Summary

An introduction to the features of PXE Everywhere, what it does, how it can benefit your organization, and a high-level explanation of the PXE Everywhere architecture.

Introduction

PXE Everywhere allows computers to automatically boot up into Windows PE, which then allows a Windows Operating System to be installed. The following deployment scenarios are supported:

  • Installing a Windows OS image for the first time (the 'New Computer' scenario, sometimes known as 'bare-metal')
  • Installing a Windows OS image when the current OS is not bootable (often referred to as 'break-fix')
  • Installing a Windows OS image when the current OS can be wiped and there is no requirement to retain user data (for example, when preparing a previously used computer for a new user).


Typically this is achieved using either USB media or booting directly from the network using the Pre-Execution Environment (PXE) code built into the network adapter. Booting from the network requires one or more PXE servers to be implemented that serve the Windows PE boot image to the booting PXE client. Implementing PXE in Configuration Manager requires Distribution Points (DPs) with the PXE role enabled. To avoid PXE clients downloading the Windows PE boot image (anything upwards of 200MB) over the WAN, DPs need to be located wherever you need to use PXE. It is unlikely that you have Distribution Points in every location, especially if you are using 1E Nomad to eliminate remote Distribution Points. As PXE requests are broadcast on the local subnet, if there is no PXE server on the local subnet you need to configure IP helpers on routers to forward the PXE requests to the PXE server. The PXE client will then try to download the Windows PE boot image from the PXE server over the WAN, which can take hours on slow links and provides no bandwidth management.

PXE Everywhere addresses this issue by implementing a lightweight PXE server (the PXE Everywhere agent) on computers, enabling you to eliminate Configuration Manager PXE servers and instead make every computer (or as many as you want) on the network a potential PXE server. Each subnet therefore has one or more PXE servers available to serve the Windows PE boot image, so no router configuration is required unless DHCP Snooping is enabled, and the Windows PE boot image is not downloaded over the WAN. The boot image can be staged on the PXE Everywhere agent machines using Nomad, which ensures the boot image can be safely transferred to remote subnets ahead of deployments without slowing down other traffic on the network.

When a PXE client boots up, the PXE request is intercepted by each of the PXE Everywhere agents. These agents then elect one agent to check with Configuration Manager to see if there are any OS deployments targeted at the booting PXE client. If so, the PXE Everywhere agents will then hold a second election to determine which PXE Everywhere agent should respond to the booting PXE client. The elected agent sends the response and the booting PXE client downloads the boot image from the elected agent. PXE Everywhere supports booting BIOS and UEFI systems. It integrates with Configuration Manager and works with your existing OS Deployment Task Sequences.

Support for networks with DHCP Snooping enabled

DHCP Snooping is a network security measure implemented in network switches that stops DHCP packets from being forwarded to switch ports that are not authorized. The intention of this security measure is to prevent rogue DHCP servers from issuing IP addresses to devices on the network. A side effect of this measure being enabled is that PXE requests, which are a form of DHCP request, are also blocked. This prevents 1E PXE Everywhere from functioning as expected, as peers are no longer able to receive or respond to PXE requests as their switch ports are not authorized.

With PXE Everywhere 4.0, it is possible to set up one or more 'responders' that are connected to switch ports authorized to receive and respond to DHCP requests. The responder is simply a PXE server that provides the initial boot loader (as this is around 50K in size, it is safe to transfer over the WAN). As PXE clients will not be on the same subnet as the Responder, it is necessary to configure DHCP Relay agents on routers (known as IP helpers in Cisco terminology) to forward DHCP (including PXE) requests from each subnet to the Responder, in addition to any existing DHCP servers that you have configured. The Responder will discard any DHCP packets that are not PXE requests.

When the responder receives a PXE request, it responds with a boot loader that the booting PXE client downloads. The boot loader then broadcasts a new PXE request on a custom UDP port that is not blocked by the DHCP Snooping filter on the switch. The PXE Everywhere agents on the subnet are configured to listen on the custom port and can therefore continue to function as normal - electing an agent to check for active deployments and respond with an offer of the appropriate boot image - unobstructed by DHCP Snooping.

PXE Everywhere components

PXE Everywhere includes the following components:

  • PXE Everywhere Central Server. PXE Everywhere Central is a web service that the PXE Everywhere Agents contact to determine if the booting PXE client requires a boot image. It does this by checking the Configuration Manager database to determine if there are any OS Deployment Task Sequences deployed to the booting PXE client (identified by that client's MAC address and SMBIOS GUID). The web service component of the PXE Everywhere Central Service can be installed on any IIS server that has good connectivity to the Configuration Manager Database server (it can be installed on the Configuration Manager site server if IIS is installed). PXE Everywhere Central also includes boot image tools, which can be installed on any system that has the Configuration Manager Console installed. To install, please refer to Installing PXE Everywhere Central.
     
  • PXE Everywhere Agent. PXE Everywhere Agent is a client module of the 1E Client (introduced in 1E Client 5.1 for PXE Everywhere v4.0). It is installed on all (or as many as you want) computers. It establishes a lightweight PXE service which listens for PXE boot requests broadcast on the local subnet. By default, the Agent listens on port 67, but will listen instead on port 2067 if the Agent has been configured to run in an environment that has DHCP Snooping enabled. When a request is intercepted, the agents will initiate an election and the elected agent will check, via the PXE Everywhere Central server, if there are any OS Deployment Task Sequences deployed to the booting PXE client. If so, the Agents will initiate a second election to determine the best agent to serve the Windows PE boot image to the booting PXE peer. The elected agent then responds to the booting PXE client with an offer of the boot image, which the PXE client then downloads over TFTP and boots into to start the Task Sequence. To install, please refer to Installing PXE Everywhere Agents.

  • PXE Everywhere Responder. PXE Everywhere Responder has its own installer (introduced in v4.0). It is only required to support networks that have DHCP Snooping enabled. DHCP snooping prevents PXE Everywhere Agents from receiving or responding to PXE requests on the standard UDP ports (67 & 68). As the PXE code built into the network adapter always broadcasts PXE requests on UDP port 67, it is necessary to load a custom boot loader from an authorized source (the PXE Everywhere Responder) that can then broadcast another request on the custom UDP port that is not blocked by the network switch and on which the Agents are configured to listen. Once the PXE Everywhere Agents intercept these requests on the custom port, the functionality of the agents remains the same as if DHCP snooping were not enabled. The network routers (IP helpers) must be configured to forward DHCP packets to the Responder, and DHCP Snooping must be configured on network switches to authorize the Responder to receive and respond to DHCP requests. Booting PXE clients will always download the custom, lightweight boot loader (51KB) from the Responder but will download the much larger Windows PE boot image from a local peer. You can implement a single PXE Everywhere Responder for all clients, or you may prefer to implement regional or more localized Responders throughout your network. In either case, you will need to configure router IP helpers wherever DHCP Snooping is used, ensuring that the network configuration enables the designated Responder to receive and respond to PXE requests generated by PXE clients. To install, please refer to Installing PXE Everywhere Responder.

How it works

After PXE Everywhere installation and setup, during operation the PXE-booting of machines runs through the following sequence, as illustrated in the picture opposite:

  1. PXE Boot me (67) - When the PXE client boots, it performs the normal DHCP request to get an IP address and also sends a normal PXE request.
  2. Elect the initial Agent - The PXE Everywhere Agents on the local subnet intercept the PXE request and elect a candidate for servicing the request.
  3. What should I do? - The elected Agent contacts the PXE Everywhere Central Server to find out whether the PXE client should be served a boot image.
  4. Any OS for PXE Client? - The PXE Everywhere Central Server checks the Configuration Manager database to see if there are any OS deployment task sequences deployed to the PXE client matching its MAC address and / or SMBIOS GUID.
  5. Here's what to do - If a task sequence deployment is found, the PXE Everywhere Central Server replies to the elected Agent with the boot image ID referenced in the task sequence and an indication of whether the deployment is mandatory or not. If more than one deployment is found, the last one is used. If no deployments are found, the Central Server indicates so in the reply.
  6. Elect the final Agent - Upon receiving the reply, the elected Agent holds a second election in the subnet to choose an Agent that will boot the PXE client. If an Agent other than itself wins the second election, the information received from Central Server is passed on to it.
  7. Boot or abort - The winner of the second election responds to the PXE client, which then boots as follows:
    • If a mandatory deployment was found, the PXE client is booted using the WinPE boot image referenced in the deployed task sequence
    • If a non-mandatory deployment was found, the PXE client is presented with an option to boot using a WinPE boot image, requiring user interaction at the machine
    • If no deployments were found, the PXE boot is aborted, allowing the PXE client to boot to a local OS, if any.

When DHCP Snooping is enabled on the network, the above process changes slightly, as illustrated in the picture opposite:

  1. PXE Boot me (67) - When the PXE client boots, it performs the normal DHCP request to get an IP address and also sends a normal PXE request.
  2. Router forwards the request - The PXE request is forwarded to the PXE Everywhere Responder by an IP helper configured on the router.
  3. Offer the boot loader - The PXE Everywhere Responder offers the PXE client the appropriate (BIOS or UEFI) boot loader.
  4. Run the boot loader - The PXE client downloads the boot loader from the PXE Everywhere Responder and executes it.
  5. PXE boot me (2067) - The boot loader broadcasts a new PXE request on the custom port (2067). The PXE Everywhere Agents are also configured to listen on this custom port.
  6. Standard PXE Everywhere PXE boot process - From this point on the process follows from step 2 in the standard process detailed above.
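As an added illustration of the filtering described above (example code written for this page, not 1E's implementation), the following parses a DHCP packet the way a Responder or Agent must: it discards ordinary DHCP traffic, keeps only PXE requests, and extracts the MAC address and SMBIOS GUID used to match deployments plus the architecture code used to choose a BIOS or UEFI boot loader. The option numbers (53, 60, 93, 97) are standard DHCP/PXE options; the packet builder, MAC and GUID are constructed sample data.

```python
import struct
import uuid

# RFC 4578 client system architecture codes (option 93) mapped to the kind
# of boot loader a responder would offer. Other codes are treated as unsupported.
ARCH_TO_LOADER = {0: "bios", 6: "uefi-ia32", 7: "uefi-x64", 9: "uefi-x64"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")  # constructed

def parse_dhcp(pkt: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    hlen = pkt[2]                      # hardware address length (6 for Ethernet)
    info = {"mac": pkt[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 255:                 # end of options
            break
        if tag == 0:                   # pad byte
            i += 1
            continue
        length = pkt[i + 1]
        info["options"][tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return info

def classify_pxe_request(pkt: bytes):
    """Return None for non-PXE DHCP traffic (which a responder drops), or the
    identity fields needed to look up deployments and pick a boot loader."""
    info = parse_dhcp(pkt)
    opts = info["options"]
    if opts.get(53) not in (b"\x01", b"\x03"):          # DISCOVER or REQUEST only
        return None
    if not opts.get(60, b"").startswith(b"PXEClient"):   # vendor class identifier
        return None
    arch = struct.unpack("!H", opts[93][:2])[0] if 93 in opts else 0
    guid = None
    if 97 in opts and len(opts[97]) == 17 and opts[97][0] == 0:
        # Assumption: the 16-byte client identifier is in SMBIOS (mixed-endian) order
        guid = str(uuid.UUID(bytes_le=opts[97][1:]))
    return {"mac": info["mac"], "smbios_guid": guid, "arch": arch,
            "loader": ARCH_TO_LOADER.get(arch, "unsupported")}

def build_discover(mac: bytes, pxe: bool) -> bytes:
    """Constructed sample DHCPDISCOVER; pxe=True adds the PXE client options."""
    hdr = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 24 + mac + b"\x00" * 10
    hdr += b"\x00" * 192 + MAGIC_COOKIE              # sname + file, then cookie
    opts = b"\x35\x01\x01"                            # option 53: DHCPDISCOVER
    if pxe:
        opts += b"\x3c\x09PXEClient"                  # option 60: vendor class
        opts += b"\x5d\x02\x00\x07"                   # option 93: EFI x64 (7)
        opts += b"\x61\x11\x00" + SAMPLE_GUID.bytes_le  # option 97: machine id
    return hdr + opts + b"\xff"
```

Feeding the same parser packets captured on UDP 67 versus the custom port shows why the Responder only ever needs to act on the PXE subset of what the IP helper forwards.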

Please refer to Design Considerations for further explanation of how to get PXE Everywhere ready for use.