
Managed Workstation service catalog update

A change to our service catalog entry occurred.

 What and When:

On Friday, March 11th an updated service catalog entry was published at https://it.uw.edu/service/managed-workstation-services/

 

What you need to do:

Nothing. This is purely an advisory to you that we’ve updated the catalog entry that describes the service, so you aren’t caught off-guard.

 

 More info:

This update consisted of a couple of minor changes:

- We updated the name used for the service to be more consistent: Managed Workstation Services

- We removed one of the optional service options offered at additional cost: group management

 This last item needs more explanation, and we’ll cover that in a separate email.

 There will be some additional changes to the service catalog entry in the near future to add links to customer documentation that didn’t exist a year ago when we last updated the service catalog entry, and also to add links to a couple new customer documents we’re writing now. A highly relevant document that will be linked in the near future is one which covers in much greater detail what services are included in the Managed Workstation Services rate and what is billable separately as consulting. We will send a separate note when that document is available, because we believe it’ll be of high interest to most if not all of our customers.

 If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services service catalog update” in the subject line.

 

Windows 10 Upgrade

The Managed Desktop service has a self-service capability to upgrade your Windows 7 or Windows 8.1 computer to Windows 10.

 

What and When:

We’ve released documentation and will shortly release a desktop shortcut which enables customers to perform an upgrade to Windows 10.

 

This allows users to upgrade their computer to Windows 10 at a time of their choice without intervention by someone else, similar to how users can choose to install software packages on their computers.

 

We will be sending a notice to all Managed Desktop users about this new capability because their desktop will noticeably change with an icon which enables the upgrade and because we believe all customers should get the information about the ability to upgrade.

 

What you Need to Do:

If you have additional questions, feel free to ask them via help@uw.edu or nebula-discuss@uw.edu.

 

If you run into an upgrade problem, send an email to help@uw.edu for assistance. If the upgrade problem causes an interruption in your ability to use your desktop, call 221-5000, and let the UW-IT Service Center know that you are experiencing an incident with your Managed Desktop. This will result in a more urgent notification to our service team, and a quicker response.

 

More Info:

Documentation:

Should I upgrade my computer to Windows 10?

https://it.uw.edu/wares/mws/design/operating-system-support/should-i-upgrade-my-computer-to-windows-10/

Upgrading to Windows 10

https://it.uw.edu/wares/mws/design/operating-system-support/upgrading-to-windows-10/

 

As noted at the 2nd link above, customers double-click an icon we’ve placed on their desktop to initiate the upgrade. We advise customers to leave plenty of time for the upgrade to happen; the computer won’t be available during the upgrade. Consider starting the upgrade before you leave for the day. You should reboot your computer before starting the upgrade to clear any pending updates, as pending updates could interfere with the upgrade. After the upgrade to Windows 10, the upgrade icon on your desktop will go away; it is only provided to Windows 7 and Windows 8.1 computers.
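The pre-upgrade check described above can be scripted. The following is an added example and is not part of the Managed Workstation documentation or the upgrade shortcut: it reads the standard Windows pending-reboot markers in the registry and records the current OS version so the result of the upgrade can be confirmed afterwards. It deliberately uses Get-WmiObject and New-Object rather than newer cmdlets so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the Managed Workstation documentation: check for a
# pending reboot before starting the Windows 10 upgrade, and record the OS
# version so the result of the upgrade can be confirmed afterwards. The
# registry locations are the standard Windows pending-reboot markers.

function Test-PendingReboot {
    $reasons = @()

    # Servicing stack (Windows Update / hotfix) reboot flag
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing'
    }
    # Windows Update agent reboot flag
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update'
    }
    # Files queued for rename/delete at next boot (installers use this)
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }

    New-Object PSObject -Property @{
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join ', ')
    }
}

function Get-OsSummary {
    # Get-WmiObject rather than Get-CimInstance so this also runs on the
    # PowerShell 2.0 that ships with Windows 7.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Caption  = $os.Caption
        Version  = $os.Version
        LastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    }
}

Get-OsSummary | Format-List
$state = Test-PendingReboot
if ($state.RebootPending) {
    Write-Warning "Reboot pending ($($state.Reasons)). Reboot before double-clicking the upgrade icon."
} else {
    Write-Output 'No pending reboot detected; it is safe to start the upgrade.'
}
```

Run it once before the upgrade (reboot if it warns) and once afterwards: the Caption and Version lines from Get-OsSummary show whether the machine is now on Windows 10 or was rolled back to the original OS.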

 

You may have tried upgrading a computer to a prior version of Windows in the past and had a bad experience. That might have left you reluctant to try an upgrade to Windows 10. However, Microsoft re-engineered its upgrade process for Windows 10 with reliability as a goal. If a problem is encountered which prevents the upgrade from cleanly completing, the upgrade backs out to the original Windows OS without losing anything or introducing new problems. Reports of Windows 10 upgrades that cannot be cleanly backed out are rare, and we haven’t heard of any case where a Windows 10 upgrade was backed out and the computer wasn’t returned to the same state it was in prior to the upgrade.

Please note: Some icons on your desktop or in the task bar may stop working and will need to be recreated after the upgrade.

Setting Up a Managed Workstation & Lite Touch

The Managed Workstation service has revised and added documentation for the commonly recurring task of setting up a managed workstation, including new documentation for a capability we provide that you may not be familiar with.

 

What and When:

There are two events in this notification:

  1. Notification of new documentation for a capability we believe should have been documented previously.
  2. Notification that there are a few things changing about that capability.

 

New documentation:

We’ve renamed the ‘Hardware and Repair’ document at https://it.uw.edu/wares/nebula/hardware-2/ to be ‘Setting Up a Managed Workstation’ to make it more clear that this documentation is where you go to find out how to do that task. There are three options listed: full service, self-service via CDW, and self-service via Lite Touch.

 

Linked from the ‘Setting Up a Managed Workstation’ document, we’ve also added documentation for a self-service option that provides Windows OS image deployment over the UW Network: https://it.uw.edu/wares/nebula/hardware-2/lite-touch/. Some customers have previously been told about this capability, and may be using it, while others have never been advised it exists.

 

Note: I expect we’ll have future additions to the ‘Setting Up a Managed Workstation’ document, as we are exploring other possible capabilities.

 

Changes to the Lite Touch capability:

We are retiring the legacy server providing the OS images for the Lite Touch capability, and already have in place a new server that provides up to date OS images. The customer interface provided by the legacy server advises customers to use the new server. Existing customers leveraging the Lite Touch capability should update their existing flash drive to use the new server that provides this capability. The legacy server will be unavailable for customer use after Friday, March 11.

 

What You Need to Do:

No action is required, unless you are currently leveraging the Lite Touch network-based OS deployment option. If you are, you need to update your existing flash drives before using it. See the Lite Touch documentation noted above for how to get a fresh flash drive.

 

More Info:

I want to express my apologies to customers who were not previously aware of this capability. Obviously, in the past we failed to document this capability and how you could leverage it. Some customers found out about it by asking, but we really should have represented this capability in our customer documentation before now. The good news is that this is now a capability all Managed Workstation customers can leverage.

 

Many customers use the self-service via CDW option to get their Managed Workstations set up. If that describes your usual approach, you may want to review your options afresh. The CDW option is excellent if you have little or no IT expertise within your department. If you have more than 5 computers to set up at once, we believe it is more cost effective for you to use the full service option (the CDW supplied image option does cost an incremental amount per computer). Finally, if you do have some IT expertise available within your department, you probably want to consider the self-service via Lite Touch option, as that does not require any additional payment.

 

If you need to rebuild an existing Managed Workstation, the CDW option isn’t possible, so you may find the Lite Touch option is a good fit if you don’t want to pay for the full service option we provide. One scenario where you may need to rebuild an existing Managed Workstation is if it is compromised; a compromised workstation should be rebuilt from a known-good image rather than cleaned in place. Making sure that everyone has a way to rebuild an existing Managed Workstation that does not require the full service option is one of several reasons this gap in documentation came to light.

2016 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Self-service certificates for Delegated OUs. An AD-integrated certificate authority (AD Certificate Services) has been deployed. This allows domain-joined Windows computers to automatically obtain a machine certificate that is renewed automatically before it expires. See https://wiki.cac.washington.edu/x/_69NB for more details.
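For a delegated OU administrator who wants to confirm that autoenrollment actually reached a computer, the following is an added example, not part of the UWWI documentation or the AD CS deployment itself. It checks that the machine autoenrollment policy has applied and lists certificates in the machine store issued by the enterprise CA with their remaining lifetime. The issuer pattern 'UW' and the 30-day warning threshold are assumptions; substitute the real CA name.

```powershell
# Added example, not from the UWWI documentation: confirm on a domain-joined
# computer that autoenrollment policy has applied and that a machine
# certificate from the AD-integrated CA is present and not close to expiry.
# The issuer pattern 'UW' is an assumption; use the actual CA name.

function Get-AutoEnrollmentPolicy {
    # Set by the "Certificate Services Client - Auto-Enrollment" GPO setting.
    # Bit 1 enables autoenrollment; 7 is the usual full setting (enrol,
    # renew expired/update pending/remove revoked, update templated certs).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $p = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($p) { $p.AEPolicy } else { $null }
}

function Get-EnterpriseCaCertificates {
    param([string]$IssuerPattern = 'UW', [int]$WarnDays = 30)   # both assumed values
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match $IssuerPattern } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                RenewSoon  = ($daysLeft -lt $WarnDays)
                Thumbprint = $_.Thumbprint
            }
        }
}

$policy = Get-AutoEnrollmentPolicy
if ($policy -eq $null -or ($policy -band 1) -eq 0) {
    Write-Warning "Machine autoenrollment is not enabled by policy (AEPolicy = $policy); check GPO scope for this OU."
}

$certs = @(Get-EnterpriseCaCertificates -IssuerPattern 'UW')
if ($certs.Count -eq 0) {
    # certutil -pulse asks the autoenrollment client to run now rather than
    # waiting for its next scheduled run.
    Write-Warning 'No certificate from the enterprise CA found; run "certutil -pulse" and check again.'
} else {
    $certs | Sort-Object NotAfter | Format-Table Subject, NotAfter, DaysLeft, RenewSoon -AutoSize
}
```

If the policy value is present but no certificate appears, the usual causes are the computer not having rebooted (or run certutil -pulse) since the GPO applied, or the template not granting Autoenroll permission to the computer’s group.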

 

* Azure Active Directory (Azure AD, now Entra ID) External User Invitations. Invitations to users outside the UW can be initiated by anyone with a UW NetID. This allows sharing of data, applications, and services where the method of authentication is Entra ID based. The Entra ID resource you are most likely to want to share with external users is SharePoint Online, which supports this for sites but not yet for OneDrive for Business. However, external users are useful beyond SharePoint Online. Think of them as federated users on steroids: you do not have to provision a user account for them, and you still get a meaningful way to control their access to your resources that works just the same way as it does for a UW user. We have more orientation material on this capability planned.

 

* Entra ID device registration. There are many different ways to get a device registered with Entra ID, across varying operating system platforms. For example, there are three ways to get a Windows 10 device Entra ID registered. Registering your device with Entra ID enables certain data protection and security capabilities. If you take it one step further and join your device to Entra ID (only possible with Windows 10), you get interactive logon using your Entra ID user account. Many of the various ways to do this are not enabled today, but a few are. We have more orientation material on this capability planned, to help everyone wade through all the details.
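Because registration and join are distinct states, it helps to be able to tell which one a Windows 10 device is actually in. The following is an added example, not from the UWWI orientation material: it runs dsregcmd, which ships with Windows 10, parses the YES/NO fields it prints, and classifies the device. The field names are the ones dsregcmd /status emits; the derived state labels are this example’s own.

```powershell
# Added example, not from the UWWI documentation: read the device's Entra ID
# (Azure AD) registration state from dsregcmd, which ships with Windows 10.
# The field names are those printed by "dsregcmd /status"; the join state is
# derived from which of them are YES.

function Get-DeviceJoinState {
    $raw = & dsregcmd.exe /status
    $fields = @{}
    foreach ($line in $raw) {
        # Data lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(\S.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $azureJoined  = ($fields['AzureAdJoined']   -eq 'YES')
    $domainJoined = ($fields['DomainJoined']    -eq 'YES')
    $registered   = ($fields['WorkplaceJoined'] -eq 'YES')

    if ($azureJoined -and $domainJoined) { $state = 'On-premises domain joined and Entra ID joined' }
    elseif ($azureJoined)                { $state = 'Entra ID joined (interactive logon with Entra ID account)' }
    elseif ($registered)                 { $state = 'Entra ID registered (workplace joined) only' }
    elseif ($domainJoined)               { $state = 'On-premises domain joined only' }
    else                                 { $state = 'Not joined or registered' }

    New-Object PSObject -Property @{
        State      = $state
        TenantName = $fields['TenantName']
        DeviceId   = $fields['DeviceId']
        DomainName = $fields['DomainName']
    }
}

Get-DeviceJoinState | Format-List
```

A device that shows only "On-premises domain joined" gets none of the Entra ID data protection capabilities mentioned above, which is the case to look for when a user reports that a conditional-access protected resource rejects their machine.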

 

* Microsoft Advanced Threat Analytics. This product provides machine learning capabilities to evaluate activity on domain controllers to identify anomalous events. This tool is capable of identifying attacks and persistent “hidden” compromises of highly privileged accounts.

 

 

====Spotlights====

 

* UWWI service staffing availability has been down over the past 12 months—this is because other UW-IT services have had higher priority work and staffing shortages. You may notice a smaller amount of new capabilities again in this 6 month period, which is attributable to this smaller investment. We’re waiting for a new employee to start who will help backfill this staffing gap.

 

* An Entra ID governance team spent an intensive amount of time this summer working through the many emerging capabilities Microsoft is providing that are tied to this technology, including identity, access management, device management, and application support. We should have an Entra ID Application Request process soon, thanks to efforts here. And again, we have more orientation material planned.

 

* The Enterprise Architecture program has encouraged the use of capability maps to facilitate communication about what’s provided and what’s needed. UWWI has created two capability maps, one for the overall service and one for Entra ID. You can view them at:

UWWI Capability Map: https://wiki.cac.washington.edu/x/sx5JB

Entra ID Capability Map: https://wiki.cac.washington.edu/x/sh1JB

Other services are developing capability maps, and over time you will likely be able to see connections. For example, you may also be interested in the Managed Desktop Capability Map: https://wiki.cac.washington.edu/x/LCBJB.

 

A brief description of the format used may help orient you. The use of color highlights specific capabilities and future planned initiatives in a broad capability area. The left side denotes some desired customer needs and outcomes. What’s within the rectangle with rounded corners is what is provided, although in some cases we haven’t yet provided an item or are planning to retire or divest (see the key to find those cases). The right side is a high level “roadmap” of imagined investment in initiatives. Between the key and rectangle with rounded corners is a laundry list of possible capabilities that we can imagine. Unfortunately, space constrains our imagination, so there are definitely things we’ve imagined but don’t list—we had to make a judgment call.

 

And that’s a really good note to end the description on—within a single page, it is hard to represent something like this, but the goal is not to create a perfect representation, but to encourage good conversations. Please do ask questions about this, either via the uwwi-discuss mailing list or help@uw.edu.

 

* UWWI plans to implement a design to address inactive user accounts. Of the ~770K NETID user accounts, only ~110K have been logged into over the last two year period. Reducing the risk and costs associated with the large set of unused user accounts is the primary goal of this design change. We are still refining the design after gathering some initial feedback within UW-IT, and when we have something we’re happy with, we’ll share it more broadly.
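To make the scale of the problem concrete, the following is an added example and is not the UWWI inactive-user design: it lists the accounts in one delegated OU that have not logged on in two years, using the replicated lastLogonTimestamp attribute. That attribute can lag a real logon by up to 14 days, which is acceptable for a two-year window but not for a precise one, and accounts created after the cutoff are excluded so that brand-new users are not counted as inactive. The OU path is an assumption, and the ActiveDirectory module (RSAT) is required.

```powershell
# Added example, not the UWWI inactive-user design: list accounts in a
# delegated OU that have not logged on in two years. Uses lastLogonTimestamp,
# which replicates between domain controllers but can lag real logons by up
# to 14 days, so it suits a 2-year window, not a precise one.
# Requires the ActiveDirectory module (RSAT). The OU path is an assumption.

Import-Module ActiveDirectory

function Get-InactiveUsers {
    param(
        [int]$InactiveDays = 730,
        [string]$SearchBase = 'OU=Example,OU=Delegated,DC=netid,DC=washington,DC=edu'   # assumed OU
    )
    $span   = New-TimeSpan -Days $InactiveDays
    $cutoff = (Get-Date) - $span

    Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly -SearchBase $SearchBase |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, lastLogonTimestamp } |
        Where-Object { $_.whenCreated -lt $cutoff } |   # new accounts that simply haven't logged on yet are not "inactive"
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ Name = 'LastLogon'; Expression = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { 'never' } } }
}

# Report first; disabling is a separate step, previewed here with -WhatIf.
$inactive = @(Get-InactiveUsers -InactiveDays 730)
$inactive | Export-Csv -Path inactive-users.csv -NoTypeInformation
"$($inactive.Count) accounts inactive for 730+ days"
$inactive | Where-Object { $_.Enabled } | ForEach-Object {
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Scope the query to an OU rather than the whole domain; against ~770K accounts an unscoped Search-ADAccount is slow and is better run from a domain controller or against a global catalog.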

 

* We know that our customer documentation is currently split between two locations and this is not a good situation. We are exploring some options which should greatly improve this, which hopefully will come just in time for all the orientation material mentioned above.

 

==== Trends ====

 

* Since July, UWWI has sustained growth: +9 delegated OUs (112 total), +2 trusts (55 total), +~1750 computers (12389 total), +18k users (772k total), -12k groups (96k total).

* UWWI support requests are steady. 224 UWWI support records resolved since the last newsletter (vs. 241 in prior period).

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the 6 months ahead include:

* Explore possible expanded uses of AD-integrated Certificate Authority, as identified by customer business needs

* Explore LAPS-E, a local administrator password management solution. See current discussion on uwwi-discuss about possibilities here.

* Explore Azure MFA and Microsoft Passport as possible Microsoft MFA solutions for the UW, so we are ready for a broader discussion about MFA at the UW later in the year.

* Enable Entra ID Applications, via releasing a request and approval process, working with Microsoft to extend its user consent framework, and providing integration guidance for developers

* Entra ID Application Proxy deployment. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Windows Integrated configuration. They gain a hardened, cloud-based endpoint, the possibility of leveraging conditional access capabilities such as Azure MFA, and can leverage the logging and security anomaly analysis investments Microsoft is building.

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Nebula to build a high security Windows file service offering in connection with a high security managed desktop offering

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support growing Nebula migration efforts into the NETID domain

* Explore possibility of offering basic managed desktop offering for a nominal cost (or possibly no cost), re-using the infrastructure Nebula brings to the NETID domain.

* Implement ‘inactive user design’

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* Deploy Microsoft Identity Manager’s Privileged Account Management capability to provide ‘just in time’ domain admin privileges instead of ‘always on’. This will reduce enterprise risk.

* Preferred Name (assuming this work has investment from the Directory Services service)

* Support emerging Monitoring Service by sharing Windows expertise

 

Of the 14 forecasted objectives we listed in the last UWWI News, here’s a review on how they turned out:

  • 3 were successfully completed: AD-CS, ATA, AAD gov
  • 4 were started and continue: RMS, Software Deployment (SCCM), Nebula Migration, AuthN restrictions
  • 3 depend on work started by another service, which hasn’t yet reached the point where we can start: Preferred Name, MFA project, Monitoring service
  • 4 were not started: ADMT, Firewall GPO, PAM, LDAP signing

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a capability map publicly visible at https://wiki.cac.washington.edu/x/sx5JB. This capability map includes a high-level summary of our roadmap. We can also provide more detailed information about our backlog if you have questions.

 

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, UWWI Service Manager

IE Browser Support

Browser support changes will be coming on 1/12/2016. Microsoft will drop support for older versions of Internet Explorer, leaving IE11 as the only supported version of Internet Explorer. Go to the OS and Browser Support page for information.

Undesired H: Drive Purge

H: drive deletions coming for those without departmental eligibility groups

Current staff members who are not in your department’s eligibility group will have their home directory (H: drive) deleted on 1/15/2015. Please verify that all of your staff members have been added to the correct eligibility group before that date.

More info:

Last summer we revealed that there were a significant number of Nebula home directories which we believed were undesired, primarily associated with individuals who had long since stopped having an association with the university. That was primarily because the Managed Workstation service didn’t have an active mechanism to capture when individuals should lose their eligibility for our service. We implemented the user eligibility mechanism which puts you as a customer in the driver seat of provisioning and deprovisioning home directories and some other user related access. As detailed above we didn’t complete connecting those eligibility groups with the home directory provisioning and deprovisioning until the end of February.

In December we notified those users with an “undesired” home directory who were still accessing that home directory to let them know that unless a customer marked them as eligible and paid for that home directory, that the home directory would be deleted.

In late January we removed access to undesired home directories.

In mid February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year.

Nebula to disable SSLv3

Nebula will disable SSLv3 on Nebula workstations and servers which still have it enabled.

 

What and When:

On Tuesday, January 5th, 2016, Nebula will configure managed desktops and its servers to no longer permit SSLv3.

 

SSLv3 is still broadly used to encrypt sessions, but it is very old and now considered insecure. Disabling SSLv3 should have little to no impact because there is broad support for TLS and no obvious change to the user experience when TLS is used instead of SSLv3. While the most secure protocol both sides support should be negotiated when a client connects to a server, some clients fall back to SSLv3 when a TLS handshake fails (and an attacker on the path can force that failure), so this change ensures that Nebula systems never permit the less secure protocol.

 

What You Need to Do:

Nothing, unless you are responsible for a web server or other service that uses this protocol, in which case you should update to a stronger encryption protocol as soon as possible.

 

This is primarily an advisory to let you know that we’re making a design change to make Nebula more secure.

 

More Info:

There is a vulnerability in the cryptographic protocol Secure Sockets Layer version 3, or SSLv3, known as POODLE (CVE-2014-3566; see Microsoft Security Advisory 3009008 at https://technet.microsoft.com/en-us/library/security/3009008.aspx). In order to prevent malicious actors intercepting your data, Nebula is disabling the weakened protocol SSLv3 for all Nebula managed desktops and all Nebula servers.

 

This change could affect anyone still using a service protected with SSLv3, and anyone using a version of Internet Explorer prior to 11. Since this protocol is being dropped across the industry, it is unlikely that you will be affected unless you use a site or service still only using SSLv3. If you anticipate or experience any difficulties that you believe are related to this change, please email help@uw.edu with the subject line “Nebula SSLv3 Change”.
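For anyone responsible for a Windows web server or other service that still has SSLv3 on, the following is an added example and is not Nebula’s own change script: it disables SSL 3.0 in SCHANNEL for both the server and client roles, makes sure TLS 1.2 is enabled, and prints the resulting protocol table. This is the same registry change that the Microsoft advisory workaround or a GPO preference applies. It must run from an elevated prompt, and SCHANNEL only reads these values at boot, so a reboot is required before the change is effective.

```powershell
# Added example, not Nebula's own change script: disable SSL 3.0 in SCHANNEL
# for both the server and client roles and make sure TLS 1.2 is on, then show
# the resulting protocol table. This is the registry change the Microsoft
# advisory workaround and a GPO preference would apply. Run elevated; the
# change takes effect after a reboot.

$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # 'SSL 3.0', 'TLS 1.2', ...
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $protocolsKey "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 turns the protocol off outright; DisabledByDefault = 1
        # additionally keeps it off for applications that don't request a
        # specific protocol. Both are set so a fallback cannot re-enable it.
        $on  = [int]$Enabled
        $off = [int](-not $Enabled)
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value $on -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value $off -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $protocolsKey "$proto\$role") -ErrorAction SilentlyContinue
            # A missing value means the OS default applies; on Windows 7 and
            # 8.1 that default leaves SSL 3.0 enabled, which is the weak state.
            $enabled = 'OS default'; $dbd = 'OS default'
            if ($p -ne $null) {
                if ($p.PSObject.Properties['Enabled'])           { $enabled = ($p.Enabled -ne 0) }
                if ($p.PSObject.Properties['DisabledByDefault']) { $dbd = ($p.DisabledByDefault -ne 0) }
            }
            New-Object PSObject -Property @{ Protocol = $proto; Role = $role; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

# Weak state: SSL 3.0 left at its default (enabled). Corrected state:
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Get-SchannelProtocolState | Format-Table Protocol, Role, Enabled, DisabledByDefault -AutoSize
```

After the reboot, the Client rows matter for the managed desktops (they stop offering SSLv3 even if a server downgrades) and the Server rows for any IIS or other SCHANNEL-based service; an "OS default" for SSL 3.0 in either row means that role is still in the weak state.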

 

 

Changes in accessing Nebula file services


Access is now based on eligibility groups managed by each customer. As users are added to and removed from eligibility groups, access to Nebula services will be added or removed accordingly. If you are unsure or do not know what your eligibility group is, send an email to help@uw.edu.

If you do not have a UW eligibility group and need to create one, instructions are on our webpage: How do I set up an eligibility group for my department?