Added support for 802.1x in Windows PE


EDIT:  This topic has now been blogged in detail here.


 


Since the dawn of time, Windows PE (WinPE) has not had any support for the 802.1x authentication protocol. This meant that any network deployment of Windows via a network secured with 802.1x was a non-starter, causing headaches for a few of my customers; I actually had one customer that ran new network cables to a majority of the desks in order to be able to deploy Windows XP over the network.


However, thanks in part to a colleague of mine who worked on this, Microsoft has released hotfixes that now add 802.1x support to both WinPE 2.1 and WinPE 3.0. You can get the hotfixes and further information at the below links:


WinPE 2.1: http://support.microsoft.com/kb/975483


WinPE 3.0: http://support.microsoft.com/kb/972831


I wanted to share the links now, but in the near future I will write up a post on how to use these hotfixes in your deployments.


 


This post was contributed by Daniel Oxley, a consultant with Microsoft Consulting Services Spain.


Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

Comments (16)

  1. Anonymous says:

    @Nick – if you note, you have to request the hotfix from Microsoft support in order to download it.  This is because it is not part of the standard components for WinPE and can be complicated to implement.

    The reason that I have not posted a guide for it yet is that I am still working on it.  It is important to get it right first time, and make it easy to understand.  Unfortunately, work commitments provide me little free time at the moment to work on this (and blogging is something we do in our free time).  Rest assured, that the article will be posted soon.

    @Trevor – 802.1x support was added to WinPE because there were multiple requests made for it, as it was a specific business scenario that our customers had.  The failure to deploy computers over a network was an issue that was being experienced by many customers.

    Please remember that WinPE is purely an environment used for deploying Windows; consequently, the .NET framework is not included.  I can’t comment on whether it will be in future versions or not, but if enough customers require it then, assuming that they discuss it with support, a hotfix may very well be provided.

    HTH,

    Daniel

  2. Anonymous says:

    First of all, I want to apologise for the lack of responses from me.  I need to fix this!

    I have not neglected this topic, but as you’ll see soon, this is a rather complicated and long article to write as it covers many topics and areas that can be quite difficult.

    It has taken me a lot longer to get all of the information together, and a lot of the process has been defined through sheer trial and error.  Also, given the fact that I can’t test this all in Hyper-V – the publishing of the post has gotten delayed.

    I am hoping to publish the post this week or early next week, I need to finish going through it and also test all the steps first to make sure it is right.

    Again, apologies for the delay,

    Daniel

  3. Zac H says:

    OMG, this is the best news I’ve heard all year.  I can’t wait for your followup article!  This will make my job about a thousand times easier.

  4. Nick Lowe says:

    Just wondering, how is it that a KB article is published and a Hotfix made available all in lieu of -any- documentation!?

  5. JR says:

    We are still eagerly awaiting Microsoft to show us how it works.  In ConfigMgr 2007 OSD would be really handy.  

  6. Trevor Sullivan says:

    So, Microsoft spent time working on 802.1x support for WinPE, but remains completely silent on supporting PowerShell / .NET in WinPE?

    Smooth …

  7. Nick Lowe says:

    Daniel,

    I was intimating that I felt that Microsoft should have held these hotfixes back until such time that it could provide proper documentation with them, in an official manner.

    In lieu of it, they are practically useless.

    Nothing to do with your blogging, or the documentation that you personally are working on :)

    (I feel, quite strongly, that Microsoft shouldn’t expect people to have to scour blog posts for the requisite information to use a feature in your products.)

  8. Andrew says:

    Extremely eager to read through this documentation…

  9. Adam Blake says:

    Hey all,

    Any chance of getting sight of documentation?

    Rgrds,

    Adam

  10. Mike says:

    Microsoft has draft documents for configuring this. I opened a premier support ticket and they sent them to me in an unfinished state. I’m still trying to get it working.

  11. Nick Lowe says:

    Mike – Assuming you’re not under any form of NDA etc, would there be any chance you could put a copy of them up somewhere?

  12. Bjorn Johansson says:

    I don’t see how this WinPE fix can help 802.1x auth unless you create a WinPE disk. Then it’s not really PXE-boot either, as you boot from a disk or USB.

    When a client tries to connect through an 802.1x enabled port, after you press F12, it sends out a Bootp request to the IP address of the ftp-server where it can download the new image, incl WinPE. However, the client doesn’t get an IP address because of the EAPOL authentication. The client has nothing to ID itself with, except for the MAC-address. Hence, this will not fix 802.1x support for PXE boot. Or have I missed out on something?

  13. Najam says:

    Hi Daniel:

    If the documentation is not ready, could you please guide me on where I should install this update? We have Windows 2008 WDS; should I install it on this server? If yes, it couldn’t be installed. Kindly tell us some basic installation or configuration tips or guidance.

  14. Herbert says:

    I have to agree with Bjorn Johansson, unless something is not being described here. How do we get to WinPE? You need an IP address first before you get WinPE to boot. Can you shed more light on that one? How do I get an address unless I am authenticated first?