Tag Archives: Group Policy

[Tutorial] Configuring BitLocker to store recovery keys in Active Directory

This guide is more of a reflection on the steps I took to publish the BitLocker recovery keys of machines deployed on an Active Directory domain.  Microsoft has gobs and gobs of information on this subject which can be a tad overwhelming, so I have tried to consolidate this article down as much as possible, citing Microsoft sources where found.  If you have any questions, comments, feedback, please feel free to leave a message below.

Prerequisites

  • Domain Controllers are running Windows Server 2003 SP1 or greater
  • Schema Admin or an Enterprise Admin user account privileges

Step 1: Verify your schema is ready (and extend it if applicable)

Based on what I have read, if your DCs were introduced with Server 2008 Beta 3 or later, your schema will be ready, if you started with anything older, your AD environment will more than likely will not have the schema objects/attributes.

Verify you have the schema changes if running Server 2003 R2 or older:

If you are on Server 2003 you will need to open up ADSI edit and verify you have the schema changes (here you can see we are missing the five schema changes for BitLocker)

ADSI Edit - Server 2003 R2 - BitLocker

Verify you have the schema changes if running Server 2008 or newer:

If you are on Server 2008 or greater and have powershell, you can execute the following command (here you can see we have the necessary schema changes to proceed, if you receive 0 results, you will need to extend your schema):

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {Name -like "ms-FVE-*"}

AD-Schema objects for BitLocker

Extending your schema if you don't have the schema changes above

If you need the schema update (you are missing the five schema objects listed in the above powershell command), you can execute the following command via Command Prompt on your Domain Controller:

Note: If you are on Server 2008 r2, it is recommended you extend your schema to Server 2012 or if you just want the BitLocker attributes, use these two ldf files: https://technet.microsoft.com/en-us/library/jj635854.aspx

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=mydomain,DC=local" -k -j .

Yes, you do want the trailing period (.) at the end of the command.  It is literally apart of the command, so ensure you execute the command exactly like above (changing your domain of course).   You can see the official technet article here for more information on the command: https://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx

If you would like to verify everything went well, Microsoft has posted some output on what the command should write: https://technet.microsoft.com/en-us/library/cc722060(v=ws.10).aspx

Step 2: Set the required permissions for backing up TPM password information

Next, we need to add an access control entry (ACE) so that backing up TPM recovery information is possible.

Head over to the following Microsoft document and download each of the VBS scripts they have displayed: Save the following VBS scripts from the following website: https://technet.microsoft.com/en-us/library/dn466534.aspx#Sample scripts

  1. Ensure you are on one of your domain controllers
  2. Open up a command prompt as an administrator
    Server 2012 - Administrative Command Prompt
  3. Navigate to your BitLocker folder
    BitLocker Folder C Drive
  4. Execute the following command on your domain controller
    1. cscript Add-TPMSelfWriteACE.vbs
      cscript add-tpmselfwriteace for bitlocker
  5. Delegate msTPM-OwnerInformation
    1. Open up Active Directory Users and Computers
      Server Manager - Active Directory Users and Computers
    2. Navigate to the OU that stores your computers, right click, and select Delegate Control...
      Active Directory Users and Computers - Computers - Delegate Control
    3. Click Next > button on the welcome screen
      Delegation of Control Wizard - Welcome
    4. Click the Add... button
      Delegation of Control Wizard - Users or Groups - Add
    5. Type in SELF, hit the Check Names button, and click OK
      Delegation of Control Wizard - Users or Groups - Add - SELF
    6. Click Next >
      Delegation of Control Wizard - Users or Groups - Add - SELF - Next
    7. Select Create a custom task to delegate and click Next >
      Delegation of Control Wizard - Tasks to Delegate - Create a custom task to delegate
    8. Check Only the following objects in the folder, check Computer objects, click Next >
      Delegation of Control Wizard - Active Directory Object Type - Only the following objects in the folder - Computer Objects
    9. Check Property-specific, scroll down and find Write msTPM-OwnerInformation and click Next >
      Delegation of Control Wizard - Permissions - Property-specific - Write msTPM-OwnerInformation
    10. Click Finish
      Delegation of Control Wizard - SELF - Finish

Step 3: Configure group policy to back up BitLocker and TPM recovery information to Active Directory

In this step, we will push out the actual policy that tells the machine to push BitLocker and TPM recovery info to Active Directory.  We will try to follow some of Microsoft's best practices on deploying the group policy here: https://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx

  1. Login to your domain controller
  2. In Server Manager, open up Group Policy Management
    Server Manager - Tools - Group Policy Management
  3. Select the policy you want to edit/deploy for this and hit Edit...
    Group Policy Management - Edit
  4. Expand Computer Configuration, expand Policies, expand Administrative Templates, open Windows Components, and then select BitLocker Drive Encryption
    Group Policy Management Editor - Computer - Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption
  5. Follow the below configuration for each policy (most of these are Microsoft's best practices with a few notes I have made in the Settings)
    CATEGORY SETTING NAME SETTING
    Global Store BitLocker recovery information in Active Directory Domain Services  Set to enabled, check Require BitLocker backup to AD DS, ensure Recovery passwords and key packages is selected
    Global Choose drive encryption method and cipher strength Set to not configured.
    Global Prevent memory overwrite on restart Set to not configured.
    Global Provide the unique identifiers for your organization Set to enabled, and enter an identifier in the BitLocker identification field (based on what I can tell, you can enter your organization name here).
    Operating system drives Choose how BitLocker-protected operating system drives can be recovered Set to enabled, Allow 48-digit recovery password, Allow 256-bit recovery key, omit recovery options from the BitLocker setup wizard, Store recovery passwords and key packages, Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.For more information about storing BitLocker recovery information in AD DS, see Backing Up BitLocker and TPM Recovery Information to AD DS.
    Operating system drives Configure minimum PIN length for startup Set to enabled, and require a personal identification number (PIN) of at least seven numerals.
    Operating system drives Require additional authentication at startup Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).
    Fixed data drives Choose how BitLocker-protected fixed drives can be recovered Set to enabled, Allow 48-digit recovery password, Allow 256-bit recovery key, omit recovery options from the BitLocker setup wizard, Store recovery passwords and key packages, Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.
    Fixed data drives Configure use of passwords for fixed data drives If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.
    Fixed data drives Configure use of smart cards on fixed data drives If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.
    Removable data drives Choose how BitLocker-protected removable drives can be recovered Set to enabled, Allow 48-digit recovery password, Allow 256-bit recovery key, omit recovery options from the BitLocker setup wizard, Store recovery passwords and key packages, Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.
    Removable data drives Configure use of passwords for removable data drives Set to enabled, set a minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.
    Removable data drives Configure use of smart cards on removable data drives Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.
    Removable data drives Control use of BitLocker on removable drives Set to enabled, Allow users to apply BitLocker protection on removable data drives, and uncheck Allow users to suspend and decrypt BitLocker protection on removable data drives.
    Removable data drives Deny write access to removable data drives not protected by BitLocker Set to enabled, and Do not allow write access to devices configured in another organization.

    noteNOTE
    This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.
  6. Next, configure Group Policy to backup the TPM owner information; open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services
    Group Policy Management Editor - Computer - Configuration - Administrative Templates - System - Trusted Platform Module Services
  7. Double-click Turn on TPM backup to Active Directory, check Enabled, and click OK
    Group Policy Management Editor - Computer - Configuration - Administrative Templates - System - Trusted Platform Module Services - Turn on TPM backup to ADDS - Enabled

    1. Note: If you are on Server 2008 R2, make sure you select Require TPM backup to AD DS.  Based on what I can find, if you are on Server 2012 R2, this option has been removed.
  8. Define a BitLocker Drive Encryption Data Recovery Agent
    1. Open Computer Configuration, open Policies, open Windows Settings, open Security Settings, open Public Key Policies, and right click on BitLocker Drive Encryption and select Add Data Recovery Agent...
    2. Click Next > on the Add Recovery Agent Wizard
    3. Select a Recovery agent and click Next >
      1. If you are using PKI, select the Browse Directory... button and select a user that has been configured with an EFS certificate.  I found this guide the most helpful on setting this process up (if anyone has a guide to an official Microsoft document explaining the best practices on configuring this, please drop a comment below: http://technetlibrary.com/use-data-recovery-agent-dra-decrypt-encrypted-files-domain/163)
        1. Here is the only official Microsoft article that I could find that explains the configuration of the Data Recovery Agent: https://technet.microsoft.com/en-us/library/dd875560%28v=ws.10%29.aspx#BKMK_proc_dra
      2. If you don't have a PKI environment setup, you can use a self signed certificate by opening up a command prompt and executing the following command: cipher /r:administrator
        1. Copied from the cipher command: This command generates an EFS recovery key and certificate, then writes them to a .PFX file (containing certificate and private key) and a .CER file (containing only the certificate). An administrator may add the contents of the .CER to the EFS recovery policy to create the recovery key for users, and import the .PFX to recover individual files. If SMARTCARD is specified, then writes the recovery key and certificate to a smart card. A .CER file is generated (containing only the certificate). No .PFX file is generated.
    4. Click Finish on the Add Recovery Agent Wizard

Step 4: Install the BitLocker Password Recovery Viewer

  1. On your domain controller, open up Server Manager
  2. Select Manage, Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  3. Click Next >
    Add Roles and Features Wizard - Before you begin
  4. Click Next >
    Add Roles and Features Wizard - Select installation type
  5. Click Next >
    Add Roles and Features Wizard - Select destination server
  6. Click Next > (You don't need to add any additional roles)
    Add Roles and Features Wizard - Server Roles - Default
  7. Check BitLocker Drive Encryption (click Add Features when prompted) and click Next >
    Add Roles and Features Wizard - Features - BitLocker Drive Encryption - Add features dialog
    Add Roles and Features Wizard - Features - BitLocker Drive Encryption
  8. Click Install
    Add Roles and Features Wizard - Features - BitLocker Drive Encryption - Install
  9. Click Close
    Add Roles and Features Wizard - Features - BitLocker Drive Encryption - Install - Close
  10. Repeat these steps for each domain controller you want to manage BitLocker on

Step 5: Push existing BitLocker protected machines to Active Directory (optional step)

  1. Open an Administrative Command prompt on the client machine that has a BitLocker enabled drive
    Server 2012 - Administrative Command Prompt
  2. Execute the following command to get your current BitLocker information
    manage-bde -protectors -get c:
    command prompt - manage-bde -protectors -get c
  3. Execute the following command to publish this information to AD
    manage-bde -protectors -adbackup c: -id {yourNumericalPasswordID}
    command prompt - manage-bde -protectors -adbackup c-id
  4. Login to one of the domain controllers you installed the BitLocker Recovery Viewer feature and open up Active Directory Users and Computers
    Server Manager - Active Directory Users and Computers
  5. Find your computer object and right click Properties on it
    Active Directory Users and Computers - Computers - Computer - Properties
  6. Select the BitLocker Recovery tab and verify the recovery passwords have been published
    Active Directory Users and Computers - Computers - Computer - Properties - BitLocker Recovery Tab

 

Notes: By default, Windows Vista and greater clients running BitLocker will backup the owner the owner password to the msTPM-OwnerInformation attribute.  If you notice this field is <Not Set> for your Windows 8 and greater machines, ensure you check the TPM Devices container in Active Directory Users and Computers for the recovery information.

To automate the process of looking up the Bitlocker Recovery Password and Owner TPM Recovery Key, I have written a powershell script which can be found here: http://jackstromberg.com/2015/02/exporting-tpm-owner-key-and-bitlocker-recovery-password-from-active-directory-via-powershell/

Server 2012 R2 - Missing Group Policy - Internet Explorer Maintenance

Symptom: When navigating to User Configuration - Policies - Windows Settings via Group Policy Management Editor, Internet Explorer Maintenance is missing from the list of configurable policies.

Server 2012 - Group Policy Management Editor - User Configuration - Policies - Windows Settings

Explanation: Internet Explorer 10 (which is installed by Default on Server 2012 R2) deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences.  As you can see in the following Microsoft KB article, a link to the Internet Explorer Maintenance policy alternatives can be found here: http://technet.microsoft.com/library/hh846772.aspx

Solution: Remove the old Internet Explorer Maintenance policies and switch over to use Preferences to manage your domain machines.  This tutorial will not go into using Preferences, however it will go over removing the Internet Explorer Maintenance policies from your GPO.  Since I went ahead and upgraded our environment to Server 2012 R2 I ended up having to configure a new Server 2008 R2 machine.  If someone has an easier solution, please let me know in the comments below.

  1. Login to any member machine of the domain that is running Server 2008 R2 or earlier and does not contain Internet Explorer 10 or greater
  2. Open up Server Manager
    Server Manager
  3. Install Group Policy Management if it is not installed
    1. Select Features and click Add Features
      Server Manager 2008 R2 - Add Features
    2. Select Group Policy Management and click Next >
      Server 2008 R2 - Add Features Wizard - Group Policy Management
    3. Click Install
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Install
    4. Click Close
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Close
  4. Select Features- > Group Policy management -> Expand your forest -> Expand Domains -> Select your domain -> Right click and Edit... one of your policies
    Server Manager 2008 R2 - Features - Group Policy Management - Edit GPO
  5. Expand User Configuration -> Policies -> Software Settings -> Windows Settings and select Internet Explorer Maintenance.
  6. Right click on Internet Explorer Maintenance and select Reset Browser Settings
    Group Policy Management Editor - User Configuration - Policies - Windows Settings - Internet Explorer Maintenance - Reset Browser Settings
  7. Click Yes on the Internet Explorer Maintenance dialog box
    Internet Explorer Maintenance Dialog Box
  8. If all went well, you should now see all of the deprecated Internet Explorer Maintenance policies removed from your Group Policy Object.
    Before
    Group Policy Management - Before
    After
    Group Policy Management - After

Notes:
Official KB on installed Group Policy Manager: http://technet.microsoft.com/en-us/library/cc725932.aspx

Official KB article on replacements for Internet Explorer Maintenance: http://technet.microsoft.com/en-us/library/jj890998.aspx

Forum post showing frustration over this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance?forum=winserver8gen

Configuring Google Chrome via Group Policy

Synopsis: As more companies shift from Internet Explorer to Google Chrome, the ability to administer certain controls over the web browser from a centralized place becomes increasingly difficult.  As such, one of the most sought featured in administering the web browser is the ability to deploy shortcuts to the end users to frequently accessed resources on both the intranet and internet.  Luckily, Google has acknowledged the need to be centrally administered in corporate environments using Active Directory and Group Policy to easily complete this task.

Tutorial:

  1. Grab a copy of the Google Chrome ADM/ADMX templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
  2. Extract the contents of the policy_templates.zip file once you have downloaded it to your local machine.
  3. Navigate to the windows folder and then navigate into the folder with the template you want to use (in this case, I will be deploying ADMX; read below on which one you should use)
    Chrome Policy Templates

    1. If you are using computers with an operating system newer than Windows Server 2003 or XP, select the ADMX folder
    2. If you are using computers with an operating system older than Windows Server 2008 and Vista, select the ADM folder
  4. If you are using Server 2003, you will use the adm file and follow step 2 below.  If you are using Server 2008 and newer, you will use the admx and adml files mentioned in step 1 below.
    Chrome ADMX and ADML

    1. If you are running Server 2008 or newer, enter the admx folde rand copy the .adml file from the language folder (en-US for example) to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions\<ll-cc> (ll-cc being the language specific folder, such as en-US) and copy the .admx file from the root of the admx folder to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions
      1. If you are from another region, copy the file to the correct language folder (if it doesn't exist, go ahead and create it).
      2. If you get an Access Denied prompt, try running Windows Explorer as an Administrator
        Run explorer as administrator
    2. If you are running Server 2003 or older, copy the .adm file to your domain controller from the Google\Policy_Templates\adm\<ll-cc> Google folder and complete the following steps to import it:
      1. Open the Group Policy Object that you want to edit inside of Group Policy Management.
      2. In the console tree, navigate to Group Policy object/Computer Configuration (or User Configuration)/Administrative Templates and right click on Administrative Templates
      3. Click Add/Remove Templates.
      4. Click the Add button and navigate to the .adm file
      5. More details on this process can be found here: http://technet.microsoft.com/en-us/library/cc739134(v=ws.10).aspx
  5. Open up Group Policy Management (Start->Administrative Tools->Group Policy Management)
    Group Policy Management
  6. Right click the Group Policy Object you want, and select Edit...
  7. Under Computer Configuration->Policies->Administrative Templates, you should now see a Google object.  Expand that to find the policies you can deploy.
    Editting Group Policy Object

Here is a screenshot of a few of the policies Google offers (more policies can be found in each of the folders as shown in the screenshot below).

Google Policies

Happy web browsing!

Side notes: The only thing I haven't figured out how to do is successfully deploy bookmarks/favorites to Google Chrome.  It appears at this time, it is not possible to do so via Group Policy.  If anyone has any ideas on how to achieve this, please leave a comment below; it would be greatly appreciated! 🙂

Tutorial: 802.1X Authentication via WiFi - Active Directory + Network Policy Server + Cisco WLAN + Group Policy

Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected-EAP authentication.  I have designed the tutorial to be worked on in the specific order to prevent downtime if deployed during the day.  By creating the Network Policy server first, once we switch the authentication type from whatever to 802.1X via RADIUS, our Network Policy Server will immediately start processing requests and allowing machines on the domain.  By configuring the Cisco Wireless LAN Controller or Group Policy first, clients will try connecting to a RADIUS server that doesn't exist or present invalid credentials.  If you have any suggestions on how to better the implementation I demonstrate here, please drop a comment below to improve security/stability of these types of deployments. 🙂

Active Directory

First, we need to create a security group in Active Directory to allow a list of specific users and computers to login to the domain.  In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS sever.  In the screenshot below, we can see I have added both Domain Users and Domain Computers to a security group called WirelessAccess. Here is a screenshot with the above settings.

802.1X - AD Security Group

Network Policy Server

  1. Create a new Windows Server 2008 R2 or Windows Server 2012 machine
  2. Add the machine to the domain
  3. Give the machine a static IP: (I'll use 10.10.10.15 throughout this document as a reference to this server)
  4. Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.
  5. Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)
  6. Inside of Network Policy Server, on NPC (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X
    1. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company's Wireless.  Click Next.
    2. Click on the Add... button.  Enter the following settings:
      1. Friendly name: Cisco WLAN Controller
      2. Address: 10.10.10.10 (Enter your WLAN Controller's IP address)
      3. Select Generate, click the Genereate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server).  Click OK.
    3. Click Next.
    4. On the Configure an Authentication Method, select Microsoft: Protected EAP (PEAP). Click Next.
    5. Click Next on the Specify User Groups (we will come back to this).
    6. Click Next on the Configure Traffic Controls page.
    7. Click Finish
  7. Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.
  8. Click on the Conditions tab, select NAS Port Type, and click Remove.
  9. Still on the Conditions tab, click Add..., select Windows Groups and click Add..., click Add Groups..., search for WirelessAccess and click OK.  Click OK on the Windows Groups dialog box, click Apply on the Secure Wireless Connections Properties box.  You should now have something like the image below:
    802.1X - Secure Wireless Connections Conditions
  10. Click on the Constraints tab.
    1. Uncheck all options under Less secure authentication methods like the image below:
      802.1X - Secure Wireless Connections Constraints
    2. Click Apply

Cisco WLAN

  1. Login to your Cisco Wireless Lan Controller
  2. Add a RADIUS server to your controller
    1. Click on the Security tab
    2. Select AAA -> Radius -> Authentication on the left side
    3. Click the New... button in the top right
      1. Server IP Address: 10.10.10.15 (The IP address of your NPS server we setup earlier)
      2. Shared Secret Format: ASCII
      3. Shared Secret: The long generated password you wrote down when setting up the Network Policy Server
      4. Confirm Shared Secret: Same password in previous step
      5. Key Wrap: unchecked
      6. Port Number: 1812
      7. Server Status: Enabled
      8. Support for RFC 3576: Enabled
      9. Server Timeout: 2
      10. Network User: Checked
      11. Management: Checked
      12. IP Sec: Unchecked
      13. Here is a screenshot with the above settings
        802.1X - Cisco WLAN - RADIUS
  3. Create or modify a wireless network to use 802.1X
    1. Click on the WLANs tab
    2. Create a new wireless network or select an existing WLAN ID to edit
    3. On the "WLANs > Add/Edit 'My SSID'" page, use the following settings
      1. Security Tab
        1. Layer 2 Tab
          1. Layer 2 Security: WPA+WPA2
          2. MAC Filtering: Unchecked
          3. WPA+WPA2 Parameters
            1. WPA Policy: Unchecked
            2. WPA2 Policy: Checked
            3. WPA2 Encryption: AES checked, TKIP unchecked
            4. Auth Key Mgmt: 802.1X
          1. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - Security
        2. Layer 3 Tab
          1. Layer 3 Security: none
          2. Web Policy: unchecked
        3. AAA Servers Tab
          1. Authentication Servers: checked Enabled
          2. Server 1: Select your RADIUS server from the dropdown
          3. Local EAP Authentication: Unchecked
          4. Authentication priority order for web-auth user: Move RADIUS over to the right
          5. Here is a screenshot of the above settings802.1X - Cisco WLAN - AAA Servers
        4. Click Apply

Group Policy

  1. Go to your domain controller and open up the Group Policy Management console.
  2. Right click the Organizational Unit you want to apply to policy to and select Create a GPO in this domain, and Link it here...
    1. Note, the policy must be linked to the OU containing a group of machines you want to have WiFi access to or a parent of the OU.
  3. Enter in 802.1X WiFi Policy for the Name and click OK
  4. Right click your new GPO and click Edit
  5. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Wireless Network (IEEE 802.11) Policies
  6. Right click and select Create A New Wireless Network Policy for Windows Vista and Later Releases
  7. Ensure the following settings are set for your Windows Vista and Later Releases policy
    1. General Tab
      1. Policy Name: My Wireless Policy for Vista and Later Clients
      2. Description: Vista and later wireless network for my company.
      3. Check Use Windows WLAN AutoConfig service for clients
      4. Here is a screenshot with the above settings802.1X - General
      5. Click the Add... button and select Infrastructure
        1. Connection Tab
          1. Profile Name: My Network
          2. Enter in your SSID (Wireless network name that gets broadcasted) and click the Add... button
          3. Check Connect Automatically when this network is in range
          4. Here is a screenshot of the above settings802.1X - Properties
        2. Security Tab
          1. Authentication: WPA2-Enterprise
          2. Encryption: AES
          3. Select a network authentication method: Microsoft Protected EAP (PEAP)
          4. Authentication Mode: User or Computer authentication
          5. Max Authentication Failures: 1
          6. Check Cache user information for subsequent connections to this network
          7. Here is a screenshot of the above settings with the Advanced tab open as well802.1X - Security Settings
        3. Click OK
    2. Network Permissions Tab
      1. Enter your network into Define permissions for viewing and connection to wireless networks if it hasn't been added already.
      2. Uncheck Prevent connections to ad-hoc networks
      3. Uncheck Prevent connections to infrastructure networks
      4. Check Allow user to view denied networks
      5. Check Allow everyone to create all user profiles
      6. Uncheck Only use Group Policy profiles for allowed networks
      7. Leave all Windows 7 policy settings unchecked
      8. Here is a screenshot with the above settings (note, you may change the settings above to be in accordance to your policy.  Just ensure you don't check Prevent connections to infrastructure networks).
        802.1x - Network Permissions
      9. Click OK
  8. Right click and select Create A New Windows XP Policy
  9. Ensure the following settings are set for your Windows XP Policy
    1. General Tab
      1. XP Policy Name: My Wireless Policy for XP Machines
      2. Description: My wireless policy for XP machines.
      3. Networks to access: Any available network (access point preferred)
      4. Check Use Windows WLAN AutoConfig service for clients
      5. Uncheck Automatically connect to non-preferred networks
      6. Here is a screenshot of the above settings.
        802.1X - XP General
    2. Preferred Networks Tab
      1. Click the Add... button and select Infrastructure
        1. Network Properties Tab
          1. Network name (SSID): My SSID
          2. Description: My wireless network
          3. Uncheck Connect even if network is not broadcasting
          4. Authentication: WPA2
          5. Encryption: AES
          6. Check Enable Pairwise Master Key (PMK) Caching
          7. Uncheck This network uses pre-authentication
          8. Here is a picture of the above settings
            802.1X - XP Network Properties
        2. IEEE 802.1X Tab
          1. EAP Type: Microsoft: Protected EAP (PEAP)
          2. Eapol-Start Message: Transmit
          3. Authentication Mode: User or Computer Authentication
          4. Check Authenticate as computer when computer information is available
          5. Uncheck Authente as guest when user or computer information is unavailable
          6. Screenshot of above settings
            802.1X - XP IEEE
        3. Click OK
    3. Click OK

Styling the Windows welcome screen (Interactive Logon)

Many people say you can't format the login screen in Windows to display a legal notice, company message, whatever.  They are indeed true... to a degree.

Earlier this afternoon I came across this issue and was not going to settle for not having spaces between my paragraphs.  To solve this, you can use a ridiculous amount of spaces between paragraphs to simulate the break (I tried multiple special characters for spacing, but all of them either get trimmed or hide the rest of the text).  Additionally, you can use special alt characters for some formatting (quotes, bullets, etc.).  If you don't have a keyboard with a keypad to type the special characters, you can open up word, insert a symbol into the document and copy and paste it over using the Control+C and Control+V keyboard shortcuts.

The only downside to this method is that only 512 characters will show up on Windows 2000 machines, but if you are still on Windows 2000, then I would strongly encourage you to update to a later operating system.