
I have a Windows 7 Pro 64-bit reference image running in a Hyper-V client for MDT 2013 deployment on Server 2012. The computers are standalone with no AD and I have no control over the network configuration. I want to provision laptops to automatically connect to our wireless AP. These laptops are shared by a large number of young students who do not have single sign-on credentials and are sharing a finite number of laptops.

I had successfully used netsh to create and deploy a wireless profile in the past during deployment, but now our school district has upgraded the wireless to a WPA2-Enterprise profile with PEAP and I can only add the username and password interactively. I tried to export the PEAP profile, and while the profile works, it doesn't contain the username and password even if I use the key=clear option in netsh (apparently that doesn't work for PEAP).

I tried to suspend the reference image and add the username and password to the image during deployment, but Hyper-V doesn't allow binding a wireless adapter to a Hyper-V client, so I can't set up the wireless profile in the reference image interactively.

Is there a way to edit the exported PEAP XML wireless profile file to add the username and password?

I was thinking of pulling a copy of the suspended reference image during a reboot (while the image is "off") and transferring that image to a physical computer like the Hyper-V server, but with a wireless adapter, and then booting and hoping I could bind the adapter to the username, and then reboot and transfer the image back to the server and continue. I can't give the wireless password to users, so I would have to physically enter it on every laptop. Any suggestions?


If your computers are on a Windows AD domain, the correct way to automatically add wireless profiles would be using a GPO. You can find these settings under: Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies.

I've built networks that have different SSIDs for BYOD and internal computers. Since I don't want company computers to be manually added to the BYOD (DMZ) network, I've

  • Configured the preferred network settings with [x] Use Windows WLAN AutoConfig service for clients and then configured my network in "Connect to available networks..." section. There you can add the network SSID and set the authentication and encryption methods.
  • On the "Network Permissions" tab you can hide (add the SSID with Permission: deny) the BYOD networks from even showing on the company computers to avoid your users accidentally using them, which would prevent them from using the internal resources.

Using Computer authentication

As you have WPA2-Enterprise PEAP authentication, you probably have a RADIUS server installed (users will authenticate with the same passwords they use for computers). Now, you are trying to automatically save one of the user passwords to your client wireless network configuration.

However, the best practice in this situation would be using Computer authentication instead of User authentication (in Authentication Mode of your preferred SSID configuration). With this, you can avoid saving any passwords to your GPO.

In order to use Computer authentication your RADIUS server must allow using computer accounts for authentication. If you are using Microsoft Network Policy Server, just add the group Domain Computers (or any other computer group containing these laptops) to your NPS > Policies > Network Policies > Secure Wireless Connections (PEAP) profiles as the value of the condition Machine Groups.

Esa Jokinen
  • Thank you. I do not have any control over the network infrastructure, so AD is not an option. These are for laptops that are for young students who share laptops and use a shared username / password. – james_time Mar 26 '17 at 15:16
  • Then it slightly falls out of scope on Server Fault, but you can still accomplish it by using the same settings via the Local Group Policy editor `gpedit.msc`. Just create the policy on one machine (or directly in your image) and copy it to the others from `%systemroot%\system32\grouppolicy\`. – Esa Jokinen Mar 26 '17 at 15:25
  • Thank you for your help. Does the Wireless Network (802.11) Policies have a place to specify username and password? – james_time Mar 28 '17 at 04:32
  • It seems saving passwords is not an option here, so allowing and using computer authentication is the best way to do this. Is there any chance you could co-operate with the sysadmins as this would also benefit the whole network? Also, Local Group Policy editor `gpedit.msc` seems to be so limited it doesn't even have the Wireless Network (802.11) Policies. So unfortunately I'll have to stick to my original answer. – Esa Jokinen Mar 28 '17 at 06:20