Unknown Computers in SCCM 2007 R2 - overview

One of the new features in SCCM 2007 R2 is support for OSD deployments to 'Unknown' Computers - computers that do not exist in the SCCM database. This feature existed in previous releases of OSD (SMS 2003) but was removed for security and safety reasons. There are specific environments where the ability to image 'unknown' computers is beneficial, so it was added back in R2.

Before using this feature, stop to consider that it can introduce unwanted image deployments to the environment. If enabled, a system booting into the OSD environment, whether through boot media or PXE (more on that in a minute), will be able to access the SCCM environment and download images. If there are any mandatory image deployments targeted to the 'unknown' system, the image deployment starts immediately and the existing data on the system's hard drives is removed! You don't want to be the one to accidentally cause the CEO's system to get wiped with a new image, so be sure you use this feature appropriately! :) Before you get too nervous - we do have a way to add a layer of protection and ensure key machines aren't imaged. More on that near the end of the blog entry.

So, you've considered the benefits, weighed the possibilities and decided this is a feature you want to implement - so how do you set it up? There are really two key areas: enable 'unknown' computer support in your boot sequence, and target images to 'unknown' computers.

Enable 'unknown' computer support
'Unknown' computers can be imaged either by PXE booting or through media - such as a CD-based boot or USB key. You can choose to enable 'unknown' support for either or both methods.

Enable for PXE booting:
To enable 'unknown' computer support for PXE booting systems, all you need to do is select the 'Enable unknown computer support' box on the PXE service point properties screen as shown:

[Screenshot: PXE service point properties with 'Enable unknown computer support' selected]

When you select this option, the warning screen below will be displayed.

[Screenshot: warning shown when unknown computer support is enabled]

Enable for media booting:
To enable 'unknown' computer support for media booting systems, all you need to do is select the 'Enable unknown computer support' box in the create task sequence - bootable media wizard as shown:

[Screenshot: bootable media wizard with 'Enable unknown computer support' selected]

This will create new task sequence media that will allow 'unknown' systems to be imaged.

Target images to 'unknown' computers
With the boot scenarios configured, all that remains is to target images at our 'unknown' computers. This is done by selecting the image(s) you want to be made available to 'unknown' computers and advertising them to the 'All Unknown Computers' collection. This collection is new to R2 and contains generic machine records for each machine architecture that might be imaged - x86 or x64. The 'All Unknown Computers' collection is shown below and is the collection that must be used for targeting images to 'unknown' systems.

[Screenshot: the 'All Unknown Computers' collection]

Images can be advertised to this collection either as optional (safer) or mandatory (more risk - image deployment starts immediately).

That's it - now you can boot your 'unknown' systems and they will be able to receive OSD images - just like standard machines. Oh, so what is the mechanism to ensure we don't image certain machines? You can specify which systems to deny imaging to using a text file - just list out the MAC addresses for the systems you don't want to be imaged and store it on the PXE service point - named whatever you like. In the registry of the PXE service point, navigate to HKLM\Software\Microsoft\SMS\PXE, add a string value called MACIgnoreListFile and point it to the full path of the text file!
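One way to script the deny list described above, as an added example that is not part of the original post or of SCCM itself. The function names, the sample MAC addresses and the file path are placeholders, and the file layout (one MAC per line as 12 hex digits without separators) is an assumption the post does not state.

```powershell
# Added example: build a MAC deny list for the PXE service point and register it.
# Assumption (not stated in the post): one MAC per line, 12 hex digits, no separators.
$ErrorActionPreference = 'Stop'

function ConvertTo-NormalizedMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept 00-1A-2B-..., 00:1a:2b:... and 001a.2b3c.4d5e; strip separators, upper-case.
    $hex = ($Mac -replace '[-:.\s]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Not a valid MAC address: '$Mac'" }
    return $hex
}

function Set-PxeMacIgnoreList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$MacAddress,
        [Parameter(Mandatory)][string]$ListPath,
        # Key named in the post. A 32-bit service on a 64-bit OS reads
        # HKLM:\SOFTWARE\Wow6432Node\... instead; pass that path if it applies.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SMS\PXE'
    )
    # Validate every entry before touching the file, so one typo cannot
    # leave a list that silently protects fewer machines than intended.
    $macs = @($MacAddress | ForEach-Object { ConvertTo-NormalizedMac $_ } | Sort-Object -Unique)
    if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

    if ($PSCmdlet.ShouldProcess($ListPath, "Write $($macs.Count) MAC addresses")) {
        Set-Content -Path $ListPath -Value $macs -Encoding ASCII
        # A string value is stored as REG_SZ, matching the "string value" in the post.
        Set-ItemProperty -Path $KeyPath -Name 'MACIgnoreListFile' -Value $ListPath
        # Read back the registry value and the file it points to.
        $inEffect = (Get-ItemProperty -Path $KeyPath).MACIgnoreListFile
        $written  = @(Get-Content -Path $inEffect)
        if ($written.Count -ne $macs.Count) { throw 'Deny list on disk does not match input.' }
        return $written
    }
}

# Constructed sample: machines that must never be imaged (placeholder addresses;
# the third entry duplicates the first in a different notation).
$protected = @('00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5f', '001A.2B3C.4D5E')
# Placeholder path; run elevated on the PXE service point. Remove -WhatIf to apply.
Set-PxeMacIgnoreList -MacAddress $protected -ListPath 'D:\PXE\MacIgnoreList.txt' -WhatIf
```

Because the list is the only safeguard when a mandatory advertisement targets 'All Unknown Computers', restrict write access to both the file and the registry value to administrators.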

Looking at this you might ask the question - how does this really work 'behind the scenes'?  Take a look at my next blog entry for details!