PXE booting, MDT and 802.1x


Oh dear.

We implemented site wide 802.1x when we moved.

This has caused numerous issues which we are still tracking down and killing with fire.

Again "only-when-we-needed-it" struck, as we had a new starter and needed to build a machine.

Ah.   No PXE.  Thankfully, however, we were able to make a bootable USB that does 802.1x and get our build working again from MDT in our 802.1x environment.

Here's how we did it.  


Caveats: 

I'm assuming you know MDT and how PXE works.
We use computer certificates as the 802.1x authentication method (EAP-TLS with a machine certificate).
802.1x is already working in our environment.
GPO is used to start the Wired AutoConfig (dot3svc) service on built machines.
GPO is used to configure the wired network profile to use 802.1x.

What you need

A USB stick to hold your WinPE; 4GB may be enough.
An up to date, working MDT installation!
A machine certificate with a long expiry date; you don't want to be making USB WinPE images every month! Bear in mind that this certificate and its private key will live on a USB stick, so treat the stick as a credential and plan to revoke the certificate if the stick is lost.
That machine certificate exported with its private key as a PFX.
The root and intermediate CA certificates too, as base64-encoded .cer files.

On a machine which has no 802.1x GPO applied, make a wired network profile for 802.1x and export it as XML. A profile on a GPO-managed machine cannot be exported usefully because the GPO settings override the local profile.


Here's mine (greyed out as my machine has GPO applied, sorry), but it should give you the basic idea. Make sure it works before you export it!



Export this profile using the following command, changing foldername and interfacename to match your machine (the interface name is the one shown in Network Connections, typically "Ethernet"):

netsh lan export profile folder=c:\foldername interface="interfacename" 

Make a batch file to enable 802.1x, saved as enable8021x.bat. Here's mine; change PASSWORD in the certutil line to the one you used when you exported the PFX. Note that this puts the PFX password, and the PFX itself, in plaintext on the stick, so anyone holding the USB can authenticate to your network as that machine: guard it accordingly. The same batch file is later copied flat into the Scripts folder of the built machine (see the task sequence changes below), where there is no certs subfolder, so it looks in both places.


REM Start the Wired AutoConfig service
net start dot3svc

REM The certs live in certs\ on the WinPE stick but are copied flat into the
REM Scripts folder on the built machine, so look in both places
set CERTDIR=%~dp0certs\
if not exist "%CERTDIR%root.cer" set CERTDIR=%~dp0

REM Import the root and issuing (intermediate) CA certificates
certutil.exe -addstore Root "%CERTDIR%root.cer"
certutil.exe -addstore CA "%CERTDIR%issuing.cer"

REM Import the computer certificate and its private key (-f overwrites an existing copy)
certutil.exe -ImportPFX -f -p PASSWORD "%CERTDIR%ComputerAuthCert.pfx"

REM Import the computer auth profile to all LAN interfaces
netsh lan add profile filename="%~dp0Ethernet.xml" interface=*

REM Force all interfaces to reconnect so authentication happens now
netsh lan reconnect interface=*

Also make an unattend.xml file with the following content. The order matters: the batch file runs first so the interface is authenticated before LiteTouch tries to reach the deployment share.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <Display>
        <ColorDepth>32</ColorDepth>
        <HorizontalResolution>1024</HorizontalResolution>
        <RefreshRate>60</RefreshRate>
        <VerticalResolution>768</VerticalResolution>
      </Display>
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Description>Start 802.1x</Description>
          <Order>1</Order>
          <Path>cmd /c X:\enable8021x.bat</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Description>Lite Touch PE</Description>
          <Order>2</Order>
          <Path>wscript.exe X:\Deploy\Scripts\LiteTouch.wsf</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>



Install Tools

Install the Windows Assessment and Deployment Kit (ADK) for Windows 10 on a machine which has USB ports!
Select only the Deployment Tools, then next, next, finish.
Install the Windows PE add-on for the ADK the same way: next, next, finish.

Get Started!

On the MDT server start the Deployment Workbench, right click the required deployment share and select Properties
Select the Windows PE tab
Choose the right platform (x86 or x64)
Tick IEEE 802.1x network authentication protocol (this adds the WinPE-Dot3Svc optional component to the boot image)
Click OK
Update the deployment share
Choose to completely regenerate the boot image
On the ADK machine, run the Deployment and Imaging Tools Environment as Administrator
Create a new WinPE folder structure with something like

copype amd64 C:\WinPE_8021x

Copy the WinPE boot image made on the MDT server (DeploymentShare\Boot\LiteTouchPE_x64.wim) into the C:\WinPE_8021x\media\sources folder on your ADK machine and rename it to boot.wim, replacing the default one (copype refuses to run if the target folder already exists, so delete it first if you are rebuilding)
What you have done here is replace the stock WinPE boot.wim with your MDT boot image, which already contains your drivers and knows how to connect to your deployment share
Mount the WinPE

dism /Mount-Image /ImageFile:"C:\WinPE_8021x\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_8021x\mount"

Now CD to the mounted image

cd C:\WinPE_8021x\mount


Copy enable8021x.bat, your unattend.xml and the wired interface XML file (Ethernet.xml) into the root of the mounted image, so they sit at X:\ when WinPE boots; the unattend.xml replaces the one MDT generated there. Make a folder called "certs" in the root, as that is where the batch file looks for the certificates, and copy root.cer, issuing.cer and ComputerAuthCert.pfx into it. Now unmount and commit the changes

dism /Unmount-Image /MountDir:"C:\WinPE_8021x\mount" /commit 

Put your USB device into a port, put a 2GB NTFS partition onto it and assign a drive letter (I used diskpart; F: below). Be aware that MakeWinPEMedia /UFD wipes the whole stick and reformats it as FAT32, so anything already on it is lost and the boot.wim must be smaller than 4GB. Now make your USB boot disk!

MakeWinPEMedia /UFD C:\WinPE_8021x F: 
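The whole USB build, from staged files to written stick, as one script. This is an added example and not part of the original post; it assumes it is run as Administrator from the Deployment and Imaging Tools Environment (so copype and MakeWinPEMedia resolve from PATH), that the Dism PowerShell module is present, and that the staging folder, deployment share path and file names below are yours to change. It adds the checks you want before committing a long-lived credential to removable media: the PFX opens with the password in the batch file and carries its key, the certificate will not expire before you plan to rebuild, and the boot.wim fits FAT32.

```powershell
# Added example: build the 802.1x WinPE USB stick end to end with pre-flight checks.
# Assumptions: run from the Deployment and Imaging Tools Environment as Administrator;
# $StageDir holds enable8021x.bat, unattend.xml, Ethernet.xml and a certs\ subfolder.
param(
    [string]$WorkDir      = 'C:\WinPE_8021x',
    [string]$LiteTouchWim = '\\mdt01\DeploymentShare$\Boot\LiteTouchPE_x64.wim',  # assumed path
    [string]$StageDir     = 'C:\8021x',      # assumed staging folder
    [string]$PfxPassword  = 'PASSWORD',     # must match the -p value in enable8021x.bat
    [string]$UsbDrive     = 'F:',
    [int]$MinCertDays     = 180             # refuse to ship a cert that expires sooner
)
$ErrorActionPreference = 'Stop'
Import-Module Dism

# 1. Everything the batch file and unattend.xml reference must be staged.
$required = 'enable8021x.bat', 'unattend.xml', 'Ethernet.xml',
            'certs\root.cer', 'certs\issuing.cer', 'certs\ComputerAuthCert.pfx'
foreach ($f in $required) {
    if (-not (Test-Path (Join-Path $StageDir $f))) { throw "Missing staged file: $f" }
}

# 2. The PFX is the credential the whole stick relies on: prove the password opens it,
#    that the private key is inside, and that it outlives the rebuild interval.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Join-Path $StageDir 'certs\ComputerAuthCert.pfx'), $PfxPassword
if (-not $pfx.HasPrivateKey) { throw 'PFX has no private key; re-export it with the key' }
$daysLeft = ($pfx.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $MinCertDays) { throw "Machine cert expires in $daysLeft days; issue a longer-lived one" }
Write-Host "Build cert $($pfx.Thumbprint) valid until $($pfx.NotAfter)"

# 3. Fresh WinPE tree, then swap in the MDT boot image as boot.wim.
if (Test-Path $WorkDir) { Remove-Item $WorkDir -Recurse -Force }   # copype refuses an existing dir
& copype amd64 $WorkDir
if ($LASTEXITCODE -ne 0) { throw "copype failed with exit code $LASTEXITCODE" }
$bootWim = Join-Path $WorkDir 'media\sources\boot.wim'
Copy-Item $LiteTouchWim $bootWim -Force

# MakeWinPEMedia formats the stick as FAT32, which cannot hold a file of 4 GB or more.
$wimSize = (Get-Item $bootWim).Length
if ($wimSize -ge 4GB) { throw "boot.wim is $([math]::Round($wimSize/1GB, 2)) GB; too large for FAT32 media" }

# 4. Mount, inject the 802.1x files, commit (or discard on any failure).
$mount = Join-Path $WorkDir 'mount'
Mount-WindowsImage -ImagePath $bootWim -Index 1 -Path $mount | Out-Null
try {
    foreach ($f in 'enable8021x.bat', 'unattend.xml', 'Ethernet.xml') {
        Copy-Item (Join-Path $StageDir $f) $mount -Force          # lands at X:\ inside WinPE
    }
    New-Item (Join-Path $mount 'certs') -ItemType Directory -Force | Out-Null
    Copy-Item (Join-Path $StageDir 'certs\*') (Join-Path $mount 'certs') -Force
    Dismount-WindowsImage -Path $mount -Save | Out-Null
} catch {
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}

# 5. Write the stick. /f skips the format confirmation; this wipes $UsbDrive.
& MakeWinPEMedia /UFD /f $WorkDir $UsbDrive
if ($LASTEXITCODE -ne 0) { throw "MakeWinPEMedia failed with exit code $LASTEXITCODE" }
Write-Host "Done. Treat $UsbDrive as a credential: it carries the private key for $($pfx.Thumbprint)."
```

Run it from the Deployment and Imaging Tools Environment with powershell.exe -ExecutionPolicy Bypass -File build-8021x-usb.ps1 -UsbDrive F:. The password default is there only so the check matches the batch file; keep the script, like the stick, out of anywhere unprivileged users can read.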

Try it out. It should boot and connect to your MDT deployment share. Your build will work up to the point where Windows has been installed and the machine reboots: 802.1x then kicks in on the switch port, the freshly installed OS has neither the certificate nor the profile, and the build process stops!! So a little tinkering in the build task sequence is needed.

MDT Task Sequence Changes

First you need to make the files available to the built machine before it gets on the network. Luckily MDT comes with some WSF scripts we can copy.


Copy enable8021x.bat, the certificates (root.cer, issuing.cer and ComputerAuthCert.pfx) and the network profile XML file to the DeploymentShare\Scripts\ folder. They are copied flat, with no certs subfolder, which is why the batch file above checks both locations.

Duplicate DeploymentShare\Scripts\LTICopyScripts.wsf and call it something relevant, LTICopyCompanyScripts.wsf or similar. This stops any MDT upgrade overwriting your hard work!

Edit the new script to copy your files, and remember to correct all references to the old filename too, as this will help in troubleshooting.

<job id="LTICopyCompanyScripts">
<script language="VBScript" src="ZTIUtility.vbs"/>
<script language="VBScript">

' // ***************************************************************************
' //
' // Copyright (c) Microsoft Corporation.  All rights reserved.
' //
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File:      LTICopyCompanyScripts.wsf
' //
' // Version:   6.3.8456.1000
' //
' // Purpose:   Copy the 802.1x batch file, certificates and profile to the local drive.
' //
' // Usage:     cscript.exe [//nologo] LTICopyCompanyScripts.wsf [/debug:true]
' //
' // ***************************************************************************

Option Explicit
RunNewInstance

'//----------------------------------------------------------------------------
'//  Main Class
'//----------------------------------------------------------------------------
Class LTICopyCompanyScripts

    '//----------------------------------------------------------------------------
    '//  Class instance variable declarations
    '//----------------------------------------------------------------------------
    Public ScriptsToCopy
    Public SourcePath
    Public TargetPath

    '//----------------------------------------------------------------------------
    '//  Constructor to initialize needed global objects
    '//----------------------------------------------------------------------------
    Private Sub Class_Initialize
        ' List of files to copy - these are what gets 802.1x working on the built machine.
        ' VBScript needs Array(...) here; a bare bracketed list does not parse.
        ScriptsToCopy = Array("enable8021x.bat", "root.cer", "issuing.cer", "Ethernet.xml", "ComputerAuthCert.pfx")
        SourcePath = oUtility.ScriptDir & "\"
        TargetPath = oUtility.LocalRootPath & "\Scripts\"
    End Sub
    ...
Save this file and open the MDT Workbench. Open the required task sequence and add a Run Command Line step after the Copy Scripts step in the Post Install group, running your new WSF script in the same way the built-in step runs LTICopyScripts.wsf (cscript.exe "%SCRIPTROOT%\LTICopyCompanyScripts.wsf").
This copies those files onto the new machine's local disk. Now edit the Unattend.xml; the button is on the OS Info tab of the task sequence properties.
Open 4 specialize and insert a new RunSynchronousCommand, configured as shown, that runs the copied enable8021x.bat so the new OS is authenticated on the port before the build carries on.


Save this and close the window and the task sequence.
Do an Update Deployment Share and try your build! One thing to remember: every machine built this way ends up with the shared build certificate and its private key in its machine store, so once a machine has its own computer certificate, remove the build one.
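A closing task sequence step to go with the caveat above, written as an added example rather than taken from the original post. It assumes an MDT Run PowerShell Script step placed late in the sequence, after the domain join and GPO refresh have given the machine its own certificate and started dot3svc; the build certificate thumbprint and the issuer name fragment are parameters you supply. It refuses to remove the shared build certificate until a different, valid client-authentication certificate from your CA is present, so a machine is never left with no way to authenticate.

```powershell
# Added example: verify the built machine can authenticate on its own, then remove the
# shared build certificate that enable8021x.bat imported. Assumed to run from an MDT
# "Run PowerShell Script" step late in the task sequence.
param(
    [Parameter(Mandatory)][string]$BuildCertThumbprint,   # thumbprint of ComputerAuthCert.pfx
    [string]$IssuerMatch = 'CN=Issuing CA'                 # assumed fragment of your issuing CA name
)
$ErrorActionPreference = 'Stop'

function Get-MachineAuthCerts {
    # Certificates in the machine store that could satisfy EAP-TLS: private key present,
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) and currently valid.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2')
    }
}

# dot3svc is started by GPO on built machines; if it is not running, GPO has not applied yet.
$svc = Get-Service dot3svc
if ($svc.Status -ne 'Running') { throw "Wired AutoConfig (dot3svc) is $($svc.Status); GPO has not applied yet" }

# Look for a machine-specific certificate that is not the shared build one.
$own = @(Get-MachineAuthCerts | Where-Object {
    $_.Thumbprint -ne $BuildCertThumbprint -and $_.Issuer -like "*$IssuerMatch*"
})
if ($own.Count -eq 0) {
    # Never pull the build cert while it is the only credential on the box.
    Write-Warning 'No machine-specific 802.1x certificate present yet; keeping the build cert'
    exit 0
}
Write-Host "Machine cert present: $($own[0].Thumbprint), expires $($own[0].NotAfter)"

# Remove the shared certificate together with its private key.
$build = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $BuildCertThumbprint
if ($build) {
    $build | Remove-Item -DeleteKey
    Write-Host "Removed shared build certificate $BuildCertThumbprint"
} else {
    Write-Host 'Build certificate already absent'
}
```

Pass the thumbprint as a step parameter rather than hard-coding it, so the same script survives the next certificate rotation; a non-zero exit from the throw will show up as a failed step in the MDT summary, which is what you want if GPO has not reached the machine yet.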

Good luck
