top of page

OUR PRECONDITIONS

  • The old network infrastructure, referred to as OldNet:
    Doesn’t support 802.1x.
    Two domains on different VLAN’s with a one way trust, referred to as Enterprise and Educational.
    The two domains have their own network infrastructure, different IP Helpers, DNS, DHCP and so on.

  • The new infrastructure, referred to as NewNet:
    802.1x is required using CISCO ISE and Layer 3 switches.
    Only one fallback net with its own IP range, common for both domains, which also supports WebAuth guest access.
    The two domains still have their own IP range, DHCP, DNS etc. but will use the same PXE-server since PXE boot is taking place on the fallback network.

  • Both the old and the new network infrastructure will be used to deploy Windows 10 x64 and Windows 7 x86.

  • MAB will not be used during OSD, the network team don’t want to spread a special OSD VLAN so clients will get an IP address according to its current location and only certificate-based authentication is allowed.

  • The task sequence needs to support both the new computer and refresh scenario as well as BIOS to UEFI conversion regardless of the currently installed operating system.
    The scripts used for managing 802.1x needs to support Windows 7 and its PowerShell version.

Search
Writer's picturesomeguy100
Oct 14, 20182 min read

Create a fake driver

The .Inf-file itself.

 

[Version]
Signature = "$WINDOWS NT$"
Provider = %Msft%
Class = Net
ClassGuid = {4D36E97d-E325-11CE-BFC1-08002BE10318}
DriverVer = 06/06/2018,1.2.0.5
CatalogFile = tstamd64.cat

[Manufacturer] 
%DR%=DR,NTx86,NTamd64 ; We got both x64 and x86
[DestinationDirs]
DefaultDestDir = 11 ; 11 is system32
ExampleFileSystem.DriverFiles = 11
ExampleFileSystem.TSconfig = 24 ; 24 is %Systemroot%

[DR.NTamd64]
%PLUGINNAME%=OC_Inst,DUMMY\ADSI

[DR.NTx86]
%PLUGINNAME%=OC_Inst.NTx86,DUMMY\ADSI
[SourceDisksNames]
1 = %Disk1%
; Restricted is the folder where the files resides with the folder of the inf-file as the root.
[SourceDisksFiles]
CheckForNetwork.vbs = 1
WindowHide.exe = 1
WindowHidex86.exe = 1
Cert.pfx = 1,Restricted
Conf.txt = 1,Restricted
Import.txt = 1,Restricted
importcert.ps1 = 1,Restricted
key.aes = 1,Restricted
RootCA.cer = 1,Restricted
Ethernet.xml = 1,Restricted
TSConfigTemplate.ini = 1
TSConfig.cmd = 1
winpeshl.ini = 1
TSBootShell.cmd = 1

[OC_Inst]
CopyFiles = ExampleFileSystem.DriverFiles
CopyFiles = ExampleFileSystem.TSconfig
AddReg	= ExampleFileSystem.AddRegistry

[OC_Inst.NTx86]
CopyFiles = ExampleFileSystem.DriverFiles.NTx86
CopyFiles = ExampleFileSystem.TSconfig
AddReg	= ExampleFileSystem.AddRegistry

[DefaultInstall]
CopyFiles = ExampleFileSystem.DriverFiles
CopyFiles = ExampleFileSystem.TSconfig
AddReg	= ExampleFileSystem.AddRegistry

; ,2 translates to Always copy and ,6=(2+4) overwrite if the file already exists
[ExampleFileSystem.DriverFiles]
CheckForNetwork.vbs,,,2
WindowHide.exe,,,2
Cert.pfx,,,2
Conf.txt,,,2
Import.txt,,,2
importcert.ps1,,,2
key.aes,,,2
RootCA.cer,,,2
Ethernet.xml,,,2
TSBootShell.cmd,,,6

; Here's an example where we want to copy an exe-file but change its name.
;(WindowsHide)
[ExampleFileSystem.DriverFiles.NTx86]
CheckForNetwork.vbs,,,2
WindowHide.exe,WindowHidex86.exe,,2
Cert.pfx,,,2
Conf.txt,,,2
Import.txt,,,2
importcert.ps1,,,2
key.aes,,,2
RootCA.cer,,,2
Ethernet.xml,,,2
TSBootShell.cmd,,,6

[ExampleFileSystem.TSconfig]
TSConfigTemplate.ini,,,6
winpeshl.ini,,,6
TSConfig.cmd,,,6

; This is where we make sure that the VB-script always starts.
; Checkfornetwork.vbs is the script that initiates the network and starts 
; the 802.1x-script if everything seems fine.

[ExampleFileSystem.AddRegistry]
HKLM,SYSTEM\Setup,cmdline,0x00000000,cscript.exe .\CheckForNetwork.vbs

[Strings]
Msft = "Organization"
DR = "DeploymentResearch"
PLUGINNAME = "802.1x Fake Driver"
ServiceDesc = "Example File System Driver"
ServiceName = "ExampleFileSystem"
ParameterPath = "SYSTEM\Setup"
DESCRIPTION = "Integrates ADSI into Windows PE"
FRIENDLYNAME = "Fool SCCM"
Disk1 = "Example File System Driver CD"

The batch-file to create the cat-file and sign it.

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\inf2cat.exe" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\SignTool.exe" sign /v /s PrivateCertStore /n SignCert(Test) /tr http://timestamp.digicert.com %~dp0tstamd64.cat
pause
 

The driver will still show up as unsigned in the console, but if the driver isn't signed or if the certificate used to sign it isn't trusted by the sccm site server you won't be able to use it.

My guess of why it says unsigned is that the signing certificate isn't chained back to a Microsoft driver signing CA. But maybe someone who reads this knows and can educate me. =)


143 views0 comments

Comments

bottom of page