Windows 7 Deployment Procedures in 802.1X Wired Networks

Windows 7 Deployment Procedures in 802.1X Wired Networks Lite Touch and Zero Touch 27.02.2013 Version 0.1 Draft Prepared by David Marín Hebra Consultant THE PROCEDURES DESCRIBED IN THIS DOCUMENT ARE CURRENTLY UNSUPPORTED BY MICROSOFT, AND ARE THE RESULT OF WORK

Revisions and Signatures Registry of Changes Date Author Version Reference 02/03/2010 David Marín 0.1 Draft Initial Version Reviewers Name Approved Version Position Date Página 1

Table of Contents 1 Introduction... 3 2 Procedures... 4 2.1 WinPE Phase... 4 2.1.1 Requirements... 4 2.1.2 Procedure... 1 2.1.3 Integration in Lite Touch Deployment (MDT)... 2 2.1.4 Integration in Zero Touch Deployment (SCCM + MDT)... 4 2.2 Windows 7 Phase... 5 2.2.1 Procedure... 5 2.2.2 Integration in Lite Touch Deployment (MDT)... 7 2.2.3 Integration in Zero Touch Deployment (SCCM + MDT)... 9 Página 2

1 Introduction Traditionally, Microsoft operating system deployment has always had a very important blocker, installation across 802.1x wired networks. Consequently, in any company that used a wired 802.1x network it has never been possible to deploy desktops from Distribution Points with the old BDD Business Desktop Deployment and the new MDT Microsoft Deployment Toolkit (Lite Touch). Neither was it possible from SMS 2003 nor SCCM 2007 Infrastructure (Zero Touch). The only solution was based on implementing network segments not secured by 802.1x authentication, in which the desktops were first deployed, and then moved to their final 802.1x VLANs. Customers really didn t like this approach and they didn t really consider it as an acceptable workaround. The principal cause of this problem has always been that WinPE never offered support for 802.1x authentication, consequently complicating any deployment projects. However, in December of 2009, the WinPE product group developed and published the necessary add-ins for versions 2.1 and 3.0 of WinPE; available here: WinPE 2.1: http://support.microsoft.com/kb/975483 WinPE 3.0: http://support.microsoft.com/kb/972831 I have personally been waiting for this support for years, in order to be able to help large companies with their operating system deployment projects, which were until now on hold because of this problem. So, when the support engineers emailed me the other day to notify me of the release of these hotfixes, they made my life professionally, anyway However, it was not all roses. The problem I next encountered was that I soon realized that, in order to make it play nicely, the process was rather more complex that I originally thought. It took a large effort on my part through all the testing and debugging. As a consequence, I want to share with everyone the required steps in order to take the pain out of the implementation. This document describes all the required steps for implementation, for both LiteTouch (LTI) and ZeroTouch (ZTI) with SCCM. Página 3

2 Procedures As an introduction, I ll start by explaining that in order for the client computers to be able to connect to an 802.1x network, they will need to authenticate themselves in one of two ways: User based: A user name and password is required. Machine based: A machine certificate is necessary; typically this is received when the computer joins the domain. Following on from this, the problem of deploying automatically a computer to an 802.1x network and subsequently into a domain can be divided into two parts: WinPE phase: Firstly, we need WinPE to launch the deployment and process the first part of the MDT or SCCM OSD task sequence (for example: create and format partitions, install the operating system image file etc.). WinPE needs to authenticate itself on the network (normally receiving an IP from DHCP in the process). Because WinPE cannot belong to an Active Directory domain, this part of the process requires user-based authentication using the valid credentials of a domain user. Windows 7 Phase: Once WinPE is granted access to the network, and the operating system image has been installed, the next step of the deployment will be the first boot-up of Windows 7. Once booted, the MDT or SCCM Task Sequence will be initialized on Windows 7 in order to continue with the deployment process. However, this phase can only continue if the operating system is granted access on the 802.1x network so that Windows 7 can connect to the MDT or SCCM servers. Normally, in these cases, in order to obtain access to the cabled network to be able to join the computer to the domain, the computer needs to firstly configure itself to use user-based authentication, providing a valid domain username and password (normally a pop-up window appears requesting credentials manually). Afterwards, once joined to the domain, the computer will receive the necessary certificates and configurations so that the authentication mode can be changed automatically to machine-based, using certificates. The fundamental task here is to automatically configure the user-based authentication by providing the necessary credentials upon boot of Windows 7, and before any deployment task in the task sequence is run. 2.1 WinPE Phase In this section, I ll explain firstly the requirements and then the steps needed to configure WinPE 3.0 with 802.1x support. 2.1.1 Requirements 1. The initial step is to obtain the relevant Hotfix that provides the 802.1x support for WinPE from the Microsoft website. For this exercise, we need the file Windows6.1-KB972831- x86.cab. Página 4

2. The next step is to configure an already installed Windows 7 computer to have access to the 802.1x network using user-based authentication that you want to use with WinPE. The network administrator can provide the necessary information, an example is shown below: 3. Following on, the authentication profile needs to be exported to an XML file. For this, you use the following netsh command: a. netsh lan export profile folder=d:\8021xuser interface="local Area Connection" This will create the file D:\8021XUser\Local Area Connection.xml that contains the 802.1x user-based authentication profile. Página 5

4. For the above example, two certificates are also required from the Root Certificate Authority (CA). As shown in the earlier screenshots: a. CATest1.cer b. CATest2.cer 5. Valid domain user credentials are now required. For example: a. Domain: Contoso b. User: User8021X c. Password: Password8021X 6. On the next page, you ll see the contents of an XML file. You need to take this text and paste it into Notepad, and save it as Wired-WinPE-UserData-PEAP-MSChapv2.xml. In this file, you will need to place the above credentials. Note: It is important that you understand the security implications of placing the credentials of a valid Active Directory user account in this XML file, which is ultimately available for anyone to read (assuming that they know where to look). The necessary measure should be taken to ensure that security is maintained. The contents of the file will be similar to what is shown next: Página 6

COMPLETED SOLELY AND EXCLUSIVELY BY THE AUTHOR. PLEASE DO NOT CONTACT MICROSOFT SUPPORT FOR ANY HELP WHATSOEVER <?xml version="1.0"?> <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/eaphostusercredentials" xmlns:eapcommon="http://www.microsoft.com/provisioning/eapcommon" xmlns:baseeap="http://www.microsoft.com/provisioning/baseeapmethodusercredentials"> <EapMethod> <eapcommon:type>25</eapcommon:type> <eapcommon:authorid>0</eapcommon:authorid> </EapMethod> <Credentials xmlns:eapuser="http://www.microsoft.com/provisioning/eapuserpropertiesv1" xmlns:xsi="http://www.w3.org/2001/xmlschemainstance" xmlns:baseeap="http://www.microsoft.com/provisioning/baseeapuserpropertiesv1" xmlns:mspeap="http://www.microsoft.com/provisioning/mspeapuserpropertiesv1" xmlns:mschapv2="http://www.microsoft.com/provisioning/mschapv2userpropertiesv1"> <baseeap:eap> <baseeap:type>25</baseeap:type> <MsPeap:EapType> <MsPeap:RoutingIdentity>Contoso\User8021X </MsPeap:RoutingIdentity> <baseeap:eap> <baseeap:type>26</baseeap:type> <MsChapV2:EapType> <MsChapV2:Username>User8021X</MsChapV2:Username> <MsChapV2:Password>Password8021X</MsChapV2:Password> <MsChapV2:LogonDomain>Contoso</MsChapV2:LogonDomain> </MsChapV2:EapType> </baseeap:eap> </MsPeap:EapType> </baseeap:eap> </Credentials> </EapHostUserCredentials> Página 1

7. From a Windows 7 machine with the same architecture as the WinPE that it is being planned to build (x86 or amd64), we save the files using the Certutil utility: a. C:\Windows\System32\Certutil.exe b. C:\Windows\System32\en-US\Certutil.exe.mui 8. Finally it is necessary to use a machine with the Microsoft Windows AIK v2.0 installed. 2.1.2 Procedure 2.1.2.1 Offline Part (WinPE WIM) On the machine with the WAIK 2.0 installed, generate a WinPE instance, or use an already generated WinPE. Follow the following steps: 1. Mount the WinPE WIM file to a folder on the file system so that the 802.1x Hotfix can be applied to the image. Typically the following commands are used from the WAIK command prompt: a. dism /mount-wim /WimFile:C:\CustomPEx86\winpe.wim /index:1 /mountdir:c:\mount b. dism /image:c:\mount /add-package /PackagePath:"F:\802.1X\Fix\Windows6.1- KB972831-x86.cab" 2. Following on, the Certutil utility files need to be copied to their corresponding folders in the mounted image: a. Certutil.exe c:\mount\windows\system32 b. Certutil.exe.mui c:\mount\windows\en-us 3. A new folder (For Instance: c:\mount\8021x ) should be created in the root of the WinPE image, where the necessary files for the 802.1x functionality need to be copied. These are: a. Root CA Certificates CATest1.cer and CATest2.cer b. 802.1x user-based authentication profile file Local Area Connection.xml c. XML file which contains the 802.1x user-based authentication profile credentials Wired-WinPE-UserData-PEAP-MSChapv2.xml 4. Finally the WinPE WIM file should be unmounted, committing the changes: a. dism /unmount-wim /MountDir:C:\mount /commit 2.1.2.2 Online Part (Already Booted WinPE) A test machine should now be used, which you need to boot into WinPE with the image file that you just modified. Once booted, enter the following commands into the command prompt window that automatically opens. These steps will configure the user-based authentication. Página 1

1. Start the service Wired AUTOCONFIG (DOT3SVC) Service. This service is absolutely necessary for IEEE 802.1x authentication. It is strange, but in WinPE 3.0 and Windows 7 this service has a configuration of MANUAL, instead of AUTOMATIC. a. net start dot3svc 2. The next step is to import the necessary Root CA Certificates: a. x:\windows\system32\certutil.exe -addstore root x:\8021x\catest1.cer b. x:\windows\system32\certutil.exe -addstore root x:\8021x\catest2.cer 3. Now it is the time to import the 802.1x user-based authentication profile: a. netsh lan add profile filename="x:\8021x\ Local Area Connection.xml " interface="local Area Connection" 4. Afterwards the XML file which contains the 802.1x user-based authentication profile credentials should be imported: a. netsh lan set eapuserdata filename=x:\8021x\wired-winpe-userdata-peap- MSChapv2.xml allusers=yes interface="local Area Connection" 5. After all the previous steps are completed, the 802.1x user-based authentication should have been successfully established an IP address from a DHCP Server should have been obtained. You can double-check this with the following command: a. Ipconfig /renew Obviously once you ve tested the successful 802.1x user-based authentication process; it would be advisable to build a script in order to automate all the steps that have been just detailed. Once automated, the user-based 802.1x authentication process must be integrated into the WinPE Boot processes implemented by MDT (Lite Touch Deployment) and SCCM + MDT (Zero Touch Deployment). 2.1.3 Integration in Lite Touch Deployment (MDT) There are several different ways of adding custom commands to the Boot Process of WinPE. First, I ll explain how to do it for MDT Lite Touch: The file x:\windows\system32\winpeshl.ini controls the WinPE boot process. By default, it contains the following lines: Página 2

In Lite Touch Deployments the executable BDDRun.exe is the one that launches the set of actions that occur in WinPE during the deployment process. BDDRun.exe will initialize WinPE and after that it will execute synchronously the commands that appear in the file X:\Unattend.xml. This file by default contains: So that the script X:\Deploy\Scripts\Litetouch.wsf will be launched and with it the Deployment Wizard and the Deployment Task Sequence will also be run. Therefore, if we want to follow the same philosophy as the default WinPE boot process for MDT Lite Touch deployments, in order to add a script that launches all the steps described previously in this document to configure the 802.1X user authentication (assuming that this script is called X:\8021x\Configure8021XUser.wsf ) just before the execution of the deployment wizard and global process, you need to change the X:\Unattend.xml file as shown below: Página 3

2.1.4 Integration in Zero Touch Deployment (SCCM + MDT) As mentioned earlier, there are different ways to include custom commands in the WinPE boot process. Let s now look at the default WinPE boot process in Zero Touch Deployments (SCCM + MDT): For SCCM, the file x:\windows\system32\winpeshl.ini, controls the boot process: So the first process launched in WinPE will be TSBootShell.exe, which will initialize WinPE and start the Deployment Process, calling in turn other executables from folder X:\sms\bin\i386. From that moment on it is not easy to follow the process flow in WinPE because we have several executables calling each other to complete the Deployment task sequence. Hence, if we want to follow the same philosophy as the default WinPE boot process for Zero Touch (SCCM + MDT) deployments, in order to add a script that launches all the steps described previously Página 4

in this document to achieve the 802.1X user authentication (assuming that the script is called X:\8021x\Configure8021XUser.wsf ), just before the execution of the global deployment process you need to change the x:\windows\system32\winpeshl.ini file as shown below: NOTES: o o You can see that the first process to be launched will be WPEInit.exe in order to initialize WinPE network subsystem. After that it will be the 802.1x authentication script. In the last step TSBootShell will be given control to implement the Deployment process. It is important to understand the syntax of the commands in this file. The executable and its parameters are all together, separated by, commas: o %SYSTEMDRIVE%\Windows\System32\wscript.exe, %SYSTEMDRIVE%\8021X\CUSTOM_WinPEConfigure8021X.wsf 2.2 Windows 7 Phase Once the Windows 7 operating System image has been installed on the computer, it will boot. At this point it s necessary for it to be granted access on the 802.1x network in order to launch and continue with the deployment task sequence in MDT or SCCM + MDT. Due to the fact that it doesn t belong to the domain yet, authentication will first be user-based so that the computer can connect to the MDT or SCCM server in order to continue with the task sequence. In this task sequence, you need to add an additional task so that, once the computer is in the domain, the authentication mode can be switched to machine-based. This can be achieved using an Active Directory GPO, or directly via a task in the task sequence (importing an authentication profile that was previously exported from a reference machine). 2.2.1 Procedure The content of the folder that was added to the earlier modified WinPE image ( X:\8021x ) is needed. This folder contains the necessary files for the 802.1X authentication. These are: 1. Root CA Certificates CATest1.cer y CATest2.cer 2. 802.1x user-based authentication profile file Local Area Connection.xml 3. XML file which contains the 802.1x user-based authentication profile credentials Wired- WinPE-UserData-PEAP-MSChapv2.xml Página 5

You will need to add a task to the task sequence so that this folder is copied from the X: drive to the local C: drive. This task should be actioned in the WinPE phase once the operating system image is applied, and before the computer restarts. The folder could be copied to a temporary location, such as C:\Windows\Temp\8021x. Once all the files are available, the user-based authentication process in Windows 7 will be quite similar to the one in WinPE (Online Part): 1. First of all, the service Wired AUTOCONFIG (DOT3SVC) Service will be started. Sample command could be: a. net start dot3svc NOTE: It is highly recommended to change the Configuration of this Service from MANUAL to AUTOMATIC, using a vbs script or any other mechanism. 2. The next step will be to import the necessary Root CA Certificates: a. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest1.cer b. C:\windows\system32\certutil.exe -addstore root C:\Windows\Temp\8021X\CATest2.cer NOTE: The CertUtil utility is part of Windows 7. If you prefer, these Root CA Certificates could also be included as part of the Windows 7 corporate Image. 3. Afterwards the XML file which contains the 802.1x user-based authentication profile credentials needs to be imported: c. netsh lan add profile filename="c:\windows\temp\8021x\ Local Area Connection.xml " interface="local Area Connection" 4. Afterwards the XML file which contains the 802.1x user-based authentication profile credentials needs to be imported: d. netsh lan set eapuserdata filename=c:\windows\temp\8021x\wired-winpe- UserData-PEAP-MSChapv2.xml allusers=yes interface="local Area Connection" VERY IMPORTANT NOTE: At this point (4) I should point out that Microsoft client operating systems (Windows 7, Windows Vista, Windows XP) do not support Out-of-the-box this method to import 802.1x credentials. The normal behavior is that, once the user-based authentication profile is configured, a popup window appears asking for credentials. However, a new Hotfix for Windows 7 has been developed that allows of this method to import the 802.1x user-based authentication profile credentials. More information in this article: o You cannot connect to an 802.1x wired network when you run an automated build process http://support.microsoft.com/kb/976210 Página 6

In conclusion, it is absolutely necessary that the reference Windows 7 image (WIM) that will be deployed to computers includes this hotfix that will allow the execution of the command in point 4. 5. After all these previous steps, the 802.1x user-based authentication should have been successfully configured and it has been possible to get an IP address from a DHCP Server. Sample command could be: a. Ipconfig /renew As before, once you have tested this part, you can automate it with a script and include it in the task sequence for integration with MDT (Lite Touch) y SCCM + MDT (Zero Touch). 2.2.2 Integration in Lite Touch Deployment (MDT) The first step is to copy the folder X:\8021x from WinPE to a temporary location on the C: on the computer, for example: C:\Windows\Temp\8021x. This step must be launched once the operating system has been applied, and before the computer reboots. In the below example, you can see an example of how I have achieved this. The task Copy Files 802.1X runs a script that copies the folder: The 802.1x user-based authentication should occur before launching the task sequence. In MDT LiteTouch the task sequence is continued once the autologon happens, as configured in the Página 7

Unattend.xml file. The exact step where this auto-start of the task sequence is configured is in the node oobesystem" \ "Microsoft-Windows-Shell-Setup". For example: If we follow the same philosophy as before, in order to introduce a new step, we need to add our own script here. Assuming that the script is called C:\Windows\Temp\8021X\Configure8021XUser.wsf, an example is shown below: Página 8

You should remember to include in the task sequence an additional task that deletes this folder once the deployment completes. This is important because the XML file that is saved there contains the credentials of a valid Active Directory user account. 2.2.3 Integration in Zero Touch Deployment (SCCM + MDT) As before, the first step is to copy the folder X:\802.1x that WinPE contains to the temporary location, for example c:\windows\temp\8021x. This step must be launched once the operating system has been applied, and before the computer reboots. For this, I have used the task Copy Files 802.1X as shown below: Página 9

The user-based 802.1x authentication should occur before any task sequence is launched. In SCCM + MDT the task sequence is launched in the background, before any logon window is even presented on the desktop. Because of this, using the steps detailed previously (the node oobesystem \ Microsoft-Windows-Shell-Setup \ FirstLogonCommands) will not work. Instead, your configuration script should be placed here: <settings pass="specialize"> \ <component name="microsoft-windows-deployment" processorarchitecture="x86" publickeytoken="31bf3856ad364e35" language="neutral" versionscope="nonsxs" xmlns:wcm="http://schemas.microsoft.com/wmiconfig/2002/state" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> \ <RunSynchronous> Once completed, assuming that the script is called C:\Windows\Temp\8021X\Configure8021XUser.wsf, the Unattend.xml file will look like the one shown below: Página 10

You should remember to include in the task sequence an additional task that deletes this folder once the deployment completes. This is important because the XML file that is saved there contains the credentials of a valid Active Directory user account. Página 11