WinPE 5 802.1x Support with SCCM 2012 R2

  • Question

  • Please see updated information a few posts down.

    I am trying to get 802.1x support working to deploy Windows 7-8 machines using MDT 2012.  I have checked "IEEE 802.1x network authentication protocol" under features of the deployment share properties.  I am trying to follow the guide on the deploymentguys.  I have my files on the boot image and can do a net start dot3svc; we are not using certificates at the moment for our 802.1x so I am skipping that line.  Doing a netsh lan add profile filename="X:\8021x\ Local Area Connection.xml " interface="Ethernet2" does work.  I am having a problem with the third step when I run the following command: netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Ethernet2".  All I get is "error setting user data for interface ethernet2, the operation is not supported".

    How does one get 802.1x working in WinPE 4.0?

    Here's the latest update in this first post so you don't have to scroll all the way to the bottom to get the latest relevant information:

    So here's the current situation and hopefully someone has seen it before.

    My boot image has the prestart command set to x:\8021x\configure8021x.cmd.  If I make a USB boot media this command will run and work with an 8021x wire plugged in.  If I PXE boot with a non-8021x wire plugged in this command will run.  If I PXE boot with an 8021x wire plugged in it does not run the command.  If the boot image gets staged from the Windows Software Center it also will not run my command.

    Does anyone know why the staged boot image and booting from PXE are not running my prestart command?  It seems that during PXE and staged boot that the network initializes BEFORE it runs any prestart commands?


    • Edited by ventura_Ace Friday, March 20, 2015 7:43 PM: reflects my latest post so it's easier for you to read
    Tuesday, November 19, 2013 3:01 PM

All replies

  • Hello Ventura,

    I have the same question as you.

    I find the following documents maybe useful:

    http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx

    http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-31-62-58/Windows-7-Deployment-Procedures-in-802-1X-Wired-Networks.pdf

    I think we can communicate with each other if we have any progress on this case.

    Thank you


    Frank@Hiweb 冯立超@瀚博资讯

    Tuesday, December 10, 2013 2:50 AM
  • Yep. I saw both of those articles. I've read through them and am just stuck on the one part which I don't quite understand. When I do the lan set eapuserdata command it says it's not supported. I'm not sure what I'm missing and so far I haven't heard from anyone that knows for sure either.
    Tuesday, December 10, 2013 3:28 AM
  • I ran into the same issue as you, with it saying the operation is not supported.

    Have you ever sorted this out?

    Thanks,

    Monday, November 10, 2014 4:27 AM
  • No I have not.  I just stopped working on it and have been deploying machines in our office rather than at desks.  We transitioned to SCCM 2012 R2 with MDT 2013 but I'm sure we will run into this issue again sooner rather than later, as everyone but computer services is on 802.1x now.
    Monday, November 10, 2014 6:18 PM
  • I've spent hours on this, can't figure it out, frustrated.
    Tuesday, November 11, 2014 3:56 AM
  • Well I am back at trying to figure this out for WinPE 5.0 and SCCM usage.  I still get "the operation is not supported"; however, I wonder if it has to do with me doing this from a VM and not a physical machine?  Also I wonder if this is failing because I have my password set with a ", ", so for example it would be "Reno, NV1".

    I found directions that state the following, although I'm not sure what error this would give, perhaps "operation is not supported"?  I am not using & < > ' " in my password, just a space and a comma.

    4. Import the 802.1x user credential profile.

    a. Netsh lan set eapuserdata filename=X:\8021x\Wired-WinPE-UserData-PEAP-MSCHAPv2.xml allusers=yes interface="Local Area Connection"

    Warning – Do not use any XML escape characters in your user account password. This will cause this command to fail. These are &, <, >, ‘, and .

    We also aren't using any certs so I just skipped that part.  

    I also didn't do the patching step as I am using WinPE 5.0 and didn't think I needed to do that.


    • Edited by ventura_Ace Tuesday, December 2, 2014 9:46 PM
    Tuesday, December 2, 2014 9:19 PM
  • I decided to try it on a physical pc as well as create a new sccm mdt boot image that this time is x86 and I still get the same error.  What is it about the wired-winpe xml file that the command does not like?

    On another note, I removed the "netsh lan" from the command and it looks like it works; it doesn't give any errors nor any success messages, just goes to a fresh prompt, so X:\ in this case.  So the command is now: set eapuserdata filename=X:\8021x\Wired-WinPE-UserData-PEAP-MSCHAPv2.xml allusers=yes interface="Local Area Connection"

    Is it actually working or does it say success after the command is properly executed?

    Wednesday, December 3, 2014 7:35 PM
  • Without netsh lan, I think you actually set an environment variable, rather than loading the credential.

    Monday, December 8, 2014 3:32 AM
  • Well, progress on this issue has been made.  The reason I was getting "operation not supported" is because I was exporting our corporate 8021x LAN profile, which gets put in place by group policy, which I assumed would work.  So I unjoined the Windows 7 machine from the domain and was then able to modify the LAN profile to be exactly what is in the documentation with images.

    Then the above command works, I no longer get "the operation is not supported", and I am able to move on to the next step, which is to create a script file which contains the net start and the netsh commands I was using above to test it. Great!

    Now my next issue comes up when the instructions tell me to modify the winpeshl.ini file which it says is located at X:\windows\System32\Winpeshl.ini.  So I mount the boot.wim file that I did earlier and I browse to the location in question however the first thing I notice is that when I open the winpeshl.ini file to go to modify it I expect to see:

    [LAUNCHAPPS]
    "%SYSTEMDRIVE%\sms\bin\i386\TsBootShell.exe"

    Instead what I find is it says:

    [LAUNCHAPPS]
    %Windir%\system32\netstart.exe, -prompt
    %SYSTEMDRIVE%\sources\recovery\recenv.exe

    So I thought ok, I will create a copy of this file and rename it to winpeshl.ini.bak and then modify it to say what it says it should be in the instructions, which is:

    [LAUNCHAPPS]
    winpeinit.exe
    %SYSTEMDRIVE%\Windows\System32\wscript.exe, %SYSTEMDRIVE%\8021x\Configure8021xUser.wsf
    "%SYSTEMDRIVE%\sms\bin\i386\TsBootShell.exe"

    Next I unmount the boot.wim file and overwrite the copy I had.  Next I update the distribution points and PXE boot a test machine. What I see next is what I don't understand.  Upon booting and hitting F8 to get to a command line, I cd into x:\windows\system32\ and notice that I do indeed still have my winpeshl.ini.bak file, so I open the winpeshl.ini file I had thought I modified earlier and, lo and behold, it contains this, which is different from what I saw when I mounted the wim file:

    [LAUNCHAPPS]
    "%SYSTEMDRIVE%\sms\bin\i386\TsBootShell.exe"

    So something is modifying this file and setting it this way effectively overwriting what I put in so that my script can run and configure the 8021x user settings.

    Is there some updated documentation somewhere? How do I proceed from here?

    The next steps after this would be to modify the unattend.xml file at a certain location to run the Configure8021xUserWindows.wsf script which does the winpe script just instead of running from X: it runs from C: as it says in the documentation.   But I can't move on to test this yet without getting the winpe part working.

    Wednesday, March 18, 2015 3:24 PM
  • So doing a bit of searching I found out that I need to copy my custom winpeshl.ini file into the boot image using the osdinjection.xml file.  I tested this on a sample file and it does copy over my sample file; however, I cannot seem to get my custom winpeshl.ini file to overwrite.  It's like it is injecting it first and then something else is overwriting it back to defaults again shortly thereafter!

    Anyone have any ideas?

    Wednesday, March 18, 2015 8:00 PM
  • So doing a bit of searching I found out that I need to copy my custom winpeshl.ini file into the boot image using the osdinjection.xml file.  I tested this on a sample file and it does copy over my sample file; however, I cannot seem to get my custom winpeshl.ini file to overwrite.  It's like it is injecting it first and then something else is overwriting it back to defaults again shortly thereafter!

    Anyone have any ideas?

    It's my understanding that the CM console will be modifying the winpeshl.ini when you use the console to generate/maintain the boot image (because CM needs WinPE to launch the TSengine so that OSD can occur).

    I think this means that you'll need to create the boot images and maintain them outside of CM, then add the boot image into CM without ever modifying it in the CM console.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, March 18, 2015 8:49 PM
  • I tried also creating a TSConfig.ini file and that didn't seem to work so then I tried this method:

    http://blogs.technet.com/b/michaelgriswold/archive/2014/07/29/which-prestart-command-will-i-get.aspx

    of right clicking the boot image and specifying a pre-start command but that didn't seem to work either, unless of course I am doing something wrong with the command or will 2012 R2 not work with a TSConfig.ini file how I want it to work?

    Wednesday, March 18, 2015 10:20 PM
  • Does anyone know if, when you use the prestart command settings in the properties of the boot image, it initializes a network connection first and then reads whatever command you have from the source directory?

    The reason I ask is because I placed my Configure8021x.cmd file as the command line in a prestart command.  When I have a non-8021x wire plugged in it will run this; however, if I first PXE boot on the non-8021x wire and then quickly switch it over to the 8021x wire it never loads.

    Thursday, March 19, 2015 9:04 PM
  • So here's the current situation and hopefully someone has seen it before.

    My boot image has the prestart command set to x:\8021x\configure8021x.cmd.  If I make a USB boot media this command will run and work with an 8021x wire plugged in.  If I PXE boot with a non-8021x wire plugged in this command will run.  If I PXE boot with an 8021x wire plugged in it does not run the command.  If the boot image gets staged from the Windows Software Center it also will not run my command.

    Does anyone know why the staged boot image and booting from PXE are not running my prestart command?  It seems that during PXE and staged boot that the network initializes BEFORE it runs any prestart commands?

    Friday, March 20, 2015 7:41 PM
  • So since no one has any ideas about the boot image thing, I've sidebarred that and have been trying to figure out the domain join / unattend.xml file modification step, as described in the joining-the-domain step from this link.

    http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx

    I have my unattend file modified to include my command and it does run, but if I put the join domain right after the "Setup Windows and Configuration Manager" step the task sequence fails.  If I put it before the "Setup Configuration Manager" step the task sequence will complete but it will not get joined to the domain.  Perhaps I have something wrong?  Has anyone gotten this portion to work?

    Wednesday, April 1, 2015 8:54 PM
  • I have my unattend file modified to include my command and it does run but if i put the join domain right after the setup windows and config manager the task sequence fails.  

    What is the failure? Check the logfiles (netsetup.log, etc)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, April 2, 2015 6:05 AM
  • In the smsts log file it says "failed to initialize sysprep answer file 0x800700A1", then below says "failed to run action join domain. the specified path is invalid error 0x800700A1 source windows".  I don't see a netsetup log file.
    Thursday, April 2, 2015 6:00 PM
  • I know this is a pretty old post, but getting 802.1x working in OSD is pretty hard and there is not a lot of good information available, so I am going to post this anyway despite the age of the topic.  I happened upon this post in the first few search results so I am sure others will come along behind me.

    You need to get your 802.1x authentication to run EACH time WinPE boots and reboots, and the only real way to do that is to make a registry edit in your boot.wim.  The good news is that you can modify the boot.wim once and those changes carry over every time you update your boot wim to load in new drivers etc.

    Check out this post over on windows-noob.  While the script there in that post is not exactly what you are looking for, the method of how to inject a VBScript into the WinPE boot process, which works great with ConfigMgr SCCM OSD MDT boot processes, is a successful way to get 802.1x working during the WinPE phases of OSD task sequences.

    http://www.windows-noob.com/forums/topic/12150-how-can-i-check-for-network-connectivity-before-starting-a-task-sequence-in-system-center-2012-r2-configuration-manager/?hl=checkfornetwork

    I actually took the script that was there and modified it to do an 802.1x authentication and loop waiting for an IP address.  The part about how to edit the registry is the important piece of the puzzle.

    Now I am working on getting the Windows 7 phase working.  I can't seem to get the 802.1x working before Minisetup tries to join the domain.  I'm getting close though.

    Wednesday, December 9, 2015 2:41 PM
  • Hi Todd, have you been able to get the Windows 7 phase working in 802.1x? I am at the same stage as you where I can only get the WinPE bit to .1x... Please let me know.

    Cheers

    Wednesday, January 27, 2016 1:56 PM
  • Hi Todd,

    I am struggling to make my MDT Deployment work on 802.1x. I followed David's blog https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/6127/00/00/03/31/62/58/Windows%207%20Deployment%20Procedures%20in%20802%201X%20Wired%20Networks.pdf and stuck halfway. After booting with MDT Boot media (8021x Enabled) the client is getting the IP from DHCP but failing to connect to deploymentshare$, not even pinging any IP on the network. Any ideas?


    Khan MCTS,MCSE Saudi Arabia

    Thursday, June 2, 2016 7:50 AM
  • I have a solution to this and have been trying to find the time to blog out the instructions.  I just have not been able to find the time to do it.

    During the Task sequence, before booting into Windows for the first time, you need to prepare the machine so that when it reboots, windows already "knows" how to attach to the 802.1x protected network.  This involves copying a folder to the disk that runs a script to prepare the settings on the machine.  Then you add calling that script in your unattend.xml file in the section where you can call additional scripts.

    The domain join is going to fail during the OS installation part, because your installation process will try to join the domain before minisetup gets to the spot in unattend.xml where it runs your script that prepares the machine to be able to join an 802.1x network.

    So after the step in the task sequence "Setup Windows and ConfigMgr" you need to add an additional "Join Domain or Workgroup" and limit it to only run if the computer is still joined to a workgroup (wmi query -- Select * from Win32_ComputerSystem where Workgroup != Null)

    Sorry I don't have more time to blog this out; I wish I did.  It is one of the more complicated problems I've had to solve.

    Friday, July 15, 2016 2:49 PM
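    The three netsh steps from the first post and the "copy a folder to the disk and call the script from unattend.xml" approach Todd describes are the same procedure run from a different drive; below is an added example script that is not from this thread or the linked guides. It assumes the XML file names used in the thread sit next to the script, that the interface name is passed as the first argument (defaulting to "Ethernet"), and that a log under %TEMP% is acceptable.

    ```batch
    @echo off
    REM Configure8021x.cmd: added example, not from this thread or the linked guides.
    REM Runs the documented steps (start dot3svc, import the LAN profile, import the
    REM EAP user data) and then waits until the port is authorised and DHCP has
    REM handed out a real address. It locates its XML files next to itself (%~dp0),
    REM so the same script works from X:\8021x in WinPE and from C:\8021x when the
    REM folder is copied to the disk and called from unattend.xml.
    REM Assumptions: the file names below, the interface name passed as %1
    REM (default "Ethernet"), and a log file written under %TEMP%.
    setlocal EnableDelayedExpansion
    set "BASE=%~dp0"
    set "IFACE=%~1"
    if "%IFACE%"=="" set "IFACE=Ethernet"
    set "PROFILE=%BASE%Local Area Connection.xml"
    set "USERDATA=%BASE%Wired-WinPE-UserData-PEAP-MSCHAPv2.xml"
    set "LOG=%TEMP%\Configure8021x.log"
    echo %DATE% %TIME% configuring 802.1x on "%IFACE%" >> "%LOG%"

    REM Step 1: Wired AutoConfig is not running in WinPE. "net start" returns an
    REM error if it is already started, so check the service state instead.
    net start dot3svc >> "%LOG%" 2>&1
    sc query dot3svc | find "RUNNING" >nul || (echo dot3svc is not running >> "%LOG%" & exit /b 1)

    REM Step 2: import the wired profile. Use a hand-built profile as in the guide;
    REM a GPO-managed profile exported from a domain member gave the thread's
    REM "operation is not supported" error in step 3.
    netsh lan add profile filename="%PROFILE%" interface="%IFACE%" >> "%LOG%" 2>&1
    if errorlevel 1 (echo add profile failed >> "%LOG%" & exit /b 2)

    REM Step 3: import the PEAP/MSCHAPv2 user credentials for all users.
    netsh lan set eapuserdata filename="%USERDATA%" allusers=yes interface="%IFACE%" >> "%LOG%" 2>&1
    if errorlevel 1 (echo set eapuserdata failed >> "%LOG%" & exit /b 3)

    REM Step 4: authentication is asynchronous, so poll. Keep renewing DHCP and
    REM accept the first IPv4 address that is not APIPA (169.254.x.x).
    set /a TRIES=0
    :WAIT
    set /a TRIES+=1
    ipconfig /renew >nul 2>&1
    for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /c:"IPv4 Address"') do (
        set "ADDR=%%A"
        set "ADDR=!ADDR: =!"
        if not "!ADDR:~0,7!"=="169.254" (
            echo got address !ADDR! after !TRIES! tries >> "%LOG%"
            goto :DONE
        )
    )
    if !TRIES! geq 24 (echo timed out waiting for an address >> "%LOG%" & exit /b 4)
    ping -n 6 127.0.0.1 >nul
    goto :WAIT
    :DONE
    netsh lan show interfaces >> "%LOG%" 2>&1
    endlocal
    exit /b 0
    ```

    The non-zero exit codes let a prestart command or unattend.xml RunSynchronous entry tell apart "service not started", "profile rejected", "credentials rejected" and "never got an address" from the log rather than from a silent prompt.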
  • Hi Todd, Any chance of sharing the vb script that you modified for 802.1x please? Thanks.

    "I actually took the script that was there and modified it to do a 802.1x authentication and loop waiting for an IP address.  The how to edit the registry is the important piece of the puzzle. "

    Monday, September 19, 2016 11:21 PM
  • Hey Todd (or anyone else) does anyone have a copy of a script that will copy the files / start 802.1x once in MDT? We've managed to get the PE to boot and authenticate, but once it reboots and starts the unattend, we're stuck.

    Thanks

    Tuesday, October 17, 2017 8:26 AM