Using a MiWorkspace Windows device off-campus requires a VPN connection for the customer's first Active Directory logon. This article describes how to ensure that DirectAccess VPN policies have been applied to the device prior to sending the device to an off-campus customer.
Environment
Windows Platform as a Service
Procedure
The device should be pre-staged in Otto for whatever build will is needed for this customer. When pre-staging, also include the Cisco AnyConnect client if that software is not part of the build. Having the Cisco AnyConnect client installed provides a back-up method of connecting back to campus if DirectAccess fails. If the device is a desktop form-factor, be sure to add the EUC-DirectAccess-Desktops configuration to the device in Otto.
Build the device on campus. Following completion of OSD, ensure that the device restarts a couple of times while connected to a wired ethernet network. It should perform the restarts automatically. This will ensure that the device receives the DirectAccess GPO settings which will allow the customer to log on to U-M from off-campus.
Verify that the device has successfully applied the DirectAccess settings by logging into the device using an administrator account. After logging in, run WF.MSC to launch the Windows Defender Firewall with Advanced Security. In the Windows Firewall with Advanced Security app, click Connection Security Rules and verify that DirectAccess policies are listed.
Confirm that the device has updated it's local administrator (wkst_admin) password in LAPS. Confirming that wkst_admin password has been set since rebuild is important because it's a way for IT staff to help the user fix connectivity problems if DirectAccess fails to work for the customer's first logon.
Following completion of the above steps, the device can be given or shipped to the customer. The customer will need to be instructed to connect their device to a network (wired or wifi) before first logon. The customer can select a wifi network on the logon screen (bottom right corner).