I am generating a WindowsPE boot stick with the Microsoft Automation Installation Kit 10 (host is Windows 10) for an amd64 target platform.
Because I don't need network connections from within the WinPE, I'd like to completely and securely disable them.
I have a rough understanding of the WinPE boot chain, so I know that I can pass a configuration file to wpeinit which would allow me to disable the network. The 10-year-old mystery remains: how would that file have to be structured? A minimal example of
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<EnableNetwork>false</EnableNetwork>
</unattend>
does not throw an error message but also does not work. It's called from within startnet.cmd like this:
wpeinit -unattend:"%SystemRoot%\system32\Unattend.xml"
although I have also seen wpeinit /unattend: ...
The %SystemRoot%\system32\wpeinit.log logfile states:
2017-08-02 13:26:16.061, Info WPEINIT is processing the unattend file [X:\windows\system32\Unattend.xml]
…
2017-08-02 13:26:16.295, Info ==== Initializing Network Access and Applying Configuration ====
2017-08-02 13:26:16.295, Info No EnableNetwork unattend setting was specified; the default action for this context is to enable networking support.
The provided examples don't help me much either; I think this might be for automated installation, not configuration.
I verify that networks are disabled via the following commands:
netsh interface ipv4 show interfaces
netsh interface ipv6 show interfaces
There is the possibility of disabling the connection via netsh like
netsh interface set interface "Local Area Connection" DISABLED
but I'm afraid that WinPE might have tried to access a DHCP already or was reachable via network for a short period of time.
So how can a networkless WinPE be achieved? Thanks!
Is not calling wpeinit from startnet.cmd an option since I need devices initialized with their drivers? Some posts suggest so.
Best Answer
Eureka! I was so close that I finally managed to get it working (one reference in the question actually had the answer, only for x86).
Important lessons learned:
components are required, see their documentation, especially the Microsoft-Windows-Setup one which allows <EnableNetwork> configuration
Without further ado, this is the Unattend.xml which gets copied by the generation process to %SystemRoot%\system32:
called via the modified startnet.cmd
which leads to the following log entry:
ATTENTION: the sole existence of the file in the System32 folder leads to its evaluation. So the parameter to wpeinit is actually not needed if the file resides at that location.
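The structure the answer describes, shown as an added example (not the answerer's own file): `<EnableNetwork>` placed inside the Microsoft-Windows-Setup component of the windowsPE pass, instead of directly under `<unattend>` as in the question's minimal file. It assumes the amd64 target from the question and the standard Windows component identity attributes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. In the question's file, <EnableNetwork> sat directly
     under <unattend>, so wpeinit logged "No EnableNetwork unattend setting
     was specified" and enabled networking by default. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <!-- wpeinit evaluates settings from the windowsPE configuration pass -->
  <settings pass="windowsPE">
    <!-- processorArchitecture must match the WinPE image (amd64 here, per
         the question; an x86 image would need "x86") -->
    <component name="Microsoft-Windows-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Tell wpeinit not to bring up networking during initialization,
           so no DHCP request is sent at boot -->
      <EnableNetwork>false</EnableNetwork>
    </component>
  </settings>
</unattend>
```

After booting with this file in place, `wpeinit.log` should no longer contain the "No EnableNetwork unattend setting was specified" line quoted in the question, and the two `netsh interface ... show interfaces` commands from the question can be used to confirm the result.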