Happy New Year, everyone! I'm reaching out to hear what solutions you all are using for re-imaging computers in the unfortunate event of a ransomware attack. While I know that prevention and backups are key, I want to focus on the restoration process. Currently, we're using a hybrid setup with on-prem AD synced to an Entra environment, utilizing WDS for imaging and PDQ Deploy for software distribution. However, I've found that PXE booting remote devices over SD-WAN is prohibitively slow, taking ages to download the boot image even with a decent connection. Have you had similar issues with Meraki SD-WAN? I've also been considering transitioning to Intune and Autopilot, but I'm concerned about re-imaging devices if WinRE gets encrypted. WDS seems outdated, and I'd rather not have to travel to numerous sites with USB drives. What are your thoughts on optimizing the PXE process or alternative methods?
5 Answers
Honestly, manual re-imaging is painful, but if you’re left with no other options, you’ve got to do what you have to do. Just be prepared—it hurts more than just in terms of time!
Using Configuration Manager with distribution points at each location can save you from relying on WAN for boot images. It makes the process smoother and avoids those long download times.
If you need a complete wipe and reinstall, I’ve had success using a multi-stage approach. Boot from a Linux USB to wipe everything clean before installing Windows again. It’s a bit involved, but it ensures you start fresh without any potential leftover malware.
I’d recommend moving towards Autopilot. It really simplifies things when you’re managing multiple remote sites. Imaging works well when everyone’s in one place, but with numerous locations, it’s just not practical anymore. I have about 8 sites and a bunch of remote users, so I totally get your struggle with physical re-imaging.
I’ve set up an imaging server on a private lab network for each site. While it’s a bit of work to duplicate servers, it helps manage the load and keeps things safe from ransomware attacks on the live network.
Exactly! I think going for Autopilot is the way to go. It takes the hassle out of manually handling each site.