...
Operating system deployment is supported using System Center Configuration Manager (SCCM). The SCCM infrastructure provides the ability to install Windows 10 and configured applications via an OSD task sequence (TS) to devices connected to on-campus wired Ethernet networks. Specific combinations of applications can be configured for installation during OSD by creating and saving a build in the Config-O-Matic Otto web application. Saved builds may be assigned to specific computers in Config-O-Matic Otto.
Application Deployment
Available Applications
...
Updates for the Windows operating system and for Microsoft applications such as Microsoft Office and Skype are installed on client systems using required deployments. Deployed updates will install automatically when the deployment deadline is reached. Pending update installations may be viewed in the Software Center application. Installed updates are not displayed in Software Center, but they may be viewed in the Programs and Features control panel. To read about the release schedule of updates, view the Windows Change Schedule topic.
Anti-Virus
Windows Defender antivirus is deployed to all Windows PaaS client systems. Antivirus definitions are updated automatically multiple times per day. Configuration policies for Windows Defender are deployed centrally using SCCM. Customized configuration policies may be deployed on a per-unit basis. To read detailed information about the Windows Defender configuration, view the Windows Defender Configuration topic.
Security Configurations
Virtual Private Network (VPN)
...
CrowdStrike Falcon is an antimalware product that's deployed to all Windows Platform as a Service devices. Malware detections from Falcon are monitored by MiWorkspace and Information Assurance team members.
Security Configurations
Windows PaaS systems share many of the same security settings that are implemented on MiWorkspace Windows systems. The baseline security configuration for Windows PaaS systems is designed to enable users to securely access institutional and personal data while still preserving an easy-to-use computing experience. The settings were developed in consultation with the University of Michigan Information Assurance (IA) team. The specific settings that comprise the baseline security configuration have been tested by the MiWorkspace Quality Assurance (QA) Team to ensure compatibility with major university systems and applications.
The baseline security settings are implemented by Active Directory Group Policies. Settings are implemented in the following Group Policy Objects (GPO):
Windows 10
- EUC PaaS Workstation Admins
- EUC PaaS Windows 10 - Core Security Settings Base
- EUC Windows 10 - Firewall Settings - Prod
- EUC Windows Legacy LAPS Configurations
- EUC Windows MBAM 2.5 SP1 Client Settings
Windows 11
- EUC PaaS Workstation Admins
- EUC Windows 11 - Baseline Computer Security
- EUC Windows 10 - Firewall Settings - Prod
- EUC Windows Legacy LAPS Configurations
- EUC Windows MBAM 2.5 SP1 Client Settings
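A client-side check for the lists above, added here as an example and not MiWorkspace's own tooling: it reads the computer-scope RSoP report written by `gpresult` and confirms that each baseline GPO was actually applied, not just linked. The report file name and the XML element names the script reads are assumptions.

```powershell
# Added example. Run from an elevated prompt on a domain-joined Windows PaaS client.
param(
    [string]$ReportPath   # optional: an existing "gpresult /x" report to check offline
)

# Expected GPO names, copied from the Windows 10 and Windows 11 lists above.
$common = @(
    'EUC PaaS Workstation Admins'
    'EUC Windows 10 - Firewall Settings - Prod'
    'EUC Windows Legacy LAPS Configurations'
    'EUC Windows MBAM 2.5 SP1 Client Settings'
)
$baseline = @{
    'Windows 10' = $common + 'EUC PaaS Windows 10 - Core Security Settings Base'
    'Windows 11' = $common + 'EUC Windows 11 - Baseline Computer Security'
}

# Windows 11 still reports major version 10; builds 22000 and later are Windows 11.
$os = if ([Environment]::OSVersion.Version.Build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

if (-not $ReportPath) {
    $ReportPath = Join-Path $env:TEMP 'rsop-computer.xml'   # assumed scratch location
    gpresult.exe /scope computer /x $ReportPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
}
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load((Resolve-Path -LiteralPath $ReportPath).Path)

# local-name() sidesteps the report's XML namespaces. Assumed element names:
# ComputerResults/GPO with children Name, Enabled, FilterAllowed, AccessDenied.
$gpoPath = "//*[local-name()='ComputerResults']/*[local-name()='GPO']"
$applied = foreach ($gpo in $rsop.SelectNodes($gpoPath)) {
    $flag = @{}
    foreach ($n in 'Name', 'Enabled', 'FilterAllowed', 'AccessDenied') {
        $node = $gpo.SelectSingleNode("*[local-name()='$n']")
        $flag[$n] = if ($node) { $node.InnerText } else { $null }
    }
    # Count a GPO as applied only if it is enabled, passed filtering, and was readable.
    if ($flag['Enabled'] -eq 'true' -and $flag['FilterAllowed'] -eq 'true' -and $flag['AccessDenied'] -eq 'false') {
        $flag['Name']
    }
}

$missing = @($baseline[$os] | Where-Object { $_ -notin $applied })
if ($missing.Count) {
    Write-Warning "$os baseline GPOs not applied: $($missing -join '; ')"
    exit 1
}
Write-Output "All $($baseline[$os].Count) $os baseline GPOs are applied."
```

A non-zero exit code makes the script usable as a compliance check; a GPO that is linked but filtered out or denied is reported as missing.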
Virtual Private Network (VPN)
The Windows PaaS product provides secure network capabilities via the Cisco Management Tunnel.
The Cisco Management Tunnel is an always-on VPN that provides connectivity to organization network resources without the need for traditional Virtual Private Network (VPN) connections. More information about the Cisco Management Tunnel implementation in Windows PaaS is available in the MiWorkspace Cisco Management Tunnel Overview document.
The Cisco VPN Client is also available on Windows PaaS computers. The client provides connection to the ITS VPN Service. More information about the Cisco VPN Client implementation in Windows PaaS is available in the MiWorkspace Cisco Overview document.
BitLocker Drive Encryption
The hard drives of all laptop computers using the Windows PaaS solution are automatically encrypted using BitLocker. Hard drives on desktop computers may be opted in to BitLocker drive encryption. BitLocker drive encryption is deployed and managed using the Microsoft BitLocker Administration and Monitoring (MBAM) product. The MBAM product provides automated deployment of encryption policies and provides simplified management of recovery keys. More information about the BitLocker implementation in Windows PaaS is available in the MiWorkspace BitLocker Overview document.