
I'm just getting the hang of trying to configure/use Windows Deployment Services (WDS) to image Windows 7 workstations on our network.

I have the WDS server configured so any machine can request an image, but the administrator must authorize the configuration. This way we would minimize accidental (or malicious) re-imaging of computers on the network.

For the initial setup, I configured the base Windows 7 install and boot images then hooked up a testbed Dell machine. Booted the Dell with PXE boot, it started the PXE boot, and went back to the WDS server to authorize ID 1 machine. No problem, the Dell booted to Win7 setup and started the whole configuration process.

Got all done and started going through instructions to create an image WIM file on the master; Sysprep with the generalize option completely hosed the staging client. After many profanities, I decided to start from scratch again.

Rebooted the client with PXE boot, and this time it saw the WDS server and started the re-imaging process again without me authorizing it.

This makes me think that if individuals on the network managed to PXE boot an imaged machine, the machine will allow them to re-image it without authorization.

Is this the case?

If so, is there a way to clear out the already authorized IDs/MACs from the WDS server?

Using Windows Deployment Services on Windows 2008 Server.

pauska
Bart Silverstrim

1 Answer


WDSUTIL does what you're after...

WDSUTIL /Verbose /Delete-AutoAddDevices /Server:MyWDSServer /DeviceType:ApprovedDevices

-Lewis

Lewis
  • I'll test this out shortly, thank you! Is there a way to view the added devices in the database? I'm trying the Googles with the WDS command and going through the command references and white papers but not finding a way to do that. – Bart Silverstrim Jul 21 '11 at 16:30
  • Hmm...just ran the command, said it completed successfully on the WDS server, and I re-tried PXE boot on the machine and it again let me start the setup without administrator approval. :-( – Bart Silverstrim Jul 21 '11 at 17:14
  • Re-running the command gives the error description: "No Auto Add Devices matched the specified criteria." – Bart Silverstrim Jul 21 '11 at 17:15
  • wdsutil /get-alldevices shows four items in the database. I must need to find a way to delete those. – Bart Silverstrim Jul 21 '11 at 17:34
  • Looks like deleting the machines from AD also eventually cleared them from /get-alldevices. Maybe that is part of what solves the mystery? – Bart Silverstrim Jul 21 '11 at 17:41
  • Does indeed kind of look like that is the case. http://social.technet.microsoft.com/forums/en-US/winserversetup/thread/ce4ff156-863e-4734-a13f-86f8f9a00c9f – Bart Silverstrim Jul 21 '11 at 18:17
  • I guess it kind of makes sense after reading that article. Essentially you have already approved that machine's GUID so it can continue to PXE boot forever more. Essentially an "unknown" computer is one that has never been approved or rejected. Once approved and installed, an account is created in Active Directory and tagged with the machine's GUID. Have a look at the properties of a computer account created via PXE/WDS and you'll see additional tabs over that of a manually created computer account. – Lewis Jul 22 '11 at 07:37
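
The thread concludes that an approved machine stays known to WDS through its Active Directory computer account, so the accounts carrying a PXE identifier are the real list of machines that can boot without approval. The PowerShell below is an added example, not part of the original posts: it lists those accounts and can un-prestage one of them. It assumes the identifier is stored in the AD attribute netbootGUID (a name not given on the page) and that a MAC-based entry is stored as ten zero bytes followed by the MAC; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run as a domain user with read access to
# computer objects; Clear-Prestage needs write access to the account.

function Convert-NetbootGuid {
    param([byte[]]$Bytes)
    if ($Bytes.Length -ne 16) { return 'unexpected length: ' + $Bytes.Length }
    # Assumption: MAC-based prestaging = 10 zero bytes, then the 6-byte MAC.
    $nonZeroPrefix = @($Bytes[0..9] | Where-Object { $_ -ne 0 })
    if ($nonZeroPrefix.Count -eq 0) {
        return 'MAC ' + (($Bytes[10..15] | ForEach-Object { $_.ToString('X2') }) -join '-')
    }
    # Otherwise treat the value as the machine's GUID.
    return 'GUID ' + (New-Object Guid (,$Bytes)).ToString()
}

function Get-PrestagedComputer {
    # Every computer account that has a PXE identifier, in the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=computer)(netbootGUID=*))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('name', 'netbootguid', 'whencreated', 'distinguishedname'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name    = [string]$r.Properties['name'][0]
            Id      = Convert-NetbootGuid ([byte[]]$r.Properties['netbootguid'][0])
            Created = $r.Properties['whencreated'][0]
            DN      = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Clear-Prestage {
    # Removes only the PXE identifier; the computer account itself is kept.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$DistinguishedName")
    $entry.psbase.Properties['netbootGUID'].Clear()
    $entry.psbase.CommitChanges()
}

# Review the list first, oldest accounts at the top.
Get-PrestagedComputer | Sort-Object Created | Format-Table Name, Id, Created -AutoSize

# Then, for a machine that should need approval again (placeholder DN):
# Clear-Prestage -DistinguishedName 'CN=EXAMPLE-PC,OU=Workstations,DC=example,DC=local'
```

Compare the output with wdsutil /get-alldevices before and after a change; the comments above report that removing the AD account took a while to show up there.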