When we were first looking at implementing bare metal provisioning as part of what became the Tanium Provision module, we were already into the Covid-19 pandemic work-from-home mindset. So, we expanded our definition of “normal” imaging scenarios to include those that weren’t typically done, e.g. imaging from home over the internet (since it will usually be faster to re-image than it would be to ship the device back to IT). And I’m sure there are plenty of people out there who don’t have wired Ethernet connections at home, so that also means bare metal imaging over Wi-fi.
Given those requirements, we started building out a set of scenarios. Let’s walk through those. (The videos haven’t been edited, so you might want to fast forward through the more boring parts. Unless of course you like watching progress bars. They are quite relaxing.)
IT pros are used to kicking off the bare metal imaging process by pressing the required keystrokes (whether F10, F12, volume up, or whatever the particular model of PC requires) on an Ethernet-connected PC, so we started there.
It’s a fairly traditional implementation of a PXE server, although we do support running it on Windows 10/11, Windows Server, MacOS, and Linux, so that’s a little more unique.
We can join the device to Active Directory as part of the process, leveraging an offline domain join (ODJ) service for improved security (no join accounts and passwords floating around), so at the end of the process the computer is already joined.
Since this is (by definition) an Ethernet-connected device, it is transferring at full gigabit Ethernet speeds, so the whole process is pretty fast. We download all content at the start of the process, storing on the local disk, before then using that content locally for the rest of the process.
In addition to initiating the boot process using PXE, devices with the latest UEFI firmware can also use a process called HTTP boot, which I talked about in great detail in a previous blog post. The quick summary: the whole process is very similar to PXE boot, leveraging DHCP/proxyDHCP packets to discover where to boot from, but instead of receiving a TFTP location for the boot files, the device receives an HTTP URL. It can then download the boot files using HTTP, a considerably more efficient transfer protocol than TFTP (not that you’ll notice much with Tanium Provision, since what gets transferred is fairly small).
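The DHCP difference described above is visible in any capture of the offer the device receives: a PXE offer points at a boot file served by TFTP from the server address, while an HTTP boot offer carries a URL in the boot file name (with the vendor class set to HTTPClient). The example below is added here and is not Tanium Provision code; it builds two constructed offers and classifies them, which is a handy way to confirm which server and protocol a device was actually handed.

```python
import struct

# Constructed sample packets for this example: a BOOTP header (op, htype, hlen,
# hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
# = 236 bytes), then the DHCP magic cookie and TLV options. Not captured traffic.
MAGIC = b"\x63\x82\x53\x63"

def build_offer(siaddr, bootfile, vendor_class):
    """Build a minimal DHCPOFFER-style packet (BOOTP header + options)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\0" * 4, siaddr, b"\0" * 4, b"\0" * 16,
                      b"", bootfile)
    opts = b"\x35\x01\x02"                                  # 53: msg type OFFER
    opts += bytes([60, len(vendor_class)]) + vendor_class   # 60: vendor class
    opts += bytes([67, len(bootfile)]) + bootfile           # 67: boot file name
    return hdr + MAGIC + opts + b"\xff"

def parse_options(pkt):
    """Return {option code: raw value} for the options after the magic cookie."""
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                 # pad byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def classify_boot(pkt):
    """Tell whether an offer directs the client to TFTP (PXE) or to an HTTP URL."""
    opts = parse_options(pkt)
    # Option 67 overrides the fixed-size BOOTP 'file' field at offset 108.
    bootfile = opts.get(67, pkt[108:236].split(b"\0", 1)[0]).decode()
    vendor = opts.get(60, b"").decode(errors="replace")
    siaddr = ".".join(str(b) for b in pkt[20:24])   # next-server address
    if vendor.startswith("HTTPClient") and bootfile.lower().startswith(("http://", "https://")):
        return "HTTP boot", bootfile
    return "PXE/TFTP", f"tftp://{siaddr}/{bootfile}"

# Constructed samples: same boot server, one classic PXE offer, one HTTP boot offer.
SERVER = bytes([10, 0, 0, 5])
PXE_OFFER = build_offer(SERVER, b"bootx64.efi", b"PXEClient")
HTTP_OFFER = build_offer(SERVER, b"http://10.0.0.5/boot/bootx64.efi", b"HTTPClient")
```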
The process to initiate an HTTP boot is typically the same as PXE: press the required key(s), then choose HTTP boot from the list of boot options. Here’s what it looks like on the same device I used for the previous video, a Dell Optiplex 7090:
There’s really no reason why a bare metal provisioning solution wouldn’t support HTTP boot as an option, since it’s so simple to implement (building on top of PXE). But that doesn’t mean I’ve found any other solutions that do so.
Again the process is going to be pretty fast, because we’re transferring everything over gigabit Ethernet, and we’re doing an offline domain join as part of the process (and of course installing the Tanium client, so the device is fully managed at the end of the process).
Today, it’s pretty hard to boot a device over Wi-fi, so for this scenario we need to use a small USB key (1GB is sufficient). Again we start off the process by pressing the required keys and choosing a temporary boot device, in this case the USB key that has been prepared with the needed Tanium Provision boot files.
Since Wi-fi requires some configuration, e.g. choosing an SSID and providing a password, you need to provide those details as part of the process, after we’ve booted up. Since we’re transferring everything over Wi-fi, it’s not quite as fast as gigabit Ethernet, but it’s still pretty fast (helped by the fact that my 802.11ac access point is just a few feet away).
Yes, this is still the same Dell Optiplex 7090 desktop, but in this case I’ve added a Netgear A6210 802.11ac AC1200 USB Wi-fi adapter to the device. And again, we’ve done the offline domain join, installed the Tanium client, etc., to get the device ready to go.
Internet + Wi-Fi
Back to that original home scenario: What if you don’t have a simple way to connect your device to an Ethernet connection, and you aren’t on the corporate network? We can still do that, kicking the process off using a USB key again (nothing available to do a network boot) and connecting to a Wi-fi access point. But in this case, I connect it to a different access point, the one hosted by my Internet router (Xfinity).
This process takes a lot longer, primarily because of my network setup: My simulated “internet” basically routes all traffic from my local network up to the cloud and then back again (and if you are familiar with Xfinity, you know that the uplink speeds are not that good, limited to 40MB up even though I get 1200MB down). But it works, including getting the device joined to Active Directory using ODJ and managed using the Tanium client. And it’s a lot faster than shipping the device back to IT, where the turnaround time is measured in days.
I think we’ve got pretty much all the scenarios covered (well, except for one — can you think of what that one might be?). If you are a Tanium customer, contact your TAM or other Tanium representative to try this out. If you aren’t a Tanium customer, well, we can fix that too (starting with https://try.tanium.com for a free trial).