
Nebula2 domain end of life: April 3, 2017

The Managed Workstation Service plans to move the Nebula2 domain to end of life on April 3, 2017.

 

What and When

On April 3, 2017, the Managed Workstation Service plans to shut down the Nebula2 domain.

 

The Managed Workstation Service has planned to migrate to the NETID domain for many years. Moving the Nebula2 domain to end of life by April 2017 will allow us to remove that cost from the Managed Workstation Service core rate for FY18, greatly simplify the infrastructure, and allow the Managed Workstation service to leverage additional capabilities provided at no additional cost via that service.

 

Over the course of the next year, you will see a series of changes to transition the design of the Managed Workstation service from the Nebula2 domain to the NETID domain. We will communicate about those changes separately, but from a big picture, these will include:

- Automatically disable any unused Nebula2 user account (~May 2016)

- Move Mac VPN services to end of life; replaced by Husky OnNet VPN (~May 2016)

- By department, disable still active Nebula2 user accounts; will allow self-service re-enable to mitigate impact (~May-July 2016)

- Work with customers who have included Nebula2 in their server/application designs outside the scope of the Managed Workstation service (~May 2016-March 2017)

[Note: Standard Managed Servers customers leveraging Nebula2 will receive assistance via that service]

- Begin workstation migrations of departments with no active Nebula2 user accounts (~August 2016)

- Complete workstation migrations (~December 2016)

 

What you need to do

If you have a server in the Nebula2 domain, it is time to migrate it.

 

If you have an application or other IT infrastructure which depends on the Nebula2 domain, it is time to begin planning how to change it to the NETID domain.

 

If you are still using a Nebula2 user account, it is time to stop using it, and instead use a NETID user account. The only remaining part of the Managed Workstation service design which requires a Nebula2 user account is the Mac VPN, which will move to end of life very soon. You can follow our self-service instructions here: https://it.uw.edu/wares/nebula/adding-users/changing-to-netid-logins/

 

More Info

Customers still using the Nebula2 domain beyond April 3, 2017 will likely need to bear the full cost of that infrastructure, as it is not fair for all customers to bear that cost beyond this timeframe.

 

If you have questions about this planned change a year from now, please send an email to help@uw.edu with “Nebula2 domain shutdown” in the subject.

 

If you have a server or application you need help with, please send an email to help@uw.edu with “Nebula2 server/application domain migration” in the subject.

 

Brian Arkills

Managed Workstation Service Owner

 

Backup retention period adjustment for deleted files

The Managed Workstation Service plans to align its retention practices for deleted files with a newly approved UW reference architecture practice; deleted files will not persist in backups beyond 90 days.

 

What and When

In concert with the supplier which provides the infrastructure for Nebula File services, we plan to implement changes to our backup retention. We will implement this change over the coming weeks.

 

We will retain deleted files in Nebula File services no longer than 90 days. Files which still exist may have prior versions available for a longer period. To be available for restore, a file must have been backed up previously.

 

What you need to do

Nothing. This announcement is purely advisory so you are aware of a change in our practice. If you do regularly delete files stored in Nebula File Services, but have previously counted on the fact that we retain those files for a longer period, you may want to implement a practice of reviewing for accidentally deleted content on a recurring schedule shorter than 90 days.

 

More Info

 

Information about using Nebula File Services is available at https://it.uw.edu/wares/nebula/nebula-file-services/

 

This specific practice is documented at https://it.uw.edu/wares/nebula/nebula-file-services/recovering-files/, along with details about the self-service way to recover files in Nebula File Services and our backup practices.

 

If you have questions about this planned change, please send an email to help@uw.edu with “MWS backup retention for deleted files” in the subject.

 

Brian Arkills

Managed Workstation Service Owner

 

Nebula2 user account disable activity

Unused Nebula2 user accounts will be automatically disabled when they meet a variety of conditions, including after 37 days of no logon activity.

 

What and When:

On April 11th, 2016, the Managed Workstation service will put into place a new automated practice where Nebula2 user accounts without logons for 37 days will be disabled. When a Nebula2 user account hasn’t been used for 30 days, an email notification will be sent to the associated user, notifying them of the impending action.

 

We also plan to initiate a disable of all Nebula2 user accounts on a per department basis. For each department, we will contact the department to let them know when we plan to take action.

 

What you need to do:

Users who receive a notification can log on to their Nebula2 user account if they don’t want it to be disabled. Users can ignore the notification if they have no further need of their Nebula2 user account.

 

For those whose account has been disabled, if there is a significant need to regain the Nebula2 user account, each user can re-enable their Nebula2 user account themselves (using their UW NetID). Users should make note of what their need is so that we can later assist the user with resolving that issue.

 

More info:

Nebula2 user accounts are in containment (we don’t create them any more without a compelling justification). The Managed Workstation service expects to retire all Nebula2 user accounts during fiscal year 2017, and this will help everyone by making it clear which Nebula2 user accounts are still in use. The Managed Workstation service design does not require a Nebula2 user account–a NETID user account is recommended.

 

Your department may have designed your own services so that they are dependent on a Nebula2 user account. If so, you should prioritize design changes to the NETID user account.

 

If you need assistance transitioning to a NETID user account, please refer to http://www.washington.edu/itconnect/wares/nebula/changing-to-netid-logins-in-nebula/ or send a request for assistance to help@uw.edu.

 

This activity does not relate to eligibility groups, nor will it result in loss of a Nebula home directory—it is only about whether a given Nebula2 user account is enabled or disabled.

Run Advertised Programs -> Software Center

The Managed Workstation Service is upgrading the software we use to deploy applications to managed workstations.

What and When

Beginning April 5th through April 19th, we will be migrating all managed workstations to a new management infrastructure which provides improved capabilities.

Most of the improvements won’t be visible; however, this will change how you install additional applications on your computer. A new “Software Center” will replace ‘Run Advertised Programs’. While Software Center is functionally similar to ‘Run Advertised Programs’, the Software Center provides a better user experience and is more fully integrated into Windows 10. The link in the More Info section describes the Software Center user experience.

The migrations of managed workstations to this new management infrastructure will start on April 5th and will take up to two weeks to complete. During this time, there is no change in behavior or service for those computers that haven’t yet migrated—they will continue to use the ‘Run Advertised Programs’ mechanism until migrated.

What you need to do

No immediate action is required. Prior to your computer migrating, software will remain available via “Run Advertised Programs”. Once your computer has migrated, the new “Software Center” will become available.

More Info

See https://it.uw.edu/wares/nebula/software/ for more info on Software Center. If you need to reference the old instructions for Run Advertised Programs, that will remain available at https://it.uw.edu/wares/nebula/news/software-old/#RunAdvertisedPrograms until the end of April.

This change represents a lot of work we’ve been doing behind the scenes to keep the infrastructure we provide current and relevant. The user experience change noted here is accompanied by a number of new capabilities which we’ll look to leverage in the coming year. We’ve also started work to deploy a duplicate of this management infrastructure in the NETID domain so we are ready to begin computer migrations later this year. We’ll let you know more about new capabilities when they are relevant, but this is a good opportunity to let you know that we continue to invest in improving what we provide to you.

 

Managed Workstation Newsletter (March 2016)

Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.

New Capabilities and Improvements

Windows 10 Self-service Upgrade: In January, we released a self-service mechanism that allows users to upgrade their Windows 7 or Windows 8.1 computer to Windows 10. More info here.   This has been an overwhelming success, with over 20% of Managed Workstations having already made the switch to Windows 10. Customers running Windows 8 or 8.1 should strongly consider upgrading to Windows 10 as we have reduced the support capabilities provided to those operating systems.

‘What Does the Managed Workstation Rate Include?’ Documentation: A common source of confusion surrounding the Managed Workstation Service is understanding our business model and when something is included in the Managed Workstation rate versus something for which we charge an hourly consulting rate. We’ve tackled this question directly in some new documentation which conceptually explains where the line is, and then dives into concrete examples to help you understand the difference.

Capability Map: We developed a capability map for the Managed Workstation Service. Capability maps are a mechanism to facilitate discussion about what capabilities a given service, organization, or technology provides. The purpose for a capability map is that the audience is better able to engage–whether that is to ask for more details, identify and raise unmet needs, or understand the business better including what is planned for the future. Please do ask any questions this inspires–your question may help us to refine the map or prioritize our investments more appropriately.

Infrastructure Upgrades: There have been a series of replacements and improvements related to infrastructure mechanisms behind the Managed Workstation service. Most of these activities are hidden from you as a customer, and it’s great when we can keep these things from impacting the work you do. These include:

  • replacing an aging Sophos AntiVirus server,
  • replacing our aging System Center Configuration Manager servers (SCCM) – which provide software packages,
  • retiring the Internet Explorer Exempt mechanism

Self-service User Eligibility and Accounts: Since the last newsletter, we’ve completed the work to align the user eligibility group mechanism to automatically provision and deprovision the user-oriented capabilities provided by the Managed Workstation service. This puts you in the driver’s seat for adding and removing users from the Managed Workstation service. If you don’t understand the user eligibility group mechanism, either read the documentation at the link or ask us to explain–this is really important to understand.

This means you no longer request a “Nebula account” when a new employee or person joins your department. Instead, you simply add them to your eligibility group. If you need an Exchange mailbox, you can still ask us to help facilitate that. If you need the new user to have access to a Nebula file service location, in the future, you will also have a self-service mechanism to do that–see the Group Management item below. NOTE: The Managed Workstation service does not provide the Exchange mailbox, we are simply helping you ask the service which does provide that.

A corollary of not requesting a Nebula account is that the Nebula2 user account is no longer required for Managed Workstation services. Metrics suggest only 660 users are still using a Nebula2 user account. By default, we no longer create Nebula2 user accounts for customers because the Managed Workstation service design does not require them. Existing use of Nebula2 user accounts should stop, with customers encouraged to instead use NETID user accounts. We still provide assistance in making this change on your Managed Workstation at no additional cost.

Group Management Services Removed: We will no longer make group membership changes on your behalf. In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. We are now requiring customers to take over management of their groups, so if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you. More information about why we made this change and especially why we think you’ll agree this is a step in the right direction is available here.

Spotlights

Mac VPN – End of Life: We plan to move Nebula VPN services for Mac clients to end of life in the near future. At this time, we do not have a specific date to communicate as we are waiting for the general purpose campus VPN solution to be released. Existing customers of the Mac VPN will have a month after the campus VPN is released to transition to that general offering. We’ll send a separate announcement about this change.

Windows 10 and Office 2016 available: We made an Office 2016 software package available in early January. You can install it via the mechanism described here. Office 2016 is also standard in the Windows 10 image, and in a new Windows 7 image that should be available shortly. In December we made a Windows 10 image available via Lite Touch and full service. In early January we moved Windows 10 to baseline support status, released the self-service upgrade capability mentioned previously, and provided the Windows 10 image via CDW.

NOTE: We also updated our Windows 7 image. Both are available via CDW or Lite Touch.

Home Directory Purge: In mid-February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year but a change is pending to only retain deleted data 90 days. More info here.

FY17 Rates:  We are in the period of the year where rates for cost-recovery services are under review and being submitted for central review. We can’t say anything definitive about what rates will be, but at this time, we don’t expect any of the rates to increase. Budgeting for approximately the same costs for Managed Workstation Services should be relatively safe. We’ll share more information about rates when they are finalized.

Staffing changes: In January we were sad to see service team member Kay Lutz retire. Kay had served on this team for many years, and we will miss her. Her position is still unfilled, but we hope to return to full strength soon. In September 2015, we welcomed Brian W Smith to the service team. Brian came to us from a customer department, and has shored up our depleted engineering ranks. Brian brings a positive, customer results focused attitude that the entire team has appreciated. Brian replaced the ancient server providing Sophos Antivirus services to Managed Workstations with a minimum of impact on customers, and helped put together the Windows 10 upgrade capability.

Additional Security Offerings: If you have confidential data needs and/or regulatory compliance issues that aren’t currently being addressed, please let us know. We’re designing a solution in this area with a customer. Knowing you would like such a solution will help us to secure central funding to build a capability that addresses this gap. We are currently exploring the following options (which would have some additional ongoing cost):

  • File service with encryption by default, with additional protections available based on metadata classification or manual intervention,
  • Audit log collection and analysis to detect undesired/anomalous activity,
  • More administrative controls on a per computer basis on who has access to desktops,
  • Managed Workstation encrypted drives (via Bitlocker) with the option to have this on by default,
  • Password manager (this helps users manage passwords by suggesting strong ones, storing them securely, and providing the option to supply them).

Send an email to help@uw.edu with “Managed Workstation high security” in the subject line if you have interest.

Trends

Below are metrics across the Nebula service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

Operating System Versions


Takeaways: +0 Total Windows (~3300 today), +550 Windows 10 (~600 total today), -80 Windows 8.1 (~420 total today), -500 Windows 7 (~2250 total today), -10 MacOS (~10 total today)

IE Versions

Takeaways: +400 IE11 (~3200 total today), -215 IE10 (~85 total today), -165 IE9 (~35 total today), -35 IE8 (~15 total today).

VPN Use


Takeaways: +15 sessions on average (~55 sessions average with a peak of 80)

Network


Takeaways: +0 Public network (~2500 total today), +0 Private network (~550 total today)

NOTE: This is a new metric we are tracking so net change is not yet available

Nebula2 User Account Status


Takeaways: +100 Enabled (~5300 total today), +100 Disabled (~4600 total today)

NOTE: This is a new metric we are tracking so net change is based on less than 6 month period

Managed Workstation User Logons


Takeaways: +0 Active User (~2150 total today), -220 Nebula2 (~660 total today), +200 NETID (~2040 total today)

NOTE: This is a new metric we are reporting

Support Requests


Takeaways: Support requests have decreased by 0.8%; 4166 Nebula support records resolved vs. 4203 in prior 6 month period.

Incidents

Takeaways: Incidents have increased by 406%; 73 Nebula incidents resolved vs. 18 in prior 6 month period.

NOTE: We believe this significant change reflects a couple of factors:

  1. Our guidance to customers to ask for incidents when they are experiencing a work stoppage due to a non-functional Managed Workstation
  2. Increased maturity within the service team in tracking incidents
  3. An increase in unexplained anomalies with Nebula File Services. We have put in place some mechanisms to help us determine the cause for future instances of this, but there is some technical debt here which is part of the reason we do not consider this solution viable long-term.

What’s Next

Our objectives for the next six months include:

  • Bring Mac VPN to end of life, assist Mac based customers in transitioning to new Husky OnNet VPN service, evaluate whether Windows VPN should also move to end of life
  • Infrastructure replacement, including:
    • Complete the replacement of the servers behind our aging software deployment infrastructure (System Center Configuration Manager). There will be some customer noticeable changes which we’ll share before we make this transition.
    • Replace the servers providing the database powering much of the Managed Workstation capabilities. This should not be customer noticeable.
    • Replace the server providing the Windows File Services, transitioning that into an offering that can handle confidential data with the ability to encrypt data at-rest by default
  • Activities related to the Nebula2 user transitions.
  • Begin planning for computer migrations to NETID domain.
  • In concert with above computer migration planning, transition Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Managed Workstation customers might use.
  • Reorganize customer documentation and address any gaps
  • Continue explorations in our partnership with the UW-IT Service Desk to improve the quality of customer handling & routing, and reduce the Managed Workstation rate by identifying activities which they can provide

Of the objectives we listed 6 months ago, here is a summary of our progress:

  • 4 complete: Office 2016, Windows 10 support, customer routing improvements, OS deployment
  • 3 significant progress, work continues: Mac VPN, software deployment infrastructure replacement
  • 3 some progress, work continues: Nebula2 user transitions, planning for computer migrations to NETID, confidential data/high security need explorations

Your Feedback

Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, Managed Workstation Service Manager and Service Owner

Managed Workstation Group Management Changes

The Managed Workstation service will no longer make group membership changes on your behalf.

 

What and When:

On Friday, March 11th, we changed our position on whether we’ll manage your group memberships. We no longer provide that assistance.

 

What you need to do:

No immediate action is required on your part. This notice is advisory so you know that if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you.

 

More info:

In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. These are sometimes called “Nebula groups.” Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. A year ago, we moved group management to be an additional cost outside the core Managed Workstation rate. This is the next step in a progression based on a careful review of our practices in light of your needs.

 

We do not have adequate processes to provide group management services; in many cases you believe we are providing some process to ensure requests we receive are authorized or that we somehow know when to remove users who should no longer have access. This has led to many faulty assumptions, and we do not think your needs are being met. You are in the best position to manage your groups, so we believe from the perspective of needing good access control, this is the right step.

 

We do not provide any added value by making group membership changes for you. By having us make the changes you request, a delay is introduced while you wait for us to make your change. There is nothing special about the group membership changes we make—anyone can make that change. So from the perspective of timely changes made by those who decide who should have access, we believe this is the right step.

 

We do not think providing group membership management is a capability that is within the primary goal of the Managed Workstation Service. The core capability we provide is managing workstations. If you have a need for someone else to provide a group membership management offering, we believe the Groups Service would have the core competencies to provide that. The Groups Service provides customer assistance at no cost, so you can work with them if there is analysis or orientation needed. We’ll be happy to make sure you get connected with that service team.

 

The transition of your group will require three things:

  1. The existing group name or the Nebula file service path (e.g. “pottery” or i:\groups\pottery or u_nebula_pottery)
  2. A desired group name (e.g. we’d like to rename u_nebula_pottery to uw_pottery_filedir_pottery)
  3. A desired group of administrators for the group (e.g. the admins should be uw_pottery_roles_groupadmins)

 

We’ll walk you through this when you have a group change request, so there isn’t need to worry too much about these, but being prepared will make the transition smoother.

 

We will continue to provide assistance with:

  • Setting permissions on Nebula file services (i:\groups included) – part of Managed Workstation core rate
  • Helping you get the right eligibility group(s) set for your department – part of Managed Workstation core rate
  • Getting a workaround for a Nebula file service failure – part of Managed Workstation core rate
  • Analysis of your IT problems, like how to model permissions within Nebula file services to achieve your goal – billable at hourly consulting rates
  • Analysis of your existing access management controls, like ‘what group memberships does Sally have so I can apply those same group memberships to Joe?’ – billable at hourly consulting rates. Note 1: we’ll help with this, but will not make the group membership changes on your behalf. Note 2: The Groups Service would be a better choice to provide this kind of analysis.

Note: all of these examples are included in the recently published ‘What does the Managed Workstation rate include?’ document.

In summary:

  • we will happily transition management of your existing groups to you at no cost,
  • there is no expected loss in functionality, and
  • we suspect that this will mean lowered costs for the service (which could translate into a lower future rate you’d pay).

 

If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services group management change” in the subject line.

Managed Workstation service catalog update

A change to our service catalog entry occurred.

What and When:

On Friday, March 11th an updated service catalog entry was published at https://it.uw.edu/service/managed-workstation-services/

 

What you need to do:

Nothing. This is purely an advisory to you that we’ve updated the catalog entry that describes the service, so you aren’t caught off-guard.

 

More info:

This update consisted of a couple of minor updates:

- We updated the name used for the service to be more consistent: Managed Workstation Services

- We removed one of the optional service options at additional cost: group management

This last item needs more explanation, and we’ll cover that in a separate email.

There will be some additional changes to the service catalog entry in the near future to add links to customer documentation that didn’t exist a year ago when we last updated the service catalog entry, and also to add links to a couple of new customer documents we’re writing now. A highly relevant document that will be linked in the near future is one which covers in much greater detail what services are included in the Managed Workstation Services rate and what is billable separately as consulting. We will send a separate note when that document is available, because we believe it’ll be of high interest to most if not all of our customers.

If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services service catalog update” in the subject line.

 

Windows 10 Upgrade

The Managed Desktop service has a self-service capability to upgrade your Windows 7 or Windows 8.1 computer to Windows 10.

 

What and When:

We’ve released documentation and will shortly release a desktop shortcut which enables customers to perform an upgrade to Windows 10.

 

This allows users to upgrade their computer to Windows 10 at a time of their choice without intervention by someone else, similar to how users can choose to install software packages on their computers.

 

We will be sending a notice to all Managed Desktop users about this new capability because their desktop will noticeably change with an icon which enables the upgrade and because we believe all customers should get the information about the ability to upgrade.

 

What you Need to Do:

If you have additional questions, feel free to ask them via help@uw.edu or nebula-discuss@uw.edu.

 

If you run into an upgrade problem, send an email to help@uw.edu for assistance. If the upgrade problem causes an interruption in your ability to use your desktop, call 221-5000, and let the UW-IT Service Center know that you are experiencing an incident with your Managed Desktop. This will result in a more urgent notification to our service team, and a quicker response.

 

More Info:

Documentation:

Should I upgrade my computer to Windows 10?

https://it.uw.edu/wares/mws/design/operating-system-support/should-i-upgrade-my-computer-to-windows-10/

Upgrading to Windows 10

https://it.uw.edu/wares/mws/design/operating-system-support/upgrading-to-windows-10/

 

As noted at the 2nd link above, customers double-click an icon we’ve placed on their desktop to initiate the upgrade. We advise customers leave plenty of time for the upgrade to happen—the computer won’t be available during the upgrade. Consider starting the upgrade before you leave for the day. You should reboot your computer before starting the upgrade to clear any pending updates, as pending updates could interfere with the upgrade. After the upgrade to Windows 10, the upgrade icon on your desktop will go away—it is only provided to Windows 7 and Windows 8.1 computers.

 

You may have tried upgrading a computer to a prior version of Windows in the past and had a bad experience. That might have left you reluctant to try an upgrade to Windows 10. However, Microsoft completely re-engineered its upgrade process for Windows 10 to make it extremely reliable. If a problem is encountered which prevents the upgrade from cleanly completing, the upgrade can cleanly back out to the original Windows OS without losing anything or introducing any new problems. The reported number of cases where Windows 10 can’t cleanly upgrade is extremely low, to the point that you’ll be hard-pressed to find someone who has experienced it. We haven’t heard of any cases where a Windows 10 upgrade was backed out and wasn’t returned to the same state it was in prior to the upgrade.

Please note: Some icons on your desktop or in the task bar may stop working and will need to be recreated after the upgrade.

Setting Up a Managed Workstation & Lite Touch

The Managed Workstation service has revised and added documentation for the commonly recurring task of setting up a managed workstation, including new documentation for a capability we provide that you may not be familiar with.

 

What and When:

There are two events in this notification:

  1. Notification of new documentation for a capability we believe should have been documented previously.
  2. Notification that there are a few things changing about that capability.

 

New documentation:

We’ve renamed the ‘Hardware and Repair’ document at https://it.uw.edu/wares/nebula/hardware-2/ to be ‘Setting Up a Managed Workstation’ to make it more clear that this documentation is where you go to find out how to do that task. There are three options listed: full service, self-service via CDW, and self-service via Lite Touch.

 

Linked from the ‘Setting Up a Managed Workstation’ document, we’ve also added documentation for a self-service option that provides Windows OS image deployment over the UW Network: https://it.uw.edu/wares/nebula/hardware-2/lite-touch/. Some customers have previously been told about this capability, and may be using it, while others have never been advised it exists.

 

Note: I expect we’ll have future additions to the ‘Setting Up a Managed Workstation’ document, as we are exploring other possible capabilities.

 

Changes to the Lite Touch capability:

We are retiring the legacy server providing the OS images for the Lite Touch capability, and already have in place a new server that provides up to date OS images. The customer interface provided by the legacy server advises customers to use the new server. Existing customers leveraging the Lite Touch capability should update their existing flash drive to use the new server that provides this capability. The legacy server will be unavailable for customer use after Friday, March 11.

 

What You Need to Do:

No action is required, unless you are currently leveraging the Lite Touch network-based OS deployment option. If you are, you need to update your existing flash drives before using it. See the Lite Touch documentation noted above for how to get a fresh flash drive.

 

More Info:

I want to express my apologies to customers who were not previously aware of this capability. Obviously, in the past we failed to document this capability and how you could leverage it. Some customers found out about it by asking, but we really should have represented this capability in our customer documentation before now. The good news is that this is now a capability all Managed Workstation customers can leverage.

 

Many customers use the self-service via CDW option to get their Managed Workstations set up. If that describes your usual approach, you may want to review your options afresh. The CDW option is excellent if you have little or no IT expertise within your department. If you have more than 5 computers to set up at once, we believe it is more cost effective for you to use the full service option (the CDW supplied image option does cost an incremental amount per computer). Finally, if you do have some IT expertise available within your department, you probably want to consider the self-service via Lite Touch option as that does not require any additional payment.

 

If you need to rebuild an existing Managed Workstation, the CDW option isn’t possible, so you may find the Lite Touch option is a good fit if you don’t want to pay for the full service option we provide. One scenario where you may need to rebuild an existing Managed Workstation is if it is compromised. Making sure that everyone has a way to rebuild an existing Managed Workstation that does not require the full service option is one of several reasons this gap in documentation came to light.

2016 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Self-service certificates for Delegated OUs. An AD-integrated certificate authority (AD Certificate Services) has been deployed. This allows Windows domain joined computers to automatically get a certificate which is automatically renewed. See https://wiki.cac.washington.edu/x/_69NB for more details.

 

* Azure Active Directory (AD) External User Invitations. Invitations to users outside the UW can be initiated by anyone with a UW NetID. This allows sharing of data, applications, and services where the method of authentication is Entra ID based. The most commonly used resource leveraging Entra ID that you might want to invite external users to share is likely Sharepoint Online, which supports this for sites but not yet for OneDrive for Business. However, external users are useful beyond just Sharepoint Online—think of them as federated users on steroids—where not only do you have to provide a user account, but you have a meaningful way to control their access to your resources which works just the same way as it does for a UW user. We have more orientation material on this capability planned.

 

* Entra ID device registration. There are many different ways to get a device registered with Entra ID, across varying operating system platforms. For example, there are three ways to get a Windows 10 device Entra ID registered. Registering your device with Entra ID enables certain data protection and security capabilities. If you take it one step further and join your device to Entra ID (only possible with Windows 10), you get interactive logon using your Entra ID user account. Many of the various ways to do this are not enabled today, but a few are. We have more orientation material on this capability planned, to help everyone wade through all the details.

 

* Microsoft Advanced Threat Analytics. This product provides machine learning capabilities to evaluate activity on domain controllers to identify anomalous events. This tool is capable of identifying attacks and persistent “hidden” compromises of highly privileged accounts.
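The AD Certificate Services item above says domain-joined computers get a certificate automatically and that it renews itself. The following is an added check, written for this page and not taken from the newsletter or the linked wiki page, that a customer can run on a domain-joined Windows host to confirm auto-enrollment actually delivered a machine certificate from the enterprise CA, which template it came from, and how long remains before renewal. The issuer pattern is a placeholder to replace with the CA's name; the 30-day warning window is an assumption.

```powershell
# Added example, not from the UWWI newsletter or the linked wiki page.
# Confirms that auto-enrollment has placed a machine certificate from the
# enterprise CA in the local computer store and reports time to expiry.
function Get-AutoEnrolledMachineCert {
    param(
        # Substring of the issuing CA's subject. PLACEHOLDER: set to your CA's name.
        [string]$IssuerPattern = 'PLACEHOLDER-CA',
        # Flag certificates with fewer than this many days left (assumed threshold).
        [int]$WarnDays = 30
    )
    # Machine certificates live in the local computer's Personal store.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
        ForEach-Object {
            # Certificates issued by an enterprise CA carry the Certificate Template
            # Information extension (OID 1.3.6.1.4.1.311.21.7), which names the template.
            $tmplExt  = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
            $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            $status   = if ($daysLeft -le 0)         { 'EXPIRED' }
                        elseif ($daysLeft -le $WarnDays) { 'RENEW-SOON' }
                        else                              { 'OK' }
            [pscustomobject]@{
                Subject  = $_.Subject
                Issuer   = $_.Issuer
                Template = $template
                NotAfter = $_.NotAfter
                DaysLeft = $daysLeft
                HasKey   = $_.HasPrivateKey   # a cert without its private key is unusable
                Status   = $status
            }
        }
}

$certs = Get-AutoEnrolledMachineCert
if (-not $certs) {
    # No certificate yet: refresh computer policy and trigger the auto-enrollment task
    # now rather than waiting for its next scheduled run (both are standard Windows tools).
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    Write-Warning 'No machine certificate from the CA found; auto-enrollment triggered, re-check shortly.'
} else {
    $certs | Format-Table Subject, Template, NotAfter, DaysLeft, HasKey, Status -AutoSize
}
```

A certificate that shows `HasKey = False` or a `Status` of `RENEW-SOON` well inside the template's renewal window is worth a ticket, since auto-renewal normally replaces the certificate before it gets close to expiry.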

 

 

==== Spotlights ====

 

* UWWI service staffing availability has been down over the past 12 months—this is because other UW-IT services have had higher priority work and staffing shortages. You may notice a smaller amount of new capabilities again in this 6 month period, which is attributable to this smaller investment. We’re waiting for a new employee to start who will help backfill this staffing gap.

 

* An Entra ID governance team spent an intensive amount of time this summer working through the many emerging capabilities Microsoft is providing that are tied to this technology, including identity, access management, device management, and application support. We should have an Entra ID Application Request process soon, thanks to efforts here. And again, we have more orientation material planned.

 

* The Enterprise Architecture program has encouraged the use of capability maps to facilitate communication about what’s provided and what’s needed. UWWI has created two capability maps, one for the overall service and one for Entra ID. You can view them at:

UWWI Capability Map: https://wiki.cac.washington.edu/x/sx5JB

Entra ID Capability Map: https://wiki.cac.washington.edu/x/sh1JB

Other services are developing capability maps, and over time you will likely be able to see connections. For example, you may also be interested in the Managed Desktop Capability Map: https://wiki.cac.washington.edu/x/LCBJB.

 

A brief description of the format used may help orient you. The use of color highlights specific capabilities and future planned initiatives in a broad capability area. The left side denotes some desired customer needs and outcomes. What’s within the rectangle with rounded corners is what is provided, although in some cases we haven’t yet provided an item or are planning to retire or divest (see the key to find those cases). The right side is a high level “roadmap” of imagined investment in initiatives. Between the key and rectangle with rounded corners is a laundry list of possible capabilities that we can imagine. Unfortunately, space constrains our imagination, so there are definitely things we’ve imagined but don’t list—we had to make a judgment call.

 

And that’s a really good note to end the description on—within a single page, it is hard to represent something like this, but the goal is not to create a perfect representation, but to encourage good conversations. Please do ask questions about this, either via the uwwi-discuss mailing list or help@uw.edu.

 

* UWWI plans to implement a design to address inactive user accounts. Of the ~770K NETID user accounts, only ~110K have been logged into over the last two year period. Reducing the risk and costs associated with the large set of unused user accounts is the primary goal of this design change. We are still refining the design after gathering some initial feedback within UW-IT, and when we have something we’re happy with, we’ll share it more broadly.

 

* We know that our customer documentation is currently split between two locations and this is not a good situation. We are exploring some options which should greatly improve this, which hopefully will come just in time for all the orientation material mentioned above.
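The inactive user account item above is built on one measurement: how many enabled accounts have not logged on in the last two years. The following is an added example, written for this page rather than taken from UWWI's design, of how a delegated OU owner could produce the same measurement for their own accounts before any disable step. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 730-day window mirrors the two-year period in the text and the output file name is a placeholder.

```powershell
# Added example, not part of the UWWI newsletter or its inactive-user design.
# Reports enabled user accounts with no logon in the last two years so they can
# be reviewed before anyone acts on them.
Import-Module ActiveDirectory

$InactiveDays = 730                                  # "two year period" from the text
$Cutoff       = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01); whenCreated is
# LDAP generalized time. Each must be rendered in its own format for an LDAP filter.
$CutoffFileTime = $Cutoff.ToFileTimeUtc()
$CutoffGenTime  = $Cutoff.ToString('yyyyMMddHHmmss.0Z')

# Exclude disabled accounts (userAccountControl bit 2) with the bitwise-AND matching rule.
# An account counts as inactive when either
#   (a) lastLogonTimestamp exists and is older than the cutoff, or
#   (b) it was never set (never logged on) AND the account itself predates the cutoff,
#       so freshly created accounts awaiting first use are not swept up.
$Filter = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(|(lastLogonTimestamp<=$CutoffFileTime)" +
          "(&(!(lastLogonTimestamp=*))(whenCreated<=$CutoffGenTime))))"

$Inactive = Get-ADUser -LDAPFilter $Filter -Properties lastLogonTimestamp, whenCreated

# Caveat: lastLogonTimestamp is only rewritten when the stored value is more than
# about 14 days old, so it is accurate to roughly two weeks. That is fine for a
# two-year threshold but useless for answering "who logged on this week".
$Report = $Inactive | Select-Object SamAccountName, whenCreated,
    @{ Name = 'LastLogon'; Expression = {
        if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }

# PLACEHOLDER output path; review the list before any disable step.
$Report | Sort-Object LastLogon | Export-Csv -NoTypeInformation -Path '.\inactive-users.csv'
"{0} enabled accounts inactive for {1}+ days" -f @($Report).Count, $InactiveDays
```

Running this as a report first, and only later feeding the reviewed list to a disable step, keeps the false positives (service accounts that authenticate without touching lastLogonTimestamp, accounts for staff on long leave) visible before anyone loses access.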

 

==== Trends ====

 

* Since July, UWWI has sustained growth: +9 delegated OUs (112 total), +2 trusts (55 total), +~1750 computers (12389 total), +18k users (772k total), -12k groups (96k total).

* UWWI support requests are steady. 224 UWWI support records resolved since the last newsletter (vs. 241 in prior period).

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the 6 months ahead include:

* Explore possible expanded uses of AD-integrated Certificate Authority, as identified by customer business needs

* Explore LAPS-E, a local administrator password management solution. See current discussion on uwwi-discuss about possibilities here.

* Explore Azure MFA and Microsoft Passport as possible Microsoft MFA solutions for the UW, so we are ready for a broader discussion about MFA at the UW later in the year.

* Enable Entra ID Applications, via releasing a request and approval process, working with Microsoft to extend its user consent framework, and providing integration guidance for developers

* Entra ID Application Proxy deployment. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Windows Integrated configuration. They gain a hardened, cloud-based endpoint, the possibility of leveraging conditional access capabilities such as Azure MFA, and can leverage the logging and security anomaly analysis investments Microsoft is building.

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Nebula to build a high security Windows file service offering in connection with a high security managed desktop offering

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support growing Nebula migration efforts into the NETID domain

* Explore possibility of offering basic managed desktop offering for a nominal cost (or possibly no cost), re-using the infrastructure Nebula brings to the NETID domain.

* Implement ‘inactive user design’

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* Deploy Microsoft Identity Manager’s Privileged Account Management capability to provide ‘just in time’ domain admin privileges instead of ‘always on’. This will reduce enterprise risk.

* Preferred Name (assuming this work has investment from the Directory Services service)

* Support emerging Monitoring Service by sharing Windows expertise

 

Of the 14 forecasted objectives we listed in the last UWWI News, here’s a review on how they turned out:

  • 3 were successfully completed: AD-CS, ATA, AAD gov
  • 4 were started and continue: RMS, Software Deployment (SCCM), Nebula Migration, AuthN restrictions
  • 3 were started by a dependent service but haven’t yet reached the point where we can start: Preferred Name, MFA project, Monitoring service
  • 4 were not started: ADMT, Firewall GPO, PAM, LDAP signing

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a capability map publicly visible at https://wiki.cac.washington.edu/x/sx5JB. This capability map includes a high-level summary of our roadmap. We can also provide more detailed information about our backlog if you have questions.

 

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, UWWI Service Manager