The PXE boot plus the remote IDRAC is a terrible combination. . A remote Idrac connection allows them to setup a virtual console, provision a file share over the network as a local disk, or change the BIOS boot order to include a network boot.

A virtual console would allow someone on the network to come in and have keyboard and mouse access to these machines. Database management tools capable of altering the database were found on the machines. This would allow people to come in and basically alter the results the voting machines provided at will.

Provisioning a network share as a local disk. This would allow someone to point to any files they had prepared, and have them accessible. These could log altering to alter the logs on the machines to cover their tracks or any other scenario.

Change the Bios Boot Order to include a network boot. This is perhaps the most subtle and insidious using this could tell the machines to boot and run DIRTY during the election, but after the election they would run the CLEAN version from the disk.

Technical explanation of that 3rd really insidious one. Transfering an OS over the network is data intensive, but there are Minimal OS's designed to run other OS in a containerized fashion. Meaning that instead of booting the CLEAN OS on the disk, they boot a container OS configured to run the OS and Applications on the Disk, but with very subtle variations that the OS would be unaware of. Here is one Scenario

1. the Device is configured via IDRAC to boot from the network. This is known as a PXE Boot.
2. Via IDRAC virtual console the device is rebooted
3. The Device runs a container OS, which there are atleast a half dozen. The Container OS is really small and designed to be compressed for a minimal size. The Container OS then runs the OS on the disk with one subtle variation.
4. The OS on the Disk is booted, and thinks it is reading the hard drive, it instead is reading what the container presents. The container presents the entire contents of the hard drive exactly as it is except for the directory containing the election software. That instead points to the corrupt version instead.
5. The corrupt version appears to the OS to be in the exact same location as the Clean version, and the OS and all the logs think they are running the clean version.
6. The Corrupt version does anything they can dream of, including purposely misreading ballots to send them to adjucation, or simply recording a fraction Trump votes as Biden votes.
7. After the election is over they disconnect the PXE Server, and then machine runs the clean version instead. Any auditor turning on the machine sees the clean version
8. All the logs appear normal on the machine because it believed it was running the OS, and it was, just the container OS mislead it about the location of key files. All the logs that are supposed to be there are present, and there is no evidence of tampering on the machine, because the tampering occurred beneath the OS.

The thing about this is that PXE booting requires DHCP and BOOTP, which have a high probability of hitting the router and being logged by DHCP forwarding configured on the router. Worse yet if the PXE server was configured by someone with access the routers they could simply change the normal forwading address to the rogue server they setup. In this case the evidence would be on the router and network logs at the county, instead of on the Machines. Kindof an Odd coincidence that the county is fighting tooth and nail not to turn these over.