
Page 1: Windows 7 Deployment Procedures in 802.1X Wired …docshare01.docshare.tips/files/12381/123817718.pdf · Windows 7 Deployment Procedures in 802.1X ... Lite Touch and Zero Touch Deployments,

Windows 7 Deployment Procedures in 802.1X

Wired Networks

Lite Touch and Zero Touch

03.03.2010

Version 0.1 Draft

Prepared by

David Marín Hebra

Consultant

THE PROCEDURES DESCRIBED IN THIS DOCUMENT ARE CURRENTLY UNSUPPORTED BY MICROSOFT, AND ARE THE RESULT OF WORK

COMPLETED SOLELY AND EXCLUSIVELY BY THE AUTHOR. PLEASE DO NOT CONTACT MICROSOFT SUPPORT FOR ANY HELP WHATSOEVER

REGARDING THE CONTENT DETAILED HERE AS THEY WILL BE UNABLE TO ASSIST YOU IN ANY WAY.


Page 1

Windows 7 Deployment Procedures in 802.1X Wired Networks, Lite Touch and Zero Touch Deployments, Version 0.1 Draft

Prepared by David Marín Hebra

"Windows 7 Deployment Procedures in 802 1X Wired Networks.docx" Last modified 3 Mar. 10, Rev 121

Revisions and Signatures

Registry of Changes

Date         Author        Version     Reference
02/03/2010   David Marín   0.1 Draft   Initial Version

Reviewers

Name         Approved      Version     Position     Date


Table of Contents

1 Introduction ............................................ 3
2 Procedures .............................................. 4
  2.1 WinPE Phase ......................................... 4
    2.1.1 Requirements .................................... 5
    2.1.2 Procedure ....................................... 1
    2.1.3 Integration in Lite Touch Deployment (MDT) ...... 2
    2.1.4 Integration in Zero Touch Deployment (SCCM + MDT) 4
  2.2 Windows 7 Phase ..................................... 5
    2.2.1 Procedure ....................................... 6
    2.2.2 Integration in Lite Touch Deployment (MDT) ...... 7
    2.2.3 Integration in Zero Touch Deployment (SCCM + MDT) 10


1 Introduction

Traditionally, Microsoft operating system deployment has always had a very important blocker: installation across 802.1x wired networks. Consequently, in any company that used a wired 802.1x network it has never been possible to deploy desktops from Distribution Points with the old BDD "Business Desktop Deployment" or the new MDT "Microsoft Deployment Toolkit" (Lite Touch). Neither was it possible from an SMS 2003 or SCCM 2007 infrastructure (Zero Touch).

The only solution was based on implementing network segments not secured by 802.1x authentication, in which the desktops were first deployed and then moved to their final 802.1x VLANs. Customers really didn't like this approach and didn't consider it an acceptable workaround.

The principal cause of this problem has always been that WinPE never offered support for 802.1x authentication, consequently complicating any deployment project. However, in December 2009 the WinPE product group developed and published the necessary add-ins for versions 2.1 and 3.0 of WinPE, available here:

WinPE 2.1: http://support.microsoft.com/kb/975483
WinPE 3.0: http://support.microsoft.com/kb/972831

I have personally been waiting for this support for years, in order to be able to help large companies with their operating system deployment projects, which were until now on hold because of this problem. So, when the support engineers emailed me the other day to notify me of the release of these hotfixes, they made my life… professionally, anyway.

However, it was not all roses. The problem I next encountered was that, in order to make it play nicely, the process was rather more complex than I originally thought, and it took a large effort on my part through all the testing and debugging. As a consequence, I want to share with everyone the required steps in order to take the pain out of the implementation. This document describes all the steps required for implementation, for both Lite Touch (LTI) and Zero Touch (ZTI) with SCCM.


2 Procedures

As an introduction, I'll start by explaining that in order for client computers to be able to connect to an 802.1x network, they need to authenticate themselves in one of two ways:

- User based: a user name and password are required.
- Machine based: a machine certificate is necessary; typically this is received when the computer joins the domain.

Following on from this, the problem of automatically deploying a computer onto an 802.1x network and subsequently into a domain can be divided into two parts:

- WinPE phase: first, we need WinPE to launch the deployment and process the first part of the MDT or SCCM OSD task sequence (for example: create and format partitions, install the operating system image file, etc.). WinPE needs to authenticate itself on the network (normally receiving an IP address from DHCP in the process). Because WinPE cannot belong to an Active Directory domain, this part of the process requires user-based authentication using the valid credentials of a domain user.

- Windows 7 phase: once WinPE has been granted access to the network and the operating system image has been installed, the next step of the deployment is the first boot of Windows 7. Once booted, the MDT or SCCM task sequence is initialized on Windows 7 in order to continue the deployment process. However, this phase can only continue if the operating system is granted access to the 802.1x network so that Windows 7 can connect to the MDT or SCCM servers.

  Normally, in these cases, in order to obtain access to the wired network so that the computer can be joined to the domain, the computer first needs to configure itself to use user-based authentication, providing a valid domain username and password (normally a pop-up window appears requesting the credentials manually). Afterwards, once joined to the domain, the computer receives the necessary certificates and configuration so that the authentication mode can be changed automatically to machine-based, using certificates.

  The fundamental task here is to automatically configure the user-based authentication by providing the necessary credentials on boot of Windows 7, before any deployment task in the task sequence is run.

2.1 WinPE Phase

In this section, I'll explain first the requirements and then the steps needed to configure WinPE 3.0 with 802.1x support.


2.1.1 Requirements

1. The initial step is to obtain the relevant hotfix that provides the 802.1x support for WinPE from the Microsoft website. For this exercise, we need the file "Windows6.1-KB972831-x86.cab".

2. The next step is to configure an already installed Windows 7 computer to have access to the 802.1x network using the user-based authentication that you want to use with WinPE. The network administrator can provide the necessary information; an example is shown below:


3. Following on, the authentication profile needs to be exported to an XML file. For this, use the following netsh command:

   a. netsh lan export profile folder=D:\8021XUser interface="Local Area Connection"

   This will create the file "D:\8021XUser\Local Area Connection.xml", which contains the 802.1x user-based authentication profile.

4. For the above example, two certificates are also required from the Root Certificate Authority (CA), as shown in the earlier screenshots:

   a. "CATest1.cer"
   b. "CATest2.cer"

5. Valid domain user credentials are now required. For example:

   a. Domain: Contoso
   b. User: User8021X
   c. Password: Password8021X

6. On the next page, you'll see the contents of an XML file. You need to take this text, paste it into Notepad, and save it as "Wired-WinPE-UserData-PEAP-MSChapv2.xml". In this file, you will need to place the above credentials.

   Note: It is important that you understand the security implications of placing the credentials of a valid Active Directory user account in this XML file, which is ultimately available for anyone to read (assuming that they know where to look). The necessary measures should be taken to ensure that security is maintained.

The contents of the file will be similar to what is shown next:


<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials"
    xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon"
    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
      xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1"
      xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <MsPeap:RoutingIdentity>Contoso\User8021X</MsPeap:RoutingIdentity>
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>User8021X</MsChapV2:Username>
            <MsChapV2:Password>Password8021X</MsChapV2:Password>
            <MsChapV2:LogonDomain>Contoso</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>


7. From a Windows 7 machine with the same architecture as the WinPE that is being built (x86 or amd64), save copies of the Certutil utility files:

   a. C:\Windows\System32\Certutil.exe
   b. C:\Windows\System32\en-US\Certutil.exe.mui

8. Finally, it is necessary to use a machine with the "Microsoft Windows AIK v2.0" installed.

2.1.2 Procedure

2.1.2.1 Offline Part (WinPE WIM)

On the machine with the WAIK 2.0 installed, generate a WinPE instance, or use an already generated WinPE. Follow these steps:

1. Mount the WinPE WIM file to a folder on the file system so that the 802.1x hotfix can be applied to the image. Typically the following commands are used from the WAIK command prompt:

   a. dism /mount-wim /WimFile:C:\CustomPEx86\winpe.wim /index:1 /mountdir:c:\mount
   b. dism /image:C:\mount /add-package /PackagePath:"F:\802.1X\Fix\Windows6.1-KB972831-x86.cab"

2. Following on, the Certutil utility files need to be copied to their corresponding folders in the mounted image:

   a. Certutil.exe to c:\mount\Windows\System32
   b. Certutil.exe.mui to c:\mount\Windows\en-US

3. A new folder (for instance "c:\mount\8021x") should be created in the root of the WinPE image, where the necessary files for the 802.1x functionality need to be copied. These are:

   a. Root CA certificates "CATest1.cer" and "CATest2.cer"
   b. 802.1x user-based authentication profile file "Local Area Connection.xml"
   c. XML file which contains the 802.1x user-based authentication profile credentials "Wired-WinPE-UserData-PEAP-MSChapv2.xml"

4. Finally, the WinPE WIM file should be unmounted, committing the changes:

   a. dism /unmount-wim /MountDir:C:\mount /commit

2.1.2.2 Online Part (Already Booted WinPE)


A test machine should now be booted into WinPE with the image file that you just modified. Once booted, enter the following commands into the command prompt window that opens automatically. These steps will configure the user-based authentication.

1. Start the "Wired AutoConfig (DOT3SVC)" service. This service is absolutely necessary for IEEE 802.1x authentication. It is strange, but in WinPE 3.0 and Windows 7 this service has a startup type of MANUAL instead of AUTOMATIC.

   a. net start dot3svc

2. The next step is to import the necessary Root CA certificates:

   a. x:\windows\system32\certutil.exe -addstore root x:\8021x\CATest1.cer
   b. x:\windows\system32\certutil.exe -addstore root x:\8021x\CATest2.cer

3. Now it is time to import the 802.1x user-based authentication profile:

   a. netsh lan add profile filename="X:\8021x\Local Area Connection.xml" interface="Local Area Connection"

4. Afterwards, the XML file which contains the 802.1x user-based authentication profile credentials should be imported:

   a. netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"

5. After all the previous steps are completed, the 802.1x user-based authentication should have been established successfully and an IP address should have been obtained from a DHCP server. You can double-check this with the following command:

   a. ipconfig /renew

Obviously, once you have tested the 802.1x user-based authentication process successfully, it would be advisable to build a script to automate all the steps just detailed. Once automated, the user-based 802.1x authentication process must be integrated into the WinPE boot processes implemented by MDT (Lite Touch Deployment) and SCCM + MDT (Zero Touch Deployment).

2.1.3 Integration in Lite Touch Deployment (MDT)

There are several different ways of adding custom commands to the boot process of WinPE. First, I'll explain how to do it for MDT Lite Touch:

- The file "x:\Windows\System32\Winpeshl.ini" controls the WinPE boot process. By default, it contains the following lines:


- In Lite Touch deployments, the executable "BDDRun.exe" is the one that launches the set of actions that occur in WinPE during the deployment process. BDDRun.exe will initialize WinPE and after that it will synchronously execute the commands that appear in the file "X:\Unattend.xml". By default this file contains:

  so that the script "X:\Deploy\Scripts\Litetouch.wsf" is launched, and with it the Deployment Wizard and the deployment task sequence are also run.

Therefore, if we want to follow the same philosophy as the default WinPE boot process for MDT Lite Touch deployments, in order to add a script that launches all the steps described previously in this document to configure the 802.1X user authentication (assuming that this script is called "X:\8021x\Configure8021XUser.wsf") just before the execution of the Deployment Wizard and the global process, you need to change the "X:\Unattend.xml" file as shown below:


2.1.4 Integration in Zero Touch Deployment (SCCM + MDT)

As mentioned earlier, there are different ways to include custom commands in the WinPE boot process. Let's now look at the default WinPE boot process in Zero Touch deployments (SCCM + MDT):

- For SCCM, the file "x:\Windows\System32\Winpeshl.ini" controls the boot process:

- So the first process launched in WinPE will be "TSBootShell.exe", which will initialize WinPE and start the deployment process, calling in turn other executables from the folder "X:\sms\bin\i386". From that moment on it is not easy to follow the process flow in WinPE, because we have several executables calling each other to complete the deployment task sequence.

Hence, if we want to follow the same philosophy as the default WinPE boot process for Zero Touch (SCCM + MDT) deployments, in order to add a script that launches all the steps described previously in this document to achieve the 802.1X user authentication (assuming that the script is called "X:\8021x\Configure8021XUser.wsf"), just before the execution of the global deployment process you need to change the "x:\Windows\System32\Winpeshl.ini" file as shown below:

NOTES:

o You can see that the first process to be launched will be "WPEInit.exe", in order to initialize the WinPE network subsystem. After that comes the 802.1x authentication script. In the last step, "TSBootShell" is given control to run the deployment process.

o It is important to understand the syntax of the commands in this file. The executable and its parameters are written together, separated by a comma (","):

  o %SYSTEMDRIVE%\Windows\System32\wscript.exe, %SYSTEMDRIVE%\8021X\CUSTOM_WinPEConfigure8021X.wsf

2.2 Windows 7 Phase

Once the Windows 7 operating system image has been installed on the computer, it will boot. At this point it is necessary for it to be granted access to the 802.1x network in order to launch and continue the deployment task sequence in MDT or SCCM + MDT.

Because it does not yet belong to the domain, authentication will first be user-based so that the computer can connect to the MDT or SCCM server in order to continue with the task sequence. In this task sequence, you need to add an additional task so that, once the computer is in the domain, the authentication mode can be switched to machine-based. This can be achieved using an Active Directory GPO, or directly via a task in the task sequence (importing an authentication profile that was previously exported from a reference machine).


2.2.1 Procedure

The content of the folder that was added to the WinPE image modified earlier ("X:\8021x") is needed. This folder contains the necessary files for the 802.1X authentication. These are:

1. Root CA certificates "CATest1.cer" and "CATest2.cer"
2. 802.1x user-based authentication profile file "Local Area Connection.xml"
3. XML file which contains the 802.1x user-based authentication profile credentials "Wired-WinPE-UserData-PEAP-MSChapv2.xml"

You will need to add a task to the task sequence so that this folder is copied from the X: drive to the local C: drive. This task should be run in the WinPE phase once the operating system image has been applied, and before the computer restarts. The folder could be copied to a temporary location, such as "C:\Windows\Temp\8021x".

Once all the files are available, the user-based authentication process in Windows 7 is quite similar to the one in WinPE (Online Part):

1. First of all, the "Wired AutoConfig (DOT3SVC)" service is started. A sample command could be:

   a. net start dot3svc

   NOTE: It is highly recommended to change the startup type of this service from MANUAL to AUTOMATIC, using a VBS script or any other mechanism.

2. The next step is to import the necessary Root CA certificates:

   a. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest1.cer
   b. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest2.cer

   NOTE: The CertUtil utility is part of Windows 7. If you prefer, these Root CA certificates could also be included as part of the Windows 7 corporate image.

3. Afterwards, the 802.1x user-based authentication profile needs to be imported:

   a. netsh lan add profile filename="C:\Windows\Temp\8021X\Local Area Connection.xml" interface="Local Area Connection"

4. Afterwards, the XML file which contains the 802.1x user-based authentication profile credentials needs to be imported:

   a. netsh lan set eapuserdata filename=C:\Windows\Temp\8021X\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"


   VERY IMPORTANT NOTE: At this point (4) I should point out that Microsoft client operating systems (Windows 7, Windows Vista, Windows XP) do not support this method of importing 802.1x credentials out of the box. The normal behaviour is that, once the user-based authentication profile is configured, a pop-up window appears asking for credentials. However, a new hotfix for Windows 7 has been developed that allows this method of importing the 802.1x user-based authentication profile credentials. More information in this article:

   o You cannot connect to an 802.1x wired network when you run an automated build process
     http://support.microsoft.com/kb/976210

   In conclusion, it is absolutely necessary that the reference Windows 7 image (WIM) that will be deployed to computers includes this hotfix, which allows the execution of the command in point 4.

5. After all these previous steps, the 802.1x user-based authentication should have been configured successfully and it should have been possible to get an IP address from a DHCP server. A sample command could be:

   a. ipconfig /renew

As before, once you have tested this part, you can automate it with a script and include it in the task sequence for integration with MDT (Lite Touch) and SCCM + MDT (Zero Touch).
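As an added example (not the author's script, which the document does not reproduce), the following Windows Script File automates the online steps of sections 2.1.2.2 and 2.2.1 in one pass; it takes the folder as a parameter so the same file serves the WinPE phase (X:\8021x) and the Windows 7 phase (C:\Windows\Temp\8021x), and it is launched with wscript.exe exactly as the Winpeshl.ini entry above shows. The switch names (/folder, /interface, /autostart, /cleanup), the running-state check via "sc query", the pre-flight file checks and the APIPA test on the lease are this example's own additions; it assumes the boot image carries wscript.exe (WinPE-Scripting) and English-language ipconfig output.

```vbscript
<?xml version="1.0" ?>
<!-- Configure8021XUser.wsf (added example). Runs the online 802.1x user-based
     authentication steps of this document in one go. Switches are this example's own:
       /folder:<path>     folder with the .cer files and the two XML files (default X:\8021x)
       /interface:<name>  wired interface name (default "Local Area Connection")
       /autostart         also set dot3svc to start automatically (Windows 7 phase)
       /cleanup           delete the credential XML once it has been imported
     Example: wscript.exe X:\8021x\Configure8021XUser.wsf /folder:X:\8021x -->
<job id="Configure8021XUser">
<script language="VBScript"><![CDATA[
Option Explicit

Dim shell, fso, args, folder, iface
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")
Set args  = WScript.Arguments.Named

folder = "X:\8021x"
If args.Exists("folder") Then folder = args("folder")
iface = "Local Area Connection"
If args.Exists("interface") Then iface = args("interface")

' File names exactly as used in the document's procedure.
Dim certFiles, profileXml, userDataXml
certFiles   = Array(folder & "\CATest1.cer", folder & "\CATest2.cer")
profileXml  = folder & "\Local Area Connection.xml"
userDataXml = folder & "\Wired-WinPE-UserData-PEAP-MSChapv2.xml"

' Run a command hidden and synchronously; abort with its exit code on failure so the
' task sequence sees an error instead of continuing with a half-configured interface.
Sub Run(cmd)
    Dim rc
    WScript.Echo "> " & cmd
    rc = shell.Run(cmd, 0, True)
    If rc <> 0 Then
        WScript.Echo "FAILED with exit code " & rc
        WScript.Quit rc
    End If
End Sub

' Return the standard output of a console command as one string.
Function Capture(cmd)
    Capture = shell.Exec(cmd).StdOut.ReadAll
End Function

' Preconditions: certutil.exe (copied into the image in the offline part) and the
' profile and credential files must be present before anything is changed.
Dim f
For Each f In Array(shell.ExpandEnvironmentStrings("%SystemRoot%\System32\certutil.exe"), _
                    profileXml, userDataXml)
    If Not fso.FileExists(f) Then
        WScript.Echo "Missing required file: " & f
        WScript.Quit 2
    End If
Next

' Step 1: Wired AutoConfig (dot3svc) has a Manual startup type in WinPE 3.0 and Windows 7.
If args.Exists("autostart") Then Run "sc config dot3svc start= auto"
If InStr(Capture("sc query dot3svc"), "RUNNING") = 0 Then Run "net start dot3svc"

' Step 2: import the Root CA certificates so the RADIUS server certificate chains to a trusted root.
For Each f In certFiles
    Run "certutil.exe -addstore root """ & f & """"
Next

' Step 3: import the exported wired profile (PEAP / MS-CHAPv2, user authentication).
Run "netsh lan add profile filename=""" & profileXml & """ interface=""" & iface & """"

' Step 4: import the EAP user credentials for all users (on Windows 7 this needs KB976210).
Run "netsh lan set eapuserdata filename=""" & userDataXml & """ allusers=yes interface=""" & iface & """"

' The credential XML holds a domain password in clear text (see the note in 2.1.1);
' once imported it is no longer needed, so optionally remove it from disk.
If args.Exists("cleanup") Then fso.DeleteFile userDataXml, True

' Step 5: request a DHCP lease and confirm an IPv4 address other than APIPA was obtained.
shell.Run "ipconfig /renew", 0, True
Dim line, addr, gotLease
gotLease = False
For Each line In Split(Capture("ipconfig"), vbCrLf)
    ' English-language output, e.g. "   IPv4 Address. . . . . . . . . . . : 10.1.2.3"
    If InStr(line, "IPv4 Address") > 0 Then
        addr = Trim(Mid(line, InStrRev(line, ":") + 1))
        If Left(addr, 8) <> "169.254." Then gotLease = True
    End If
Next
If Not gotLease Then
    WScript.Echo "No IPv4 lease obtained: 802.1x authentication or DHCP failed."
    WScript.Quit 1
End If
WScript.Echo "802.1x user-based authentication configured; DHCP lease obtained."
]]></script>
</job>
```

A non-zero exit code from the script surfaces the failure in the task sequence log, so a missing certificate or a rejected credential is visible rather than manifesting as a later download timeout.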

2.2.2 Integration in Lite Touch Deployment (MDT)

The first step is to copy the folder X:\8021x from WinPE to a temporary location on the C: drive of the computer, for example C:\Windows\Temp\8021x. This step must be launched once the operating system has been applied, and before the computer reboots. Below you can see an example of how I have achieved this. The task "Copy Files 802.1X" runs a script that copies the folder:


The 802.1x user-based authentication should occur before launching the task sequence. In MDT Lite Touch the task sequence is resumed once the autologon happens, as configured in the Unattend.xml file. The exact step where this auto-start of the task sequence is configured is in the node “oobeSystem” \ “Microsoft-Windows-Shell-Setup”. For example:


If we follow the same philosophy as before, in order to introduce a new step we need to add our own script here. Assuming that the script is called “C:\Windows\Temp\8021X\Configure8021XUser.wsf”, an example is shown below:


You should remember to include in the task sequence an additional task that deletes this folder once the deployment completes. This is important because the XML file that is saved there contains the credentials of a valid Active Directory user account.

2.2.3 Integration in Zero Touch Deployment (SCCM + MDT)

As before, the first step is to copy the folder X:\802.1x that WinPE contains to the temporary location, for example “c:\Windows\Temp\8021X”. This step must be launched once the operating system has been applied, and before the computer reboots. For this, I have used the task “Copy Files 802.1X” as shown below:


The user-based 802.1x authentication should occur before any task sequence is launched. In SCCM + MDT the task sequence is launched in the background, before any logon window is even presented on the desktop. Because of this, using the steps detailed previously (the node oobeSystem \ Microsoft-Windows-Shell-Setup \ FirstLogonCommands) will not work. Instead, your configuration script should be placed here:

“<settings pass="specialize"> \ <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> \ <RunSynchronous>”

Once completed, assuming that the script is called “C:\Windows\Temp\8021X\Configure8021XUser.wsf”, the Unattend.xml file will look like the one shown below:


You should remember to include in the task sequence an additional task that deletes this folder once the deployment completes. This is important because the XML file that is saved there contains the credentials of a valid Active Directory user account.