The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0

Introduction

Windows Preinstall Environment (PE) 3.0 does not support the IEEE 802.X authentication protocol. Therefore, the Windows PE 3.0 client cannot authenticate a switch that is configured for IEEE 802.X authenticated network access.

More Information

After you apply this hotfix, Windows PE 3.0 supports the IEEE 802.X authentication protocol. Note 802.1X authentication is not supported when you start Windows PE from the following:

Microsoft System Center Configuration Manager 2007 Operating System Deployment
Microsoft Deployment Toolkit

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

There are no prerequisites to install this hotfix.

Registry information

To use one of the hotfixes in this package, you do not have to make any changes to the registry.

Hotfix replacement information

This hotfix does not replace any other updates or hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x86-based versions of Windows PE 3.0

File name	File version	File size	Date	Time	Platform
Dot3cfg.dll	6.1.7600.20541	82,432	05-Oct-2009	05:51	x86
Dot3api.dll	6.1.7600.20541	91,136	05-Oct-2009	05:51	x86
Dot3dlg.dll	6.1.7600.20541	47,104	05-Oct-2009	05:51	x86
Dot3msm.dll	6.1.7600.20541	115,200	05-Oct-2009	05:51	x86
Dot3svc.dll	6.1.7600.20541	214,016	05-Oct-2009	05:51	x86
Report.system.netdiagframework.xml	Not Applicable	29,356	22-Jul-2009	23:04	Not Applicable
Report.system.wired.xml	Not Applicable	19,290	22-Jul-2009	23:04	Not Applicable
Rules.system.netdiagframework.xml	Not Applicable	57,286	22-Jul-2009	23:04	Not Applicable
Rules.system.wired.xml	Not Applicable	40,902	22-Jul-2009	23:04	Not Applicable
Onex.dll	6.1.7600.20541	199,168	05-Oct-2009	05:51	x86
Onexui.dll	6.1.7600.20541	1,111,552	05-Oct-2009	05:51	x86

For all supported x64-based versions of Windows PE 3.0

File name	File version	File size	Date	Time	Platform
Dot3cfg.dll	6.1.7600.20541	69,120	05-Oct-2009	06:41	x64
Dot3api.dll	6.1.7600.20541	84,992	05-Oct-2009	06:41	x64
Dot3dlg.dll	6.1.7600.20541	57,856	05-Oct-2009	06:41	x64
Dot3msm.dll	6.1.7600.20541	103,936	05-Oct-2009	06:41	x64
Dot3svc.dll	6.1.7600.20541	252,416	05-Oct-2009	06:41	x64
Report.system.netdiagframework.xml	Not Applicable	29,356	22-Jul-2009	23:23	Not Applicable
Report.system.wired.xml	Not Applicable	19,290	22-Jul-2009	23:23	Not Applicable
Rules.system.netdiagframework.xml	Not Applicable	57,286	22-Jul-2009	23:23	Not Applicable
Rules.system.wired.xml	Not Applicable	40,902	22-Jul-2009	23:23	Not Applicable
Onex.dll	6.1.7600.20541	235,520	05-Oct-2009	06:41	x64
Onexui.dll	6.1.7600.16385	1,080,320	14-Jul-2009	01:41	x64
Dot3api.dll	6.1.7600.20541	91,136	05-Oct-2009	05:51	x86
Dot3dlg.dll	6.1.7600.16385	47,104	14-Jul-2009	01:15	x86
Dot3msm.dll	6.1.7600.20541	115,200	05-Oct-2009	05:51	x86
Onex.dll	6.1.7600.20541	199,168	05-Oct-2009	05:51	x86
Onexui.dll	6.1.7600.20541	1,111,552	05-Oct-2009	05:51	x86

Add the update to Windows PE 3.0

The following instructions show how to add the following update to Windows PE 3.0. It does not cover any integration with System Center Configuration Manager or with other products.

972831 The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0 You must have the following files and prerequisites available or installed:

A technician computer that has the Windows Automated Installation Kit (AIK) for Windows 7 installed
394904_intl_i386_zip.exe or 394905_intl_x64_zip.exe, depending on architecture of your Windows PE image
The following VBS script and two XML files. They are located in the Script samplessection:
- StartDot3.VBS
- USERDATA-EAP-TLS.xml
- Wired-WinPE-EAP-TLS.xml
Your root certificate, saved as RootCert.cer
Any subordinate CA certificates, saved as SubCACert.cer
Your User Certificate pfx, saved as Usercert.pfx
The x86 or x64 versions of certutil.exe and certutil.exe.mui from a Windows 7-based computer, depending on architecture of your Windows PE image

NoteThe following example builds an x86 version of Windows PE.On a Windows 7-based, Windows Server 2008-based, or Windows Server 2008 R2-based computer, install the Windows 7 AIK.

On your technician computer, click Start, point to All Programs, point to Windows AIK, right-click Deployment Tools Command Prompt, and then click Run as administrator.The menu shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. By default, all tools are installed in the C:\Program Files\Windows AIK\Tools folder.
At the command prompt, run the Copype.cmd script. The script requires two arguments: hardware architecture and destination location. For example, run copype.cmd <architecture> <destination>, where <architecture> can be x86, amd64, or ia64, and <destination> is the path of the local directory. For example, run this command:

copype.cmd x86 c:\winpe_x86The script creates the following directory structure and copies all the necessary files for that architecture:

\winpe_x86\winpe_x86\ISO\winpe_x86\mount
Copy the base image (Windows PE.wim) into the \Winpe_x86\ISO\sources folder, and rename the file to boot.wim.
copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
Mount the base Windows PE image. In this step, you mount the base image to a local directory so that you can add or remove packages.
Dism /Mount-Wim /WimFile:C:\winpe_x86\ISO\sources\boot.wim /index:1 /MountDir:C:\winpe_x86\mount

Add the following packages to the image. Be aware that each command should be a single line, and the command must not wrap.Add WINPE-WMI package

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-wmi.cab"

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-wmi_en-us.cab"

Add WINPE-Scripting package

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-scripting.cab"

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-scripting_en-us.cab"

Add WINPE-HTA package

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-hta.cab"

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-hta_en-us.cab"

Extract the contents of the 394904_intl_i386_zip.exe update to the c:\972831 folder.

Add the update for 802.1X support to the image:

dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"c:\972831\Windows6.1-KB972831-86.cab"

Create a folder to contain additional files for 802.1X support. To do this, run the following command:

md C:\winpe_x86\mount\winpe
Copy certutil.exe and certutil.exe.mui from a Windows 7-based computer to the c:\winpe_x86\mount\winpe folder. These files can be found in the %windir%\system32 folder. Note You must copy the correct version of these files, based on the architecture of your Windows PE image.
Edit the Wired-WinPE-EAP-TLS.xml file, and change the following line to enter the Root CA certificate thumbprint/hash for the correct certification authority:
<TrustedRootCA>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCA>
Copy your connection profile to the Windows PE directory by using EAP-TLS:
Copy Wired-WinPE-EAP-TLS.xml C:\winpe_x86\mount\winpe

Edit the USERDATA-EAP-TLS.xml file, and change the following lines for Username and UserCert:

<eapTls:Username>contoso\username</eapTls:Username>

<eapTls:UserCert>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</eapTls:UserCert>

Copy your connection profile to the Windows PE directory by using EAP-TLS:
copy USERDATA-EAP-TLS.xml C:\winpe_x86\mount\winpe
Copy your root certificate and any subordinate CA certificates to the c:\winpe_x86\mount\winpe folder.
Copy your User Certificate pfx to the c:\winpe_x86\mount\winpe folder.
Edit StartDot3.vbs file, and change the following line:
certutil –user –p PASSWORD -importpfx \winpe\USERcert.pfx NOEXPORT,NOCHAIN
Note In this line, you must change PASSWORD to the password that was assigned to the certificate when it was exported.
Copy StartDot3.Vbs to the c:\winpe_x86\mount\winpe folder.

Edit startnet.cmd to run StartDot3.vbs automatically:

notepad C:\winpe_x86\mount\windows\system32\startnet.cmd

Add .\winpe\StartDot3.vbs after the wpeinit command, and then save the startnet.cmd file.

Unmount and commit changes to the .WIM:

Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount /Commit

Create your bootable media by using the steps that are outlined in the Windows 7 AIK Help file under the following topics:
- "To create a bootable CD-ROM"
- "To create a bootable UFD"

Script samples

Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This article assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific needs. If you have limited programming experience, you may want to contact a Microsoft Certified Partner or Microsoft Advisory Services. For more information, visit these Microsoft websites:Microsoft Certified Partners - https://partner.microsoft.com/global/30000104Microsoft Advisory Services - http://support.microsoft.com/gp/advisoryservice For more information about the support options that are available and about how to contact Microsoft, visit the following Microsoft website: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

StartDot3.VBS

‘================================
‘StartDot3.VBS
‘================================
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")

commandLine = "certutil -addstore Root \winpe\Rootcert.cer"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "certutil -addstore CA \winpe\SubCAcert.cer"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "certutil –user –p PASSWORD -importpfx \winpe\USERcert.pfx NOEXPORT,NOCHAIN"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "net start dot3svc"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "netsh lan add profile filename=\winpe\Wired-WinPE-EAP-TLS.xml"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "netsh lan set eapuserdata filename=\winpe\Wired-WinPE-UserData-EAP-TLS.xml allusers=yes interface=*"
Return  = WshShell.Run(commandLine, 0, true)

USERDATA-EAP-TLS.xml

<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
 <EapMethod>
  <eapCommon:Type>13</eapCommon:Type>
  <eapCommon:AuthorId>0</eapCommon:AuthorId>
 </EapMethod>
 <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
  <baseEap:Eap>
  <baseEap:Type>13</baseEap:Type>
   <eapTls:EapType>
    <eapTls:Username>contoso\username</eapTls:Username>
    <eapTls:UserCert>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</eapTls:UserCert>
   </eapTls:EapType>
  </baseEap:Eap>
 </Credentials>
</EapHostUserCredentials>

Wired-WinPE-EAP-TLS.xml

<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM>
  <security>
   <OneXEnforced>false</OneXEnforced>
   <OneXEnabled>true</OneXEnabled>
   <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <authMode>user</authMode>
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</EAPConfig>
   </OneX>
  </security>
 </MSM>
</LANProfile>

References

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.