Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0

The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0

View products that this article applies to.

Introduction

Windows Preinstall Environment (PE) 3.0 does not support the IEEE 802.X authentication protocol. Therefore, the Windows PE 3.0 client cannot authenticate a switch that is configured for IEEE 802.X authenticated network access.

↑ Back to the top

More Information

After you apply this hotfix, Windows PE 3.0 supports the IEEE 802.X authentication protocol.

Note 802.1X authentication is not supported when you start Windows PE from the following:
  • Microsoft System Center Configuration Manager 2007 Operating System Deployment
  • Microsoft Deployment Toolkit

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

There are no prerequisites to install this hotfix.

Registry information

To use one of the hotfixes in this package, you do not have to make any changes to the registry.

Hotfix replacement information

This hotfix does not replace any other updates or hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows PE 3.0
File nameFile versionFile sizeDateTimePlatform
Dot3cfg.dll6.1.7600.2054182,43205-Oct-200905:51x86
Dot3api.dll6.1.7600.2054191,13605-Oct-200905:51x86
Dot3dlg.dll6.1.7600.2054147,10405-Oct-200905:51x86
Dot3msm.dll6.1.7600.20541115,20005-Oct-200905:51x86
Dot3svc.dll6.1.7600.20541214,01605-Oct-200905:51x86
Report.system.netdiagframework.xmlNot Applicable29,35622-Jul-200923:04Not Applicable
Report.system.wired.xmlNot Applicable19,29022-Jul-200923:04Not Applicable
Rules.system.netdiagframework.xmlNot Applicable57,28622-Jul-200923:04Not Applicable
Rules.system.wired.xmlNot Applicable40,90222-Jul-200923:04Not Applicable
Onex.dll6.1.7600.20541199,16805-Oct-200905:51x86
Onexui.dll6.1.7600.205411,111,55205-Oct-200905:51x86
For all supported x64-based versions of Windows PE 3.0
File nameFile versionFile sizeDateTimePlatform
Dot3cfg.dll6.1.7600.2054169,12005-Oct-200906:41x64
Dot3api.dll6.1.7600.2054184,99205-Oct-200906:41x64
Dot3dlg.dll6.1.7600.2054157,85605-Oct-200906:41x64
Dot3msm.dll6.1.7600.20541103,93605-Oct-200906:41x64
Dot3svc.dll6.1.7600.20541252,41605-Oct-200906:41x64
Report.system.netdiagframework.xmlNot Applicable29,35622-Jul-200923:23Not Applicable
Report.system.wired.xmlNot Applicable19,29022-Jul-200923:23Not Applicable
Rules.system.netdiagframework.xmlNot Applicable57,28622-Jul-200923:23Not Applicable
Rules.system.wired.xmlNot Applicable40,90222-Jul-200923:23Not Applicable
Onex.dll6.1.7600.20541235,52005-Oct-200906:41x64
Onexui.dll6.1.7600.163851,080,32014-Jul-200901:41x64
Dot3api.dll6.1.7600.2054191,13605-Oct-200905:51x86
Dot3dlg.dll6.1.7600.1638547,10414-Jul-200901:15x86
Dot3msm.dll6.1.7600.20541115,20005-Oct-200905:51x86
Onex.dll6.1.7600.20541199,16805-Oct-200905:51x86
Onexui.dll6.1.7600.205411,111,55205-Oct-200905:51x86

↑ Back to the top

Add the update to Windows PE 3.0

The following instructions show how to add the following update to Windows PE 3.0. It does not cover any integration with System Center Configuration Manager or with other products.
972831 The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0
You must have the following files and prerequisites available or installed:
  • A technician computer that has the Windows Automated Installation Kit (AIK) for Windows 7 installed
  • 394904_intl_i386_zip.exe or 394905_intl_x64_zip.exe, depending on architecture of your Windows PE image
  • The following VBS script and two XML files. They are located in the Script samplessection:
    • StartDot3.VBS
    • USERDATA-EAP-TLS.xml
    • Wired-WinPE-EAP-TLS.xml
  • Your root certificate, saved as RootCert.cer
  • Any subordinate CA certificates, saved as SubCACert.cer
  • Your User Certificate pfx, saved as Usercert.pfx
  • The x86 or x64 versions of certutil.exe and certutil.exe.mui from a Windows 7-based computer, depending on architecture of your Windows PE image
NoteThe following example builds an x86 version of Windows PE.

On a Windows 7-based, Windows Server 2008-based, or Windows Server 2008 R2-based computer, install the Windows 7 AIK.  
  1. On your technician computer, click Start, point to All Programs, point to Windows AIK, right-click Deployment Tools Command Prompt, and then click Run as administrator.

    The menu shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. By default, all tools are installed in the C:\Program Files\Windows AIK\Tools folder.
  2. At the command prompt, run the Copype.cmd script. The script requires two arguments: hardware architecture and destination location.

    For example, run copype.cmd <architecture> <destination>, where <architecture> can be x86, amd64, or ia64, and <destination> is the path of the local directory.

    For example, run this command:
    copype.cmd x86 c:\winpe_x86
    The script creates the following directory structure and copies all the necessary files for that architecture:
    \winpe_x86
    \winpe_x86\ISO
    \winpe_x86\mount
  3. Copy the base image (Windows PE.wim) into the \Winpe_x86\ISO\sources folder, and rename the file to boot.wim. 
    copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
  4. Mount the base Windows PE image. In this step, you mount the base image to a local directory so that you can add or remove packages. 
    Dism /Mount-Wim /WimFile:C:\winpe_x86\ISO\sources\boot.wim /index:1 /MountDir:C:\winpe_x86\mount
  5. Add the following packages to the image. Be aware that each command should be a single line, and the command must not wrap.

    Add WINPE-WMI package 
    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-wmi.cab"

    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-wmi_en-us.cab"
    Add WINPE-Scripting package 
    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-scripting.cab"

    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-scripting_en-us.cab"
    Add WINPE-HTA package 
    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\winpe-hta.cab"

    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\winpe-hta_en-us.cab"
  6. Extract the contents of the 394904_intl_i386_zip.exe update to the c:\972831 folder.
  7. Add the update for 802.1X support to the image: 
    dism.exe /image:C:\winpe_x86\mount /add-package /packagepath:"c:\972831\Windows6.1-KB972831-86.cab"
  8. Create a folder to contain additional files for 802.1X support. To do this, run the following command: 
    md C:\winpe_x86\mount\winpe
  9. Copy certutil.exe and certutil.exe.mui from a Windows 7-based computer to the c:\winpe_x86\mount\winpe folder. These files can be found in the %windir%\system32 folder.

    Note You must copy the correct version of these files, based on the architecture of your Windows PE image.
  10. Edit the Wired-WinPE-EAP-TLS.xml file, and change the following line to enter the Root CA certificate thumbprint/hash for the correct certification authority: 
    <TrustedRootCA>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCA>
  11. Copy your connection profile to the Windows PE directory by using EAP-TLS: 
    Copy Wired-WinPE-EAP-TLS.xml C:\winpe_x86\mount\winpe
  12. Edit the USERDATA-EAP-TLS.xml file, and change the following lines for Username and UserCert: 
    <eapTls:Username>contoso\username</eapTls:Username>

    <eapTls:UserCert>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</eapTls:UserCert>
  13. Copy your connection profile to the Windows PE directory by using EAP-TLS: 
    copy USERDATA-EAP-TLS.xml C:\winpe_x86\mount\winpe
  14. Copy your root certificate and any subordinate CA certificates to the c:\winpe_x86\mount\winpe folder.
  15. Copy your User Certificate pfx to the c:\winpe_x86\mount\winpe folder.
  16. Edit StartDot3.vbs file, and change the following line: 
    certutil –user –p PASSWORD -importpfx \winpe\USERcert.pfx NOEXPORT,NOCHAIN
    Note In this line, you must change PASSWORD to the password that was assigned to the certificate when it was exported.
  17. Copy StartDot3.Vbs to the c:\winpe_x86\mount\winpe folder.
  18. Edit startnet.cmd to run StartDot3.vbs automatically: 
    notepad C:\winpe_x86\mount\windows\system32\startnet.cmd
  19. Add .\winpe\StartDot3.vbs after the wpeinit command, and then save the startnet.cmd file.
  20. Unmount and commit changes to the .WIM: 
    Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount /Commit
  21. Create your bootable media by using the steps that are outlined in the Windows 7 AIK Help file under the following topics:
    • "To create a bootable CD-ROM"
    • "To create a bootable UFD"

Script samples

Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This article assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific needs.
If you have limited programming experience, you may want to contact a Microsoft Certified Partner or Microsoft Advisory Services. For more information, visit these Microsoft websites:

Microsoft Certified Partners - https://partner.microsoft.com/global/30000104

Microsoft Advisory Services - http://support.microsoft.com/gp/advisoryservice

For more information about the support options that are available and about how to contact Microsoft, visit the following Microsoft website: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

StartDot3.VBS

‘================================
‘StartDot3.VBS
‘================================
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")

commandLine = "certutil -addstore Root \winpe\Rootcert.cer"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "certutil -addstore CA \winpe\SubCAcert.cer"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "certutil –user –p PASSWORD -importpfx \winpe\USERcert.pfx NOEXPORT,NOCHAIN"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "net start dot3svc"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "netsh lan add profile filename=\winpe\Wired-WinPE-EAP-TLS.xml"
Return  = WshShell.Run(commandLine, 0, true)

commandLine = "netsh lan set eapuserdata filename=\winpe\Wired-WinPE-UserData-EAP-TLS.xml allusers=yes interface=*"
Return  = WshShell.Run(commandLine, 0, true)

USERDATA-EAP-TLS.xml
<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
 <EapMethod>
  <eapCommon:Type>13</eapCommon:Type>
  <eapCommon:AuthorId>0</eapCommon:AuthorId>
 </EapMethod>
 <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
  <baseEap:Eap>
  <baseEap:Type>13</baseEap:Type>
   <eapTls:EapType>
    <eapTls:Username>contoso\username</eapTls:Username>
    <eapTls:UserCert>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</eapTls:UserCert>
   </eapTls:EapType>
  </baseEap:Eap>
 </Credentials>
</EapHostUserCredentials>

Wired-WinPE-EAP-TLS.xml

<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM>
  <security>
   <OneXEnforced>false</OneXEnforced>
   <OneXEnabled>true</OneXEnabled>
   <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <authMode>user</authMode>
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</EAPConfig>
   </OneX>
  </security>
 </MSM>
</LANProfile>

↑ Back to the top

References

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

↑ Back to the top

Keywords: kbexpertiseadvanced, kbfix, kbautohotfix, kbqfe, kbhotfixserver, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 972831
Revision : 2
Created on : 9/18/2018
Published on : 9/18/2018
Exists online : False
Views : 509