I have been asked a number of times about the possibility of allowing or denying Windows 7 installation to specific MAC addresses.
If you are performing a light touch installation (LTI) using MDT, you can append the MAC address to your customsettings.ini file. A sample configuration is shown below:
The above entries will install the operating system only to the MAC address [00:15:5D:84:2F:24]. Any other MAC address won’t be able to perform the OS installation. When you try to run a task sequence from an unauthorized machine, you will get the error below:
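The MAC-based customsettings.ini rules described above can be checked offline before they are copied to the deployment share. This is an added example, not the author's configuration or part of MDT: it embeds a constructed default-deny rule set (the section layout is assumed, only the MAC address comes from the article) and models rule processing as first-value-wins in Priority order. The function names are hypothetical.

```python
import configparser

# Constructed sample (assumption): default-deny rules matching the behaviour the
# article describes. Only the MAC address is taken from the article.
SAMPLE_INI = """\
[Settings]
Priority=MacAddress, Default

[Default]
OSInstall=NO

[00:15:5D:84:2F:24]
OSInstall=YES
"""

def _norm(mac):
    """Upper-case colon form, so 00-15-5d-84-2f-24 matches 00:15:5D:84:2F:24."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    order = cp.get("Settings", "Priority", fallback="").split(",")
    return cp, [p.strip().lower() for p in order if p.strip()]

def os_install_allowed(text, mac):
    """Walk sections in Priority order; the first OSInstall value found wins."""
    cp, order = _load(text)
    for item in order:
        wanted = _norm(mac) if item == "macaddress" else item
        for name in cp.sections():
            key = _norm(name) if item == "macaddress" else name.lower()
            value = cp.get(name, "OSInstall", fallback=None)
            if key == wanted and value is not None:
                return value.strip().upper() == "YES"
    return True  # OSInstall never set: MDT allows deployment by default

def audit(text):
    """Return findings that would make the MAC allowlist ineffective."""
    cp, order = _load(text)
    findings = []
    if "macaddress" not in order:
        findings.append("MacAddress missing from Priority: per-MAC sections are ignored")
    elif "default" in order and order.index("default") < order.index("macaddress"):
        findings.append("Default precedes MacAddress: its OSInstall value wins")
    if os_install_allowed(text, "02:00:00:00:00:01"):  # constructed unlisted MAC
        findings.append("an unlisted MAC address is allowed to install")
    return findings
```

An empty list from `audit()` means the rule set denies unlisted machines; swapping the Priority order or dropping `OSInstall=NO` from `[Default]` each produce a finding.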
You could also make use of SQL Express for dynamic configuration. To do so, expand your deployment share, expand Advanced Configuration, expand Database, right-click Computers and click New Computer.
Fill in the information to identify the computer as shown below and click Apply:
Click the Details tab, and scroll down to the Miscellaneous section. For the OSInstall value, type NO and click OK:
Right-click Database and select Configure Database Rules. On the Configure DB Wizard page, select the first option to query for computer-specific settings only:
Click Next and click Deselect All for Location Options. Repeat this for the remaining pages until you reach the confirmation page.
Check your customsettings.ini; it should look like the one below:
When you try to run an operating system deployment from an unauthorized machine, you would get a similar error to the one at the top of this article.
On the other hand, if you are performing a zero touch installation (ZTI) with Configuration Manager, the steps would be similar to LTI but you would need to add a Gather step to read customsettings.ini at the beginning of your task sequence.
From the Configuration Manager console, expand Operating System Deployment and click Task Sequences. Right-click your desired task sequence and click Edit.
Place your cursor on the Initialization group, click on Add, select MDT and click Gather.
Select Gather local data and process rules and browse to your Settings package that was created prior to the task sequence creation. On the Rules file field, type CustomSettings.ini:
Machines whose MAC address is not listed for deployment will get the following error:
You can also deny the installation at the PXE level by adding a string value named MACIgnoreListFile to the registry of the PXE server. This value should reference a text file placed on the same server which lists the MAC addresses to be ignored for PXE boot:
On a 32-bit system, the registry key needs to be created at HKLM\Software\Microsoft\SMS\PXE. On a 64-bit system, the registry key needs to be created at HKLM\Software\Wow6432Node\SMS\PXE.
Machines listed in the text file would get the following error when booting from PXE:
Conversely, you can allow only specific MAC addresses to boot from a PXE server. To do so, from the Configuration Manager console, expand your Site Settings, select your site server, right-click your PXE service point and click Properties.
Under Interfaces, select “Respond to PXE requests on specific network interfaces” and add your MAC addresses as shown below:
Best one yet buddy
This definitely helps with testing out new images so that others don't accidentally deploy them. I prefer to test in virtual machines and I can control the MAC address that is seen, so it makes it easy to lock down what I want with this.
Arposh: Indeed a great way to go!!
Perfect, will help a lot