Preventing PXE Boot on Servers and Other Critical Client Systems Using MACIgnoreListFile

Following on from my last post, here's another method you can implement to protect specific clients in your environment.


There is a documented but seemingly little-known setting in the registry of the PXE Service Point role in Configuration Manager. MACIgnoreListFile lets you supply a list of MAC addresses that will be explicitly rejected if they try to boot via PXE.

The setting is documented here: https://technet.microsoft.com/en-us/library/cc431378.aspx but I thought I would share this simple trick with you to further protect vital computers from accidental rebuilds.

For 32-bit servers, create a string value called MACIgnoreListFile at

HKLM\Software\Microsoft\SMS\PXE

For 64-bit servers, the value needs to be created under the WOW6432Node at

HKLM\Software\Wow6432Node\Microsoft\SMS\PXE

A small difference, but a crucial one if you want the setting to take effect.


Set the value to the full path of a text file that lists all the MACs you wish to protect.


Now restart the WDS service so that the MAC file is read in correctly. You will see the file being read in SMSPXE.log on the PXE Service Point.


It seems that you will need to restart the WDS service every time you make a change to the exclusion list.

You will also be able to see in SMSPXE.log any attempts by these excluded PCs to PXE boot.


The client itself will continue to retry, hence the multiple entries in the log file, before timing out and booting to the next available device.
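The whole procedure above (write the ignore list, create the MACIgnoreListFile value under the right key, restart WDS, then look in SMSPXE.log for the excluded clients retrying) can be scripted. The following is an added example written for this post, not a script from the original article or from Microsoft. It goes slightly beyond the post by validating and normalising the MAC addresses before writing them, so a typo cannot silently leave a server unprotected. Assumptions not stated on the page: the ignore file holds one colon-separated MAC per line, the WDS service name is WDSServer, the SMSPXE.log line for a rejected client contains that client's MAC address, and the two file paths and the sample MACs are constructed placeholders you will replace.

```powershell
# Added example (not the original post's code). Assumptions, in order of appearance:
#  - MAC ignore file format: one colon-separated MAC per line (assumed, not confirmed by the post)
#  - sample MACs and both paths are constructed placeholders
#  - WDS service name is 'WDSServer'
#  - SMSPXE.log lines for rejected clients contain the client's MAC (assumed)
param(
    [string[]]$ProtectedMacs = @('00:11:22:33:44:55', 'AA-BB-CC-DD-EE-FF'),  # constructed sample values
    [string]$ListPath        = 'C:\SMS\PXEIgnore.txt',                       # placeholder path
    [string]$SmsPxeLog       = 'C:\SMS_DP$\sms\logs\SMSPXE.log'              # placeholder path
)

# Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and emit the colon form.
function ConvertTo-CanonicalMac {
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Invalid MAC address: '$Mac'" }
    return ($hex -replace '(.{2})(?!$)', '$1:')
}

# Write the ignore list: validated, de-duplicated, one MAC per line.
function Write-MacIgnoreList {
    param([string[]]$Macs, [string]$Path)
    $canonical = $Macs | ForEach-Object { ConvertTo-CanonicalMac $_ } | Sort-Object -Unique
    Set-Content -Path $Path -Value $canonical -Encoding ASCII
    return $canonical
}

# 32-bit vs 64-bit key, exactly as the post describes.
function Get-PxeRegistryPath {
    if ([Environment]::Is64BitOperatingSystem) {
        return 'HKLM:\Software\Wow6432Node\Microsoft\SMS\PXE'
    }
    return 'HKLM:\Software\Microsoft\SMS\PXE'
}

# Create (or overwrite) the REG_SZ MACIgnoreListFile value pointing at the list.
function Set-MacIgnoreListFile {
    param([string]$Path)
    $key = Get-PxeRegistryPath
    if (-not (Test-Path $key)) {
        throw "PXE key not found at $key - is the PXE Service Point installed on this server?"
    }
    New-ItemProperty -Path $key -Name 'MACIgnoreListFile' -PropertyType String -Value $Path -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'MACIgnoreListFile').MACIgnoreListFile
}

# The post notes WDS must be restarted after every change to the list.
function Restart-WdsForPxe {
    Restart-Service -Name 'WDSServer' -Force
    return (Get-Service -Name 'WDSServer').Status
}

# Count SMSPXE.log lines mentioning each protected MAC; retrying clients show up as several hits.
function Get-IgnoredPxeAttempts {
    param([string[]]$Macs, [string]$LogPath)
    if (-not (Test-Path $LogPath)) { Write-Warning "Log not found: $LogPath"; return }
    foreach ($mac in $Macs) {
        $hits = Select-String -Path $LogPath -Pattern $mac -SimpleMatch
        [pscustomobject]@{ Mac = $mac; LogEntries = @($hits).Count }
    }
}

$macs = Write-MacIgnoreList -Macs $ProtectedMacs -Path $ListPath
Set-MacIgnoreListFile -Path $ListPath
Restart-WdsForPxe
Get-IgnoredPxeAttempts -Macs $macs -LogPath $SmsPxeLog | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the PXE Service Point after adjusting the three parameters. Keep the ignore file somewhere only administrators can write, since anyone who can edit it can remove a server's protection, and re-run the script (or at least the WDS restart) whenever the list changes.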


Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

This post was contributed by Rob York, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.