This article describes the technology components that comprise Windows Platform as a Service.
Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager (MEMCM), formerly known as System Center Configuration Manager (SCCM), is the infrastructure used by ITS to manage Windows client devices. The MEMCM infrastructure is used to deploy operating systems, operating system upgrades, software updates, and applications. In addition, MEMCM supports rich functionality for hardware inventory and for hardware and software reporting. The Otto web application provides an interface to MEMCM that Windows Platform as a Service customers use to deploy applications and to configure operating system deployments.
Active Directory Group Policy
Active Directory Group Policy is used to deploy configuration settings to Windows Platform as a Service devices. Group Policy Objects (GPOs) linked to the PaaS/Computers/Win10 organizational unit (OU) are managed by ITS and cannot be modified by customers. Customers may create and link GPOs to the customer unit's OU. In addition, some configurations provided via GPO by ITS can be enabled or disabled via Otto.
Microsoft BitLocker Administration and Monitoring
Laptop computers are configured to use BitLocker for system drive encryption. BitLocker drive encryption can also be enabled for desktop computers. The BitLocker recovery key is escrowed to a system called Microsoft BitLocker Administration and Monitoring (MBAM). In cases where the recovery key is needed, customer unit IT staff can retrieve the key via the MBAM web application.
Local Administrator Password Solution
Each Windows Platform as a Service device is configured with a unique local administrator password. These passwords are periodically changed and stored in Active Directory using Microsoft's Local Administrator Password Solution (LAPS). Windows Platform as a Service customers can use the LAPS tools to retrieve the local administrator password of a device when needed.
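As an added example (not part of this page or of the ITS tooling), the following PowerShell shows how customer unit IT staff could retrieve a device's LAPS-managed password and then immediately expire it so the device rotates it at its next Group Policy refresh. It assumes the legacy Microsoft LAPS module (AdmPwd.PS) is installed and that the caller has been delegated read and reset rights on the target OU; the computer name WS-EXAMPLE-01 is a placeholder.

```powershell
# Added example, not from the original page. Assumes the legacy Microsoft LAPS
# PowerShell module (AdmPwd.PS) and delegated read/reset rights on ms-Mcs-AdmPwd
# for the device's OU. 'WS-EXAMPLE-01' is a placeholder computer name.
Import-Module AdmPwd.PS

function Get-PaasLocalAdminPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [switch] $ExpireAfterRead
    )

    # Read the escrowed password and its expiration from the computer object in AD.
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry -or [string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password stored in AD for $ComputerName. Check that the device has applied the LAPS GPO and that you have read rights on ms-Mcs-AdmPwd."
    }

    # A stored password that is past its expiration means the device has not rotated
    # it, which usually indicates the device is not applying Group Policy.
    if ($entry.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "LAPS password for $ComputerName expired on $($entry.ExpirationTimestamp); the device may not be applying Group Policy."
    }

    if ($ExpireAfterRead) {
        # Mark the password as expired now so the device generates a new one at its
        # next Group Policy refresh; the password just read stays valid only until then.
        Reset-AdmPwdPassword -ComputerName $ComputerName | Out-Null
    }

    [pscustomobject]@{
        ComputerName = $entry.ComputerName
        Password     = $entry.Password
        ExpiresOn    = $entry.ExpirationTimestamp
    }
}

Get-PaasLocalAdminPassword -ComputerName 'WS-EXAMPLE-01' -ExpireAfterRead
```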
Microsoft DirectAccess
Microsoft DirectAccess (DA) is an "always on" Virtual Private Network (VPN) technology that is used on all Windows Platform as a Service laptop devices. Microsoft DirectAccess routes Active Directory and ITS mainstream storage traffic through a VPN tunnel. This allows customers to sign on from off-campus and access network storage locations without starting a VPN client. Microsoft DirectAccess is configured automatically for laptop computers and can be enabled for desktop computers.
CrowdStrike Falcon
CrowdStrike Falcon is the antimalware agent deployed to all Windows Platform as a Service devices. Malware detections on Windows Platform as a Service devices are monitored by MiWorkspace and Information Assurance staff.
Otto
Otto is a web-based configuration management application made available to Windows Platform as a Service customer IT staff. Customers can use Otto to configure operating system deployments, deploy applications, activate configuration settings, and view system inventory.