The Network Manager at Westminster School presents solutions to sticky problems...

Monday, 21 June 2010

SCCM, WinPE and 802.1x - The Director's Cut

I've been busy. After many months of asking questions I seem to have come up with a definitive 'working in all scenarios' guide to enabling 802.1x in WinPE and working with System Center Configuration Manager. It seems my previous post on this was a little premature, but it provided a testing ground for the technology.

So the problems that occurred following my last post were:

  • 802.1x authentication only happened at the initial boot, and subsequent reboots failed to authenticate. This was because the TSBootshell.ini file was only run when the task sequence was first started, not when a task sequence was continued.
  • Changing the WIM file after updating the package resulted in a package hash mismatch (the hash is calculated when SCCM updates the package, not when the DPs are refreshed). This meant the image could only be used for the initial boot and failed whenever the image had to be downloaded (either from within Windows or when switching architecture).
While 802.1x worked, there were obvious flaws. With a bit more poking at the TechNet forums I managed to overcome these, so this post is not all my own knowledge and work; there are other people in the background proving each point.

I explained in my last post why certain files are needed, so please read this as I will shorten this post by not rewriting this information.

So here goes:

Stage 1 Prepare the files for WinPE
You will need to prepare two XML files (see this TechNet post for the XML content) for authentication purposes. I shall call them profile.xml for the LAN profile and uprofile.xml for the EAP host user credentials.
Prepare a file called TSConfig.ini that contains:

[CustomHook]
CommandLine="x:\Windows\system32\cscript.exe x:\windows\System32\8021x.vbs"



Prepare a file called 8021x.vbs that contains:

' Each command is run hidden (window style 0) and waited for (True) before the next one starts
Set objshell = CreateObject("Wscript.Shell")
Q = chr(34)
' Start the Wired AutoConfig service, which handles 802.1x on the LAN adapter
objshell.Run "%comspec% /c net start dot3svc", 0, True
objshell.Run "%comspec% /c netsh lan set autoconfig enabled=yes interface=" & Q & "Local Area Connection" & Q, 0, True
' Apply the LAN profile (EAP settings) and then the user credentials for it
objshell.Run "%comspec% /c netsh lan add profile filename=%systemdrive%\windows\system32\profile.xml interface=" & Q & "Local Area Connection" & Q, 0, True
objshell.Run "%comspec% /c netsh lan set eapuserdata filename=%systemdrive%\windows\system32\uprofile.xml allusers=yes interface=" & Q & "Local Area Connection" & Q, 0, True
objshell.Run "%comspec% /c netsh lan reconnect interface=" & Q & "Local Area Connection" & Q, 0, True
' The credentials file is no longer needed once consumed, so remove it
objshell.Run "%comspec% /c del %SYSTEMDRIVE%\windows\system32\uprofile.xml /Q", 0, True
...


I have added an additional script after this point to detect encrypted drives and ask the user to format them. There is a good reason for this. You are about to create a custom WinPE image. If the image is over 100 MB, and you have already used BitLocker on your machines, the usual size of the boot partition is just 100 MB. If the image needs to be downloaded to the PC (as happens when you switch architectures or initiate the rebuild from Control Panel), the sequence fails because of insufficient space. But you can add any other scripts at this point for your own purposes, and they will run before the task sequence starts.

Stage 2 Prepare the WinPE Image
Mount a vanilla WinPE image using DISM and add the packages in order (or they will fail):
  • winpe-scripting.cab
  • winpe-wmi.cab
  • winpe-wds-tools.cab
  • windows6.1-KB972831-x86.MSU (or the x64 version for a 64-bit WinPE)
Copy TSConfig.ini to the root of the mounted image. Copy the other three files (profile.xml, uprofile.xml and 8021x.vbs) to the Windows\System32 directory in the mounted image.

Commit the image and present it as the source for the boot image in the Configuration Manager console. Now you can update the image and it will work in all modes. TSConfig.ini contains a hook that is executed before any task sequence begins. Note that this runs before the policy is checked, but after any task media password.
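As an added example (not a script from the original post), the whole of Stage 2 as one batch file run from a Windows 7 WAIK deployment tools prompt; the WAIK install path, the working folders and the assumption that the four files and the hotfix MSU sit in one source folder are mine.

```batch
@echo off
setlocal
REM Constructed example: builds the custom 802.1x WinPE image of Stage 2 with DISM.
REM All paths below are assumptions; adjust ARCH to amd64 for a 64-bit image.
set ARCH=x86
set WAIK=C:\Program Files\Windows AIK\Tools\PETools
set PKGS=%WAIK%\%ARCH%\WinPE_FPs
set WORK=C:\WinPE8021x
set MOUNT=%WORK%\mount
set SRC=%WORK%\files
set WIM=%WORK%\winpe_%ARCH%.wim

REM Start from a vanilla WinPE image and mount it
copy /y "%WAIK%\%ARCH%\winpe.wim" "%WIM%" || goto :fail
mkdir "%MOUNT%" 2>nul
dism /Mount-Wim /WimFile:"%WIM%" /Index:1 /MountDir:"%MOUNT%" || goto :fail

REM The packages must go in in this order or the later ones fail to install
for %%P in (winpe-scripting.cab winpe-wmi.cab winpe-wds-tools.cab) do (
    dism /Image:"%MOUNT%" /Add-Package /PackagePath:"%PKGS%\%%P" || goto :fail
)
dism /Image:"%MOUNT%" /Add-Package /PackagePath:"%SRC%\windows6.1-KB972831-%ARCH%.msu" || goto :fail

REM Hook file goes in the image root; the script and both profiles into System32
copy /y "%SRC%\TSConfig.ini" "%MOUNT%\" || goto :fail
for %%F in (8021x.vbs profile.xml uprofile.xml) do (
    copy /y "%SRC%\%%F" "%MOUNT%\Windows\System32\" || goto :fail
)
REM uprofile.xml holds the 802.1x account's credentials; 8021x.vbs deletes it after
REM use, so check it is really in the image before committing
if not exist "%MOUNT%\Windows\System32\uprofile.xml" goto :fail

dism /Unmount-Wim /MountDir:"%MOUNT%" /Commit || goto :fail
echo Image ready: %WIM% (use it as the boot image source in the ConfigMgr console)
exit /b 0

:fail
echo Build failed, discarding changes to the mounted image
dism /Unmount-Wim /MountDir:"%MOUNT%" /Discard
exit /b 1
```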

Stage 3 Prepare the Windows images
Windows also needs to authenticate in the first stages of installation or the build will fail, so all of the following needs to be done in Windows before you capture your reference image for SCCM:
  • Set the dot3svc (Wired Autoconfig) Service to Automatic
  • Copy the profile.xml, uprofile.xml and 8021x.vbs files (as above) to Windows\System32
  • Install the Windows 7 hotfix KB976210
After these are done, you can then capture an image for use with SCCM.

Stage 4 Amend the custom settings
If you followed the MS guidelines when adding MDT 2010 to SCCM, you will have task sequences that refer to a Custom Settings package. Locate the source files for this package and amend the Unattend.xml.

Locate the section "Microsoft-Windows-Deployment" and note that there are three commands under its RunSynchronous subsection. Add a fourth as follows:

<RunSynchronousCommand wcm:action="add">
  <Description>Configure 802.1x</Description>
  <Order>4</Order>
  <Path>cscript.exe c:\windows\system32\8021x.vbs</Path>
</RunSynchronousCommand>


The way it works:
Booting from PXE downloads the boot image. Before the task sequence runs, WinPE looks for a file called TSConfig.ini in the root of the WinPE image and executes any CommandLine entries it finds in the [CustomHook] section. This runs the scripts needed to initiate an 802.1x connection with the user name and password held in the profile.xml and uprofile.xml files. (We set up an account for this connection that can be enabled as and when we decide to rebuild our PCs.)

If the architecture needs changing, the appropriate WinPE image is now downloaded (without hash issues) and booted from, once again initiating 802.1x from the scripts in CustomHook.

Once the image is applied and Windows boots for the first time, the RunSynchronousCommand is run before any other commands and 802.1x is established. After joining the domain, Group Policy takes over and the computer is instructed to authenticate using its computer account.

And that is about it
This effectively adds all the components needed for a successful connection and build, and it works without being the ugly hack it was before.