade to Windows 10. Below is a link with instructions for upgrading your workstation.

https://it.uw.edu/wares/nebula/managed-workstation-service-design/operating-system-support/upgrading-to-windows-10/

Microsoft Infrastructure to add Preferred Name data: 3/1/2017

The Microsoft Infrastructure service will add the Preferred Name data source to its existing identity data.


What and When


On Wednesday March 1 2017, Microsoft Infrastructure will replace its existing identity data agent with a new one. The new system will add the Preferred Name data source to the existing name algorithm, giving Preferred Name preference over other data sources. We will also drop our specialized character casing for non-personal UW NetIDs like Shared UW NetIDs. These changes will result in display name changes on a broad set of user accounts in the NETID Active Directory and the uw.edu Azure Active Directory tenant. Because there are many applications leveraging those user accounts, this will also result in name changes in a large set of applications.


There should be no noticeable interruption to implement this change—we have staged the replacement system so it can immediately take over for the old one.


What This Means For You


Your Microsoft Infrastructure user account’s display name value may change if you have set a Preferred Name via the https://identity.uw.edu portal. If you do not like the resulting display name value for your personal UW NetID, you can use that portal to set or update a Preferred Name.

If you want a change to a non-personal UW NetID name, you can use https://uwnetid.washington.edu/manage and the Name field exposed there to change the value yourself. You do not need to contact the UW-IT service desk for those changes.

In the past, we applied an algorithm to only upper case the first character of “words” from that data source. This would often result in a display name like “Uw Pottery Department” instead of “UW Pottery Department”. This has been a source of frustration for some customers, so we are removing the case adjustments and using the value as input by the UW-IT Service Desk (which is based on your input). If the display name changes to non-personal UW NetIDs are undesired, you can contact the UW-IT Service Desk to make changes.


**NOTE: Exchange, Sharepoint, Skype for Business, and other applications in the Office 365 suite leverage the display name on the Microsoft Infrastructure user account, so this change affects your name in all of those applications. There are many other applications which do their UW NetID identity integration via Microsoft Infrastructure user accounts, and those applications will also be affected.**


More Info


The approach to name data at the UW is complicated because there are many different user populations with a different data source for each population. And of course, each of those data sources has different methods to make changes to the data. This means that any given application (and infrastructure like ours), must make a number of complex decisions about which name data to use, which can be especially complicated when a given identity has multiple affiliations. In contrast, the Preferred Name data source is unique in that it is a single central authority for name data for UW identities, and provides a self-service mechanism for changes.


Because of this complex background, Microsoft Infrastructure has always documented the algorithm behind our naming logic, so everyone can understand what we are doing and how they might change what they see. This documentation continues to be at https://it.uw.edu/wares/msinf/design/arch/id-data-mapping/#name, and has been updated to reflect this change with deeper details than noted here. Up until this change, there have been a number of scenarios where there was literally nothing you could do to change the display name on an identity. I’m happy to report that is no longer the case.


Via a customer survey 8 years ago, you indicated this was your top desired change for this service, and we have been advocating for this type of solution for that entire time, so we are very pleased to be able to implement this.


If you have questions about this change, please send an email to help@uw.edu with “Microsoft Infrastructure Preferred Name change” in the subject.


Brian Arkills

Microsoft Infrastructure service manager

UW-IT


Entra ID application identities: risk mitigation

What is happening and when:


This notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, providing risk mitigation processes as well as new capabilities.


On Wednesday, February 15, UW-IT will change its approach to Entra ID application identities to make them easier for users to obtain and use, while addressing potential risk to UW confidential data. The UW-IT Microsoft Infrastructure service will:

  • Monitor for risks of integration with UW confidential data
  • Disable any Entra ID application identity that presents risk to UW confidential data


Note that if you choose to add or consent to an Entra ID application provided by a third party, there is a risk that UW confidential data may intentionally or unintentionally be accessed, collected, or used by the third party. UW organizations are responsible for evaluating the risk and implementing controls for their unique technical deployments.


If you’ve evaluated the risk and decided to use a third party application, then it should meet the UW data security and privacy goals for contracting with vendors. This may include the need for a Data Security and Privacy Agreement or a Business Associate Agreement. Additional responsibilities may be required by UW Medicine for use of Entra ID applications with protected health information.


If you’d like help analyzing third party applications, adding an Entra ID application, or understanding the Entra ID change, please contact UW-IT at help@uw.edu.


Monitoring and mitigation by UW-IT: We will monitor for applications that require tenant admin permissions to approve. Tenant admin permissions generally correspond to permissions that cross a single user's resource boundary, e.g., the ability to read all Skype user contacts and groups, as opposed to permissions that only reach the consenting user's own data. More examples of these kinds of permissions are described under More Details on our Risky Entra ID application permissions page. We will disable any application identity discovered to have admin permissions that have not been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.

We will not provide automatic mitigations for permissions that individual users grant to applications on their own behalf, but you can find out what permissions have been granted by a given user.


New capabilities for Entra ID application identities:

  • Users can self-integrate some third party cloud-based apps, resulting in UW NetID based authentication.
  • Users can consent to allow or deny an Entra ID application to access their data in other Entra ID based applications.
  • Developers can self-provision identities for their application, so that it is integrated with UW NetID based authentication. Developers also can ask users to consent to access other Entra ID based applications.
  • Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
  • Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs. Business stakeholders may consider actions taken by individuals risky, and this capability provides the ability to find out what permissions have been granted by a given user.
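The monitoring and the per-user lookup described above both come down to reading the tenant's OAuth2 permission grants, which record the application (client), the API it was granted access to (resource), the scopes, and whether an admin consented for everyone (consentType AllPrincipals) or one user consented for themselves (consentType Principal). The following is an added example and not code from the announcement or from UW-IT; it uses the Microsoft Graph PowerShell SDK, and the allowlist of low-risk scopes and the user principal name are placeholders.

```powershell
# Added example, not from the UW-IT announcement. Uses the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns). Run as an account that
# can read the directory. The scope allowlist and the UPN below are placeholders.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Directory.Read.All'

# Scopes that stay inside the consenting user's own resource boundary (assumed allowlist).
$lowRiskScopes = 'openid', 'profile', 'email', 'offline_access', 'User.Read'

# Resolve a service principal object id to its display name, caching the lookups.
$spCache = @{}
function Get-SpName([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = (Get-MgServicePrincipal -ServicePrincipalId $id -Property displayName).DisplayName
    }
    $spCache[$id]
}

# 1. Tenant-wide (admin) consents: consentType AllPrincipals. These were approved by an
#    administrator for every user and are what UW-IT says it will monitor and disable.
Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'AllPrincipals' | ForEach-Object {
    $risky = $_.Scope.Trim() -split ' ' | Where-Object { $_ -notin $lowRiskScopes }
    [pscustomobject]@{
        Application = Get-SpName $_.ClientId
        Resource    = Get-SpName $_.ResourceId
        RiskyScopes = ($risky -join ' ')
    }
} | Where-Object RiskyScopes

# 2. Per-user consents: everything one user has granted to applications themselves
#    (the audit capability described in the announcement).
$user = Get-MgUser -UserId 'someone@uw.edu'   # placeholder UPN
Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)' and consentType eq 'Principal'" |
    ForEach-Object {
        [pscustomobject]@{
            Application = Get-SpName $_.ClientId
            Resource    = Get-SpName $_.ResourceId
            Scopes      = $_.Scope.Trim()
        }
    }

# 3. Application (app-only) permissions are app role assignments on the service principal.
#    They always require admin consent and let the app act with no signed-in user at all.
Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" | ForEach-Object {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id -All | ForEach-Object {
        [pscustomobject]@{
            Application = $_.PrincipalDisplayName
            Resource    = $_.ResourceDisplayName
            AppRoleId   = $_.AppRoleId
        }
    }
}
```

Step 1 is the tenant-level view: any row it prints is an application every user in the tenant is already sharing data with, so those are the grants to compare against your data steward approvals. Step 2 answers the "what has this user consented to" question for a single account. Step 3 is the broadest category, since app-only permissions are not tied to any user's consent and do not appear among the OAuth2 grants at all.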


Details on IT Connect:


If you have questions about this change, please contact UW-IT via help@uw.edu.


Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Windows 10 upgrades coming next week

We will start upgrading all computers running Windows 10 to the latest version, 1607 – also known as Anniversary Edition, starting next week (2/6/2017).

What and when

As we recently announced, all computers running Windows 10 will be upgraded to version 1607, which is also known as the Anniversary Edition. This upgrade is mandatory as Microsoft will stop supporting versions of Windows 10 older than 1607 in March.

The upgrade will be done automatically in the evenings, requires no user interaction, and will not change any user settings or files. We will start the process on 2/6/2017 and upgrade 50-100 computers each night. Each computer will take approximately 1-2 hours to complete.

While we cannot provide a specific date of when any given computer will be upgraded, individual users can choose to start the process at any time using the 'Software Center' or the shortcut on their desktop.

We will also be sending a separate notice to the primary user of each computer.

What you need to do

This message is for your info only; there is no action required.

If you have any questions or concerns, send an email to help@uw.edu and in the subject line reference ‘MWS – Upgrades coming to Windows 10 computers’.

Brown bag lunch January 30th 2017

Join us January 30, 2017 from 12:00pm – 1:00pm for an awesome open discussion on the Windows 10 Anniversary Edition upgrade. Grab your lunch and join us in the Visitors Dining Room on the 4th floor in the UW Tower.


Agenda


  1. Newsletter highlights – Brian Arkills
  2. Nebula  to NetID Domain migration – Brian Arkills
  3. Windows 10 Anniversary Edition upgrade – Brian Smith
  4. New features (start menu, dark theme, Edge, Search/Cortana, etc.)
  5. Better Security (how vulnerable is Windows 10 compared to older versions, How to get your system infected (what NOT to do), how to protect your data).
  6. Your privacy and Windows 10
  7. Upgrading from Windows 7, 8.1, or older versions of Windows 10.
  8. What’s coming in 2017

Azure Active Directory application identity availability

This change is being rescheduled to allow for further review and testing. The new release date is planned for February 15th, and a reminder will be sent before the change is made.

If you have any questions or concerns regarding this change, Azure Active Directory, or managing confidential data in any of your systems, please let us know by contacting help@uw.edu. Thank you.

Brian