[MDT-OSD] RE: Implementing 802.1x in WinPE

[Miller, Todd]

I think the answer might be to use an unattend.xml file, but I still have 
something wrong.  It doesn't appear that the script identified in the 
RunSynchronousCommand section is actuialy running.

Can anyone see a problem?

If I copy the command shown in the unattend.XML file and paste it into an 
F8-launched command window, I DO get a good IP address, but  I not sure what is 
stopping this from working.

Here is my unattend.xml file which is (I think correctly) at X:\unattend.xml 
when I F8 to a cmd prompt and get a directory of X:...

It seems like maybe unattend.xml is run on the first boot to WinPE, but maybe 
is not run on every subsequent reboot into WinPE - after the Task Sequence 
engine is estabished?  Is that possible?

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
            <settings pass="windowsPE">
                        <component name="Microsoft-Windows-Setup" 
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" 
language="neutral" versionScope="nonSxS" 
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State";>
                                    <Display>
                                                <ColorDepth>16</ColorDepth>
                                                
<HorizontalResolution>1024</HorizontalResolution>
                                                <RefreshRate>60</RefreshRate>
                                                
<VerticalResolution>768</VerticalResolution>
                                    </Display>
                                    <RunSynchronous>
                                                <RunSynchronousCommand 
wcm:action="add">
                                                            
<Description>Configure8021x</Description>
                                                            <Order>1</Order>
                                                            <Path>wscript.exe 
x:\sms\pkg\sms10000\deploy\scripts\Connect8021x.wsf</Path>
                                                </RunSynchronousCommand>
                                    </RunSynchronous>
                        </component>
            </settings>
</unattend>



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller, Todd
Sent: Friday, October 23, 2015 11:21 AM
To: mdt...@lists.myitforum.com
Subject: [MDT-OSD] Implementing 802.1x in WinPE

I am working through getting my deployment process to work on 802.1x enabled 
secured ports.  Environment = SCCM 2012 R2 CU4, MDT 2013 not U1, WinPE 5.1 
64bit, OSD with MDT integrated, deploying Win7x64.

We use USB boot sticks not PXE  and for the moment I am only concerned with 
bare metal deployments.


According to the document "Windows 7 Deployment Procedures in 802.1X Wired 
Networks" 
HERE<http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAAahUKEwjq3vDT-9jIAhVCSiYKHXlaCvY&url=http%3A%2F%2Fblogs.technet.com%2Fcfs-filesystemfile.ashx%2F__key%2Ftelligent-evolution-components-attachments%2F01-6127-00-00-03-31-62-58%2FWindows-7-Deployment-Procedures-in-802-1X-Wired-Networks.pdf&usg=AFQjCNGYlqsG2B6LkR6HQrumdZAoF8stCg&sig2=4YNHSf0zoISXQVag_VxALg>.
 The solution requires me to update winpeshl.ini which I think I cannot do with 
MDT.  Changes I make to the source WinPE.wim get overwritten when the MDT 
process builds winpe.xxx00000.wim.    Of course I could them crack open THAT 
wim and edit winpeshl.ini, but I'd have to do it every time the boot image is 
rebuilt which is not infrequently and also that seems kind of "hacky".



Is there a better way other than WinPEshl.ini to ensure a VBScript runs every 
time WinPE starts up and can be automated with MDT/OSD?  I see that some 
suggest to edit the OSDInjection.xml file to copy my modified winpeshl.ini 
instead... Is that the "best" solution?





It seems weird that that Microsoft document which references MDT and ZTI would 
suggest editing the winpeshl.ini file when they know (or should know) that the 
MDT boot disk creation process doesn't allow that.



I did add a call to the VBScript to my pre-execution hook script and that works 
great.  Of course pre-execution hooks are only called on the very first boot 
into WinPE and not called on subsequent boots once the TS is established.




I know there are options like USB->Ethernet adapters with whitelisted MAC 
addresses or building new computers on unsecured ports. Not looking for those 
suggestions at the moment.  Also concerned wirth the WinPE part only right now. 
 I think I have the instructions for what happens once we reboot into the full 
OS figured out.


________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the 
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and 
may be legally privileged.  If you are not the intended recipient, you are 
hereby notified that any retention, dissemination, distribution, or copying of 
this communication is strictly prohibited.  Please reply to the sender that you 
have received the message in error, then delete it.  Thank you.
________________________________


________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the 
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and 
may be legally privileged.  If you are not the intended recipient, you are 
hereby notified that any retention, dissemination, distribution, or copying of 
this communication is strictly prohibited.  Please reply to the sender that you 
have received the message in error, then delete it.  Thank you.
________________________________