You can restrict which install images are shown to users. These restrictions can be policy-based or enforced by the computer.

Automatic Filtering by Windows Deployment Services

Windows Deployment Services filters the images in the image selection page to avoid situations where a user is allowed to install an image that is not compatible. Images are filtered by hardware abstraction layer (HAL) and architecture.

For Windows Vista or Windows Server 2008 images, HAL filtering is not necessary because the image contains all possible HALs (and the correct HAL is detected and put in place automatically upon first boot). If the image is of an older operating system, Windows Deployment Services will compare the HAL type (as specified in the metadata for the .wim file) to that of the destination computer. If the HAL types are identical, the image will be shown to the user. If the HAL types do not match, the image will not be displayed. The HAL information about the image is stored in the image metadata in the <HAL> section of the .wim file.

Architecture filtering works as follows. For x86-based computers, you use only x86-based boot images and x86-based install images. The images that are applicable to that architecture will be filtered automatically. In Windows Server 2008, however, there is new functionality that controls how images are filtered to users on x64-based computers. When you boot into the Boot.wim file that is included on the x86 version of Windows Server 2008 media from an x64-based computer, you will be able to choose from both x86-based and x64-based install images. However, if you boot into an x64-based Boot.wim file from the same computer, only x64-based boot images will be displayed.

Filtering Images Manually

You can specify permissions to allow only certain users rights to see a particular install image. To set permissions, right-click the image (either in the MMC snap-in or in the RemoteInstall folder), and then click Properties. It is not possible to specify permissions for different users for images within the same image group. For example, if you have two images, ImageA and ImageB, and you would like User1 to have access to ImageA and User2 to have access to ImageB, you must have each image stored in a separate .wim file.

Note that setting these permissions sets the permissions on the .wim file (which contains only metadata), but not the Res.rwm file (which contains the file resources for the image). In order to secure the Res.rwm, you must create an ACL for the file. However we do not recommend this because if the permission sets differ for the files, a user could have permissions to view the .wim, but not the Res.rwm, and therefore the installation would fail.