Using 802.1X with ConfigMgr 2007/2012 – Contributed by Mats Olsson

This article was contributed by Mats Olsson, fellow deployment geek from Sweden:

Update: Moved the sample script to GitHub:

Ever needed a Certificate on your machine for 802.1X or a Certificate protected wireless network? Are you using ConfigMgr 2007/2012 for OSD?

In my case the answer was yes to both questions.

Back in the Windows XP SP2 days it was just a matter of two registry keys. For Windows XP SP3 or newer you need to configure it through XML files.

With MDT you can do a simple GPUpdate /force to auto-enroll a certificate (your PKI-setup must allow this). ConfigMgr however blocks GPO processing during OSD (see: ).

In theory you can install the system first, wait for the GPO:s to apply after installation and so on but if you need to install things that you can't reach without a certificate or do you really want to wait extra time during a mass-deployment?

We did not, so deploying Windows 7 with ConfigMgr became a little challenge for us.

The first problem was to replace GPUpdate with something else that could get a certificate to the machine during OSD.

You can make a script that generates a certificate request and if you have auto-enrollment on that template it should work. However it means that you will be hardcoding a certificate template name in your requests and that's not a good solution.

Certutil.Exe has a pulse argument that will cause Certutil to process auto-enrollment requests and Certutil does work during SCCM OSD. This will not require any hardcoding so it was the way I selected.

The second problem is how to get the proper config loaded. The easiest way (in my eyes) is to load Configuration profiles from XML using netsh commands.

To make this work in a Zero Touch way I wrote the ZTI-8021X.wsf script. The script will use Certutil -pulse to get a cert. It will verify that it got the cert before trying to load the connection profiles from Lan.XML and/or Wlan.XML. Finally it will set the Wired zero config service to Automatic and start it.

On XP you will need to place Certutil and needed files in a folder that is in the path variable (for example in system32)

To make this work there is a number of steps to do:

Make sure that you have auto-enrollment activate on the right certificate template

You need to configure a reference system so that it uses certificate auth for wired or/and wireless networks

On that system we need to export the working config(s) by running "netsh lan export profile folder=C:\Windows\Temp" or/and "netsh wlan export profile folder=C:\Windows\Temp"

You may get more than one profile and you will have to determine which one is the correct one.

Rename the correct profiles to Lan.xml and Wlan.xml (or just the one you need if you don't use both)

Place Lan.xml and Wlan.xml together with the ZTI-8021X.wsf and ZTIUtility.vbs scripts. I use to put the files in my toolkit package)

Edit your task sequence and add a run command to run ZTI-8021X.wsf

This should give you a machine that has a certificate in the machine store and you should have the system configured to use 802.1X auth.

I have tested this on XPSp3, W7 32 and 64 bit.

By Mats Olsson

About the author

Johan Arwidmark

0 0 votes
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
7 years ago

Rc = 1 is often files missing, but can of course be other things as well. Did you add the script to your MDT files package?

I recommend using the ServiceUI trick in your task sequence to test scripts interactively.

/ Johan

7 years ago

Sorry to dig up this oldie but goodie.

I have this integrated in a task sequence for testing, and it gives me the error "ZTI ERROR – Non-zero return code by ZTI-8021X, rc = 1"

Does this spark any thoughts on the matter?