Deployment, PowerShell, Scripting, Sharepoint, SharePoint2010, Tips & Tricks
Leave a comment

Blocking SharePoint 2010 installs on unauthorized computers

SharePoint 2010 provides the ability to lock down, track, and even block random installations of Microsoft SharePoint Server 2010. The SharePoint 2010 setup wizard is designed to check for a registry key on the local system and block the install. If you want to block unauthorized SharePoint 2010 installs in your organization, you can setup the following registry key on all unauthorized computers.

HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\ SharePoint\DisableInstall (DWORD): 1 

This will ensure that setup.exe is blocked on the computer. You can use domain group policy to add this registry setting to all computers. If you want to do this using PowerShell, you will require Group Policy PowerShell cmdlets. The following steps will show you how to do that. 

The above commands will first import the Group Policy cmdlets and then use Set-GPRegistryValue cmdlet to include the new registry setting. Since we changed the default domain policy iteself, it will now apply to all the systems in the domain. Once this setting is applied, if you try to run SharePoint 2010 setup.exe, you will see a message as shown here.

Blocked SharePoint install

Blocked SharePoint install

Now, there are several ways to unblock a computer from this group policy to deploy SharePoint 2010 on it. For smaller number of computers, you can just create a WMI filter to filter to all the computer names and assign that filter to GPO. Something similar to what is shown in the below screenshot. 

WMI Filter

WMI Filter

In the above example, I wanted to unblock (or not apply the registry key) SharePoint 2010 install on computer named WFE3. So, before GPO starts applying the settings to a target computer, it will first evaluate the given WMI query and applies the settings only if the query evaluates to true. Since I am cheking for computer name “not equals” WFE3, this will return false on a computer named WFE3. This is probably the easiest way to exclude computers from a GPO. But, if the number of servers is large, you can create a separate OU and place all the authorized computers in that OU where the domain group policy is not applied.

This is it for today. I will talk about how to track SharePoint 2010 installs in an enterprise using active directory and PowerShell in the next post. Stay tuned.!

Filed under: Deployment, PowerShell, Scripting, Sharepoint, SharePoint2010, Tips & Tricks


Ravikanth is a principal engineer and the lead architect for Microsoft and VMware virtualized and hybrid cloud solutions within the Infrastructure Solutions Group at Dell EMC. He is a multi-year recipient of Microsoft Most Valuable Professional (MVP) award in Windows PowerShell (CDM) and Microsoft Azure. Ravikanth is the author of Windows PowerShell Desired State Configuration Revealed (Apress) and leads Bangalore PowerShell and Bangalore IT Pro user groups. He can be seen speaking regularly at local user group events and conferences in India and abroad.