Jump to content

Zach Skidmore

802.1X Configuration in Windows PE 5.0

Recommended Posts

Hey all:

Our institution has migrated to using 802.1x on our network. We need to configure our Windows PE 5.0 image for SCCM 2012 to connect to 802.1x.


While there are multiple articles on the internet on how to do it, There doesn't appear to be a hotfix for Windows PE 5, only for PE 3. I have checked our PE image and it does not have the Wired auto config service files in it, so it doesn't appear to be built in to PE 5.


Anyone know where to get the hotfix for PE 5? Any help is appreciated

Share this post

Link to post
Share on other sites

Hi M8,


Since Win PE 4.0 its part of the PE Distribution. In SCCM go to your Bootimage properties...

Then open the tab "Optional Components" and ad

Microsoft .NET (WinPE-Dot3Svc)


This integrates the 802.1x Service into the Boot Image.


You have then to activate it during the task Sequence by a package that does basically the following:

REM Import personal/Machine Certificate
certutil -p password -importPFX cert.pfx
REM Importiere Root Zertifikat...
certutil.exe -addstore root CETRIFICATE.cer
Rem Start The Network Service and set it to automatic restart
sc config Dot3svc start= auto
net start Dot3svc
REM Import Networkprofile that was exported from a running win7/8 system
netsh lan add profile filename=NetProfile.xml

This is how it used to work for usin PE 4.0 Microsoft states there are no changes in PE 5.0 but after upgdading our bootimages 802.1x does not work.

Anyone here got an idea what might have changed?




Share this post

Link to post
Share on other sites

It seems that we identified the problem with the help of Microsoft Support..



Win 8.1 and Win PE5.0 can not successfully connect via EAP-TLS if the Zertificate of the Radius Server does not have a CDP Extension.


We fixed it with a workarround:


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
ValueName: NoRevocationCheck
Value: 1


After that Win 8.1 and Win PE 5.0 where able to connect.

Be aware it is a workarround and is bypassing some security..

so it should not be a permanent solution.




Share this post

Link to post
Share on other sites

Hi quite new to the whole 802.1x stuff our network team kindly dropped this into production. the script above at what stage in the seq do you add it ?


also on the standalone boot image how do i integrate the certs/xml files ? is this done in the prestart commands ?


any help or pointer gratefully received.


thanks Rob

Share this post

Link to post
Share on other sites



Struggling to make my MDT Deployment work on 802.1x. I followed David's blog https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/6127/00/00/03/31/62/58/Windows%207%20Deployment%20Procedures%20in%20802%201X%20Wired%20Networks.pdf and stuck halfway.


After booting with MDT Boot media (8021x Enabled) the client is getting the IP from DHCP but failing to connect to deploymentshare$, not even pinging any IP on the network. Any ideas?

Share this post

Link to post
Share on other sites


Its been quite a some time if there was any post or any perfect solution I found for MDT 2013 U2 Windows 10 upgrade from windows 7.

Here is the background and what has been tried so far, but there was no luck. Any help will be appreciated.

We are setting up windows 10 Migration infra for one of our clients. It went through without any issues on a regular network, however, we were asked to test the same on the secured network as well.

Unfortunately, it did not work the secured network so called 802.1x, this is the first time we have come across this scenario.


In our deployment scenario, we have an MDT 2013 U2 only. We are initiating the migration task sequence deployment (On Windows 7 machine- in OS mode) by accessing the deployment share over the network via LTIApply.wsf under script folder.

Note : All the required Network drivers are available in Winpe.

Everything works fine until the machine is rebooted to PE mode. Once the machine gets into PE mode it does not get the IP address due to the secure network. After going through multiple blogs below are the things that we tried, but no luck till now.



1.      WinPE Generated adding additional features( IEEE 802.1x, .Net Framework)

2.      Injected Windows6.1-KB972831-x64.msu in WinPE

3.      Automated script to start service dot3svc

4.      Exported Root certificate from existing client machine and added in WinPE through Script

5.      Included LAN profile in WinPE, which was extracted from existing Client.

I also wanted to include the .pfx into Winpe but unfortunately I could not export it from the other win7 client machine as the option in cert manager is greyed out. 

I have no clues what else I can try to get this working. let me know if anyone of you has gone through the same or ever worked on the same kind of scenario.

 Please let me know if something else needs to be in place to get this working


Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.