top of page

OUR PRECONDITIONS

  • The old network infrastructure, referred to as OldNet:
    Doesn’t support 802.1x.
    Two domains on different VLAN’s with a one way trust, referred to as Enterprise and Educational.
    The two domains have their own network infrastructure, different IP Helpers, DNS, DHCP and so on.

  • The new infrastructure, referred to as NewNet:
    802.1x is required using CISCO ISE and Layer 3 switches.
    Only one fallback net with its own IP range, common for both domains, which also supports WebAuth guest access.
    The two domains still have their own IP range, DHCP, DNS etc. but will use the same PXE-server since PXE boot is taking place on the fallback network.

  • Both the old and the new network infrastructure will be used to deploy Windows 10 x64 and Windows 7 x86.

  • MAB will not be used during OSD, the network team don’t want to spread a special OSD VLAN so clients will get an IP address according to its current location and only certificate-based authentication is allowed.

  • The task sequence needs to support both the new computer and refresh scenario as well as BIOS to UEFI conversion regardless of the currently installed operating system.
    The scripts used for managing 802.1x needs to support Windows 7 and its PowerShell version.

Search
Writer's picturesomeguy100
Jun 3, 20191 min read

Start interactive process as SYSTEM on each (re)boot.

Once again, the main reason for doing this in the first place was Onevinn’s TSBackground. Talked with Johan about it and I believe he thought it was a good idea since TSBackground now have a similar function.

Any references to TSBackground found in the scripts are just remains from the tests.

In the WinPE phase reboots are pretty easy to predict, in the Full OS phase that isn’t always the case.

The Issues:

1. Start something interactively as SYSTEM on each boot after “Setup Windows and ConfigMgr”.

2. Identify all the places where a reboot may or may not happen.


A possible solution:

Create a scheduled task that runs on system start, since then you don’t need to predict the reboots, and make it break out of the session 0 isolation.

That is what I’m doing. On top of that the script also evaluates if “provisioning mode” is set to false and if the console user <> “System”. If any of these are true, the task will be deleted and the same goes for the script itself. Just to minimize the risk of a privilege escalation.

This however makes it incompatible with a pure MDT OSD, since that runs in the administrator context. Should be easy enough to adapt though, if you want to.





https://github.com/MattiasC85/Start-interactive

381 views0 comments

Comentarios

bottom of page