TotlProvision

A config-driven Windows provisioning and fleet-management product for MSPs. Hands-off setup of thousands of machines, secure by default, with a Cloudflare-hosted backend for fleet reporting and zero-knowledge secret escrow (admin passwords + BitLocker keys) behind M365 SSO.

The three surfaces

  • Engine (engine/) — the PowerShell provisioning engine that runs on each PC or from USB: ordered phases, reboot/resume, structured logging.
  • Backend (backend/) — a Cloudflare Worker + D1 for run reporting, secret escrow, and an append-only audit trail. Stores ciphertext only.
  • Portal (portal/) — a Cloudflare Pages app behind Access/Entra SSO where engineers see fleet status and reveal secrets, decrypted client-side.

Start here

These docs may be sensitive

The build plan and security pages describe internal architecture. Protect the docs site with Cloudflare Access if it should not be public — see Deploying these docs.