Welcome

This explains the necessary steps for configuring certificate based IPSec in Win PE 2.0.

For improvement suggestions (or bugs) in this guide, please drop a note to johan [dot] arwidmark [at] truesec [dot] com, or at myitforum.com (alias jarwidmark).

You might also find me in the public Microsoft desktop deployment newsgroups (microsoft.public.deployment.desktop)

Regards,

Johan Arwidmark
Microsoft MVP – Setup & Deployment

The guide covers the following steps

o   Create the IPSec Policy

o   Installing the certificate in WinPE

Step 1 – Creating the IPSec Policy

1. On the deployment server, create a IPSec Policy
2. Using Regedit, export the assigned IPSec policy to a text file  (*.reg). The policy is stored in  (HKLM\Software\policies\Microsoft\windows\ipsec\policy\local
3. On a client, install the IPSec certificate and then using the certificates mmc, export the IPSec certificate, and include the Root CA in the export

Step 2 – Install the Certificate in WinPE

1. From a Vista machine, copy the certutil.exe and  en-US\certutil.exe to system32 of your WinPE Image
2. Using Regedit.exe import the previously exported IPSec policy to the Registry
3. Using an undocumented switch to certutil, -ImportPFX, import the previously exported certificate into WinPE
4. Start the IPSec Policy Agent in WinPE