Nice to know: – Blocking OS install on unsupported models in Microsoft Deployment Toolkit (MDT)

A customer asked me:

– Is it possible to block an attempt to upgrade, refresh or install the Operating System if that model is not “certified?

– Yes, we can set the OSinstall property to N based on model, that will block any attempt

– But that will block that model from running any Task Sequence? That is not what I want…

Well, that is correct, so I needed a way to block that particular model on that particular Task Sequence, so I  would like something a bit more sophisticated, something like this:

For task sequence “Windows 7 Enterprise x86 – Basic” the following models are supported and for the task sequence “Windows Server 2008 R2 – Basic” the following models are supported (or something like that)  and here is how you do it:

(This has been tested on MDT 2010, MDT2010 update 1 and MDT2012)

Create a new group in your task sequence

  • Open up your deployment workbench
  • Open your task sequence
  • Add a new group called “Certified Hardware”

Like this:


Setting condition on the group

  • Select the group Certified Hardware
  • Select Options for that group
  • Add the following condition:

Task sequence variable “Model not equals HP ProBook 5310m” (if that is the model that you support for this Task sequence)

Like this:


Adding the “blocker”

  • Select the group
  • Add a “Set Task Sequence Variable”
  • Task Sequence Variable = OSInstall
  • Value = N

Like this:


Adding script that will write in the log and display “why” the OS install failed

Without this step it will just display a “failed”, but maybe, just maybe you would like to have it a bit more sophisticated. So let us add a script

The script should go into the Scripts folder and you can download it from my SkyDrive

  • Download it
  • Extract it
  • Save it in the scripts folder
  • Add a run command before the Set Task Sequence Variable
  • Use this command : cscript.exe “%SCRIPTROOT%\ZTIUnSupportedHardware.wsf”

It should look like this:


Let us take a look in the BDD.log file

Here is how it looks in BDD.log


Next step

With this in place you can prohibit installations of Domain Controllers on Laptops, Hyper-V servers on Virtual Machines and people trying to refresh a Machine from XP to XP even if you have NO device drivers for that model, my guess is that this will solve a couple of “Ops, sorry”

If you want to you can add scripts and other logic to this, things that automatically runs a scripts that will collect the hardware information to a log so that you then can figure out what drivers are needed or something like that, or you could add the “Send Email” script so it will send an email to you saying that some “schmuck” tried to do something bad. You could also add the userexit script for ModelAlias and use that. You could also add other conditions, like Firmware, certain kind of hardware and so on. It would be for example possible to run a Web Services that checks if this computer is correctly added into the asset management database or something like that.

Yes, you can also use CustomSettings.ini to perform similar

And here is a couple of samples of that:

Sample No:1 – Blocking on Model

Here is the “easy” way, the only downside with this one is that it will only block based on Model and that could be perfectly ok in many situations.

Priority=Model, Default


[HP ProBook 5310m]


[Virtual Machine]

Sample No:2 – Blocking on Model + Task Sequence:

In this sample we create one property and two priority blocks. If we run this WHEN the task Sequence is known (That means that you need to re-run the gather process with “process rules”, ZTIGather will set the model + Task Sequence ID in to the property Model_TS in the [Init] section, it will then process the [CertifiedHardware] section and the use the Subsection to continue to the section that matches the Model+Task Sequence ID, in this case since my machine is a VM running on Hyper-V it will be “Virtual Machine” and if the Task Sequence is W7X64 it will process the [Virtual Machine_W7X64] section and OSinstall property will be set to Y.

Priority=Init, CertifiedHardware, Default
Properties=MyCustomProperty, Model_TS




[Virtual Machine_W7X64]

More tips…

You can of course block OS install temporary, during maintenance could be a valid scenario. A good friend (And fellow MVP) Maik Koster created a solution for that (I tricked him into it) and you can read a bit more about it here.

And here are some more discussions on how to pick the info from the Database:

/mike aka the Deployment Bunny

2 replies »

  1. Almost missed the note on using just cs.ini, would be nice to have a screenshot of the blocking all sequences option using cs.ini as well.

    / Johan

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.