Overview
The Classic-CoreImage is Michigan Medicine's managed Windows PC platform. It is deployed on Michigan Medicine-owned and HITS-approved desktop, laptop, and tablet PC hardware. It differs from its companion platform, the Intune-CoreImage, in significant ways that affect how the two are managed by HITS and how they can be used by Michigan Medicine faculty, staff and learners.
See this article for a treatment of the Intune-CoreImage.
The following lists pertinent features of the Classic-CoreImage for users to review.
- Modes
- Applications
- Maintenance
- GreenIT
- Reboots
- Patching
- Microsoft 365
- Adobe
- VPN
Modes
Michigan Medicine deploys Classic-CoreImage devices across locations with different workflow requirements. To accommodate those needs, HITS developed "modes" -- a set of shared configuration settings and applications. These modes are available across desktops, laptops, and tablet PCs.
Standard mode -- used in locations where users log directly into the Windows operating system to have a personalized experience--meaning they have integrated access to OneDrive, Teams, Outlook, etc. as well as the ability to customize their Windows settings such as their wallpaper. This mode may be used when a device is assigned to just one person or in shared locations where users have lengthy sessions on the devices, such as staff rooms. (In contrast, see Kiosk mode below for devices in shared locations where users have short encounters with devices.) Standard mode devices use two-stage security timers: (1) the screensaver starts and (2) the screen locks.
Kiosk mode -- used in locations where users need a quick "walkup" encounter with the device. The user logs into a single sign-on application called Imprivata, which passes their login into MiChart. The user may also choose to use their employee ID badge to "badge tap" into the device or to lock the screen as they walk away. Other users can log in when the screen is locked; doing so will log out the previous user in favor of logging in the new user. Kiosk mode is primarily deployed in clinical environments. Kiosk devices have three-stage security timers: (1) the screensaver starts, (2) the screen locks, and (3) the user is logged off. HITS has a set of available security timers for Kiosks; HITS will work with unit representatives to ensure that the correct security timers are implemented on Kiosk devices to balance the security and usability of the device.
Flex -- used primarily in research areas. They use Fast User Switching to allow for multiple concurrent logins; they do not participate in GreenIT; and they run Maintenance but will not automatically reboot. Flex devices use two-stage security timers: (1) the screensaver starts and (2) the screen locks.
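The two-stage timers above (screensaver, then lock) are ordinary Windows settings that can be read back on the device. The following PowerShell is an added example for verifying them on a Standard or Flex mode device; it is not HITS code, and the registry locations are the standard Windows ones, not anything specific to the CoreImage. The third Kiosk stage (logoff) is driven by Imprivata and is not visible in these keys.

```powershell
# Added example (not HITS or CoreImage code): report the screen-lock timers that
# implement the "two-stage" security timer on a Standard or Flex mode device.
# Stage 1 = screensaver start, Stage 2 = screen locks (password on resume).
# Values come from the user's Control Panel\Desktop keys and the matching
# Group Policy keys; the policy value wins when present. Run in the logged-on
# user's session so HKCU refers to that user.

function Get-LockTimerStatus {
    $userKey       = 'HKCU:\Control Panel\Desktop'
    $policyKey     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    function Read-Value($path, $name) {
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return $item.$name }
        }
        return $null
    }

    # Policy-set values override whatever the user chose in Settings.
    $timeout = Read-Value $policyKey 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Read-Value $userKey 'ScreenSaveTimeOut' }
    $secure = Read-Value $policyKey 'ScreenSaverIsSecure'
    if ($null -eq $secure) { $secure = Read-Value $userKey 'ScreenSaverIsSecure' }
    $active = Read-Value $policyKey 'ScreenSaveActive'
    if ($null -eq $active) { $active = Read-Value $userKey 'ScreenSaveActive' }

    # "Interactive logon: Machine inactivity limit" locks the session even when
    # the screensaver is off; it is a second, machine-wide lock path worth reporting.
    $inactivity = Read-Value $machinePolicy 'InactivityTimeoutSecs'

    [pscustomobject]@{
        ScreensaverActive          = ($active -eq '1')
        Stage1_ScreensaverSecs     = [int]$timeout
        Stage2_LockOnResume        = ($secure -eq '1')
        MachineInactivityLimitSecs = $inactivity
    }
}

$status = Get-LockTimerStatus
$status | Format-List

# Flag the configuration a practitioner actually cares about: a walk-away that
# never results in a locked session.
if (-not $status.Stage2_LockOnResume -and -not $status.MachineInactivityLimitSecs) {
    Write-Warning 'No automatic lock configured: screensaver does not require a password and no machine inactivity limit is set.'
}
```

Use this when a unit reports that a shared device "never locks"; the output shows whether the timer is missing, set too long, or set to a screensaver that does not require a password on resume.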
Applications
The Classic-CoreImage has a set of "enterprise" applications shared across most modes. Additional, restricted (e.g., licensed) applications are available upon request via the Service Catalog and are listed here. The applications are prepared by HITS engineers for deployment to CoreImage devices. This preparation process is called "packaging." Restricted applications may need proof-of-license before they can be assigned to a device; this is handled when users request applications via the Service Catalog. The applications are installed during the device's Maintenance process after IT Support staff assign them to the device via the HITS-developed Fleet Configuration System (HITS internal link).
Software Center is available in the start menu as a user self-service method to install a small set of applications (Dropbox and Adobe Creative Cloud) and run Maintenance.
Manual installation of applications that are not packaged requires "administrator" rights on the device. This means that Device Support Agents (DSAs) will need to assist users in installing those types of applications, or users may choose to apply for "Just In Time" administrator access for their device(s).
Sometimes HITS needs to distribute an application to a large number of devices in the Classic-CoreImage fleet. They use Microsoft's Configuration Manager (SCCM) to send the application packages to the target devices on a schedule. To avoid inconvenient device downtime, HITS configures these distributions to either happen quietly in the background, or they present a window asking the user whether they want to defer the installation until a better time. Users get two deferrals--after which the application will install automatically. The Citrix client used to access MiChart is an example of an application that is distributed this way.
Maintenance
Classic-CoreImage devices are managed using a combination of Microsoft's Configuration Manager (SCCM) and the HITS-developed Fleet Configuration System (FCS). FCS holds a database record for each Classic-CoreImage device. Those records describe the configuration of the device (e.g., Maintenance time, GreenIT schedule, assigned applications, etc.). To ensure that the configuration held in FCS matches how the device is configured, HITS uses SCCM to run a daily process on the device called Maintenance. Maintenance will make changes to the device based on any changes made to the device's FCS record. Maintenance is frequently used to install and/or uninstall applications requested through the Service Catalog. It will also implement changes to the device's GreenIT configuration among other settings.
Maintenance takes only a few minutes to run (unless it has applications to install and/or uninstall). If the device does not participate in GreenIT and is therefore always on, it will run Maintenance at a scheduled time between the hours of 7pm and 5am. If the device does participate in GreenIT, meaning that it shuts down at the end of business hours and turns on at the beginning of business hours, Maintenance will run at the designated "end of business" time and then power off the device. SCCM will power on the device at the designated "beginning of business" time.
Users can manually run Maintenance by opening Software Center in the start menu and clicking on the Maintenance icon. Maintenance will ask to reboot the device if it detects that Windows needs to reboot to complete a change such as applying a monthly security patch or an application update.
GreenIT
Michigan Medicine implemented a power savings measure on its Classic-CoreImage fleet in the early 2010's that powers down devices at the end of business hours and powers them back on at the beginning of business hours. Each device can have a different schedule. For instance, "Machine A" could power down at 6pm and power on at 5:30am while "Machine B" sitting right next to it could power down at 4:30pm and power on at noon. Users may request a GreenIT schedule change via a ticket to the HITS Service Desk. Devices that participate in GreenIT run Maintenance at their "end of business" time; Maintenance then powers down the device. Neither laptops nor Kiosk mode devices typically participate in GreenIT.
Reboots
Classic-CoreImage devices may reboot in a few different scenarios:
1. When Maintenance detects that a recent change requires a reboot to finish--such as monthly patches or when it upgrades an application.
2. (Infrequent) After the installation of an application distributed by SCCM that requires a reboot to complete.
3. (Very rare) An emergency change such as something to address a critical security incident.
In the case of #1, when Maintenance completes, a small program called the CoreImage Shutdown Assistant launches with a 10-minute countdown to reboot. The application can be used to delay the reboot from a few minutes up to 3 hours. When the countdown expires, the device will be forcibly rebooted. The same applies to #2. However, in #2's case the user has usually also been given the opportunity to defer the installation of the application that will require a reboot, so both the installation and the subsequent reboot can be delayed. Flex devices do not reboot in scenarios #1 or #2, though they will in scenario #3.
Patching
HITS follows Microsoft's monthly patching timeline for Windows security updates. HITS implements major feature updates (called WaaS updates) once a year--typically in the first half of the calendar year. CoreImage devices also receive updates to both Edge and Google Chrome web browsers as well as Adobe Acrobat each month. HITS may distribute updated device drivers--such as a Wi-Fi card driver or BIOS update--if they address a serious defect or a security vulnerability. The successful installation of any of these types of patches and updates will trigger Maintenance to reboot the device. The installation of patches cannot be deferred, but they will typically install silently in the background. Only the reboot triggered via Maintenance can be delayed. Flex devices will not reboot; instead, they rely on their users to reboot them when doing so is convenient.
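Both the Reboots and Patching sections hinge on one condition: Windows has a change that needs a restart to finish. The PowerShell below is an added example, not HITS or CoreImage code, that checks the standard Windows reboot indicators together with the Configuration Manager client's own verdict, so a DSA or a Flex device user can see why a reboot is being requested (or, on Flex, why one is overdue). The SCCM check assumes the client is installed under the usual root\ccm\ClientSDK namespace.

```powershell
# Added example (not HITS or CoreImage code): detect the conditions under which
# Maintenance would ask for a reboot. Checks the Windows reboot indicators set by
# servicing, Windows Update and installers, plus the Configuration Manager
# client's DetermineIfRebootPending method. Run elevated.

function Get-PendingRebootStatus {
    $reasons = @()

    # Component Based Servicing sets this key after monthly cumulative updates.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'ComponentBasedServicing'
    }

    # The Windows Update agent sets this key when an installed update needs a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }

    # Installers (driver packages, application upgrades) queue in-use file
    # replacements to be applied at next boot.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }

    # Ask the Configuration Manager client directly; it is the agent Maintenance runs under.
    # Assumes the client is installed; on a non-SCCM machine this branch records 'unavailable'.
    try {
        $ccm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
                                -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        if ($ccm.RebootPending -or $ccm.IsHardRebootPending) { $reasons += 'ConfigMgrClient' }
    } catch {
        $reasons += 'ConfigMgrClient:unavailable'
    }

    # A missing SCCM client is not itself a reason to reboot, so exclude it from the verdict.
    $realReasons = @($reasons | Where-Object { $_ -notlike '*:unavailable' })

    [pscustomobject]@{
        RebootPending = ($realReasons.Count -gt 0)
        Reasons       = $reasons
    }
}

$pending = Get-PendingRebootStatus
$pending | Format-List

if ($pending.RebootPending) {
    Write-Warning ("A reboot is pending for: {0}. Patches are not fully applied until the device restarts." -f ($pending.Reasons -join ', '))
}
```

On a Standard mode device a true result here is what the CoreImage Shutdown Assistant will act on after Maintenance; on a Flex device, where Maintenance does not reboot, it is the signal that the user needs to restart so that the month's security patches actually take effect.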
Microsoft 365 Apps for enterprise, OneDrive, and Teams
Microsoft rebranded Office to "Microsoft 365 Apps for enterprise" -- though for the sake of ease, this article will continue to use "Office 365" to refer to the productivity suite of applications that includes Word, PowerPoint, Excel and Outlook. Office 365 receives monthly updates that include feature changes alongside security updates. HITS uses the Monthly Enterprise channel for its version of Office 365. This means that CoreImage users receive feature and bugfix updates two months after consumers do to ensure a higher level of application stability. Office 365 automatically activates using the user's Michigan Medicine email (uniqname@med.umich.edu). HITS uses a different version of Office on Kiosk mode devices, called Office 2021, that only receives bug fixes and security updates; this creates a more consistent experience on Michigan Medicine's most "task oriented" platform.
Standard mode and Flex CoreImage devices automatically activate Office 365 and log users into Outlook, OneDrive and Teams. The devices are configured to use OneDrive Backup for PC so that the local Desktop, Documents, and Pictures folders are backed up to OneDrive in the cloud. In the case of a device failure or the use of a different CoreImage device, any documents in those folders will be available via the web and automatically synced on the new device. Microsoft Teams doesn't automatically start, but once a user launches it for the first time, it will automatically start upon subsequent logins. Kiosk devices use the web version of Teams.
Adobe
CoreImage devices allow users to install the Adobe Creative Cloud Desktop Application (CCDA) on demand from Software Center using these instructions. The CCDA is Adobe's portal application for users to install Creative Cloud applications such as Acrobat Pro, Photoshop, and Illustrator. The Adobe Creative Cloud applications are made available through the U-M Campus agreement with Adobe.
VPN
Only managed devices such as the Classic-CoreImage are permitted to use the Michigan Medicine VPN. Every Classic-CoreImage Standard mode laptop has the VPN client installed. Desktops deployed to remote locations (e.g., at home) will have the VPN installed. The VPN is required to access Michigan Medicine internal resources such as network file shares when off the Michigan Medicine network. To start the VPN, users will launch the "Cisco Secure Client" from the start menu and follow the login instructions.