Hi All,

The ability to do domain authentication for a PXE boot in RIS could be achieved by modifying the security directly on the image folder on the RIS server - however, I can't seem to implement the same access control in SCCM 2007 SP1 using WDS.

I have set up the capability to build bare metal machines using the OS Deployment feature in SCCM. The image process is advertised to “All Unknown Computers” and starts with the “builder” hitting F12 on the workstation. The boot image is loaded from the DP share and then the process begins.

My question is: How can I protect the PXE boot process by having the system request a domain Username and Password in order to begin the PXE boot process and also limit who can see the advertisements for the avialable images.

Thanks,

phil

• Moved by Torsten [MVP]MVP Monday, March 29, 2010 7:36 PM moved to OSD subforum (From:Configuration Manager Setup/Deployment)

Hi,

You can specify a password for computers that boot to PXE.

For more info :

http://technet.microsoft.com/en-us/library/bb680668.aspx

http://blogs.technet.com/configurationmgr/archive/2009/07/27/a-step-by-step-for-using-osd-through-system-center-configuration-manager-2007.aspx

http://technet.microsoft.com/en-us/library/bb632767.aspx

Regards.

Hi,

Thanks for the reply.

Yes - I did in fact set the password properties in the PXE boot service role on the SCCM server. However, that means I have to give that password out to everyone that needs to build a machine. This makes it difficult to control who has the password and does not provide enough security as to who can build machines.

I would really like to use domain authentication (similar to what was availble in RIS) so the "builder" has to enter his domain credentials before being enable to continue with the build process. This way only those people identified in AD would be able to build machines.

Any other suggestions would be appreciated.

Thanks,

Phil

 

I think there's no such feature built-in to grant rights based on domain authentication. However, I suppose it is possible to create a HTA script that is run as the first task of task sequence and which can decide, based on credentials, whether or not to proceed with task sequence.

Thanks - yep a custom script looks like the way to go. I was hoping there would be some way of stopping the process before it really gets started - at the PXE boot stage, but doesn't look like it.

Thanks for all the imput....appreciated.

Phil

 

some way of stopping the process before it really gets started  

Not exactly what you're looking for but you could have a look at the pre-execution hook: http://technet.microsoft.com/en-us/library/bb694075.aspx

• Marked as answer by Eric Zhang CHN Monday, April 12, 2010 3:14 AM

Did you ever get this working? I'm working obn the same thing. If you could share your solution it would be great. Louis

Hi... did you ever get this working? I'm looking to do exactly the same thing

Phil Did you ever develop a solution? we are currently implementing SCCM 2012 and i would like to include AD authentication rather than standard password protection. thanks