Modifying the BOOT.WIM after "update distribution points"

    Question

  • I have been working on 802.1x and deployment with SCCM 2007, windows 7. So far there has been great work with how to actually get WinPE working with 802.1x see http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/d246a2e0-2418-4906-ad04-5f14f858a1cd

    Now I have a problem. In order to 'break into' the boot process of the ZTI Image I have to edit it AFTER SCCM has injected the OSD binaries and scripts. Then I can change winpeshl.ini or tsbootshell.ini to insert the scripts necessary to start dot3svc and authenticate on the network.

    Now I can do this and then refresh all distribution points and it works to a point. It works if you boot directly from the PXE server. However, if your task sequence has to switch boot images (the image you booted to is not the image the deployment is set to run from, like 64/32 bit issues, etc) then when the boot image is downloaded, you get a hash mismatch because, guess what, you edited the WIM file after the Update command, which I understand is when the hash is generated.

    How do I customize the pre-tsm boot sequence in order to add authentication scripts?


    Anthony Sheehy - MCP, MCITP
    Friday, April 30, 2010 3:49 PM

Answers

  • First, there is no way for anyone to edit boot.XXX000NN.wim and make it work. boot.XXX000NN.wim is always just a copy of boot.wim plus SCCM binaries.

    If I understand it correctly, you want your code to run as part of the SCCM TS.

    There are two ways to do this, depending on when you want your code to run.

    1. If you want to have your code run before the TS does anything, then you have to create a pre-execution hook. Your code will run before the TS does anything. This will allow you to configure the network before the TS starts using the network. Normally, people use the pre-exec hook to prompt for user input. But you can use it for anything. Here is the link for doing that: http://technet.microsoft.com/en-us/library/bb694075.aspx

    2. If you want to have your code run during the course of the TS execution, you simply add a command-line action.


    Tuesday, May 04, 2010 6:50 PM
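    As an added illustration of option 1 (this is not code from the thread or from Microsoft), a pre-execution hook of the kind the answer describes: the script and its TSConfig.ini sit in the boot.wim source so Update carries them into the generated image, and the hook brings up wired 802.1x before the TS touches the network. The hook folder, log path, profile file and adapter name are assumptions.

```batch
@echo off
rem Added example, not code from this thread or from Microsoft. A pre-execution
rem hook for the SCCM 2007 boot image: it lives in the boot.wim SOURCE, so the
rem "Update Distribution Points" step carries it into boot.XXX000NN.wim and the
rem stored hash matches what the DPs serve. Folder, log, profile and adapter
rem names below are assumptions.
rem
rem TSConfig.ini in the root of the boot.wim source points the TS bootstrap at
rem this script (format per the TechNet article linked in the answer):
rem   [CustomHook]
rem   CommandLine=X:\Hook\dot3hook.cmd

set HOOKDIR=%~dp0
set LOG=X:\Windows\Temp\dot3hook.log
set ADAPTER=Local Area Connection
set PROFILE=%HOOKDIR%wired.xml

echo %DATE% %TIME% wired 802.1x hook starting >> "%LOG%"

rem 1. Start the Wired AutoConfig service; WinPE boots with it stopped.
sc query dot3svc | find "RUNNING" >nul
if errorlevel 1 net start dot3svc >> "%LOG%" 2>&1

rem 2. Import the wired (802.3) profile that names the EAP method to use.
if not exist "%PROFILE%" (
    echo %DATE% %TIME% profile "%PROFILE%" missing >> "%LOG%"
    exit /b 1
)
netsh lan add profile filename="%PROFILE%" interface="%ADAPTER%" >> "%LOG%" 2>&1

rem 3. Give the supplicant up to 60 seconds to finish EAP before the TS
rem    starts talking to the management point. Detection is by the interface
rem    state text netsh prints, which is an assumption about its wording.
set /a TRIES=0
:wait
netsh lan show interfaces | find /i "Authenticated" >nul
if not errorlevel 1 goto :done
set /a TRIES+=1
if %TRIES% geq 12 (
    echo %DATE% %TIME% 802.1x not authenticated after 60s, TS may fail >> "%LOG%"
    exit /b 0
)
ping -n 6 127.0.0.1 >nul
goto :wait

:done
echo %DATE% %TIME% interface authenticated, handing over to the TS >> "%LOG%"
exit /b 0
```

If wired.xml carries a user credential rather than a machine certificate, anyone who can read the boot image from a DP or over PXE can recover it, so a certificate-based EAP method is the safer choice for a profile baked into the image.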

All replies

  • You need to edit the source of the WinPE and make sure you Update Distribution Points. You cannot edit the distributed file on the distribution point.


    John | Program Manager | System Center Configuration Manager
    Friday, April 30, 2010 9:13 PM
    Moderator
  • Hi John.V, I am not editing the file on the distribution point.

    BOOT images are treated differently to other sources, like an OS for instance. When you import a boot WIM file (e.g. boot.wim) you can customize the WIM file in the source directory. When you then select to update Distribution Points, it picks up the custom WIM, inserts drivers, inserts its own startup code for the TSM Boot, and saves the edited file back in the source directory before creating copies on the DPs.

    Now in order to do what I say above, I need to edit this new source WIM in order to break into the boot sequence and add the 802.1x authentication code before the task sequence starts. If it does not, the WinPE machine cannot authenticate on the network and http is blocked (being redirected to a login screen for guest users.) Hence the Task Sequence Fails.

    The problem I am seeing is that if you edit the new Source file (boot.XXX000B3.wim) that is in the source directory, I can do a Refresh distribution points and all points get the new edited wim file, however, the hash is different from the database because the hash is created at Update, not Refresh. This does not affect booting from a PXE service point as for some reason, probably because there is no mechanism for it, the hash is not checked and WinPE boots with the edited file that was refreshed. The problem occurs if the OS you want to deploy uses another boot image (for example, the PC boots to an x86 boot image and the OS being deployed is x64) at which point the task sequence downloads the new refreshed WIM from the DP and discovers, surprise surprise, the hash does not match. This also occurs if you try to run the task sequence from the client from inside the OS.

    Is there a way I can insert my code into a script (or customize the ZTI start script with a hook to the new script) on the CCM so that when I Update, it copies the code into the WIM file with the rest of the ZTI code? Then I will not have to edit the new boot source file and will not have hash mismatches.


    Anthony Sheehy - MCP, MCITP
    Saturday, May 01, 2010 9:22 AM
  • You should not edit the boot.XXX000NN.wim file. Instead, you should edit the boot.wim file.

    When you select the 'update DP' option, SCCM will take boot.wim, add drivers and other files to it, and write the result to boot.XXX000NN.wim. This is what gets copied to the DPs.

    Monday, May 03, 2010 9:52 PM
  • Dear Kerwin,

    This is exactly my problem. Forgive my frustration, but if you read what I have written, you will see that I understand the process. I understand that SCCM injects drivers and code, and also takes over the boot sequence. What I cannot see is how to make SCCM 802.1x compliant without breaking into the boot.XXX000NN.wim file.

    THIS IS WHAT I AM ASKING, not to be told you just shouldn't. At present, WinPE has been fixed to handle 802.1x. Windows 7 has been patched to allow initial 802.1x without presenting a dialog, but SCCM does not yet officially support 802.1x. So I am looking for a way to inject my own code into that which is injected into the boot.wim and will not break SCCM's integrity checks.

    What I am asking is where can I insert my authentication code at the start of the ZTI task sequence, so that when the boot.XXX000NN.wim file is created, SCCM also inserts my code and I do not have to worry about hash mismatches...


    Anthony Sheehy - MCP, MCITP
    Tuesday, May 04, 2010 6:48 AM
  • This is what I was looking for. Thank you!
    Anthony Sheehy - MCP, MCITP
    Friday, May 07, 2010 9:01 AM