Windows 7 Deployment Procedures in 802.1X
Wired Networks
Lite Touch and Zero Touch
03.03.2010
Version 0.1 Draft
Prepared by
David Marín Hebra
Consultant
THE PROCEDURES DESCRIBED IN THIS DOCUMENT ARE CURRENTLY UNSUPPORTED BY MICROSOFT, AND ARE THE RESULT OF WORK
COMPLETED SOLELY AND EXCLUSIVELY BY THE AUTHOR. PLEASE DO NOT CONTACT MICROSOFT SUPPORT FOR ANY HELP WHATSOEVER
REGARDING THE CONTENT DETAILED HERE AS THEY WILL BE UNABLE TO ASSIST YOU IN ANY WAY.
Windows 7 Deployment Procedures in 802.1X Wired Networks, Lite Touch and Zero Touch Deployments, Version 0.1 Draft
Prepared by David Marín Hebra
"Windows 7 Deployment Procedures in 802 1X Wired Networks.docx", last modified 3 Mar. 10, Rev 121
Revisions and Signatures
Registry of Changes
Date         Author         Version     Reference
02/03/2010   David Marín    0.1 Draft   Initial Version
Reviewers
Name         Approved       Version     Position    Date
Table of Contents
1 Introduction
2 Procedures
2.1 WinPE Phase
2.1.1 Requirements
2.1.2 Procedure
2.1.3 Integration in Lite Touch Deployment (MDT)
2.1.4 Integration in Zero Touch Deployment (SCCM + MDT)
2.2 Windows 7 Phase
2.2.1 Procedure
2.2.2 Integration in Lite Touch Deployment (MDT)
2.2.3 Integration in Zero Touch Deployment (SCCM + MDT)
1 Introduction
Traditionally, Microsoft operating system deployment has always had a very important blocker:
installation across 802.1x wired networks. Consequently, in any company that used a wired 802.1x
network it has never been possible to deploy desktops from Distribution Points with the old BDD
“Business Desktop Deployment” or the new MDT “Microsoft Deployment Toolkit” (Lite Touch).
Neither was it possible from an SMS 2003 or SCCM 2007 infrastructure (Zero Touch).
The only solution was based on implementing network segments not secured by 802.1x
authentication, in which the desktops were first deployed and then moved to their final 802.1x
VLANs. Customers really didn’t like this approach and didn’t consider it an acceptable
workaround.
The principal cause of this problem has always been that WinPE never offered support for 802.1x
authentication, consequently complicating any deployment projects. However, in December of
2009, the WinPE product group developed and published the necessary add-ins for versions 2.1 and
3.0 of WinPE; available here:
WinPE 2.1: http://support.microsoft.com/kb/975483
WinPE 3.0: http://support.microsoft.com/kb/972831
I have personally been waiting for this support for years, in order to be able to help large companies
with their operating system deployment projects, which were until now on hold because of this
problem. So, when the support engineers emailed me the other day to notify me of the release of
these hotfixes, they made my life… professionally, anyway
However, it was not all roses. The problem I next encountered was that I soon realized that, in order
to make it play nicely, the process was rather more complex than I originally thought. It took a large
effort on my part through all the testing and debugging. As a consequence, I want to share with
everyone the required steps in order to take the pain out of the implementation. This document
describes all the required steps for implementation, for both LiteTouch (LTI) and ZeroTouch (ZTI)
with SCCM.
2 Procedures
As an introduction, I’ll start by explaining that in order for the client computers to be able to connect
to an 802.1x network, they need to authenticate themselves in one of two ways:
o User based: a user name and password are required.
o Machine based: a machine certificate is necessary; typically this is received when the
computer joins the domain.
Following on from this, the problem of automatically deploying a computer to an 802.1x network
and subsequently into a domain can be divided into two parts:
o WinPE phase: First, we need WinPE to launch the deployment and process the first part of
the MDT or SCCM OSD task sequence (for example: create and format partitions, install the
operating system image file, etc.). WinPE needs to authenticate itself on the network
(normally receiving an IP address from DHCP in the process). Because WinPE cannot belong to an
Active Directory domain, this part of the process requires user-based authentication using
the valid credentials of a domain user.
o Windows 7 phase: Once WinPE has been granted access to the network and the operating system
image has been installed, the next step of the deployment is the first boot of Windows 7.
Once booted, the MDT or SCCM task sequence is initialized on Windows 7 in order to continue
with the deployment process. However, this phase can only continue if the operating system
is granted access to the 802.1x network, so that Windows 7 can connect to the MDT or SCCM
servers.
Normally, in these cases, in order to obtain access to the wired network and be able to join
the computer to the domain, the computer first needs to configure itself to use user-based
authentication, providing a valid domain username and password (normally a pop-up
window appears requesting the credentials manually). Afterwards, once joined to the domain,
the computer receives the necessary certificates and configuration so that the
authentication mode can be switched automatically to machine-based, using certificates.
The fundamental task here is to configure the user-based authentication automatically by
providing the necessary credentials at boot of Windows 7, before any deployment task in the
task sequence is run.
2.1 WinPE Phase
In this section, I’ll explain first the requirements and then the steps needed to configure WinPE 3.0
with 802.1x support.
2.1.1 Requirements
1. The initial step is to obtain the relevant hotfix that provides the 802.1x support for WinPE
from the Microsoft website. For this exercise, we need the file “Windows6.1-KB972831-x86.cab”.
2. The next step is to configure an already installed Windows 7 computer to have access to the
802.1x network, using the user-based authentication that you want to use with WinPE. The
network administrator can provide the necessary information; an example is shown below:
3. Following on, the authentication profile needs to be exported to an XML file. For this, you
use the following netsh command:
a. netsh lan export profile folder=D:\8021XUser interface="Local Area Connection"
This will create the file “D:\8021XUser\Local Area Connection.xml” that contains the 802.1x
user-based authentication profile.
4. For the above example, two certificates are also required from the Root Certificate Authority
(CA). As shown in the earlier screenshots:
a. “CATest1.cer”
b. “CATest2.cer”
5. Valid domain user credentials are now required. For example:
a. Domain: Contoso
b. User: User8021X
c. Password: Password8021X
6. Below, you’ll see the contents of an XML file. You need to take this text, paste it into
Notepad, and save it as “Wired-WinPE-UserData-PEAP-MSChapv2.xml”. In this file, you will
need to place the above credentials.
Note: It is important that you understand the security implications of placing the credentials
of a valid Active Directory user account in this XML file, which is ultimately available for
anyone to read (assuming that they know where to look). The necessary measures should be
taken to ensure that security is maintained.
The contents of the file will be similar to what is shown next:
<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials"
    xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon"
    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <!-- EAP type 25 = PEAP (outer method) -->
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
      xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1"
      xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <!-- outer (routing) identity sent in the clear before the TLS tunnel is up -->
        <MsPeap:RoutingIdentity>Contoso\User8021X</MsPeap:RoutingIdentity>
        <!-- EAP type 26 = EAP-MSCHAPv2 (inner method, carries the real credentials) -->
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>User8021X</MsChapV2:Username>
            <MsChapV2:Password>Password8021X</MsChapV2:Password>
            <MsChapV2:LogonDomain>Contoso</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>
7. From a Windows 7 machine with the same architecture as the WinPE that is going to be
built (x86 or amd64), copy the following Certutil utility files:
a. C:\Windows\System32\Certutil.exe
b. C:\Windows\System32\en-US\Certutil.exe.mui
8. Finally it is necessary to use a machine with the “Microsoft Windows AIK v2.0” installed.
2.1.2 Procedure
2.1.2.1 Offline Part (WinPE WIM)
On the machine with the WAIK 2.0 installed, generate a WinPE instance, or use an already generated
WinPE. Follow these steps:
1. Mount the WinPE WIM file to a folder on the file system so that the 802.1x Hotfix can be
applied to the image. Typically the following commands are used from the WAIK command
prompt:
a. dism /mount-wim /WimFile:C:\CustomPEx86\winpe.wim /index:1 /mountdir:c:\mount
b. dism /image:C:\mount /add-package /PackagePath:"F:\802.1X\Fix\Windows6.1-KB972831-x86.cab"
2. Following on, the Certutil utility files need to be copied to their corresponding folders in the
mounted image:
a. Certutil.exe c:\mount\Windows\System32
b. Certutil.exe.mui c:\mount\Windows\en-US
3. A new folder (for instance “c:\mount\8021x”) should be created in the root of the WinPE
image, where the necessary files for the 802.1x functionality need to be copied. These are:
a. Root CA Certificates “CATest1.cer” and “CATest2.cer”
b. 802.1x user-based authentication profile file “Local Area Connection.xml”
c. XML file which contains the 802.1x user-based authentication profile credentials
“Wired-WinPE-UserData-PEAP-MSChapv2.xml”
4. Finally the WinPE WIM file should be unmounted, committing the changes:
a. dism /unmount-wim /MountDir:C:\mount /commit
2.1.2.2 Online Part (Already Booted WinPE)
A test machine should now be used, which you need to boot into WinPE with the image file that you
just modified. Once booted, enter the following commands into the command prompt window that
automatically opens. These steps will configure the user-based authentication.
1. Start the service “Wired AUTOCONFIG (DOT3SVC) Service”. This service is absolutely
necessary for IEEE 802.1x authentication. Strangely, in WinPE 3.0 and Windows 7 this
service has a startup type of MANUAL instead of AUTOMATIC.
a. net start dot3svc
2. The next step is to import the necessary Root CA Certificates:
a. x:\windows\system32\certutil.exe -addstore root x:\8021x\CATest1.cer
b. x:\windows\system32\certutil.exe -addstore root x:\8021x\CATest2.cer
3. Now it is the time to import the 802.1x user-based authentication profile:
a. netsh lan add profile filename="X:\8021x\Local Area Connection.xml" interface="Local Area Connection"
4. Afterwards the XML file which contains the 802.1x user-based authentication profile
credentials should be imported:
a. netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
5. After all the previous steps are completed, the 802.1x user-based authentication should
have been successfully established, and an IP address should have been obtained from a DHCP
server. You can double-check this with the following command:
a. Ipconfig /renew
Obviously, once you have tested the successful 802.1x user-based authentication process, it would be
advisable to build a script in order to automate all the steps that have just been detailed. Once
automated, the user-based 802.1x authentication process must be integrated into the WinPE boot
processes implemented by MDT (Lite Touch Deployment) and SCCM + MDT (Zero Touch
Deployment).
2.1.3 Integration in Lite Touch Deployment (MDT)
There are several different ways of adding custom commands to the Boot Process of WinPE. First,
I’ll explain how to do it for MDT Lite Touch:
The file “x:\Windows\System32\Winpeshl.ini” controls the WinPE boot process. By default,
it contains the following lines:
In Lite Touch Deployments the executable “BDDRun.exe” is the one that launches the set of
actions that occur in WinPE during the deployment process. BDDRun.exe will initialize
WinPE and after that it will execute synchronously the commands that appear in the file
“X:\Unattend.xml”. This file by default contains:
As a result, the script “X:\Deploy\Scripts\Litetouch.wsf” is launched, and with it the
Deployment Wizard and the deployment task sequence are also run.
Therefore, if we want to follow the same philosophy as the default WinPE boot process for MDT Lite
Touch deployments, in order to add a script that launches all the steps described previously in this
document to configure the 802.1X user authentication (assuming that this script is called
“X:\8021x\Configure8021XUser.wsf”) just before the execution of the deployment wizard and
global process, you need to change the “X:\Unattend.xml” file as shown below:
2.1.4 Integration in Zero Touch Deployment (SCCM + MDT)
As mentioned earlier, there are different ways to include custom commands in the WinPE boot
process. Let’s now look at the default WinPE boot process in Zero Touch Deployments (SCCM +
MDT):
For SCCM, the file “x:\Windows\System32\Winpeshl.ini”, controls the boot process:
So the first process launched in WinPE will be “TSBootShell.exe”, which will initialize WinPE
and start the Deployment Process, calling in turn other executables from folder
“X:\sms\bin\i386”. From that moment on it is not easy to follow the process flow in WinPE
because we have several executables calling each other to complete the Deployment task
sequence.
Hence, if we want to follow the same philosophy as the default WinPE boot process for Zero Touch
(SCCM + MDT) deployments, in order to add a script that launches all the steps described previously
in this document to achieve the 802.1X user authentication (assuming that the script is called
“X:\8021x\Configure8021XUser.wsf”), just before the execution of the global deployment process
you need to change the “x:\Windows\System32\Winpeshl.ini” file as shown below:
NOTES:
o You can see that the first process to be launched will be “WPEInit.exe”, in order to initialize
the WinPE network subsystem. After that comes the 802.1x authentication script. In the last
step, control is given to “TSBootShell” to carry out the deployment process.
o It is important to understand the syntax of the commands in this file. The executable and its
parameters are all on one line, separated by commas (“,”):
o %SYSTEMDRIVE%\Windows\System32\wscript.exe, %SYSTEMDRIVE%\8021X\CUSTOM_WinPEConfigure8021X.wsf
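As an added example, not a file taken from the document or from an SCCM boot image, this is what the modified Winpeshl.ini described in the notes above looks like in that file’s [LaunchApps] syntax: WPEInit first, then the 802.1x script launched through wscript.exe exactly as the note spells it, then TSBootShell. The script name is the one the note uses (the document earlier calls the same script Configure8021XUser.wsf), and the TSBootShell path is an assumption built from the “X:\sms\bin\i386” folder mentioned above; compare it with the default Winpeshl.ini in your own boot image before editing.

```ini
[LaunchApps]
%SYSTEMDRIVE%\Windows\System32\wpeinit.exe
%SYSTEMDRIVE%\Windows\System32\wscript.exe, %SYSTEMDRIVE%\8021X\CUSTOM_WinPEConfigure8021X.wsf
%SYSTEMDRIVE%\sms\bin\i386\TSBootShell.exe
```

The entries run one after another, so a script that blocks (for example, by waiting on a dialog) stalls the whole deployment; the authentication script should exit on its own, with a non-zero code, when a step fails. wscript.exe has to be present in the boot image (the WinPE scripting package), which the MDT and SCCM boot images normally include.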
2.2 Windows 7 Phase
Once the Windows 7 operating system image has been installed on the computer, it will boot. At
this point it’s necessary for it to be granted access on the 802.1x network in order to launch and
continue with the deployment task sequence in MDT or SCCM + MDT.
Due to the fact that it doesn’t belong to the domain yet, authentication will first be user-based so
that the computer can connect to the MDT or SCCM server in order to continue with the task
sequence. In this task sequence, you need to add an additional task so that, once the computer is in
the domain, the authentication mode can be switched to machine-based. This can be achieved using
an Active Directory GPO, or directly via a task in the task sequence (importing an authentication
profile that was previously exported from a reference machine).
2.2.1 Procedure
The content of the folder that was added to the earlier modified WinPE image (“X:\8021x”) is
needed. This folder contains the necessary files for the 802.1X authentication. These are:
1. Root CA Certificates “CATest1.cer” and “CATest2.cer”
2. 802.1x user-based authentication profile file “Local Area Connection.xml”
3. XML file which contains the 802.1x user-based authentication profile credentials
“Wired-WinPE-UserData-PEAP-MSChapv2.xml”
You will need to add a task to the task sequence so that this folder is copied from the X: drive to the
local C: drive. This task should be actioned in the WinPE phase once the operating system image is
applied, and before the computer restarts. The folder could be copied to a temporary location, such
as “C:\Windows\Temp\8021x”.
Once all the files are available, the user-based authentication process in Windows 7 will be quite
similar to the one in WinPE (Online Part):
1. First of all, the service “Wired AUTOCONFIG (DOT3SVC) Service” will be started. A sample
command would be:
a. net start dot3svc
NOTE: It is highly recommended to change the startup type of this service from MANUAL to
AUTOMATIC, using a VBS script or any other mechanism.
2. The next step will be to import the necessary Root CA Certificates:
a. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest1.cer
b. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest2.cer
NOTE: The CertUtil utility is part of Windows 7. If you prefer, these Root CA Certificates
could also be included as part of the Windows 7 corporate Image.
3. Afterwards the 802.1x user-based authentication profile needs to be imported:
a. netsh lan add profile filename="C:\Windows\Temp\8021X\Local Area Connection.xml" interface="Local Area Connection"
4. Afterwards the XML file which contains the 802.1x user-based authentication profile
credentials needs to be imported:
a. netsh lan set eapuserdata filename=C:\Windows\Temp\8021X\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
VERY IMPORTANT NOTE: At this point (step 4) I should point out that Microsoft client operating
systems (Windows 7, Windows Vista, Windows XP) do not support this method of importing
802.1x credentials out of the box. The normal behavior is that, once the user-based
authentication profile is configured, a popup window appears asking for credentials.
However, a new hotfix for Windows 7 has been developed that allows this method of
importing the 802.1x user-based authentication profile credentials. More information is in
this article:
o You cannot connect to an 802.1x wired network when you run an automated build
process: http://support.microsoft.com/kb/976210
In conclusion, it is absolutely necessary that the reference Windows 7 image (WIM)
that will be deployed to computers includes this hotfix, which allows the execution
of the command in step 4.
5. After all these previous steps, the 802.1x user-based authentication should have been
successfully configured, and it should have been possible to get an IP address from a DHCP
server. A sample command to check this would be:
a. Ipconfig /renew
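The following Windows Script File is an added example, not the author’s Configure8021XUser.wsf, that automates the five online steps just described for the Windows 7 phase (section 2.2.1) and, because the steps are the same apart from the folder, the WinPE online part in section 2.1.2.2 as well. The certificate, profile and user-data file names and the interface name “Local Area Connection” are the ones used in the document’s example; the folder argument, the log file, and the exit-code handling are my own assumptions. It stops at the first failing command so that the task sequence is not started without network access.

```vbscript
<?xml version="1.0" encoding="utf-8"?>
<job id="Configure8021XUser">
<script language="VBScript">
<![CDATA[
' Configure8021XUser.wsf (added example). The folder holding the 802.1x files is the
' first argument, so the same script serves both phases of the document:
'   wscript.exe X:\8021x\Configure8021XUser.wsf X:\8021x
'   wscript.exe C:\Windows\Temp\8021X\Configure8021XUser.wsf C:\Windows\Temp\8021X
' Without an argument it uses %SYSTEMDRIVE%\8021x, the WinPE layout.
Option Explicit

' Names taken from the document's example (assumptions for any other environment).
Const INTERFACE_NAME = "Local Area Connection"
Const PROFILE_FILE   = "Local Area Connection.xml"
Const USERDATA_FILE  = "Wired-WinPE-UserData-PEAP-MSChapv2.xml"

Dim shell, fso, folder, certutil, logFile, rc, name
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count > 0 Then
    folder = WScript.Arguments(0)
Else
    folder = shell.ExpandEnvironmentStrings("%SYSTEMDRIVE%") & "\8021x"
End If
If Not fso.FolderExists(folder) Then WScript.Quit 2

' Log to a file: under wscript.exe a WScript.Echo would open a blocking message box.
Set logFile = fso.OpenTextFile(folder & "\Configure8021XUser.log", 8, True)   ' 8 = ForAppending
certutil = shell.ExpandEnvironmentStrings("%SYSTEMROOT%") & "\System32\certutil.exe"

Sub LogLine(msg)
    logFile.WriteLine Now & "  " & msg
End Sub

' Wrap a path in double quotes for the command line.
Function Q(path)
    Q = """" & path & """"
End Function

' Run an executable hidden, wait for it, log and return its exit code.
' Only file names reach the log; the password stays inside the user-data XML.
Function RunLogged(cmd)
    Dim code
    code = shell.Run(cmd, 0, True)
    LogLine "exit " & code & ": " & cmd
    RunLogged = code
End Function

' Abort on the first failure so the deployment does not continue without network.
Sub CheckOrQuit(code)
    If code <> 0 Then
        LogLine "aborting"
        logFile.Close
        WScript.Quit code
    End If
End Sub

' Refuse to run if any input file is missing; a partial import is worse than none.
For Each name In Array("CATest1.cer", "CATest2.cer", PROFILE_FILE, USERDATA_FILE)
    If Not fso.FileExists(folder & "\" & name) Then
        LogLine "missing file: " & folder & "\" & name
        CheckOrQuit 2
    End If
Next

' 1. Wired AutoConfig is MANUAL by default in WinPE 3.0 and Windows 7, so start it.
'    net.exe returns 2 when the service is already running, which is fine here.
rc = RunLogged("net start dot3svc")
If rc <> 2 Then CheckOrQuit rc

' 2. Import the Root CA certificates that the PEAP server certificate chains to.
For Each name In Array("CATest1.cer", "CATest2.cer")
    CheckOrQuit RunLogged(Q(certutil) & " -addstore root " & Q(folder & "\" & name))
Next

' 3. Import the user-based wired profile exported from the reference machine.
CheckOrQuit RunLogged("netsh lan add profile filename=" & Q(folder & "\" & PROFILE_FILE) & _
                      " interface=" & Q(INTERFACE_NAME))

' 4. Import the PEAP/MSCHAPv2 credentials for all users (on Windows 7 this needs KB976210).
CheckOrQuit RunLogged("netsh lan set eapuserdata filename=" & Q(folder & "\" & USERDATA_FILE) & _
                      " allusers=yes interface=" & Q(INTERFACE_NAME))

' 5. Renew the lease; a non-zero exit here means the authentication did not succeed.
CheckOrQuit RunLogged("ipconfig /renew")
LogLine "802.1x user-based authentication configured"
logFile.Close
]]>
</script>
</job>
```

The script only configures the authentication; it deliberately leaves the credentials XML where it found it, so the cleanup task the document calls for at the end of the deployment still has to delete the folder. The interface name must match the name of the wired adapter on the machine being deployed, which can differ from the reference machine; a mismatch makes steps 3 and 4 fail and the script stops there with the netsh exit code in the log.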
As before, once you have tested this part, you can automate it with a script and include it in the task
sequence for integration with MDT (Lite Touch) and SCCM + MDT (Zero Touch).
2.2.2 Integration in Lite Touch Deployment (MDT)
The first step is to copy the folder X:\8021x from WinPE to a temporary location on the C: drive of the
computer, for example: C:\Windows\Temp\8021x. This step must be launched once the operating
system has been applied, and before the computer reboots. Below, you can see an example of
how I have achieved this. The task “Copy Files 802.1X” runs a script that copies the
folder:
The 802.1x user-based authentication should occur before launching the task sequence. In MDT
LiteTouch the task sequence is continued once the autologon happens, as configured in the
Unattend.xml file. The exact step where this auto-start of the task sequence is configured is in the
node “oobeSystem” \ “Microsoft-Windows-Shell-Setup”. For example:
If we follow the same philosophy as before, in order to introduce a new step, we need to add our
own script here. Assuming that the script is called
“C:\Windows\Temp\8021X\Configure8021XUser.wsf”, an example is shown below:
You should remember to include in the task sequence an additional task that deletes this folder once
the deployment completes. This is important because the XML file that is saved there contains the
credentials of a valid Active Directory user account.
2.2.3 Integration in Zero Touch Deployment (SCCM + MDT)
As before, the first step is to copy the folder X:\8021x that WinPE contains to the temporary
location, for example “c:\Windows\Temp\8021X”. This step must be launched once the operating
system has been applied, and before the computer reboots. For this, I have used the task “Copy
Files 802.1X” as shown below:
The user-based 802.1x authentication should occur before any task sequence is launched. In SCCM +
MDT the task sequence is launched in the background, before any logon window is even presented
on the desktop. Because of this, using the steps detailed previously (the node oobeSystem
\ Microsoft-Windows-Shell-Setup \ FirstLogonCommands) will not work. Instead, your
configuration script should be placed here:
“<settings pass="specialize"> \ <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> \ <RunSynchronous>”
Once completed, assuming that the script is called
“C:\Windows\Temp\8021X\Configure8021XUser.wsf”, the Unattend.xml file will look like the one
shown below:
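As an added example, not the document’s own Unattend.xml, the following skeleton shows the two insertion points described in sections 2.2.2 and 2.2.3 side by side: the oobeSystem FirstLogonCommands entry for Lite Touch and the specialize RunSynchronous entry for Zero Touch. Only the settings pass that applies to your deployment type goes into the real file. The script path and folder are the document’s assumed “C:\Windows\Temp\8021X\Configure8021XUser.wsf”, the folder argument follows my own script convention, and the existing MDT entry (LTIBootstrap.vbs) is reproduced as I recall it from an MDT-generated Unattend.xml, so verify it against your own file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <!-- Lite Touch (section 2.2.2): the script runs at the first auto-logon, before the
       entry MDT already has here; that entry is renumbered so the 802.1x step is Order 1. -->
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>Configure 802.1X user-based authentication</Description>
          <CommandLine>wscript.exe C:\Windows\Temp\8021X\Configure8021XUser.wsf C:\Windows\Temp\8021X</CommandLine>
        </SynchronousCommand>
        <!-- MDT's own entry that resumes the task sequence (assumed; copy yours as generated). -->
        <SynchronousCommand wcm:action="add">
          <Order>2</Order>
          <Description>Lite Touch new OS</Description>
          <CommandLine>wscript.exe %SystemDrive%\LTIBootstrap.vbs</CommandLine>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>

  <!-- Zero Touch (section 2.2.3): the task sequence resumes before any logon, so the
       script goes into the specialize pass instead. Keep its Order below the entries
       SCCM already places here, renumbering them if necessary. -->
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>Configure 802.1X user-based authentication</Description>
          <Path>wscript.exe C:\Windows\Temp\8021X\Configure8021XUser.wsf C:\Windows\Temp\8021X</Path>
          <WillReboot>Never</WillReboot>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>
```

In both cases the folder must already be on the C: drive, which is what the “Copy Files 802.1X” task in the WinPE phase is for. Order values within one list must be unique, so whatever command is already first in your generated file has to move down. The FirstLogonCommands entry runs under the auto-logon account, while the specialize entry runs in the system context before any logon; both are able to run the netsh and certutil commands the script needs.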
You should remember to include in the task sequence an additional task that deletes this folder once
the deployment completes. This is important because the XML file that is saved there contains the
credentials of a valid Active Directory user account.