Windows desktop changes

Posted on 23 January 2019

On Tuesday 29 January we'll be making a number of changes to the Windows managed desktop, including enabling the lock feature on classroom PCs, updating logon screens, changing the way that Windows is installed, improving the process for encrypting new laptops, and changing the way that local administrator passwords are managed.

Please note that most of these changes are only relevant to people with responsibility for building or maintaining Windows devices (eg Departmental Computing Officers) but if you have any questions about these changes, please email itsupport@york.ac.uk.

Information for everyone

Classroom PCs automatic lock

At the moment, if you're using one of our Windows classroom PCs, you can't lock it if you need to leave your desk. This was set up because there was no way for other students to log off a locked PC, meaning that someone could lock the PC and then leave it for hours, unable to be used by anyone else. However, this has been a security risk, as students leave the PC logged on while they're away from the desk (eg while they collect printing), meaning that anyone can access their account.

Microsoft has now enabled a feature called SharedPC that adds a Sign out button to the lock screen. With this feature available, we are now making it possible for you to lock a classroom PC if you have to leave the desk for a short time.

Image of the Windows lock screen, including a sign out button.

In addition, if the PC isn't active it will automatically lock based on the monitor's power saving setting. This is 15 minutes for a classroom machine and two hours for a lecturer's PC (ie a device on a lectern, or linked to the projector).

Logon screen

We've had feedback that users didn't know how to identify a managed desktop. We're adding branding on the logon and lock screen for Windows to help make it clearer - this will be a phased rollout, and we'll be interested to have your feedback.

An image of the Windows logon screen for a managed desktop with University branding.

This change won't affect your background when you're logged on, so you can still add a picture of your favourite child, pet or place…

Mainly technical

The rest of this news item is concerned with technical information about Windows installation, disk encryption, and local administrator passwords. This will primarily be of interest to Departmental Computing Officers and others who manage departmental IT equipment. If that doesn't sound like you, feel free to stop reading now!

Installing Windows

To improve the security of the Windows managed desktop, the device needs a few options set in the BIOS/firmware, some of which need to be set before Windows is installed. To help make sure the right settings are enabled, we're adding a step to the installation process that will show which settings are correctly set up. This new step is known as Preflight checks.

Image of a preflight checks result screen, shown as part of the Windows installation process.

  • Red are errors so the installation won't continue
  • Yellow are warnings; if possible you should fix the issue before continuing, but you can continue the installation without fixing the issue if necessary
  • Green shows that the test has been passed

Initially the Preflight checks will only take place on laptops. This process will be enabled for desktop PCs at a later date; it's not an option yet as there are still a number of older desktops that don't support all of these features.

Disk encryption

BitLocker is Microsoft's solution for full disk encryption that we use to encrypt Windows devices so that they comply with the University Information Policy.

We currently only encrypt devices with BitLocker when they are built using the managed build process (normally carried out by DCOs, and also known as the F12 build process) and have a TPM (hardware on the device which stores secure information like the BitLocker password) enabled. This has meant a number of laptops have been built without BitLocker. To stop that from happening from now on, we're altering the Windows installation process so that, if there isn't a TPM active or installed, the disk will still be encrypted. In this situation, you will need to create a password (we recommend using one that's at least 16 characters long for BitLocker) that will need to be entered when the PC is powered on or rebooted.

You will be prompted with the following screen when the build is complete and you're logged into Windows.

Image of a screen prompting password creation for encryption.

The encryption will then begin:

Image of a screen shown during the encryption process.

Image of a screen prompt showing that encryption is underway.

You can continue using the device as normal during encryption, although it may run more slowly than usual until the process is complete.

Devices that have a TPM will be encrypted and the password is stored with the TPM, so users won't be prompted for an additional password on startup.

At a later date we'll deploy BitLocker to all laptops to automatically encrypt any devices that weren't built by our process.
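A DCO can check which of the outcomes described above a device ended up with by looking at its BitLocker key protectors. The script below is an added example, not the University's build script; the function names, finding labels and host names are hypothetical, and the sample objects are constructed to match the shape of `Get-BitLockerVolume` output so it runs without a real device.

```powershell
# Added example, not the University's build script. Classifies volumes by the
# BitLocker key protector in use, matching the build outcomes described above.
function Get-EncryptionFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Volume)
    process {
        # foreach skips a $null KeyProtector list, so unencrypted volumes yield no types
        $types = @(foreach ($p in $Volume.KeyProtector) { [string]$p.KeyProtectorType })
        $finding = if ($types.Count -eq 0 -or [string]$Volume.VolumeStatus -eq 'FullyDecrypted') {
            'NotEncrypted'          # built without BitLocker
        } elseif ([string]$Volume.VolumeStatus -eq 'EncryptionInProgress') {
            'Encrypting'            # usable, but not yet fully protected
        } elseif ([string]$Volume.ProtectionStatus -ne 'On') {
            'ProtectionOff'         # encrypted, but protection is not active
        } elseif ($types -contains 'Tpm') {
            'TpmUnlock'             # no extra prompt at startup
        } elseif ($types -contains 'Password') {
            'StartupPassword'       # no TPM: password entered at power-on
        } else {
            'OtherProtector'
        }
        [pscustomobject]@{
            ComputerName = $Volume.ComputerName
            MountPoint   = $Volume.MountPoint
            Protectors   = $types -join ','
            Finding      = $finding
        }
    }
}

# Constructed sample inventory (hypothetical host names), shaped like Get-BitLockerVolume output
function New-SampleVolume($Name, $Status, $Protection, [string[]]$Protectors) {
    [pscustomobject]@{
        ComputerName = $Name; MountPoint = 'C:'; VolumeStatus = $Status; ProtectionStatus = $Protection
        KeyProtector = @(foreach ($t in $Protectors) { [pscustomobject]@{ KeyProtectorType = $t } })
    }
}
$sample = @(
    New-SampleVolume 'LAPTOP-A' 'FullyEncrypted'       'On'  @('Tpm', 'RecoveryPassword')
    New-SampleVolume 'LAPTOP-B' 'FullyEncrypted'       'On'  @('Password', 'RecoveryPassword')
    New-SampleVolume 'LAPTOP-C' 'EncryptionInProgress' 'Off' @('Password')
    New-SampleVolume 'LAPTOP-D' 'FullyDecrypted'       'Off' @()
)
$sample | Get-EncryptionFinding | Format-Table -AutoSize
# On a real device (elevated prompt): Get-BitLockerVolume | Get-EncryptionFinding
```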

Local Administrator Password

Following guidance from Microsoft, we're rolling out Local Administrator Password Solution (LAPS). This software will randomise the password on each device and automatically change it every 30 days. The password is stored in Active Directory and can be retrieved by IT Services.

This will only affect the local Administrator account; if you have created your own local accounts within your department, these won't be affected.
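Because LAPS records each password's expiry time in Active Directory, a 30-day rotation can be audited without ever reading a password. The script below is an added example, not IT Services' tooling; it assumes the `ms-Mcs-AdmPwdExpirationTime` attribute from the LAPS schema extension (not named in this article), and the function name, finding labels and computer names are hypothetical with constructed sample data.

```powershell
# Added example, not IT Services' tooling. Flags computers whose LAPS password is
# missing or overdue, using the expiry time LAPS records in Active Directory.
function Get-LapsRotationFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Computer,
        [datetime]$Now = [datetime]::UtcNow,
        [int]$MaxAgeDays = 30          # rotation interval stated in the article
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME, or empty if never set
        $expires = $null
        if (-not $raw) {
            $finding = 'NoLapsPassword'        # LAPS has never managed this device
        } else {
            $expires = [datetime]::FromFileTimeUtc([long]$raw)
            $finding = if ($expires -lt $Now) {
                'RotationOverdue'              # device has not rotated on schedule
            } elseif ($expires -gt $Now.AddDays($MaxAgeDays)) {
                'ExpiryBeyondPolicy'           # expiry further out than the interval allows
            } else {
                'OK'
            }
        }
        [pscustomobject]@{ Name = $Computer.Name; ExpiresUtc = $expires; Finding = $finding }
    }
}

# Constructed sample data (hypothetical names), evaluated at a fixed date so results are stable
$now = [datetime]::new(2019, 2, 15, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'PC-001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-40).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-003'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(90).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-004'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
$sample | Get-LapsRotationFinding -Now $now | Format-Table -AutoSize
# Against a directory (ActiveDirectory module):
#   Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsRotationFinding
```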

Questions?

If you have any queries or comments about any of these changes, please get in touch: