Off-site PXE building

Hi,

We have, for many years, been deploying PC images and task sequences on our LAN. We're moving to a model where the supplier does as much of the build as possible off-site. In an ideal world I would get a VPN up between us and our supplier, place some SCCM roles down there, replicate some content and get them to build from a PXE box at their end, meaning that when the machines arrive on site they are fully built and ready to use. For compliance reasons a VPN is out of the question, so we have tested the water using pre-staged media, which is allowing us to perform about half of the task off-site and then continue with the TS back here, where Windows Updates are applied and the machine is domain joined.

Does anyone have any design suggestions to allow more to take place at the supplier end but without a VPN? Our compliance team are happy to expose some ports to enable some communication between us and the supplier, e.g. to allow replication of an image from one site to the other, but that is all. I'd be happy for the domain join to take place when the machine arrives on-site, but probably the biggest issue is applying updates. We produce a new image each month after patches are released, but if an old image is used then the number of applicable updates once built is high. I'd like at least to be able to run the Apply Updates step at the supplier end, or, if it were possible, run an internet-based Windows Update as part of the TS which runs in the factory, but this doesn't appear to be an option.

Any thoughts?

Thanks

September 1st, 2015 9:56am

Well, the first issue I see is the domain join part. If you can't allow any sort of VPN, you would need to remove the domain join part from the task sequence. By doing this you would need to make sure no other part of your task sequence requires access to some sort of domain resource.

Once you are sure that you have nothing in the task sequence that makes reference to something inside the domain, you could simply provide them with stand-alone media. Each time you build the new ISO you can just make new media and overnight ship it to them, or have it copied over using FTP or something else.

The fact that no VPN can be opened to allow communication with your domain makes it hard. I think the best solution, if you want the entire process to be done when the PC arrives, is to remove every part of the task sequence that requires the domain and make stand-alone media.
September 1st, 2015 10:05am

Hi,

This is basically what we do now; the steps in the TS which run after the machine is shut down in the factory include the domain join. It does work, but the gap between updates being released and us providing the supplier with a new image means that those machines spend an hour running the Apply Updates step when the box arrives on site. If there was any way of being able to apply the updates at their end this would be resolved...

Thanks

September 1st, 2015 10:08am

Well, if you make new media every month and you send it right away to the supplier, when the machines arrive they should be at most one month behind on patches. It should never take hours.

This part gets tricky because the supplier needs to have all the Windows updates you approved, so they would need access to your SUP to get those packages. You could try to make a script in the task sequence that tries to install the missing Windows updates from the internet (if the supplier allows it), but it still would not be the same as the pre-approved updates you decided on.

I still think the easy thing for you would be to make stand-alone media and, each time you make a new one (each month), upload it to them for use.
September 1st, 2015 10:21am
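The reply above suggests a task sequence script that pulls missing updates from the internet at the supplier's end. The following is an added example of what such a step could look like; it is not code from this thread or from any of the posters. It uses the Windows Update Agent COM API (Microsoft.Update.Session), which is built into Windows, and the Microsoft.SMS.TSEnvironment object that a ConfigMgr task sequence exposes to scripts. It assumes the supplier's network allows outbound HTTPS to Windows Update, that the step is run as "Run PowerShell Script" with an execution policy that permits it, and that C:\Windows\Temp\FactoryUpdates.log is an acceptable log location (all three are assumptions). As the reply notes, the update set is whatever Windows Update offers the machine, not the set approved on the SUP; the Windows Update Agent does verify the Microsoft signatures on what it downloads, so an untrusted factory network cannot substitute content, but it cannot enforce your approvals either.

```powershell
# Added example: install missing updates from Windows Update inside a
# factory-run task sequence step. Not the original poster's code.
# Assumptions: outbound HTTPS to Windows Update is allowed; the log path is arbitrary.
$ErrorActionPreference = 'Stop'
$log = 'C:\Windows\Temp\FactoryUpdates.log'   # assumed log location

function Write-Log([string]$msg) {
    # Tee to stdout as well, so the TS engine captures the line in smsts.log
    "$(Get-Date -Format s) $msg" | Tee-Object -FilePath $log -Append
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# ServerSelection 2 = ssWindowsUpdate: talk to Microsoft's servers directly,
# ignoring any WSUS/SUP policy (none is reachable from the factory anyway).
$searcher.ServerSelection = 2

Write-Log 'Searching Windows Update for missing software updates'
$criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"
$result   = $searcher.Search($criteria)
Write-Log ("Found {0} applicable updates" -f $result.Updates.Count)
if ($result.Updates.Count -eq 0) { exit 0 }

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    # A factory build is unattended: skip anything that may prompt.
    if ($u.InstallationBehavior.CanRequestUserInput) { continue }
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$toInstall.Add($u)
    Write-Log ("  queued: {0}" -f $u.Title)
}
if ($toInstall.Count -eq 0) { exit 0 }

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
Write-Log ("Download result code: {0}" -f $dl.ResultCode)
if ($dl.ResultCode -gt 3) { exit 1 }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
Write-Log ("Install result code: {0}; reboot required: {1}" -f $inst.ResultCode, $inst.RebootRequired)

# Hand any reboot back to the task sequence engine rather than restarting
# from the script, so the TS resumes at the next step after the restart.
# Outside a TS the COM object does not exist; fall back to exit code 3010.
if ($inst.RebootRequired) {
    try {
        $tsenv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
        $tsenv.Value('SMSTSRebootRequested') = 'HD'
    } catch {
        Write-Log 'Not running inside a task sequence; returning 3010'
        exit 3010
    }
}
if ($inst.ResultCode -eq 2 -or $inst.ResultCode -eq 3) { exit 0 } else { exit 1 }
```

One pass rarely gets everything, because some updates only become applicable after others are installed; run the step two or three times in the TS with a Restart Computer step between them, and keep a final Install Software Updates step on-site so that anything the SUP approved but Windows Update did not offer is still applied before the machine is handed over.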
