Internet based PC provisioning and rebuild – aka ‘remote build’
Remote work is no longer a luxury — it’s essential, and isn’t about to change anytime soon.
Remote is the new black
Due to the COVID-19 pandemic, a huge chunk of the global workforce went remote in the blink of an eye.We have customers that added 240k new VPN users in three short days.Now this new 'hybrid' way of working combines home and office.
A new world order
Within this new world order, enterprises face new issues. Corporate VPNs are stressed, and network management and security has become even more complex for IT teams stretched thin and operating under tremendous strain.
To make matters worse, there are some key IT tasks that were designed to be ‘on-prem only’, mainly due to a historic and “we’ve always done it this way” mentality.
A prime example of this is PC rebuild and onboarding of PC’s over the Internet.
The new normal
The COVID pandemic certainly changed the way we work, and few now believe that work will ever go completely back to the old “normal.”
Between the establishment of new remote work habits and the fear that another unforeseen crisis could send their entire workforce home again, companies are formulating strategies to protect their networks, operations and employees.
Between the establishment of new remote work habits and the fear that another unforeseen crisis could send their entire workforce home again, companies are formulating strategies to protect their networks, operations and employees.
This Solution deals with a critical function of the ‘Work From Home “(WFH) ideal - Rebuilding User Computers
How do we deal with PC builds(and rebuilds) when people cannot go into the office?
How do we deal with PC builds(and rebuilds) when people cannot go into the office?
The three big rebuild obstacles
Traditional PC rebuild scenarios like staff onboarding or break fix scenarios require networks and infrastructure to be available.
They were never built to enable an entire workforce to work remotely all the time, or even for weeks and months at a time.
The problem
Where this becomes a problem, is that companies still need to maintain that provisioning and ‘break fix’ alongside key aspects of
the PC management for all the computers and devices connected to the network.
We know that it gets a whole lot more complicated when everyone is out of the office.
The following are the three major issues:
How do we remotely start and build a device?
How do we securely re - establish connectivity with our home base ?
How can we use existing infrastructure investments as much as possible ?
Using traditional USB based installation media offers some key disadvantages that makes it impossible to use in an enterprise setting:
Security – there is no way to guarantee the media has not been tampered with.
Keeping media up to date is a major issue, and if we don’t have up to date media, how can we securely re-initiate the machine?
Media has to be somewhat tailored to the device that uses it, which brings on compatibility issues. Think drivers etc..
So let’s say we do solve this, what then?
Allowing Home/Remote Users to Build From The Cloud/Internet
Let’s say we actually get the technology in place to do this. We quickly run into several other issues.
Other questions that come up once these initial hurdles are overcome are questions that are less commonly discussed.
The IT industry never really considered these capabilities:
How do we build over WiFi only?
How we do build over the internet securely?
How do we make it simple enough for users to do this themselves?
How do we allow IT to monitor and “shadow” installations being done from home ?
Introducing
Imaging from the Cloud
Remote Builds
A New Way To Deploy With PXE Over The WAN
2Pint’s iPXE Anywhere is a Next Generation network booting solution that enables secure, fast, and reliable Operating System deployment. It operates in the most challenging environments, and the most simple.
We have built in complete flexibility so that practically any scenario can be easily covered with minimal management overhead. Extremely simple to setup and manage, we believe that iPXE Anywhere is unsurpassed as a solution to the challenges of Modern Windows Management.
For remote branches, typically not having any remote servers often means we don’t have any local PXE capabilities, crippling the ability to rebuild machines remotely in a secure and efficient way.
iPXE Anywhere challenges this by allowing remote over the WAN PXE booting which will simplify and speed up the enterprise-wide OS deployments of any PC.
Boot securely using either USB (iPXE binary only on the USB media) or PXE boot directly in your remote locations. You can even boot directly from the Cloud, over the Internet, using secure HTTPS Network Booting.
2Pint’s iPXE Anywhere is a Next Generation network booting solution that enables secure, fast, and reliable Operating System deployment. It operates in the most challenging environments, and the most simple.
We have built in complete flexibility so that practically any scenario can be easily covered with minimal management overhead. Extremely simple to setup and manage, we believe that iPXE Anywhere is unsurpassed as a solution to the challenges of Modern Windows Management.
For remote branches, typically not having any remote servers often means we don’t have any local PXE capabilities, crippling the ability to rebuild machines remotely in a secure and efficient way.
iPXE Anywhere challenges this by allowing remote over the WAN PXE booting which will simplify and speed up the enterprise-wide OS deployments of any PC.
Boot securely using either USB (iPXE binary only on the USB media) or PXE boot directly in your remote locations. You can even boot directly from the Cloud, over the Internet, using secure HTTPS Network Booting.
The Clean Source Principle
The clean source principle requires all security dependencies to be as trustworthy as the object being secured.
This is key when deploying over the Internet, as we are no longer playing in our own back yard.
An attacker that compromises the source media gets access to everything the device later controls (including user credentials), and everything the user controls (including high privilege user access).
Applying the clean source principle to installation media requires you to ensure that the installation media has not been tampered with since being released by the manufacturer (as best you are able to determine).
Applying the clean source principle to installation media requires validating the software integrity throughout the cycle you possess it including during acquisition, storage, and transfer up until it is used.
For 2Pint Software’s ability to build over the Internet, this means that we build over the wire using HTTPS and that we also securely check and verify the downloaded media, and that all access paths do not include passwords in text files etc.
This is key when deploying over the Internet, as we are no longer playing in our own back yard.
An attacker that compromises the source media gets access to everything the device later controls (including user credentials), and everything the user controls (including high privilege user access).
Applying the clean source principle to installation media requires you to ensure that the installation media has not been tampered with since being released by the manufacturer (as best you are able to determine).
Applying the clean source principle to installation media requires validating the software integrity throughout the cycle you possess it including during acquisition, storage, and transfer up until it is used.
For 2Pint Software’s ability to build over the Internet, this means that we build over the wire using HTTPS and that we also securely check and verify the downloaded media, and that all access paths do not include passwords in text files etc.
Secure Software and Media Acquisition
The source of the software is validated through one or several of the following means:
- Media that can be tampered with is never stored on media like USB sticks.
This includes boot.wim files, which are always fetched from a verifiable (server) source. - Boot.wim files are always downloaded over HTTPS with hash verification before trusts.
- All deployments are verified using user credentials and trackable.
- Trust is escalated only after successful user verification.
- Multifactor authentication can be configured for extra security.
- All software that is obtained from the Internet is validated with vendor - provided file hashes.
2Pint Remote Build Scenarios
Build over Internet infrastructure
You can build from the cloud with minimal infrastructure and setup using 2Pint tech.
iPXE 100% remote build
Yes, your OS deployments can be 100% remote and user driven!
Build at home with ethernet
Rebuild a broken PC from home? No problem - ask us how it's done, book a demo!
Phone tether expanded
You can even rebuild over 4/5G connection using mobile phone tethering! Talk to one of our experts today.
How Do We Do It?
We boot the machine using an iPXE binary that contains no customer information at all, this then queries the infrastructure
for configuration, providing credentials to be verified.
iPXE – where it all starts
The iPXE binary comes from one of the following sources:
By using iPXE as a starting point, we have a non customizable source point that we can verify the integrity on.
1. From the target machine (if still bootable and previously configured)
2. A USB drive with only a 300KB stage binary on it
3. PXE booted directly
By using iPXE as a starting point, we have a non customizable source point that we can verify the integrity on.
From iPXE to network
Once in iPXE, we then query the device for industry standard protocols such as the SNP/NII drivers if using an Ethernet network card, or more likely the users Smartphone (which gives us access to WiFi or LTE type data sources).
From this network connection, we then authenticate and take the actions determined by the customer, yeah that’s you reading this.
Once all required checks are complete, we then download WinPE and move to a higher level.
From WinPE – The World Is Your Oyster
As WinPE is always downloaded from a tamper-free source, we can guarantee no unwanted config is introduced in the process, typically the process in WinPE is entirely hands off as well.
From Full OS – Domain Join And VPN Setup
So once we leave WinPE we do the actual domain join (offline) via Azure PowerShell automation services or via custom based web services if required.
Once that is completed, the machine is typically configured to set up VPN access with the appropriate configuration using certificates.
Monitoring In Real Time – Proactive Operations
We do offer the ability to monitor the solution in real time from StifleR, to determine the ongoing deployments success and performance.
2Pint Software Technology Used
- iPXE Anywhere 2PXE Server – for initial boot configurations
- iPXE Anywhere Web Service – for custom scenarios
- OSD Toolkit – for the WinPE carrier
- StifleR Enterprise – for operations and monitoring
Works with the following Microsoft technology
- ConfigMgr (MEMCM)
- Microsoft Intune
- PSD – PowerShell Deployment
Book A Tour
Like to know more about Remote Builds?
We can help you to get things going in your own environment,
just drop us a line using this handy form and we will get back to you!
2Pint Chat
Doris The Bot..OI!
OK I was having a nap, this had better be good. Whaddya want? Fill out the damn form and NO SPELLING MISTAKES! (have a nice day)🍻