WDS Authentication for Boot Images

Hi again all...

I know this may not be the exact forum for this... it's a WDS question.

I'd appreciate if it could be moved to the correct forum if wrong.

We used to use RIS.

- When we PXE to RIS, we would get a screen to authenticate the user.

- Depending on the user, different screens would appear (Maintenance & Troubleshooting etc).

WDS seems to be very different in this respect.

- The BOOT IMAGES have no authentication.

We would like to PXE to WDS, and only show certain BOOT IMAGES depending on the user.

We may have ~10 active boot images for development work, but only one production boot image that everyone else should use. Unfortunately everyone sees all boot images and may select the incorrect one.

Does anyone know why the (initial) authentication was removed?

I preferred the RIS method to authenticate first, and then have various choices.

Any ideas?



I am thinking that your best option would be to pre-qualify the clients into WDS/Active Directory. Then create a deployment exception (rule) that makes those said computers use a different boot rom than the default.

wdsutil.exe /set-device /Device:SERVER01 /BootProgram:Boot\x86\pxeboot.n12



So, create a rule for your pre-qualified clients to receive the x86 boot file, and only use 1 x86 Boot Image. Then set your default boot image to x64, and only use 1 x64 boot image. The x64 could be used by developers and should be able to deploy x86 images. However, if you have more clients than developers, you may want to pre-qualify the dev computers instead. If you are running any asset management environments (such as Altiris Notification Server) you could probably script it to pre-qualify them automatically, presuming you can set up the appropriate container. Otherwise you'd have to enter this information manually.

If this seems confusing, let me know exactly how your WDS is laid out. I, for example, have 2 Boot Images and 7 Install Images.

You have an additional option as well, if there is only 1 client "system image", aka a captured and sysprepped image, you could pre-qualify your client machines to boot into a standard WinPE, and then script it appropriately to deploy the image. That way the client would not have any option to do a selection.

As far as "no authentication" this is incorrect. Although, this does depend on where you are getting these boot images from. A standard Win PE does not, this is correct, but the boot.wim from a Vista disc does.

Let me know your thoughts about this.


Working in an educational environment, we don't want students to be able to PXE and start an image.

We have various scripts after mini setup to install certain items over the network depending on lab (machine name).

Authentication is required to stop students from doing this to a computer and perhaps interrupting classes etc.

Authentication at the very beginning of a sequence makes sense... we can lock down the WIMs which will ask for authentication later on through the sequence... it would be much better (IMO) if auth was asked for at the beginning...

It's not a huge problem, just a little untidy IMO.

Wasn't sure if there is something I was missing when comparing to RIS, which does do what I want. Shame they simply removed the initial auth.


OK, this would be what I recommend. By default your PXE option should not be available. Since you are in a school, you should already have inventory information for your system, which (I would hope) includes the hardware (MAC) address. For all of your domain computers, this information should be included into Active Directory. Your default boot option in WDS should be: Boot\x86\abortpxe.com.

Then, when you know you have to re-image a certain machine, you put in your exception (in my previous post) to use one of the other options for PXE.

Just make sure that if you ever replace a system, a motherboard or upgrade/replace a NIC that you update the hardware address in Active Directory.

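Added example, not part of the original posts: a PowerShell sketch of the workflow recommended above, where the server default is `abortpxe.com` and a lab's machines get the `pxeboot.n12` exception only while they are being imaged. The inventory rows, lab names and function names are constructed for illustration; the script only emits the `wdsutil.exe` command lines so they can be reviewed before being run on the WDS server.

```powershell
# Added example: toggles the per-device PXE exception for one lab at a time.
# Inventory rows are constructed sample data; names and MACs are not real.
$Inventory = @'
Name,Mac,Lab
LAB1-PC01,00:1A:2B:3C:4D:01,LAB1
LAB1-PC02,00-1a-2b-3c-4d-02,LAB1
LAB2-PC01,001A2B3C4D5,LAB2
'@ | ConvertFrom-Csv

$AbortProgram = 'Boot\x86\abortpxe.com'   # default from the post: PXE is refused
$ImageProgram = 'Boot\x86\pxeboot.n12'    # exception from the earlier post

function ConvertTo-WdsMac([string]$Mac) {
    # Strip separators and require exactly 12 hex digits.
    $hex = ($Mac -replace '[-:.]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Bad MAC '$Mac'" }
    return $hex
}

function Get-LabPxeCommands([string]$Lab, [switch]$Allow, [switch]$Prestage) {
    $program = if ($Allow) { $ImageProgram } else { $AbortProgram }
    foreach ($pc in $Inventory | Where-Object Lab -eq $Lab) {
        # A stale or mistyped MAC in inventory is reported instead of being sent to WDS.
        try { $mac = ConvertTo-WdsMac $pc.Mac }
        catch { Write-Warning "$($pc.Name): $_ (skipped)"; continue }
        if ($Prestage) {
            "wdsutil.exe /Add-Device /Device:$($pc.Name) /ID:$mac /BootProgram:$program"
        } else {
            "wdsutil.exe /Set-Device /Device:$($pc.Name) /BootProgram:$program"
        }
    }
}

# Server-wide default, set once: clients without an exception abort PXE.
"wdsutil.exe /Set-Server /BootProgram:$AbortProgram /Architecture:x86"
Get-LabPxeCommands -Lab LAB1 -Prestage   # first-time prestage, PXE still refused
Get-LabPxeCommands -Lab LAB1 -Allow      # just before imaging LAB1
Get-LabPxeCommands -Lab LAB1             # after imaging: back to abortpxe.com
Get-LabPxeCommands -Lab LAB2 -Prestage   # malformed MAC is warned about and skipped
```

Resetting the lab to `abortpxe.com` after imaging is what keeps the exception window short; leaving `pxeboot.n12` assigned means anyone at that machine can start an image again.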

Currently we only have pxe as optional boot (i.e. hit F12).

When booting to RIS you are asked to auth, and can then start an image immediately without any special work.

We have over 4000 machines.

Labs are imaged at a time by technicians when required... it's extra work to add exceptions as and when they need it. Instead a technician can just go PXE, authenticate and the rest of the work goes automatically.

WDS will let me authenticate a bit further through the boot.wim (when I am about to select image) and that would have to do. More than likely I can script it (AutoIT etc) to begin with to ask for user/pass and authenticate to the WDS share - this should hopefully hold when I need to select an image.

Again, it's no big deal really - just wanted to make sure I wasn't missing something before I go and write something that should already be working...

Thanks for all the info Tripredacus!
