Managed Windows desktop changes

Posted on 5 March 2015

We will be making a number of updates to the managed Windows desktop over the coming months as detailed below.

If you have any thoughts or comments about any of the changes below, please contact IT Services.

Upgrades to current services

  • Microsoft System Center Configuration Manager (SCCM)
  • Application Installs
  • Internet Explorer
  • Microsoft Office
  • Java

New products and changes

  • Google Chrome
  • The Enhanced Mitigation Experience Toolkit (EMET)
  • Firewall
  • Browser Plugins

Microsoft System Center Configuration Manager (SCCM) - upgrade to current service

Most office and classroom machines are currently managed by SCCM 2007. We will shortly be migrating all these machines to the newer version, SCCM 2012. The most noticeable difference following this upgrade will be a change in the way you install applications, from using Run Advertised Programs to using Software Center. The following article explains the differences in more detail:

http://www.york.ac.uk/it-services/it/software/installation/

SCCM 2012 will also be used to install and reinstall Windows on machines; we’ll provide additional information about how to do this soon. All new desktops and laptops have already been supplied with SCCM 2012 pre-installed.

If you’d like a machine migrated to SCCM 2012 to test in advance, please email itsupport@york.ac.uk.

Application Installs - upgrade to current service

We will be using a new tool to help us update and deploy applications on managed machines, providing a more informative and better experience for users.

Here are some of the features that will improve the application update experience:

  • A prompt to close specific applications that are open prior to starting the application deployment. You will be prompted to save your documents and can close the program from within the prompt. (figure 1)
  • Ability to defer an installation a number of times, for a number of days or until a deadline date is reached.
  • Prevent the opening of specific applications until installation is complete.
  • A restart prompt with an option to restart later or restart now. (figure 4)

Example (using an upgrade to Microsoft Office 2013):

Figure 1. Warning to close applications before the install can continue

Figure 2. Notification of uninstalling Office 2010

Figure 3. Notification of installing Office 2013

Figure 4. Prompt to restart computer

Internet Explorer - upgrade to current service

All machines should be running Internet Explorer 10 or above. Users have previously been prompted to upgrade manually, but over the next few months we will be rolling out an automatic upgrade to those machines still running an older version.

We will also be making Internet Explorer 11 available as an optional upgrade. There are still issues when using Internet Explorer 11 on some websites and users will be warned of this before they install the software.

Microsoft Office - upgrade to current service

Currently most managed desktops are using Microsoft Office 2010 Service Pack 1. In order to continue receiving patches and support from Microsoft, all machines need to be updated to Service Pack 2. This will be pushed out to the machines that require it over the next few weeks.

We are also looking at the possibility of making Office 2013 available as an optional upgrade to users in the coming few months.

Java - upgrade to current service

Oracle will be dropping public support for Java 7 in April 2015. To coincide with this we will be removing all legacy versions of Java from individual managed PCs. We will no longer install Java by default on managed office machines. We will continue to provide Java 8 through Run Advertised Programs and Software Center as usual. If you want to continue using Java you will need to reinstall it.

Note: Classroom machines will continue to have Java Runtime and Development Kit installed by default, and will run Java 7 until summer 2015 to avoid disruption to teaching.

Google Chrome - new product / change

We have been testing Google Chrome in PC classrooms since mid-December and will soon be making it available to all office machines via Run Advertised Programs and Software Center.

There are, however, some limitations to using Chrome as your chosen browser on a managed desktop. For example, the settings that Chrome creates won’t roam like those of other applications on the managed desktop: if you log on to a machine and customise Chrome, then log off and log on to another PC, those settings won’t follow you and Chrome will open with the default settings. For the best experience we recommend you sign in to Chrome with your work Google account, which will synchronise the settings with Google.

The Enhanced Mitigation Experience Toolkit (EMET) - new product / change

Quote from Microsoft:

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent attackers from gaining access to computer systems. EMET anticipates the most common attack techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET protects computers even before new and undiscovered threats are addressed by security updates and antimalware software.

The idea is that if someone opens a malicious Word file or PDF, EMET will detect the exploit and stop the application, preventing the infection. EMET won’t replace McAfee; it’s designed to work alongside any antivirus/antimalware product.

If EMET does detect a problem, users can be notified by a pop-up:

[Images: EMET pop-up notification on the managed Windows desktop, default and custom versions]

It’s being used to provide additional protection to the following pieces of software: Internet Explorer, Opera, Firefox, Microsoft Office, Adobe Reader, Java, VLC and 7-Zip.

We’re currently testing EMET 5.1 in some of our classrooms. We’ll continue the rollout in our classrooms and then run a trial on office PCs before rolling this out further.

Firewall - new product / change

The Windows firewall was disabled in Windows XP for compatibility reasons, and Windows 7 was set up the same way. As part of improving the security of the managed desktop we’re looking at enabling the Windows firewall on all managed machines.

We’re interested in hearing if any DCOs currently remotely access managed desktops.

It is likely that when enabling the Windows firewall we will leave the Remote Desktop functionality enabled, as this is a popular way for people to get access to their desktop from anywhere on campus or from home. However, once the firewall is enabled you’ll be unable to remotely access any other service unless an exception is created. Please get in touch if you remotely access managed desktops so we can assess the impact of this change. The most popular examples of remote management are mapping a remote machine’s C drive or using Computer Management/Regedit to connect to remote machines.

Browser Plugins - new product / change

Currently an office machine gets the following plugins installed by default: Adobe Flash, Adobe Reader, Adobe Shockwave and Java. Once the migration to SCCM 2012 is complete we want to reduce the default plugins to just Adobe Flash and Adobe Reader. You will be able to install the other plugins from Software Center; they will then be updated and maintained as usual.

The primary reason for this is to improve the security of the managed desktop. Removing unused plugins reduces the risk that a machine will be exploited to install a virus or malware. We’ve also had comments from users that they don’t like being prompted on a regular basis to update software; removing software that isn’t used will reduce the number of notifications.
