Filtering Images

  • Article

Applies To: Windows Server 2008

This topic contains information about restricting which install images are shown to users as part of an image deployment.

Automatic Filtering by Windows Deployment Services

Windows Deployment Services filters the images in the image selection page (by hardware abstraction layer and architecture) to avoid situations where a user is allowed to install an image that is not compatible.

  • HAL filtering. For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images, hardware abstraction layer (HAL) filtering is not necessary because the image contains all possible HALs. For previous operating systems, Windows Deployment Services will compare the HAL type (as specified in the metadata for the .wim file) to that of the destination computer and will only display the image to the user if the HAL types are identical.

  • Architecture filtering. For x86-based computers, when you boot into an x86-based boot image, the images that are applicable to that architecture will be filtered automatically. However, if you boot into an x86-based Boot.wim file from an x64-based computer, x86-based and x64-based install images will be displayed. However, if you boot into an x64-based Boot.wim file from a x64-based computer, only x64-based boot images will be displayed.

Filtering Images Manually

You can specify permissions to allow only certain users rights to see a particular install image. To set permissions, right-click the image (either in the MMC snap-in or in the RemoteInstall folder), and then click Properties. It is not possible to specify permissions for different users for images within the same image group. For example, if you have two images, ImageA and ImageB, and you would like User1 to have access to ImageA and User2 to have access to ImageB, you must have each image stored in a separate .wim file.

Note that setting these permissions sets the permissions on the .wim file (which contains only metadata), but not the Res.rwm file (which contains the file resources for the image). In order to secure the Res.rwm, you must create an ACL for the file. However we do not recommend this because if the permission sets differ for the files, a user could have permissions to view the .wim, but not the Res.rwm, and therefore the installation would fail.