MiServer: Managed Windows: Service Overview

MiServer Managed Windows

Background

The MiServer Managed Service offers customers a managed operating system, including installation and support for the operating system, patch management, antivirus, monitoring, and backups. MiServer Managed (sometimes referred to as Managed OS) is an offering in the cloud service that leverages components from Infrastructure as a Service (IaaS) to provide service to customers. More information on components listed in IaaS can be found on the IaaS and Cloud service definitions. 
For detailed information about these services, refer to the Service Definition Documents and the Service Level Expectation document.

Scope

The scope of this document is to provide customers more detailed information regarding components of the service.

In Scope

Managed OS service includes the following: OS provisioning, patch management, antivirus, monitoring, backups/restores and OS retirement.

Operating Systems offered to customers for new requests:

  • Windows Server 2012 R2 Standard
  • Windows Server 2008 R2 Enterprise

Operating Systems supported when migrated into the service:

  • Windows Server 2012 R2
  • Windows Server 2008 R2

Out of Scope

  • Any system with PCI or HIPAA data
  • High Performance Computing (HPC)
  • Application support
  • Any operating system not specified in scope for the service

Expectations

  • Customers should have the capability and necessary skillsets to manage applications.
  • Customers will put servers in maintenance mode prior to performing any maintenance or performing any work that may be disruptive on the server.
  • Applications will not be installed or supported by the Managed OS support.
  • Managed OS support covers the operating system level only.

Antivirus

All servers subscribed to the MiServer Managed service will have antivirus clients installed. This measure is taken to provide customers additional protection against known and unknown viruses, malware, spyware, threats, etc. The antivirus agent will be monitored, maintained and managed as part of the service by the MiServer Managed team. In the event a security incident is identified by the antivirus agent or through other channels, the MiServer Managed team will work with the customer to help take corrective measures as necessary.

Monitoring

The MiServer Managed service proactively monitors the operating system to help identify potential problems, maintain high availability, and provide prompt break/fix response times if OS issues arise. Customers are asked to put servers in down time prior to performing any maintenance or disruptive work on the server. The monitoring component in the MiServer Managed service includes, but is not limited to:

  • Unplanned Server Restarts/Crashes
  • Operating System & Operating System Core Services
  • MiServer Components (Antivirus, Backups, Patches, etc.)
  • Service Infrastructure Components

In the event an incident is identified by the monitoring agent or through other channels, the MiServer Managed team will work with the customer to take corrective measures as necessary. Please remember it is crucial to put servers subscribed to the service in down time prior to intentionally taking any services offline or performing any disruptive maintenance. This process helps identify servers that do not need an immediate response and prevents services from being recovered when the original intent was to have those services remain offline.

Patch Management

It is best practice to apply security patches as soon as possible so that a server is not left at further risk of compromise through known exploits. All servers subscribed to the MiServer Managed service will be scanned and patched monthly for OS exploits. Customers will have the flexibility to choose a date and time to start the patching process on his or her server(s) from a predefined list of available time slots. The customer will also have the ability to change the date and time as often as needed within the service to fit his or her specific needs, up to the first day patching begins. Any request to change a patch schedule for a server during or after the first day patching begins will take effect prior to the next monthly patching cycle.

Before patch deployment, patches will be tested. To allow appropriate time to test patches prior to deployment, patches will not be applied to MOS subscribed servers earlier than the Thursday morning following the second Tuesday of every month, which is known as Patch Tuesday. Available time slots for patching start Thursday at 1 AM and run every 2 hours until Sunday at 11 PM. MOS subscribed servers need to be patched within one of the available time slots.

At times there have been slight differences noted between available patches for servers amongst different patching applications. Customers are expected to maintain and patch all non-OS applications.

Patch Scheduling

When selecting a scheduled time slot for patching please take the following into consideration:

  • Scheduled time slots are when the patching process will start for a server. The patching process involves: Scanning, Deploying, Applying patches and Patch Reconciliation and may run up to the next available patch window (2 hours). Following the patching process, servers will be rebooted. The servers should be available for the duration of the patching process and will only be unavailable for a brief period while the server is rebooted following patches being applied. Any patches that are missed and cannot be applied within the selected scheduled time slot will be scheduled the following week at the same selected time.
  • Customers should always schedule any non-production/test machines, if they exist within the MOS service, before any production servers subscribed to the service. This should help mitigate risk, even though it is very rare that a patch would need to be rolled back.
  • The patch schedule takes priority over any other scheduled maintenance initiated by subscribers of the MOS service for a particular server or maintenance initiated by the MOS team. However, the patch schedule does not take priority over other maintenance scheduled for other services that may affect the MOS service. For this reason, flexibility has been built into the OS patching process for the service to allow customers to choose the best time to patch his or her subscribed servers.

Patching Time Slots

Thursday    Friday      Saturday    Sunday
1:00 AM     1:00 AM     1:00 AM     1:00 AM
3:00 AM     3:00 AM     3:00 AM     3:00 AM
5:00 AM     5:00 AM     5:00 AM     5:00 AM
7:00 AM     7:00 AM     7:00 AM     7:00 AM
9:00 AM     9:00 AM     9:00 AM     9:00 AM
11:00 AM    11:00 AM    11:00 AM    11:00 AM
1:00 PM     1:00 PM     1:00 PM     1:00 PM
3:00 PM     3:00 PM     3:00 PM     3:00 PM
5:00 PM     5:00 PM     5:00 PM     5:00 PM
7:00 PM     7:00 PM     7:00 PM     7:00 PM
9:00 PM     9:00 PM     9:00 PM     9:00 PM
11:00 PM    11:00 PM    11:00 PM    11:00 PM

Patch Troubleshooting

In the event patches are either missed or fail to deploy to a customer’s managed server, the MiServer Managed team will notify the customer in advance and re-schedule patches for the same patch time selected for that server the following week. If any issues arise following patching, customers should work with the MiServer Managed team to investigate prior to removing patches.

Emergency Patches

In the event Microsoft releases emergency out-of-band patches to address critical OS exploits, the MiServer Managed team will notify the customer in advance and schedule emergency maintenance to deploy the out-of-band patches to all customer managed servers.

Optional Reboot Schedule

Customers may have a business requirement to reboot a server to support or address various application issues. The MiServer Managed service will offer an optional scheduled reboot component where customers can schedule reboots from a predefined list of available time slots. Over time, additional time slots may be added to expand this component of the service. When selecting a time slot for a scheduled reboot, please take the following into consideration:

Scheduled time slots are when the reboot process will start for a reboot collection. The reboot process may not reboot your server at the exact scheduled time defined on the collection but should process it within 10 minutes.

Optional Reboot Time Slots

Monday      Tuesday     Wednesday   Thursday    Friday      Saturday    Sunday
12:00 AM    12:00 AM    12:00 AM    12:00 AM    12:00 AM    12:00 AM    12:00 AM
12:30 AM    12:30 AM    12:30 AM    12:30 AM    12:30 AM    12:30 AM    12:30 AM
1:00 AM     1:00 AM     1:00 AM     1:00 AM     1:00 AM     1:00 AM     1:00 AM
1:30 AM     1:30 AM     1:30 AM     1:30 AM     1:30 AM     1:30 AM     1:30 AM
2:00 AM     2:00 AM     2:00 AM     2:00 AM     2:00 AM     2:00 AM     2:00 AM
2:30 AM     2:30 AM     2:30 AM     2:30 AM     2:30 AM     2:30 AM     2:30 AM
3:00 AM     3:00 AM     3:00 AM     3:00 AM     3:00 AM     3:00 AM     3:00 AM
3:30 AM     3:30 AM     3:30 AM     3:30 AM     3:30 AM     3:30 AM     3:30 AM
4:00 AM     4:00 AM     4:00 AM     4:00 AM     4:00 AM     4:00 AM     4:00 AM
4:30 AM     4:30 AM     4:30 AM     4:30 AM     4:30 AM     4:30 AM     4:30 AM
5:00 AM     5:00 AM     5:00 AM     5:00 AM     5:00 AM     5:00 AM     5:00 AM
5:30 AM     5:30 AM     5:30 AM     5:30 AM     5:30 AM     5:30 AM     5:30 AM
6:00 AM     6:00 AM     6:00 AM     6:00 AM     6:00 AM     6:00 AM     6:00 AM
6:30 AM     6:30 AM     6:30 AM     6:30 AM     6:30 AM     6:30 AM     6:30 AM

Backup & Restore

Customers will have the ability to select a desired incremental backup time for his or her server. In the event the customer needs to change the schedule for his or her server, this can be done through the portal, and the scheduling change should take approximately one business day to occur.

Backup Time Slots

Everyday

  • 6:00 PM
  • 8:00 PM
  • 10:00 PM
  • 12:00 AM
  • 2:00 AM

Scheduled backups will include system state and all files on all drives on the server, except for files that match the exclusions shown below. Customers have the ability to restore individual files on demand using the backup client installed on the server. In the event a customer requires or would like additional assistance, he or she may work with the MiServer Managed team by submitting a service request for additional help. If a complete system state restore is required, customers should work with the MiServer Managed team by requesting a system state restore.

SQL Excludes
Exclude "?:\...\*.mdf"
Exclude "?:\...\*.ndf"
Exclude "?:\...\*.ldf"
Exclude "?:\...\*.trc"
Exclude "?:\...\*.log"

BigFix Excludes
Exclude.dir "?:\...\BigFix Enterprise\BES Client\__BESData\actionsite\__Local\*"

Tripwire Excludes
Exclude.dir "?:\Program Files\Tripwire\TE\Agent\tmp\*"

SCOM Excludes
Exclude "?:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.log"
Exclude "?:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edbtmp.log"
Exclude "?:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\HealthServiceStore.edb"
Exclude "?:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\tmp.edb"

Microsoft Forefront Excludes
Exclude.dir "?:\ProgramData\Microsoft\Microsoft Antimalware\*"
Exclude.dir "?:\ProgramData\Microsoft\Microsoft Security Client\*"
Exclude.dir "?:\Program Files (x86)\Microsoft Security Client\Antimalware\*"
Exclude "?:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Incidents\*.edb"
Exclude "?:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Incidents\inc.log"
Exclude "?:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Incidents\incident.fssdb"
Exclude "?:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Incidents\inctmp.log"

OS Excludes
Exclude.dir "?:\$Recycle.Bin\*"
Exclude "?:\...\cache\...\*"
Exclude "?:\...\temp*\...\*"
Exclude "?:\...\pagefile.sys"
Exclude "?:\System Volume Information\Syscache.hve"
Exclude "?:\System Volume Information\Syscache.hve.LOG*"
Exclude "?:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT.LOG*"
Exclude "?:\Windows\System32\config\RegBack\COMPONENTS"
Exclude "?:\Windows\System32\config\RegBack\DEFAULT"
Exclude "?:\Windows\System32\config\RegBack\SAM"
Exclude "?:\Windows\System32\config\RegBack\SECURITY"
Exclude "?:\Windows\System32\config\RegBack\SOFTWARE"
Exclude "?:\Windows\System32\config\RegBack\SYSTEM"
Exclude "?:\Boot\BCD"
Exclude "?:\Boot\BCD.LOG"
Exclude "?:\Windows\System32\config\COMPONENTS.LOG*"
Exclude "?:\Windows\System32\config\DEFAULT.LOG*"
Exclude "?:\Windows\System32\config\SAM.LOG*"
Exclude "?:\Windows\System32\config\SECURITY.LOG*"
Exclude "?:\Windows\System32\config\SOFTWARE.LOG*"
Exclude "?:\Windows\System32\config\SYSTEM.LOG*"
Exclude "?:\Program Files\Tivoli\TSM\baclient\dsmsched.log"
Exclude "?:\ProgramData\McAfee\Common Framework\Db\*.xml"
Exclude "?:\...\temp.edb"
Exclude "?:\...\tmp.edb"
Exclude "?:\...\edb.log"
Exclude "?:\...\tmp.log"

User Profiles Excludes
Exclude "?:\Users\...\ntuser.dat"
Exclude "?:\Users\...\ntuser.dat.log"
Exclude "?:\Users\...\usrclass.dat"
Exclude "?:\Users\...\usrclass.dat.log"
Exclude "?:\Documents and Settings\...\ntuser.dat"
Exclude "?:\Documents and Settings\...\ntuser.dat.log"
Exclude "?:\Documents and Settings\...\usrclass.dat"
Exclude "?:\Documents and Settings\...\usrclass.dat.log"
Exclude.dir "?:\Documents and Settings\...\Local Settings\Temporary Internet Files\...\*"
Exclude.dir "?:\Documents and Settings\...\Mozilla\...\Cache\...\*"
Exclude.dir "?:\Documents and Settings\...\AppData\Local\Google\Chrome\*"
Exclude.dir "?:\Users\...\Local Settings\Temporary Internet Files\...\*"
Exclude.dir "?:\Users\...\Mozilla\...\Cache\...\*"
Exclude.dir "?:\Users\...\AppData\Local\Google\Chrome\*"
Exclude.dir "?:\Users\...\Downloads\*"
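
To see which files on a server fall outside the backup, the file-level Exclude statements can be evaluated against a path list. The following is an added example, not part of the service's own tooling: the function names and sample paths are constructed, and the wildcard rules (`?` is one character, `*` stays within one path component, `\...\` spans zero or more directories, matching ignores case) are assumed from the Tivoli Storage Manager client that the `dsmsched.log` entry points to. Exclude.dir statements are not modelled.

```python
import re

# Patterns copied from the exclude list above (file-level Exclude statements only).
PAGE_EXCLUDES = [
    r"?:\...\*.mdf",
    r"?:\...\*.log",
    r"?:\...\temp*\...\*",
    r"?:\...\pagefile.sys",
    r"?:\Users\...\ntuser.dat",
    r"?:\Windows\System32\config\SAM.LOG*",
]

# Constructed sample paths, for illustration only.
SAMPLE_PATHS = [
    r"D:\SQLData\prod\orders.mdf",
    r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex161114.log",
    r"C:\WINDOWS\TEMP\setup\install.tmp",
    r"C:\Users\alice\ntuser.dat",
    r"C:\Users\alice\Documents\report.docx",
]

def tsm_pattern_to_regex(pattern):
    """Translate one Exclude pattern into a regex (assumed TSM wildcard rules)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\...\\", i):
            parts.append(r"\\(?:[^\\]+\\)*")  # "\...\": zero or more directory levels
            i += 5
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")           # any run of characters within one name
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")            # exactly one character, never a separator
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def excluded_by(path, patterns=PAGE_EXCLUDES):
    """Return the first pattern that keeps `path` out of the backup, else None."""
    for pattern in patterns:
        if tsm_pattern_to_regex(pattern).match(path):
            return pattern
    return None

def backup_gaps(paths, patterns=PAGE_EXCLUDES):
    """Map every path that would NOT be backed up to the pattern responsible."""
    hits = ((p, excluded_by(p, patterns)) for p in paths)
    return {p: hit for p, hit in hits if hit is not None}
```

Under these assumptions the `*.log` and `*.mdf` rules apply on every drive and at every depth, so application logs and SQL data files need their own retention or backup arrangement.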

Patching, Optional Reboots, and Backup Scheduling Conflicts

In the event there is a conflict between the patching, reboot, and backup schedules for a server, the customer will be notified that he or she may need to select a new schedule for specific features of the service to avoid scheduling conflicts between patching, reboots and backups. In the event the customer is unresponsive, the feature of lesser priority, based upon scheduling priority (backups, patching, reboots), will be scheduled at the next available time following the customer-requested time. The portal will help avoid scheduling conflicts if it is used as the primary means of making scheduling changes between the features.

MiServer Managed Priority of Scheduling Amongst Service Components

  1. Patching & optional reboots cannot be scheduled at the exact time or within 2 hours of the selected backup schedule.
  2. Optional scheduled reboots cannot be scheduled at the exact time or within 2 hours of the selected patching schedule.
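
The patch window described under Patch Management and the two priority rules above can be checked together before a schedule is submitted. This is an added example, not code from the MiServer portal: the function names are hypothetical, "within 2 hours" is assumed to include a gap of exactly 2 hours, and the optional reboot is assumed to recur weekly on its selected weekday.

```python
from datetime import date, datetime, time, timedelta

DAY_MIN = 24 * 60
WEEK_MIN = 7 * DAY_MIN
WINDOW_MIN = 120  # "within 2 hours", treated as inclusive (assumption)

def patch_tuesday(year, month):
    """Second Tuesday of the month (date.weekday(): Monday=0, Tuesday=1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)

def patch_slots(year, month):
    """The 48 slots: Thursday 1 AM after Patch Tuesday, every 2 hours to Sunday 11 PM."""
    thursday = patch_tuesday(year, month) + timedelta(days=2)
    start = datetime.combine(thursday, time(1, 0))
    return [start + timedelta(hours=2 * i) for i in range(48)]

def _gap(a, b, period):
    """Circular distance in minutes between two points on a repeating schedule."""
    d = abs(a - b) % period
    return min(d, period - d)

def _day_min(t):
    return t.hour * 60 + t.minute

def _week_min(weekday, t):
    return weekday * DAY_MIN + _day_min(t)

def schedule_conflicts(backup, patch, reboot=None):
    """backup: daily time; patch: datetime slot; reboot: (weekday, time) or None."""
    found = []
    # Rule 1: backups run every day, so compare on time of day, wrapping at midnight.
    if _gap(_day_min(backup), _day_min(patch), DAY_MIN) <= WINDOW_MIN:
        found.append("patching within 2 hours of backup")
    if reboot is not None:
        r_weekday, r_time = reboot
        if _gap(_day_min(backup), _day_min(r_time), DAY_MIN) <= WINDOW_MIN:
            found.append("reboot within 2 hours of backup")
        # Rule 2: compare position in the week, wrapping from Sunday night to Monday.
        p_pos = _week_min(patch.weekday(), patch.time())
        if _gap(p_pos, _week_min(r_weekday, r_time), WEEK_MIN) <= WINDOW_MIN:
            found.append("reboot within 2 hours of patching")
    return found
```

A Sunday 11:00 PM patch slot paired with a Monday 12:30 AM reboot is reported as a conflict because the comparison wraps across the week boundary.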

Group Policy Management

Servers subscribed to the MiServer Managed service will have components of the OS managed via group policies. If customers would like group policies created that are applied specifically to servers they own, two options are available: one option is to work with the MiServer Managed team to link existing policies to your Servers OU for you; the second option is to create and link your own policies with your designated MOS OU administration account.

New Operating Systems

As new Operating Systems become available, the MiServer Managed service will review, evaluate and test the new Operating System. After the new OS has been completely reviewed and fully tested within the service to reflect best practices, the new OS will become available. All customers will be required to upgrade the OS on their server by the end of Microsoft Extended Support for that OS to remain fully managed. In the event a server is running an unsupported OS, that server will only have limited support available within the MiServer Managed service.

Last Updated: Monday, November 14, 2016