WDS deployment of Win7 - Administrator Approval for unknown computers

    Question

  • hi,

    I've set up and configured WDS to deploy Win7 Professional. All is working fine, although I have noticed a strange anomaly. I have set the attributes in the tab 'PXE Response' of the properties of the WDS server to:

    "Respond to All client computers (known and unknown)" and also checked the tick box so the administrator approval is required.

    The automated install builds the pc and joins it to the domain - this all works great (what's the issue then..!). The issue is that after the install, should the pc be rebuilt a week later (e.g. virus on a user pc), I noticed that if the pc account has not been removed from AD, upon the rebuild the pc doesn't prompt for the pc account (presumably due to the pc GUID being assigned to the pc name); it will just rebuild the pc with the deployment image!

    This has concerned me somewhat, for what stops the user accidentally hitting F12 and the pc PXE booting, wiping their current pc and installing a base install on the pc? This could potentially wipe/rebuild good machines, losing people's data. arrggh!

    Is there any way I can prevent a rebuild from automatically deploying a new install on a pc built through WDS when F12 is hit?

    I'm aware I could disable PXE after the install, but what I was hoping is that whenever F12 is hit after the pc is built, the administrator always has to approve the pc build on the WDS server, otherwise the install does not continue. Is it possible to configure it this way?

    thanks,

    John


    thanks, John

    Friday, August 16, 2013 11:45 AM

Answers

  • Hi John,

    As I understand it, you would like to make a setting to prevent the automatic deployment on the user's computer when F12 is hit.

    Based on my knowledge, WDS doesn't provide any security for its native boot images. But we have the following workarounds to implement what you mentioned.

    Method 1: Add pxelinux and vesamenu.c32 to WDS to add that feature.

    Combining Windows Deployment Services & PXELinux for the ultimate network boot

    http://thommck.wordpress.com/2011/09/09/deep-dive-combining-windows-deployment-services-pxelinux-for-the-ultimate-network-boot/

    Note This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.


    Method 2: Use SCCM to implement this.

    System Center 2012 Configuration Manager

    http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx


    Operating System Deployment in Configuration Manager

    http://technet.microsoft.com/en-us/library/bb632767.aspx

    Hope these could be helpful.


    Kate Li

    TechNet Community Support

    • Marked as answer by Millsy107 Tuesday, August 20, 2013 3:32 PM
    Monday, August 19, 2013 2:15 PM
    Owner
  • Hi,

    I have found a much simpler way to ensure users cannot accidentally initiate and overwrite the data on their pc (laptop) by accidentally pressing F12 on a previously deployed pc using WDS.

    To build the pc, Windows uses a netBootGUID that is assigned to the pc at prestaging during a WDS deployment. The netBootGUID is also stored in AD. It is the assignment of this number in AD that is responsible for giving the machine the ability to be re-installed through WDS upon a network boot without prompting the administrator in the WDS console. For my environment this wouldn't be appreciated.

    By running the following commands, you can overcome this issue.

    Firstly, ensure the pc built is purged from WDS. I have set the purge to be performed on any records older than 7 days in WDS. You can change the value to one that you feel comfortable with.

    WDSUTIL /Set-Server /AutoAddPolicy /RetentionPeriod /Approved:7

    Secondly, ensure the NetBootGUID is removed from the machine's AD account object. Again, I have set this to 7 days, but you can change the value to whatever you feel is sensible.

    Get-ADComputer -Filter {NetbootGUID -like "*"} -Properties name,NetbootGUID,Created | ? {$_.Created -le ((get-date).addDays(-7))} | Set-ADComputer -clear NetbootGUID

    Removing the values ensures any re-installation from WDS outside of the first week will need the administrator to approve and name the pc requesting the deployment.

    I hope this helps any of you having the same issue that I did.

    John


    thanks, John

    • Marked as answer by Millsy107 Wednesday, October 30, 2013 9:23 PM
    Monday, October 28, 2013 12:08 PM
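    An added example, not from the thread or from John: a scheduled maintenance script that wraps John's two steps so the AD-side clearing of NetbootGUID can first be dry-run with -WhatIf and every cleared object is written to an audit log. It assumes the ActiveDirectory module (RSAT) is installed, that it runs with rights to modify computer objects, and that the OU path and log path are placeholders to be replaced; the retention window defaults to the 7 days used in the thread.

```powershell
# Added example (not from the original thread). Clears stale NetbootGUID values from AD
# computer objects so that a PXE/F12 boot on an already-deployed machine falls back to
# "unknown computer" and requires administrator approval in the WDS console.
# Assumptions: ActiveDirectory module available; $SearchBase and $LogPath are placeholders.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]    $RetentionDays = 7,                                        # thread's 7-day window
    [string] $SearchBase    = 'OU=Workstations,DC=example,DC=local',   # placeholder OU
    [string] $LogPath       = 'C:\Logs\NetbootGUID-cleanup.log'        # placeholder path
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$RetentionDays)

# Step 1 (WDS side) is the one-off policy from the thread; WDS then purges approved
# prestaged records older than the retention period on its own:
#   WDSUTIL /Set-Server /AutoAddPolicy /RetentionPeriod /Approved:7

# Step 2 (AD side): only computer objects that still carry a NetbootGUID can be
# re-imaged without approval, so select those created before the cutoff.
$stale = Get-ADComputer -Filter { NetbootGUID -like '*' } `
                        -SearchBase $SearchBase `
                        -Properties Name, NetbootGUID, Created |
         Where-Object { $_.Created -le $cutoff }

if (-not $stale) {
    Write-Verbose "No computer objects with a NetbootGUID older than $RetentionDays days."
    return
}

foreach ($computer in $stale) {
    # NetbootGUID is stored as a 16-byte binary value; render it as a GUID for the log,
    # falling back to a marker if the attribute is malformed.
    $guid = $(try { [guid]::new([byte[]]$computer.NetbootGUID) } catch { 'unparseable' })
    $line = '{0} {1} created={2:u} netbootGUID={3}' -f (Get-Date -Format u),
                                                       $computer.Name,
                                                       $computer.Created,
                                                       $guid

    # ShouldProcess honours -WhatIf (report only) and -Confirm (prompt per object).
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Clear NetbootGUID')) {
        Set-ADComputer -Identity $computer.DistinguishedName -Clear NetbootGUID
        Add-Content -Path $LogPath -Value "CLEARED $line" -WhatIf:$false
    } else {
        # Add-Content also honours $WhatIfPreference, so force it so the dry run is logged.
        Add-Content -Path $LogPath -Value "WOULD-CLEAR $line" -WhatIf:$false
    }
}
```

    Run it once with -WhatIf and review the WOULD-CLEAR lines in the log before scheduling it; scoping the query with -SearchBase keeps servers or other OUs that deliberately rely on prestaging out of the sweep.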

All replies

    Owner
  • Thanks for all the info Kate :) Much appreciated.

    thanks, John

    Tuesday, August 20, 2013 3:32 PM