Persistent enrollment of a computing device using a BIOS

US 10,445,106 B2
Filed: 03/22/2017
Issued: 10/15/2019
Est. Priority Date: 03/22/2017
Status: Active Grant

First Claim

Patent Images

1. A method for enrolling a computing device with a management server on first boot of the computing device, comprising:

accessing, on first boot of the computing device, a Windows Platform Binary Table (WPBT) that resides in firmware of the computing device;

executing a bootstrap loader that resides in the WPBT, the bootstrap loader initiating an enroller;

locating a management agent based on the enroller contacting a specified address; and

installing the management agent prior to an operating system allowing a user to log in, the management agent implementing policies defined at the management server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are included for causing a computing device to install a management agent prior to an operating system completing its first boot. A bootstrap loader is flashed into firmware, such as the BIOS, of a computing device. The bootstrap loader installs an enroller that identifies a management agent. This can include downloading the management agent from a management server. The enroller can find or contact the management server by contacting an address provided in a WINDOWS Platform Binary Table (WPBT). The management agent is installed prior to the user logging into the operating system to prevent circumvention of management policies.

84 Citations

View as Search Results

20 Claims

1. A method for enrolling a computing device with a management server on first boot of the computing device, comprising:
- accessing, on first boot of the computing device, a Windows Platform Binary Table (WPBT) that resides in firmware of the computing device;
  
  executing a bootstrap loader that resides in the WPBT, the bootstrap loader initiating an enroller;
  
  locating a management agent based on the enroller contacting a specified address; and
  
  installing the management agent prior to an operating system allowing a user to log in, the management agent implementing policies defined at the management server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - establishing communication over a network between the enroller and a first server at the address, wherein the first server provides a second address for the management server; and
      
      receiving the management agent from the management server.
  - 3. The method of claim 1, wherein the bootstrap loader is executed based on the operating system running an SMPexecuteCommand that identifies the bootstrap loader.
  - 4. The method of claim 1, wherein the firmware of the computing device includes a Unified Extensible Firmware Interface (UEFI).
  - 5. The method of claim 1, wherein the firmware includes a BIOS.
  - 6. The method of claim 1, wherein the bootstrap loader is a kernel driver and the enroller executes outside the kernel and waits for a Win32 process to activate a network interface.
  - 7. The method of claim 1, wherein the bootstrap loader accesses an application programming interface (API) of the operating system to inject the management agent.
  - 8. The method of claim 1, wherein the enroller blocks login to the operating system until after the computing device has enrolled with the management server.
  - 9. The method of claim 1, wherein the enroller updates itself by downloading an updated enroller from the management server.

10. A computing device that enrolls at a management server upon first boot, comprising:
- a processor;
  
  an operating system; and
  
  firmware comprising;
  
  a Windows Platform Binary Table (WPBT); and
  
  an executable bootstrap loader in the WPBT;
  
  wherein the processor performs stages including;
  
  accessing the WPBT on first boot and executing the bootstrap loader, the bootstrap loader installing an enroller; and
  
  installing a management agent located by the enroller prior to an operating system completing boot up, the management agent implementing policies defined at the management server.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computing device of claim 10, wherein locating the management agent includes identifying a server address in the firmware that the firmware contacts after a network interface is active.
  - 12. The computing device of claim 11, wherein the processor performs further stages including:
    - communicating over the network with the management server; and
      
      downloading the management agent from the management server.
  - 13. The computing device of claim 10, wherein the processor performs further stages including blocking the operating system from allowing user login until after the computing device has enrolled with the management server.
  - 14. The computing device of claim 10, wherein the processor performs further stages including:
    - waiting for a network interface to activate; and
      
      updating the enroller by communicating with the management server through the network interface.
  - 15. The computing device of claim 10, wherein the processor is an auxiliary processor that is separate from a central processing unit of the computing device.

16. A non-transitory, computer-readable medium comprising instructions that, when executed by a processor of a computing device, cause the processor to perform stages for enrolling the computing device with a management server, the stages comprising:
- executing, on first boot, a bootstrap loader located in a Windows Platform Binary Table (WPBT) in firmware of the computing device;
  
  installing an enroller based on the execution of the bootstrap loader;
  
  executing the enroller to perform stages including;
  
  identifying a management agent; and
  
  injecting the management agent into an operating system prior to allowing a user to log into the operating system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory, computer-readable medium of claim 16, wherein the bootstrap loader is part of a UEFI or BIOS.
  - 18. The non-transitory, computer-readable medium of claim 16, wherein identifying the management agent includes:
    - contacting a server identified in the firmware to receive a location of the management server; and
      
      downloading the management agent from the management server.
  - 19. The non-transitory, computer-readable medium of claim 16, wherein the bootstrap loader is a kernel driver.
  - 20. The non-transitory, computer-readable medium of claim 16, wherein the stages further include updating the enroller prior to enrolling the computing device with the management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Roszak, Jason, Newell, Craig, Shantharam, Shravan, Murthy, Varun, Regula, Kalyan, Watts, Blake
Primary Examiner(s)
Chan, Wing F
Assistant Examiner(s)
Maniwang, Joseph R

Application Number

US15/466,830
Publication Number

US 20180276000A1
Time in Patent Office

937 Days
Field of Search

709223
US Class Current
CPC Class Codes

G06F 11/14   Error detection or correcti...

G06F 8/61   Installation

G06F 9/4401   Bootstrapping security arra...

G06F 9/4416   Network booting; Remote ini...

G06F 9/452   Remote windowing, e.g. X-Wi...

H04L 67/34   involving the movement of s...

Persistent enrollment of a computing device using a BIOS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Persistent enrollment of a computing device using a BIOS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links