Windows Platform-as-a-Service Capabilities
Windows Platform-as-a-Service (PaaS) provides the following technical capabilities.
Operating System Deployment (OSD)
Operating system deployment is supported using System Center Configuration Manager (SCCM). The SCCM infrastructure provides the ability install Windows 10 and configured applications via and OSD task sequence (TS) to devices connected to on-campus wired Ethernet networks. Specific combinations of applications can be configured for installation during OSD by creating and saving a build in the Otto web application. Saved builds may be assigned to specific computers in Otto.
Application Deployment
Available Applications
All systems built with using Windows PaaS OSD come with a standard set of software pre-installed. This set of applications is know as MiWorkspace Core software. A list of the MiWorkspace Core Software is available here - Windows Standard Software.
In addition to the MiWorkspace Core software, there are other categories of applications that may be deployed Windows PaaS systems. The available software catalogs are described in the table below:
Catalog Name | Catalog Description |
---|---|
MiWorkspace Core | Applications installed on all MiWorkspace and Windows PaaS computers. |
MiWorkspace Catalog | Applications that can be installed on any MiWorkspace or PaaS computer. |
BYOL Catalog | BYOL stands for Bring Your Own License. After installing a BYOL title, a customer must enter their own license or account information. BYOL titles may be installed on any MiWorkspace or PaaS computer. |
ITAM Catalog | Applications that can be installed on MiWorkspace or PaaS computers that are in a unit that participates in the UmichITAM program. |
Unit Catalog | Software that can be installed on any computer in the unit with unit approval. |
Additional applications may also be deployed to Windows PaaS systems using SCCM.
There are two types of deployments - required deployments and self-service.
Required Deployments
Required deployments will run automatically on targeted client systems when the client system meets all installation requirements. Status of deployments may be viewed by users in the Software Center application on the client system. Applications that have been installed by SCCM are listed in the installation status area of the Software Center application.
Self-Service Deployments
Self-service deployments will can be initiated by the user of a client system when the user and the client system meet all installation requirements. Available deployments are managed in the Software Center application on the client system. Applications that have been installed by SCCM are listed in the installation status area of the Software Center application.
Update Deployment
Updates for the Windows operating system and for Microsoft applications such as Microsoft Office and Skype are installed on client systems using required deployments. Deployed updates will install automatically when the deployment deadline is reached. Pending update installations may be viewed in the Software Center application. Installed updates are not displayed in Software Center, but they may be viewed in the Programs and Features control panel. To read about the release schedule of updates, view the Windows Change Schedule topic.
Anti-Virus
CrowdStrike Falcon is an antimalware product that's deployed to all Windows Platform as a Service devices. Malware detections from Falcon are monitored by MiWorkspace and Information Assurance team members.
Security Configurations
Windows PaaS systems share many of the same security settings that are implemented on MiWorkspace Windows systems. The baseline security configuration for Windows PaaS systems is designed to enable users to securely access institutional and personal data while still preserving an easy to use computing experience. The settings were developed in consultation with the University of Michigan Information Assurance (IA) team. The specific settings that comprise the baseline security configuration have been tested by the MiWorkspace Quality Assurance (QA) Team to ensure compatibility with major university systems and applications.
The baseline security settings are implemented by Active Directory Group Policies. Settings are implemented in the following Group Policy Objects (GPO):
Windows 10
- EUC PaaS Workstation Admins
- EUC PaaS Windows 10 - Core Security Settings Base
- EUC Windows 10 - Firewall Settings - Prod
- EUC Windows Legacy LAPS Configurations
- EUC Windows MBAM 2.5 SP1 Client Settings
Windows 11
- EUC PaaS Workstation Admins
- EUC Windows 11 - Baseline Computer Security
- EUC Windows 10 - Firewall Settings - Prod
- EUC Windows Legacy LAPS Configurations
- EUC Windows MBAM 2.5 SP1 Client Settings
Virtual Private Network (VPN)
The Windows PaaS product provides secure network capabilities via the Cisco Management Tunnel.
The Cisco Management Tunnel is an always-on VPN that provides connectivity to organization network resources without the need for traditional Virtual Private Network (VPN) connections. More information about the Cisco Management Tunnel implementation in Windows PaaS is available in the MiWorkspace Cisco Management Tunnel Overview document.
The Cisco VPN Client is also available on Windows PaaS computers. The client provides connection to the ITS VPN Service. More information about the Cisco VPN Client implementation in Windows PaaS is available in the MiWorkspace Cisco Overview document.
BitLocker Drive Encryption
The hard drives of all laptop computers using the Windows PaaS solution are automatically encrypted using BitLocker. Hard drives on desktop computers may be opted-in to BitLocker drive encryption. BitLocker drive encryption is deployed and managed using the Microsoft BitLocker Administration and Monitoring (MBAM) product. The MBAM product provides automated deployment of encryption policies and provides simplified management of recovery keys. More information about the BitLocker implementation is Windows PaaS is available in the MiWorkspace BitLocker Overview document.