How to configure IPSec in WinPE 2.0

By arwidmark / July 31, 2007


This guide explains the steps needed to configure certificate-based IPSec in WinPE 2.0.

For improvement suggestions (or bugs) in this guide, please drop a note to johan [dot] arwidmark [at] truesec [dot] com, or at (alias jarwidmark).

You might also find me in the public Microsoft desktop deployment newsgroups (microsoft.public.deployment.desktop).


Johan Arwidmark
Microsoft MVP – Setup & Deployment

The guide covers the following steps:

  - Create the IPSec policy

  - Install the certificate in WinPE

Step 1 – Creating the IPSec Policy

  1. On the deployment server, create an IPSec policy.
  2. Using Regedit, export the assigned IPSec policy to a text file (*.reg). The policy is stored in HKLM\Software\policies\Microsoft\windows\ipsec\policy\local.
  3. On a client, install the IPSec certificate. Then, using the Certificates MMC, export the IPSec certificate and include the Root CA in the export.

Step 2 – Install the Certificate in WinPE

  1. From a Vista machine, copy certutil.exe and en-US\certutil.exe to the system32 folder of your WinPE image.
  2. Using Regedit.exe, import the previously exported IPSec policy into the registry.
  3. Using an undocumented switch to certutil, -ImportPFX, import the previously exported certificate into WinPE.
  4. Start the IPSec Policy Agent in WinPE.
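
The Step 2 actions inside WinPE can be run as one batch file with a check after each stage. This is an added example, not a script from the original guide; the folder and file names under X:\IPSec are constructed, and it assumes reg.exe is present in the image and that the Policy Agent service is named PolicyAgent.

```batch
@echo off
rem Added example (not from the original guide). Run inside WinPE,
rem for instance by calling it from startnet.cmd.
setlocal
rem Constructed file names: adjust to where the exports were copied.
set POLICY_REG=X:\IPSec\ipsec-policy.reg
set CERT_PFX=X:\IPSec\ipsec-cert.pfx
set POLICY_KEY=HKLM\Software\Policies\Microsoft\Windows\IPSec\Policy\Local

if not exist "%POLICY_REG%" (echo Missing %POLICY_REG% & exit /b 1)
if not exist "%CERT_PFX%" (echo Missing %CERT_PFX% & exit /b 1)

rem Step 2.2: import the exported policy silently and wait for regedit,
rem then confirm that the policy key now exists.
start /wait regedit.exe /s "%POLICY_REG%"
reg.exe query "%POLICY_KEY%" >nul 2>&1
if errorlevel 1 (echo IPSec policy key not found after import & exit /b 2)

rem Step 2.3: import the certificate and its private key.
rem The PFX password is typed at boot so it is not stored in the image.
rem Note that set /p echoes the typed text to the console.
set /p PFX_PASS=PFX password: 
certutil.exe -p "%PFX_PASS%" -importPFX "%CERT_PFX%"
set RC=%errorlevel%
set PFX_PASS=
if not "%RC%"=="0" (echo certutil -importPFX failed with code %RC% & exit /b 3)

rem Step 2.4: start the IPSec Policy Agent so the policy takes effect.
net start PolicyAgent
if errorlevel 1 (echo Could not start the IPSec Policy Agent & exit /b 4)

echo IPSec policy imported, certificate installed, Policy Agent running.
endlocal
```

Because the PFX file carries the private key, anyone who obtains the WinPE image and the password can authenticate as that client, so the image and boot media need the same handling as the key itself.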


