PXE boot menu with System Center Configuration Manager
This article looks at extending what System Center Configuration Manager (Microsoft's IT infrastructure management product) can do when user PCs boot over the network via PXE. We build a PXELinux-based boot menu that keeps the System Center functionality and adds anti-virus scanning, diagnostic and recovery images. At the end of the article we touch on how System Center 2012 Configuration Manager behaves together with Windows Deployment Services (WDS) when booting via PXE.
All steps are performed in a test environment in which System Center 2012 Configuration Manager SP1, a domain controller and several test machines are already installed. It is assumed that SCCM is already deploying operating systems over the network via PXE.
Introduction
The test environment consists of several virtual machines. All machines run Microsoft Windows Server 2008 R2 (x64) as the guest OS with an E1000 network adapter and an LSI Logic SAS SCSI controller.
Name (Roles) | IP address / DNS name | Function
SCCM (System Center Configuration Manager) | 192.168.57.102, sccm2012.test.local | System Center Configuration Manager 2012 SP1 installed
DC (AD, DHCP, DNS) | 192.168.57.10, dc1.test.local | Domain controller, DHCP server and DNS server roles
TEST (Test machine) | 192.168.57.103, test.test.local | For testing
G.W. (Gateway) | 192.168.57.1 | Routing between networks; gateway role
1. Add PXELinux to SCCM
All of the following is done on the machine where System Center Configuration Manager is installed.
First, determine the directory from which WDS serves boot files: look up the value RootFolder under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSTFTP
The default value is C:\RemoteInstall
The files served from the SCCM distribution point are located in the directories smsboot\x86 and smsboot\x64, depending on the architecture.
First, set up the directory for the 32-bit architecture, by default c:\Remoteinstall\smsboot\x86
Download the archive with the latest syslinux. From syslinux-5.01.zip copy the following files to c:\Remoteinstall\smsboot\x86: memdisk, chain.c32, ldlinux.c32, libcom32.c32, libutil.c32, pxechn.c32, vesamenu.c32, pxelinux.0
The additional library files (ldlinux.c32, libcom32.c32, libutil.c32) are needed; without them the menu modules fail to load with an error.
In c:\Remoteinstall\smsboot\x86 rename pxelinux.0 to pxelinux.com
In the folder c:\remoteinstall\smsboot\x86 make a copy of abortpxe.com and rename it to abortpxe.0
If the file is not renamed to the .0 extension, then, for example, the instruction
Kernel abortpxe.com
will fail with the following error: Booting kernel failed: Bad file number
For PXELINUX, the extension of a boot file determines how it is loaded, according to the following table
Extension | Meaning
none or other | Linux kernel image
.0 | PXE bootstrap program (NBP) [PXELINUX only]
.bin | "CD boot sector" [ISOLINUX only]
.bs | Boot sector [SYSLINUX only]
.bss | Boot sector, DOS superblock will be patched in [SYSLINUX only]
.c32 | COM32 image (32-bit COMBOOT)
.cbt | COMBOOT image (not runnable from DOS)
.com | COMBOOT image (runnable from DOS)
.img | Disk image [ISOLINUX only]
So as not to press the F12 key several times when loading SCCM through the menu, rename pxeboot.com to pxeboot.com.f12 and copy pxeboot.n12 to pxeboot.com
If this is not done, the "press F12" prompt appears every time the item is selected. Note: do not forget to rename these files in the x64 folder as well. When x86\wdsnbp.com is loaded from the x86 folder, the loader detects the processor architecture and loads the next file from the folder for that architecture. Thus, for x64, the next file will be x64\pxeboot.com, not x86\pxeboot.com.
Download or create background.png with a resolution of 640x480 and copy it to the same folder. Create a folder ISO where the ISO images will be placed, and a folder pxelinux.cfg for the configs.
In the pxelinux.cfg folder, create a file named default, in a non-Unicode encoding, with the following content:
# use the graphical menu
DEFAULT vesamenu.c32
PROMPT 0
timeout 80
TOTALTIMEOUT 9000
MENU TITLE PXE Boot Menu (x86)
MENU INCLUDE pxelinux.cfg/graphics.conf
MENU AUTOBOOT Starting Local System in 8 seconds
# Boot local HDD (default)
LABEL bootlocal
menu label Boot Local
menu default
localboot 0x80
# if it doesn't work
#kernel chain.c32
#append hd0
# Entry to the submenu is protected by the password Qwerty, MD5 algorithm
label av
menu label Antivirus and tools
menu PASSWD $1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0
kernel vesamenu.c32
append pxelinux.cfg\av.conf
label sccm
menu label Start to SCCM
COM32 pxechn.c32
APPEND sccm2012.test.local::smsboot\x86\wdsnbp.com -W
label pxe64
menu label Start to x64 pxelinux
COM32 pxechn.c32
APPEND sccm2012.test.local::smsboot\x64\pxelinux.com
LABEL Abort
MENU LABEL Exit
KERNEL abortpxe.0
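The extension table above is what makes the `Kernel abortpxe.com` error easy to hit: PXELINUX picks the loader by extension, so a WDS network boot program kept under its original `.com` name is treated as a DOS COMBOOT image. The following added example (written for this article; not code from the original page or from the syslinux project) parses a PXELINUX config in the style of the `default` file above, reports the type PXELINUX will infer for each KERNEL/COM32 target, and flags WDS boot programs referenced with the wrong extension. The list of WDS NBP names and the constructed sample config are assumptions based on the files named on this page.

```python
"""Added example: a static check of a PXELINUX configuration.
Reports how PXELINUX interprets each KERNEL/COM32 target from its file
extension and flags WDS network boot programs referenced with their
original .com name (the case that fails with "Bad file number")."""
import os
import re

# Extension table from the SYSLINUX documentation as reproduced in the article.
EXTENSION_KIND = {
    ".0": "PXE bootstrap program (NBP) [PXELINUX only]",
    ".bin": '"CD boot sector" [ISOLINUX only]',
    ".bs": "Boot sector [SYSLINUX only]",
    ".bss": "Boot sector, DOS superblock will be patched in [SYSLINUX only]",
    ".c32": "COM32 image (32-bit COMBOOT)",
    ".cbt": "COMBOOT image (not runnable from DOS)",
    ".com": "COMBOOT image (runnable from DOS)",
    ".img": "Disk image [ISOLINUX only]",
}
DEFAULT_KIND = "Linux kernel image"

# WDS network boot programs found in RemoteInstall\smsboot\<arch> (assumed list,
# taken from the file names on the page). They are NBPs, so PXELINUX must see a
# .0 extension, or they must be chained through pxechn.c32.
WDS_NBP_NAMES = {"wdsnbp.com", "pxeboot.com", "pxeboot.n12", "abortpxe.com"}


def basename(target):
    """File name of a boot target, ignoring a 'host::' prefix and any directories."""
    path = target.rsplit("::", 1)[-1].replace("\\", "/")
    return path.rsplit("/", 1)[-1]


def kind_of(target):
    """Return the type PXELINUX infers for a boot target from its extension."""
    ext = os.path.splitext(basename(target))[1].lower()
    return EXTENSION_KIND.get(ext, DEFAULT_KIND)


def parse_targets(text):
    """Yield (label, directive, target) for every KERNEL or COM32 line."""
    label = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"(?i)^(label|kernel|com32)\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "label":
            label = value
        else:
            yield label, key.upper(), value


def lint(text):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    for label, directive, target in parse_targets(text):
        name = basename(target).lower()
        ext = os.path.splitext(name)[1]
        if directive == "KERNEL" and name in WDS_NBP_NAMES and ext != ".0":
            findings.append(
                f"label '{label}': KERNEL {target} is loaded as a {kind_of(target)}; "
                f"it is a WDS NBP, so copy it to a .0 name or chain it with pxechn.c32"
            )
        if directive == "COM32" and ext != ".c32":
            findings.append(f"label '{label}': COM32 {target} does not have a .c32 extension")
    return findings


def report(text):
    """Map each label to the type PXELINUX infers for its KERNEL/COM32 target."""
    return {label: kind_of(target) for label, _, target in parse_targets(text)}


# Constructed excerpt in the style of the article's pxelinux.cfg/default.
SAMPLE_CONFIG = r"""
DEFAULT vesamenu.c32
LABEL sccm
  menu label Start to SCCM
  COM32 pxechn.c32
  APPEND sccm2012.test.local::smsboot\x86\wdsnbp.com -W
LABEL pxe64
  COM32 pxechn.c32
  APPEND sccm2012.test.local::smsboot\x64\pxelinux.com
LABEL Abort
  MENU LABEL Exit
  KERNEL abortpxe.com
"""

if __name__ == "__main__":
    for label, kind in report(SAMPLE_CONFIG).items():
        print(f"{label}: {kind}")
    for finding in lint(SAMPLE_CONFIG):
        print("WARNING", finding)
```

Run it against the real `default`, `av.conf` and the x64 copies before publishing them to the TFTP root; targets chained through `pxechn.c32` are given in APPEND and are deliberately not inspected, because pxechn.c32 hands them to the PXE stack as NBPs regardless of extension.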
In the pxelinux.cfg folder create a file graphics.conf with the following content:
MENU MARGIN 10
MENU ROWS 16
MENU TABMSGROW 21
MENU TIMEOUTROW 26
MENU COLOR BORDER 30;44 #00000000 #00000000 none
MENU COLOR SCROLLBAR 30;44 #00000000 #00000000 none
MENU COLOR TITLE 0 #ffffffff #00000000 none
MENU COLOR SEL 30;47 #40000000 #20ffffff
MENU BACKGROUND background.png
NOESCAPE 0
ALLOWOPTIONS 0
In the pxelinux.cfg folder create a file av.conf with the following content:
DEFAULT vesamenu.c32
PROMPT 0
MENU TITLE Antivirus and tools
MENU INCLUDE pxelinux.cfg/graphics.conf
label main menu
menu label return to main menu
kernel vesamenu.c32
append pxelinux.cfg/default
label drweb
menu label DrWeb
kernel memdisk
append iso raw initrd=iso\drweb.iso
label eset
menu label Eset
kernel memdisk
append iso raw initrd=iso\eset_sysrescue.iso
label kav
menu label KAV Rescue CD
KERNEL kav/rescue
APPEND initrd=kav/rescue.igz root=live rootfstype=auto vga=791 init=/init kav_lang=ru udev liveimg doscsi nomodeset quiet splash
# Load the ISO by its full path; it can also be loaded from another TFTP server
label winpe
menu label WinPE from another TFTP
kernel sccm2012.test.local::smsboot\x86\memdisk
append iso raw initrd=sccm2012.test.local::smsboot\x86\iso\WinPE_RaSla.iso
label clonezilla
menu label Clonezilla
kernel memdisk
append iso raw initrd=iso\clonezilla.iso
As a result, the c:\remoteinstall\smsboot\x86 directory contains the syslinux files, background.png, the ISO folder and the pxelinux.cfg folder with default, graphics.conf and av.conf.
For the x64 architecture, copy the files and create the same structure in the folder c:\remoteinstall\smsboot\x64 in the same way.
Note
With the menu PASSWD command the password can be given either in clear text or as a hash, by adding the corresponding signature at the beginning of the parameter
Algorithm | Signature
MD5 | $1$
SHA-1 | $4$
SHA-2-256 | $5$
SHA-2-512 | $6$
So for the password Qwerty and the MD5 algorithm
menu PASSWD $1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0
You can generate the hash, for example, with an online hash generator such as www.insidepro.com/hashes.php?lang=rus, using the MD5(Unix) line
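Pasting a boot-menu password into a third-party web page hands that password to whoever runs the site; the `$1$` form is just the Unix MD5-crypt scheme and is easy to produce locally. The following added example (written for this article, not code from the original page or from the syslinux project) implements MD5-crypt from the reference algorithm, generates a random salt, emits the `menu PASSWD` line, and verifies a candidate password against a stored hash. The function names and the sample inputs are assumptions of this example.

```python
"""Added example: generating MENU PASSWD hashes locally.
Implements the Unix MD5-crypt scheme ($1$salt$hash) selected by the "$1$"
signature and verifies a candidate password against a stored hash."""
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"  # signature for MD5 in the article's table


def _to64(value, count):
    """crypt(3)-style base64: emit `count` characters of 6 bits each, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def random_salt(length=8):
    """Random salt from the crypt alphabet (MD5-crypt uses at most 8 characters)."""
    return "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(length))


def md5_crypt(password, salt=None):
    """Return '$1$<salt>$<hash>' for MENU PASSWD (FreeBSD md5crypt algorithm)."""
    pw = password.encode()
    salt_b = (salt if salt is not None else random_salt()).encode()[:8]
    if b"$" in salt_b:
        raise ValueError("salt must not contain '$'")
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # mix in as many bytes of alt as the password is long
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # for each bit of the password length: a zero byte or the first password byte
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the alternating schedule of the reference code
    for r in range(1000):
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(salt_b)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    # 16 digest bytes are interleaved into five 24-bit groups plus one 8-bit tail
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    ) + _to64(final[11], 2)
    return (MAGIC + salt_b + b"$" + encoded).decode()


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")  # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), stored)


def passwd_line(password, salt=None):
    """The config line to put under the password-protected label."""
    return "menu PASSWD " + md5_crypt(password, salt)


if __name__ == "__main__":
    print(passwd_line("Qwerty"))  # fresh random salt on every run
    # The article's hash for 'Qwerty'; verify() reports True if it was produced
    # by standard MD5-crypt with the salt 15opgKTx.
    print(verify("Qwerty", "$1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0"))
```

The same table offers `$5$` and `$6$` (SHA-256/SHA-512 crypt), which are the better choice for a new menu; MD5-crypt is shown here because it is the scheme the article's hash uses. Keep in mind that the config file itself is served over TFTP to any host on the segment, so the hash, not the password, is what an attacker on the LAN can read, and a strong password is what makes that hash useless to them.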
2. Set up the PXELinux boot
Now we specify how pxelinux.com is loaded so that the menu appears.
Specifying the pxelinux.com boot loader through the WDS functionality does not work in SCCM: the corresponding wdsutil commands are not processed. You can verify that the boot images are not set by printing the WDS server configuration with
wdsutil /get-server /show:images
So in SCCM 2012 you cannot give the SMSPXE provider your own file for PXE boot. Instead, we configure the DHCP scope.
In the DHCP scope options, set the parameters according to the following table
DHCP option | Parameter name | Value
066 | Boot server hostname | sccm2012.test.local
067 | Bootfile name | smsboot\x86\pxelinux.com
006 | DNS Servers | 192.168.57.10
015 | DNS Domain Name | test.local
In option 066 we specify the FQDN of the SCCM server, in option 067 the path to the x86 boot loader pxelinux.com starting from the TFTP root, and in option 006 the IP address of the DNS server. If a short server name is used in option 066, the DNS suffix of the domain is specified in option 015.
Note
mvgolubev has described the DHCP configuration in more detail. But on the DC, option 150 (TFTP server IP address) was missing from the DHCP scope settings, and setting option 150 via netsh did not work.
3. Checking the result
The basic configuration is complete and we can start testing. Set the test computer's BIOS to boot from the network; the machine boots into the menu.
Select «Start to SCCM»; if a task sequence is assigned to the computer, after a while the "Task Sequence Wizard" window appears prompting for a password.
Reboot the machine, return to the menu, select «Antivirus and tools» and enter the password Qwerty.
Select any item and watch the ISO image being loaded into memory.
Wait and see the result.
Verification complete.
4. Additional settings and features
Routing setup
If the client, the DHCP server and the server holding the network boot program are in the same network segment, no additional configuration is required. If the client and the DHCP server or the WDS/SCCM server are on different segments, configure the routers to forward the client's broadcast packets to the active DHCP server and the active WDS/SCCM server. In English literature this is known as "IP Helper table updates". The client, after obtaining an IP address, then contacts the server holding the network boot program directly with DHCP packets in order to download it.
For Cisco routers, use the command
ip helper-address {ip address}
where {ip address} is the address of the DHCP server or the WDS/SCCM server. This command also forwards the following UDP broadcast packets
Port | Protocol
69 | TFTP
53 | Domain Name System (DNS)
37 | Time service
137 | NetBIOS Name Server
138 | NetBIOS Datagram Server
67 | Bootstrap Protocol (BOOTP)
49 | TACACS
The second way for the client to obtain the network boot program information directly from the DHCP server is to set options 60, 66 and 67 on the DHCP server. DHCP option 60 with the value «PXEClient» is added to all DHCP scopes only if the DHCP server is hosted on the same server as Windows Deployment Services. In this case the client talks directly to the Windows Deployment Services server using TFTP on UDP port 4011 instead of using DHCP. Microsoft does not recommend this method because of problems with load balancing, incorrect handling of DHCP options and of the Windows Deployment Services response options on the client side, and also because using only the two DHCP options 66 and 67 bypasses the settings configured on the network boot server.
You also need to open the following UDP ports on the Windows Deployment Services server
port 67 (DHCP)
port 69 (TFTP)
port 4011 (PXE)
and port 68 if DHCP authorization is required on the server.
It follows from the syslinux documentation that with
localboot 0
booting proceeds from a local disk. When a specific value is given, 0x00 boots from the primary floppy disk and 0x80 from the primary hard disk. After changing the command to
localboot 0x80
the local OS booted.
If you need to boot from a specific disk or partition, or the localboot command does not work, you can use the chain.c32 module. After loading it, use the append command to specify the disk or partition: disk numbering starts from 0 and partition numbering from 1; if partition 0 is specified, the MBR is loaded. When only a disk is specified, the partition can be omitted.
Order and description of the files loaded via PXE
As mentioned at the beginning of the article, the directory from which WDS serves files is stored in the value RootFolder under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSTFTP
The default value is C:\RemoteInstall
The ReadFilter parameter in the same key lists the directories, relative to the root, in which the TFTP server looks for files to serve. With SCCM 2012 SP1 installed this parameter contains
boot*
tmp*
SMSBoot*
SMSTemp*
SMSImages*
If you change the value to * then all files located under RemoteInstall are served.
The SCCM 2012 distribution point role is specified in the registry value ProvidersOrder under the key HKLM\System\CurrentControlSet\services\WDSServer\Providers\WDSPXE
The parameter ProvidersOrder can take the following values
Value | Meaning
SMSPXE | PXE service point in SCCM
SMS.PXE.Filter | PXE script handler from MDT (Microsoft Deployment Toolkit)
BINLSVC | Standard WDS and RIS engine
With SCCM installed, ProvidersOrder has the value SMSPXE. By changing the parameter you can change the order in which the providers are loaded.
The RemoteInstall directory contains the following standard files
wdsnbp.com: the network boot program for Windows Deployment Services; it performs the following tasks:
1. Architecture detection.
2. Servicing pending computers. When the auto-add policy is enabled, this network boot program is sent to pending computers to pause the network boot and report the client computer's architecture to the server.
3. Using network boot referrals (including DHCP options 66 and 67).
PXEboot.com: (default) requires the user to press F12 to continue the network boot.
PXEboot.n12: does not require the user to press F12 and starts the network boot immediately.
AbortPXE.com: boots the computer from the next boot item in the BIOS without waiting.
bootmgr.exe: Windows Boot Manager (Bootmgr.exe or Bootmgr.efi). Loads the Windows boot loader via firmware from a specific disk partition or over the network (in the case of network boot).
Bootmgfw.efi: the EFI counterpart of PXEboot.com and PXEboot.n12 (in EFI the choice whether or not to boot via PXE is made in the EFI shell, not in the network boot program). Bootmgfw.efi combines the functions of PXEboot.com, PXEboot.n12, abortpxe.com and bootmgr.exe. It currently exists only for the x64 and Itanium architectures.
Default.bcd: the Boot Configuration Data store (BCD) in REGF format; it can be loaded into REGEDIT and replaces the Boot.ini text file.
Booting proceeds in the following order, as described above
1. Download wdsnbp.com.
2. Next, pxeboot.com of the appropriate architecture is loaded
3. PXEBoot.com downloads bootmgr.exe and the BCD boot configuration data store
4. Bootmgr.exe reads the BCD boot configuration data operating system entries and loads the Boot.sdi file and the Windows PE image (boot.wim)
5. Bootmgr.exe starts loading Windows PE by accessing Winload.exe in the Windows PE image
If RemoteInstall contains the folders
Boot
Images
Mgmt
Templates
Tmp
WdsClientUnattend
then before the distribution point role was added in SCCM 2012 (the PXE service point in SCCM 2007), some configuration was done on the installed Windows Deployment Services (WDS) that created these folders automatically.
For the distribution point role (PXE service point in SCCM 2007), only the following folders are sufficient