Configuring 802.1x Authentication for Windows Deployment – Part 3 – Integrating 802.1x Authentication into a Bare Metal Task Sequence

This is Part 3 in my Configuring 802.1x Authentication for Windows Deployment series. Be sure to check out all of the other parts here.

You will need all of the files you created in Part 1 for this part.

During a Bare Metal/Wipe & Load OSD Task Sequence, the Task Sequence starts in WinPE and copies down the OS installation files. Once Windows has been installed, the Task Sequence boots out of WinPE and into the new OS. WinPE doesn’t pass any of the authentication information to the new OS, so you will need to re-authenticate with 802.1x. To accomplish this, you need to copy your 802.1x authentication script down locally and add an entry to your Unattend.XML that launches the script during the correct pass of Windows Setup.

Unattend.XML

You can edit your Unattend.XML using the Windows System Image Manager (WSIM) that’s part of the Windows ADK, or you can edit it manually. The script needs to run during the specialize pass.

After loading your OS media into WSIM, follow the steps below to add the command line for your 802.1x authentication script.

Add the following as the Path. It should point to the location where you will copy your auth package in the next step.

cmd /c C:\Temp\ImportComputerAuthProfile.bat

This is what the resulting XML should look like.

<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunAsynchronous>
                <RunAsynchronousCommand wcm:action="add">
                    <Path>cmd /c C:\Temp\ImportComputerAuthProfile.bat</Path>
                    <Order>2</Order>
                    <Description>Import Computer Auth Profile</Description>
                </RunAsynchronousCommand>
            </RunAsynchronous>
        </component>
    </settings>
</unattend>

Adding everything to your Bare Metal Task Sequence

Create a new Package in ConfigMgr and include all of your script files in the package. Then add a new Run Command Line Task Sequence step before the Install Operating System step. Set the Package source to the new package you created.

The path in this command line needs to match the path in the Unattend.XML file.

xcopy.exe ".\*.*" c:\Temp\ /E /C /I /Q /H /R /Y /S
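As an added example (not part of the original post), the following PowerShell check parses the Unattend.XML and confirms that every command registered for the specialize pass points into the staging folder that the xcopy step populates, and that the referenced script actually exists in the package source. The file and folder names are assumptions; adjust them to your own package.

```powershell
# Added example, not from the original post. Checks that the command lines in
# Unattend.XML match the files staged by the xcopy step in the task sequence.
# Assumed paths (change to your own): the Unattend.XML being edited, the
# ConfigMgr package source folder, and the staging folder used by xcopy.
$UnattendPath = '.\Unattend.xml'
$PackageRoot  = '.\Auth8021xPackage'
$StagingRoot  = 'C:\Temp'

[xml]$unattend = Get-Content -Path $UnattendPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($unattend.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

# Every command registered for the specialize pass, whether it was added under
# RunSynchronous or RunAsynchronous.
$xpath = "//u:settings[@pass='specialize']//u:RunSynchronousCommand" +
         " | //u:settings[@pass='specialize']//u:RunAsynchronousCommand"
$commands = $unattend.SelectNodes($xpath, $ns)
if ($commands.Count -eq 0) {
    Write-Warning 'No specialize-pass commands found; the 802.1x script will not run.'
}

foreach ($cmd in $commands) {
    $mode = $cmd.ParentNode.LocalName      # RunSynchronous or RunAsynchronous
    $path = [string]$cmd.Path
    # Drop a leading 'cmd /c' so only the script path remains.
    $script = ($path -replace '^\s*cmd(\.exe)?\s+/c\s+', '').Trim().Trim('"')
    Write-Output ("[{0}] Order {1}: {2}" -f $mode, $cmd.Order, $path)

    if (-not $script.StartsWith($StagingRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Command does not reference $StagingRoot; the xcopy target and the Unattend.XML path disagree."
        continue
    }
    # Map C:\Temp\<file> back to the package source and confirm the file is there.
    $relative = $script.Substring($StagingRoot.Length).TrimStart('\')
    $source   = Join-Path -Path $PackageRoot -ChildPath $relative
    if (Test-Path -LiteralPath $source) {
        Write-Output "  OK: $relative is present in the package source."
    } else {
        Write-Warning "  $relative is missing from $PackageRoot; setup would fail to launch it."
    }
}
```

Run it from the folder holding the edited Unattend.XML before you distribute the package; the output also tells you whether each command was added under RunSynchronous or RunAsynchronous.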

That’s it for your Bare Metal Task Sequence. If you’ve been following the steps and testing, you should be able to complete a Bare Metal build using Computer Authentication on an 802.1x protected network.

Part 4 Covers In-Place Upgrades


3 Comments

  • Valera, June 11, 2019 at 7:19 am

    Hi, thanks for this guide. It’s really helpful.
    I’m stuck at the change between WinPE and Windows 10.

    Everything works as you described it. But at the first restart, the script from the unattend.xml (ImportComputerAuthProfile.bat) starts (a CMD window appears). At the same moment, Windows restarts the machine, but I don’t know why. Windows doesn’t wait until the script runs to the end. After this restart, the TS is stuck forever on the “Please wait” screen.
    Why doesn’t the system wait until the script has run completely?
    I’ve tried it with another script, which times out for 2 minutes. Here the system doesn’t wait either and restarts the machine after 1-3 seconds.

    I’ve done everything like you described it. Do you have any idea what I did wrong? Sorry for the bad English… :/

  • Ben, August 31, 2019 at 8:49 pm

    Thanks for the guide!

    I too am stuck with the batch script running during OOBE but closing after importing the certificates. I have added echo logging steps, so I am pretty sure that the script is being force-closed before all the steps have executed. I am attempting to integrate this solution into a Windows x64 1809 Enterprise build, if that makes any difference.

    Any advice or suggestions would be greatly appreciated as I have been at this for a couple of days now without any progress.

    Cheers

    Ben

  • Ben, September 1, 2019 at 3:49 am

    I think I answered my own question…

    The command line defined in the unattend.xml has to be run synchronously, not async.

    https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runsynchronous-runsynchronouscommand
