
OUR PRECONDITIONS

  • The old network infrastructure, referred to as OldNet:
    Doesn’t support 802.1x.
    Two domains on different VLANs with a one-way trust, referred to as Enterprise and Educational.
    The two domains have their own network infrastructure, different IP Helpers, DNS, DHCP and so on.

  • The new infrastructure, referred to as NewNet:
    802.1x is required using CISCO ISE and Layer 3 switches.
    Only one fallback net with its own IP range, common for both domains, which also supports WebAuth guest access.
    The two domains still have their own IP range, DHCP, DNS etc. but will use the same PXE-server since PXE boot is taking place on the fallback network.

  • Both the old and the new network infrastructure will be used to deploy Windows 10 x64 and Windows 7 x86.

  • MAB will not be used during OSD. The network team doesn't want to spread a special OSD VLAN, so clients will get an IP address according to their current location, and only certificate-based authentication is allowed.

  • The task sequence needs to support both the new-computer and the refresh scenario, as well as BIOS to UEFI conversion regardless of the currently installed operating system.
    The scripts used for managing 802.1x need to support Windows 7 and its PowerShell version.

someguy100

Just a moment - 2nd round

Changes:

1. Runs as a service, allowing it to start earlier.

2. Supports showing the dialog to a logged on user while still blocking inputs.

3. Unblock the keyboard/mouse when needed.

So showing a WPF in user context while blocking the keyboard + mouse, no problem at all... Yeah right.

Don't get me wrong, that isn't a problem until a user presses Ctrl+Alt+Del, which triggers GINA/Winlogon, and that always has the upper hand.

So how about reapplying the block afterwards?

It turned out that BlockInput (user32.dll) doesn't work just by calling it in the SYSTEM context.

It must be called from within the session you want to apply the input block to, and it needs admin privileges.

Long story short (never done this before), I made a named pipe, and after hitting my head against the wall a couple of times I got it working.

The WPF runs in user context, and it can still trigger a function that reapplies the input block, without exposing anything running as SYSTEM interactively in the user session.
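The named-pipe split described above, as an added example that is not the author's InfoUI code: a privileged side that owns BlockInput and only honours two fixed verbs, and the user-context side the WPF calls. The pipe name, the BLOCK/UNBLOCK verbs and the pipe ACL are assumptions; the privileged side is assumed to run inside the session being blocked with admin rights, as the post says BlockInput requires, and how the service gets it there is not shown here.

```powershell
# Added example, not the author's InfoUI script; pipe name and BLOCK/UNBLOCK verbs are assumed.
# The privileged side must run in the blocked session with admin rights (BlockInput needs that).
Add-Type -Namespace Win32 -Name Input -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool BlockInput(bool fBlockIt);
'@
$PipeName = 'InfoUI-Reblock'   # assumed pipe name

function Invoke-PipeRequest {
    param([string]$Request)
    # Only two fixed verbs are honoured, so the unprivileged WPF side can
    # never make the privileged side do anything except toggle the block.
    switch ($Request) {
        'BLOCK'   { return "BLOCK:$([Win32.Input]::BlockInput($true))" }
        'UNBLOCK' { return "UNBLOCK:$([Win32.Input]::BlockInput($false))" }
        default   { return "IGNORED:$Request" }
    }
}

function Start-ReblockServer {
    # Privileged side: one request per connection, loop until UNBLOCK is seen.
    # The ACL only lets the user-context client connect; nothing else is widened.
    $sec  = New-Object System.IO.Pipes.PipeSecurity
    $rule = New-Object System.IO.Pipes.PipeAccessRule('Authenticated Users', 'ReadWrite', 'Allow')
    $sec.AddAccessRule($rule)
    do {
        $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 1, 'Byte', 'None', 4096, 4096, $sec)
        $pipe.WaitForConnection()
        $reader = New-Object System.IO.StreamReader($pipe)
        $writer = New-Object System.IO.StreamWriter($pipe)
        $writer.AutoFlush = $true
        $reply = Invoke-PipeRequest ($reader.ReadLine())
        $writer.WriteLine($reply)
        $pipe.Dispose()
    } while ($reply -notlike 'UNBLOCK:*')
}

function Send-ReblockRequest {
    # User-context side (called from the WPF after Ctrl+Alt+Del has been dismissed).
    param([string]$Request = 'BLOCK')
    $pipe = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName, 'InOut')
    $pipe.Connect(5000)    # fail fast if the privileged side is not up
    $writer = New-Object System.IO.StreamWriter($pipe)
    $writer.AutoFlush = $true
    $writer.WriteLine($Request)
    $reply = (New-Object System.IO.StreamReader($pipe)).ReadLine()
    $pipe.Dispose()
    return $reply          # e.g. "BLOCK:True"
}
```

Start the privileged side first; the client returns the server's reply, so anything other than BLOCK:True means the reblock did not take effect and should be logged by the WPF.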

I'm a bit picky, but for those who might be even pickier: set DisableTaskMgr=1 if it's really important that the user shouldn't be able to kill the script (https://www.thewindowsclub.com/change-ctrl-alt-delete-options-windows).

It works under HKLM too.

Since some parts run in user context, the package needs to be downloaded to a location a user can read.

The service won't harm the computer if left behind, but run "SC delete %ServiceName%" at the end of the TS and in the group that handles errors.

To bypass the input block, please take a look at my previous post.

You can find the edited scripts here: https://github.com/MattiasC85/UserInfoUI/tree/master/InfoUI%20Service
