The following settings apply to Windows XP. They affect the behavior of the device on the network, particularly in regard to wireless connections and 802.1X authentication. Each of these settings is configurable automatically using XpressConnect.
Third-party wireless utilities and supplicants may conflict with the built-in wireless manager. XpressConnect will automatically migrate the user away from most utilities, leaving them running but not in control. However, some utilities interfere to such a degree that they must be disabled.
Wireless Utilities (20004)
Most wireless utilities are compatible with the Windows wireless manager and are handled implicitly by XpressConnect. However, some wireless utilities are simply incompatible with Windows. This setting allows these utilities to be disabled. Utilities are flagged as rogue for a variety of reasons, including an inability to respect the 'Use Windows to configure wireless' flag. Other utilities are flagged as rogue because they cause the association and authentication to the secure SSID to be unpredictable.
XpressConnect is able to detect whether or not a Windows hotfix has been applied to the machine. If necessary, the hotfix may be automatically installed using these instructions. It is possible to add multiple hotfixes. To do so, enter one hotfix and click save. Then, click 'Add Application Settings' again and you will be able to enter an additional hotfix.
This setting will detect if WPA2 is supported. If it is not, it will auto remediate by installing the KB917021 hotfix. NOTE: For remediation by installation to work properly, see the FAQ on the Support tab regarding install-based remediation.
XpressConnect can detect the status of Windows Hotfixes.
Supported settings include:
Installed - Default. The hotfix is considered installed if it is included in the list of installed hotfixes.
XpressConnect is not able to auto remediate this setting. You should configure the help text to contain a URL to a support server from which the hotfix can be downloaded.
This setting controls the SSID in the Windows environment.
Preferred Network (Wireless SSID) (40001)
The 'Wireless SSID' setting controls the SSID and its related configuration used in wireless networks. Within the Windows user interface, SSIDs are listed in the Preferred Networks list. This setting is only applicable to wireless networks.
Best Available: XpressConnect is capable of configuring each machine for the best security scheme supported by the interface. To use this feature, set Network Authentication to WPA2 Preferred, WPA Acceptable and Data Encryption to AES Preferred, TKIP Acceptable. XpressConnect will use the first supported scheme from this list: WPA2/AES, WPA2/TKIP, WPA/AES, WPA/TKIP. The sequence is similar for PSK-based SSIDs. In this example, both Network Authentication and Data Encryption were specified as flexible. If you wish, you may make one fixed and one flexible. For example, you may require WPA2 and allow either TKIP or AES.
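The scheme selection described above, as an added example (not XpressConnect's own code): it takes the allowed values for Network Authentication and Data Encryption plus the (auth, enc) pairs the interface supports, and walks the page's preference order until one matches. The capability sets are constructed for illustration.

```python
from itertools import product

# Preference order stated on the page: WPA2/AES, WPA2/TKIP, WPA/AES, WPA/TKIP.
AUTH_ORDER = ("WPA2", "WPA")
ENC_ORDER = ("AES", "TKIP")


def best_available(allowed_auth, allowed_enc, supported):
    """Pick the scheme a 'Best Available' configuration would end up with.

    allowed_auth / allowed_enc: tuples of acceptable values in any order, e.g.
      ("WPA2", "WPA") for 'WPA2 Preferred, WPA Acceptable' (flexible) or
      ("WPA2",) to require WPA2 (fixed).
    supported: set of (auth, enc) pairs the interface/driver reports.
    Returns the first allowed pair in preference order that is supported,
    or None when nothing acceptable is available (warn or block the client).
    """
    auths = [a for a in AUTH_ORDER if a in allowed_auth]
    encs = [e for e in ENC_ORDER if e in allowed_enc]
    for scheme in product(auths, encs):
        if scheme in supported:
            return scheme
    return None


# Constructed capability sets for three hypothetical drivers.
MODERN_NIC = {("WPA2", "AES"), ("WPA2", "TKIP"), ("WPA", "AES"), ("WPA", "TKIP")}
WPA_ONLY_NIC = {("WPA", "AES"), ("WPA", "TKIP")}   # no WPA2 support at all
TKIP_ONLY_NIC = {("WPA", "TKIP")}                   # old driver, TKIP only

if __name__ == "__main__":
    flexible = (("WPA2", "WPA"), ("AES", "TKIP"))
    print(best_available(*flexible, MODERN_NIC))    # ('WPA2', 'AES')
    print(best_available(*flexible, WPA_ONLY_NIC))  # ('WPA', 'AES')
    # Fixed WPA2 with flexible encryption: an old driver gets nothing.
    print(best_available(("WPA2",), ("AES", "TKIP"), TKIP_ONLY_NIC))  # None
```

Note that the order means WPA2/TKIP is chosen over WPA/AES, so an interface that lacks AES under WPA2 will still be put on TKIP.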
XpressConnect can detect the state of an SSID in the Preferred Networks list.
Supported settings include:
Configured - Default. The SSID is considered configured if the SSID is defined with the appropriate network authentication (WPA or WPA-PSK), data encryption (TKIP or AES), and connection behavior (Connect Automatically) settings and is the first SSID listed in the Preferred Networks list.
For WPA-PSK, the SSID will always require remediation to ensure the network key is correct, because the network key cannot be read back from Windows. The network key itself is optional: if specified, it will be set automatically; if not specified, Windows will prompt the user to enter the key when it attaches to the SSID.
XpressConnect is able to auto remediate this setting.
Note: If the Security Center service is disabled, the Antivirus and Antispyware checks will treat this condition as 'overridden'. To ensure that Security Center is running, add the 'Security Center Service' setting.
Security Center Service (80015)
XpressConnect can detect the state of Windows Security Center service.
Supported settings include:
Running - Default. Security Center service is considered running if the service is listed as running.
During auto remediation, XpressConnect will enable Windows Security Center service. By default, a new install of Windows XP & Vista will have Windows Security Center service running.
XpressConnect can detect the state of Windows Auto Update.
Supported settings include:
Enabled - Default. Auto Updates are considered enabled if the current configuration is anything other than 'Off'.
During auto remediation, XpressConnect will enable Windows Auto Update using the 'Automatic' setting. For manual remediation, XpressConnect contains a default help script and will also open the Windows Auto Update user interface page. By default, a new install of Windows XP & Vista will have Auto Update disabled, but the user will be prompted repeatedly to enable it.
XpressConnect can detect the state of firewalls, including the Windows Firewall as well as third-party firewalls with the appropriate Windows Security Center interface.
Supported settings include:
Enabled - Default. A firewall is considered enabled if a third-party firewall or the Windows Firewall is running.
For auto remediation, XpressConnect will enable the Windows Firewall with the previously existing exception list. For manual remediation, XpressConnect contains a default help script and will also open the Windows Firewall user interface page. By default, a new install of Windows XP will have the Windows Firewall disabled. A new install of Windows Vista will have the Windows Firewall enabled.
XpressConnect can detect the state of third-party antivirus products with the appropriate Windows Security Center interface.
Supported settings include:
Running Or Overridden In Security Center - Default. This is the least strict. The Windows Security Center detects that a third-party antivirus program is running or the user has selected 'I have an antivirus program I will monitor myself' within Security Center. This setting does not consider the up-to-date status. If Security Center service is not running, it will be considered overridden.
Running - The Windows Security Center detects that a third-party antivirus product is running. This setting does not allow the user to override antivirus using the 'I have an antivirus program I will monitor myself' setting. This setting does not consider the up-to-date status.
Running And Up-To-Date - This is the most strict. The Windows Security Center detects a third-party antivirus product is running and the product reports that it is up-to-date. This setting does not allow the user to override antivirus using the 'I have an antivirus program I will monitor myself' setting.
XpressConnect does not support auto remediation of antivirus. By default, a new install of Windows XP & Vista will not contain an antivirus application.
These settings control the behavior of the Windows Wireless Zero Configuration service within Windows XP. This service manages the behavior of wireless as well as the behavior of 802.1X (for wired and wireless).
Use Windows To Configure Wireless (40002)
The Use Windows To Configure Wireless checkbox within the Windows user interface controls the management of wireless. When checked, Windows will natively manage wireless and third-party tools will be ignored. When unchecked, Windows will not natively manage wireless and third-party tools will be necessary. This setting is only applicable to wireless networks.
XpressConnect can detect the state of the flag which enables or disables Windows wireless.
Supported settings include:
Enabled - Default. When enabled, Windows will natively manage wireless. Third-party wireless management tools will be ignored. This is recommended.
Disabled - When disabled, Windows will assume a third-party tool is managing wireless.
XpressConnect is able to auto remediate this setting. By default, a new install of Windows will have this setting enabled.
Automatically connect to non-preferred networks (40003)
XpressConnect is able to detect the state of the 'Automatically connect to non-preferred networks' setting. This setting controls whether or not Windows roams to undefined networks.
Supported settings include:
Disabled - Default. When selected, Windows will only connect automatically to networks for which a profile exists.
Enabled - When selected, Windows will connect automatically to a network regardless of whether or not a profile exists for the SSID.
XpressConnect is able to auto remediate this setting.
XpressConnect is able to detect the status of the 'Networks to access' setting. This setting controls the types of networks to which the wireless manager will attach.
Supported settings include:
Access point networks only - Default. When selected, Windows will only connect to access points (infrastructure mode).
Any available network - When selected, Windows will allow both connections to access points as well as ad-hoc connections.
XpressConnect is able to auto remediate this setting.
This setting controls whether or not the NIC icon displays in the system tray when connected. XpressConnect can detect this setting.
Supported settings include:
Enabled - Default. If selected, the NIC icon will appear in the system tray when connected.
Disabled - If selected, the NIC icon will not appear in the system tray when connected.
XpressConnect is able to auto remediate this setting. NOTE: On Windows XP, changes to this setting will take effect the next time the NIC is disabled and enabled or after the next reboot.
On Windows Vista, if the network icon is not displayed in the system tray, the 802.1X authentication bubble may not appear. If this setting needs to be modified on a Vista computer, explorer.exe will be restarted so that the change takes effect immediately. This will cause the desktop to briefly flash.
This setting controls what bubbles are displayed to the user. In particular, this includes the 'Limited Connectivity' message that appears when the NIC does not have an IP address. XpressConnect can detect this setting.
Supported settings include:
Enabled - Default. If selected, the messages regarding limited connectivity will be displayed.
Disabled - If selected, the messages regarding limited connectivity will not be displayed.
XpressConnect is able to auto remediate this setting. NOTE: Changes to this setting will take effect the next time the NIC is disabled and enabled or after the next reboot.
These settings control the behavior of XSupplicant and are therefore only relevant if XSupplicant is being used as the supplicant.
Connection (64060)
XpressConnect can detect the connection name within XSupplicant. XSupplicant uses a 'connection' to group together the NIC, 802.1X profile, and SSID (if applicable).
Supported settings include:
Configured - Default. This setting is considered configured if the connection name exists within XSupplicant and is configured with the appropriate SSID (if applicable), trusted server, and authentication profile. This setting requires that the Connection Name also be specified.
If the connection name does not exist, it will be created. If it does exist, it will be modified based on the remainder of the XSupplicant settings.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the renew IP setting within the XSupplicant connection.
Supported settings include:
Disabled - Default. When disabled, XSupplicant will not force an IP address renew (via DHCP) after each authentication.
Enabled - When enabled, XSupplicant will force an IP address renew (via DHCP) after each authentication. This helps ensure that the client has an appropriate IP address if the VLAN assignment is changed.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the state of DHCP related to the IP address.
Supported settings include:
Obtain IP address automatically - Default. When selected, the IP address will be retrieved using DHCP.
If the setting is changed from static to DHCP, a revert will properly restore the machine's static IP address. XpressConnect is able to auto remediate this setting.
XpressConnect can detect the state of DHCP related to DNS.
Supported settings include:
Obtain DNS server address automatically - Default. When selected, the DNS server address will be retrieved using DHCP. This value is only valid if 'IP by DHCP' is set to 'Obtain IP address automatically'.
If the setting is changed from static to DHCP, a revert will properly restore the machine's static DNS entries. XpressConnect is able to auto remediate this setting.
This setting controls whether or not Windows attempts to register the connection's address with DNS. XpressConnect can detect and fix this setting.
Supported settings include:
Unchecked - Default. When unchecked, Windows will not register the IP address received from DHCP with DNS.
Checked - When checked, Windows will register the IP address received from DHCP with DNS.
XpressConnect is able to auto remediate this setting. By default, Windows XP and Vista have this setting checked.
The configuration of this setting is located in the interface's properties. Select Internet Protocol and click 'Properties'. Click 'Advanced'. Select the 'DNS' tab. The setting is labeled 'Register this connection's address in DNS'.
The 'Wireless NICs' setting allows the administrator to control the state of wireless network interface cards. This is useful in scenarios where the user attaches to the network with a wired connection and the network administrator wants to ensure that wireless NICs are neither bridging (possibly leading to a bridge loop) nor wandering (possibly attaching to a rogue access point).
XpressConnect can detect the state of wireless network interface cards.
Supported settings include:
Disabled - Default. When selected, wireless NICs that are not currently being configured will be disabled. This setting will not affect the interface currently being configured.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the state of wired network interface cards.
Supported settings include:
Disabled - Default. When selected, wired NICs that are not currently being configured will be disabled. This setting will not affect the interface currently being configured.
XpressConnect is able to auto remediate this setting.
This setting will allow Internet Connection Sharing on Windows to be enabled or disabled. If it is to be disabled, the IP Information field should be left blank. If it is to be enabled, the IP Information field should contain the IP information for the private NIC. This must be formatted as IP;SUBNET_MASK;DEFAULT_GATEWAY;DNS1;DNS2. The DNS1 and DNS2 entries are optional. For example, the following are valid:
192.168.0.1;255.255.255.0;192.168.0.1
192.168.0.1;255.255.255.0;192.168.0.1;71.71.71.71
192.168.0.1;255.255.255.0;192.168.0.1;71.71.71.71;61.61.61.61
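An added validator for the IP Information field (not XpressConnect's own code) that accepts the example values above and rejects a malformed mask or a gateway outside the private subnet; the only semantics assumed are those stated for the field above.

```python
import ipaddress


def parse_ics_info(value):
    """Parse the ICS 'IP Information' field: IP;SUBNET_MASK;DEFAULT_GATEWAY;DNS1;DNS2.

    Returns None for a blank field (ICS is to be disabled), otherwise a dict of
    validated addresses. Raises ValueError describing the first problem found.
    """
    if value.strip() == "":
        return None
    parts = [p.strip() for p in value.split(";")]
    if not 3 <= len(parts) <= 5:
        raise ValueError(f"expected 3 to 5 ';'-separated fields, got {len(parts)}")
    ip = ipaddress.IPv4Address(parts[0])
    if parts[1].count(".") != 3:
        raise ValueError("subnet mask must be in dotted-quad form")
    # IPv4Network rejects a non-contiguous mask such as 255.0.255.0.
    try:
        network = ipaddress.IPv4Network(f"{ip}/{parts[1]}", strict=False)
    except ValueError as exc:
        raise ValueError(f"bad subnet mask {parts[1]!r}: {exc}") from None
    gateway = ipaddress.IPv4Address(parts[2])
    if gateway not in network:
        raise ValueError(f"default gateway {gateway} is not inside {network}")
    dns = [ipaddress.IPv4Address(p) for p in parts[3:]]  # zero, one or two entries
    return {"ip": ip, "mask": network.netmask, "gateway": gateway, "dns": dns}


if __name__ == "__main__":
    # The three valid examples from the page.
    for sample in ("192.168.0.1;255.255.255.0;192.168.0.1",
                   "192.168.0.1;255.255.255.0;192.168.0.1;71.71.71.71",
                   "192.168.0.1;255.255.255.0;192.168.0.1;71.71.71.71;61.61.61.61"):
        print(parse_ics_info(sample))
```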
NOTE: On Mac, connection sharing is internally turned off when an 802.1X connection is used.
This setting controls the acceptable age of the NIC driver. In most cases, this setting is not necessary as XpressConnect will automatically determine whether or not the driver supports the required encryption settings. However, this setting does allow you to warn or block machines that have old drivers. XpressConnect can detect the age of the driver.
Supported settings include:
Newer Than - Default. If selected, the date of driver installed on the user's machine must be newer than the date specified.
XpressConnect is not able to auto remediate this setting. NOTE: In most cases, this setting is not necessary since XpressConnect will inherently verify that the driver supports the required encryption settings. However, this setting is useful if you are planning to increase your minimum security setting in the near future and wish to warn users.
XpressConnect can detect the system clock. This is important when server certificates are used for authentication to ensure the machine does not incorrectly believe the certificate is expired.
Supported settings include:
Configured - Default. The system clock must be within the range specified.
XpressConnect does not support auto remediation of this setting.
NOTE: The date range must be specified in the format MM/DD/YYYY;MM/DD/YYYY, such as 1/1/2006;1/1/2007.
XpressConnect can detect the system clock. This is important when server certificates are used for authentication to ensure the machine does not incorrectly believe the certificate is expired. This setting will query the current timestamp from a URL. If the URL is unavailable, the user will be prompted to confirm their current system clock. If the system clock differs by more than 7 days, the user will be prompted to correct the system clock.
Supported settings include:
In Sync - Default. The system clock must be within the range specified.
XpressConnect supports auto remediation of this setting.
If a PHP, JSP, or ASP deployment package is used, the package contains a timestamp file in tools. In these cases, leave the URL blank and the system will automatically use the timestamp file.
If an HTML deployment package is used, this needs to be the full URL (for example http://1.1.1.1/timestamp.txt) to a timestamp file. The timestamp file needs to contain the current timestamp in the format TIMESTAMP:YYYYMMDD-HHMMSS. There are a couple options as to how this file is handled. First, it may be queried from another server which contains scripting capabilities. The second option is to have a scheduled task regularly update the timestamp text file.
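An added example (not XpressConnect's code) that implements the two clock checks above: the 'Configured' date range in MM/DD/YYYY;MM/DD/YYYY form, and the 'In Sync' comparison against the TIMESTAMP:YYYYMMDD-HHMMSS file with the 7-day threshold and the unavailable-URL case. It assumes the timestamp file and the client clock are in the same time zone, which the page does not state.

```python
from datetime import datetime, timedelta

# Drift threshold stated on the page for the 'In Sync' check.
MAX_DRIFT = timedelta(days=7)


def parse_timestamp_file(text):
    """Parse the timestamp file body 'TIMESTAMP:YYYYMMDD-HHMMSS' into a datetime."""
    line = text.strip()
    prefix = "TIMESTAMP:"
    if not line.startswith(prefix):
        raise ValueError("timestamp file must start with 'TIMESTAMP:'")
    return datetime.strptime(line[len(prefix):], "%Y%m%d-%H%M%S")


def parse_date_range(value):
    """Parse the 'Configured' range 'MM/DD/YYYY;MM/DD/YYYY' (e.g. '1/1/2006;1/1/2007')."""
    start_text, end_text = value.split(";")
    start = datetime.strptime(start_text.strip(), "%m/%d/%Y")
    end = datetime.strptime(end_text.strip(), "%m/%d/%Y")
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end


def clock_in_range(now, date_range):
    """'Configured' check: the client clock must fall inside the admin's range."""
    start, end = parse_date_range(date_range)
    return start <= now <= end


def clock_status(now, timestamp_text):
    """'In Sync' check. timestamp_text is the fetched file body, or None when the
    URL was unavailable. Returns 'in_sync', 'out_of_sync' (user is prompted to
    correct the clock) or 'unverified' (user is prompted to confirm the clock)."""
    if timestamp_text is None:
        return "unverified"
    server_time = parse_timestamp_file(timestamp_text)
    return "in_sync" if abs(now - server_time) <= MAX_DRIFT else "out_of_sync"


if __name__ == "__main__":
    # Constructed client clock and timestamp file body.
    client_now = datetime(2006, 6, 1, 12, 0, 0)
    print(clock_in_range(client_now, "1/1/2006;1/1/2007"))          # True
    print(clock_status(client_now, "TIMESTAMP:20060609-120000\n"))  # out_of_sync
    print(clock_status(client_now, None))                            # unverified
```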
These settings allow additional software packages to be installed if necessary.
Software (80025)
This setting will allow a generic software package to be installed if necessary. NOTE: For remediation by installation to work properly, see the FAQ on the Support tab regarding install-based remediation. Also, after adding this setting, you will need to edit the setting to specify additional information.
Microsoft .NET framework is frequently required by applications. In particular, the SecureW2 EAP Suite requires .NET 2.0.
XpressConnect can detect the installation status of the .NET version.
Supported settings include:
2.0 - Default. If version 2.0 or greater is not installed, the Microsoft .NET framework version 2.0 will be installed. The Microsoft .NET 2.0 installer is around 20 MB.
During auto remediation, XpressConnect will launch the installation of the .NET version. During revert, the user will be prompted to automatically uninstall .NET or to leave it installed.
SecureW2 is required if EAP type TTLS is utilized.
XpressConnect can detect the installation status of the SecureW2 version.
Supported settings include:
Enterprise Client 3.1.4 (4.1.0-65) ** Requires license - Default. SecureW2 EAP Suite version 3.1.4 will be installed if not present. Version 3.1.4 supports Windows XP, Windows Vista and Windows 7.
NOTE: Use of the Enterprise Client requires an enterprise support contract with SecureW2.
EAP Suite 1.1.2 (4.1.0) - SecureW2 EAP Suite version 1.1.2 will be installed if not present. Version 1.1.2 supports Windows XP and Windows Vista. Traditionally, SecureW2 supported only TTLS. With EAP Suite, additional EAP methods are being added.
EAP Suite 1.1.4 (4.1.0-46) - SecureW2 EAP Suite version 1.1.4 will be installed if not present. Version 1.1.4 supports Windows XP and Windows Vista. Traditionally, SecureW2 supported only TTLS. With EAP Suite, additional EAP methods are being added.
EAP Suite 2.0.4 (4.1.0-49) ** Requires distribution license - SecureW2 EAP Suite version 2.0.4 will be installed if not present. Version 2.0.4 supports Windows XP, Windows Vista and Windows 7. Traditionally, SecureW2 supported only TTLS. With EAP Suite, additional EAP methods are being added.
Enterprise Client 3.1.0 (4.1.0-55) ** Requires license - SecureW2 EAP Suite version 3.1.0 will be installed if not present. Version 3.1.0 supports Windows XP, Windows Vista and Windows 7.
NOTE: Use of the Enterprise Client requires an enterprise support contract with SecureW2.
Enterprise Client 3.1.1 (4.1.0-56) ** Requires license - SecureW2 EAP Suite version 3.1.1 will be installed if not present. Version 3.1.1 supports Windows XP, Windows Vista and Windows 7.
NOTE: Use of the Enterprise Client requires an enterprise support contract with SecureW2.
During auto remediation, XpressConnect will launch the installation of the SecureW2 version. During revert, the user will be prompted to automatically uninstall SecureW2 or to leave it installed. A new install of Windows does not contain SecureW2.
XpressConnect can detect the installation status of a version of XSupplicant.
Supported settings include:
2.0.1 - Default. XSupplicant version 2.0.1 will be installed if not present.
2.0.0 - XSupplicant version 2.0.0 will be installed if not present.
During auto remediation, XpressConnect will launch the XSupplicant installer. During revert, the user will be prompted to automatically uninstall XSupplicant or to leave it installed.
A root CA certificate is the publicly-exposed key of a certificate authority. When using server certificate validation with a self-signed certificate, it is necessary to install the root CA certificate on the user's machine. This setting allows the network administrator to ensure a CA certificate is installed. On Leopard, it will also ensure that the CA certificate is marked as 'trusted'.
XpressConnect can detect the installation status of a root CA certificate.
Supported settings include:
Installed - Default. The certificate is considered installed if it exists in one of the following certificate stores: Root, My, CA, or AuthRoot.
During auto remediation, XpressConnect will install the certificate in the Root certificate store (Windows) or the System keychain (Leopard). A new install of Windows XP, Vista, and Leopard contains a limited set of default root CA certificates.
XpressConnect can detect the presence of a Pharos printer package.
Supported settings include:
Configured - Default. The Pharos package name specified must exist on the system.
The verification of the package name is based on the Pharos package name given during packaging, which on Windows appears in the registry at HKLM\Software\Pharos\Installed Packages\.
These settings control the proxy settings within Internet Explorer for Windows and Safari in Mac.
Automatically Detect Settings (40020)
XpressConnect can detect the IE setting for automatically finding a proxy configuration file.
Supported settings include:
Checked - Default. When checked, IE will attempt to automatically find a proxy configuration file. First, it will look at the URL specified in DHCP option 252. If option 252 is not specified, it will attempt to load the proxy configuration from the predefined DNS name 'wpad'. If a file is not found, it will use a direct connection.
Unchecked - When unchecked, IE will not attempt to automatically find a proxy configuration file.
XpressConnect is able to auto remediate this setting. By default, Windows XP and Vista have this setting unchecked.
XpressConnect can detect the IE setting for specifying a proxy configuration file.
Supported settings include:
Unchecked - Default. When unchecked, IE will not attempt to retrieve a proxy configuration file from the URL. If unchecked, the URL does not need to be specified.
Checked - When checked, IE will retrieve a proxy configuration file from the URL specified. If checked, the URL of the proxy configuration file must also be specified.
XpressConnect is able to auto remediate this setting. By default, Windows XP and Vista have this setting unchecked.
XpressConnect can detect whether or not IE is configured to use a proxy.
Supported settings include:
Unchecked - Default. When unchecked, IE will not use the proxy specified by IP and port. If unchecked, the IP and port do not need to be specified.
Checked - When checked, IE will use the proxy specified by IP and port. If checked, the IP and port of the proxy must also be specified. This information is specified in the format '1.1.1.1:80'.
XpressConnect is able to auto remediate this setting. By default, Windows XP and Vista have this setting unchecked.
XpressConnect can detect the Authentication Mode setting, which controls the type of credentials used for authentication.
Supported settings include:
Machine Or User - Default. When selected, Windows will use machine or user credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, machine credentials are used.
Machine Only (Vista Only) - When selected, Windows will use machine credentials only.
NOTE: This value is not valid on Windows XP. It will be treated as 'Machine Or User'.
User Only - When selected, Windows will use user credentials only.
Guest Only (Vista Only) - When selected, Windows will use guest (empty) credentials only.
NOTE: This value is not valid on Windows XP. It will be treated as 'Machine Or User'.
XpressConnect is able to auto remediate this setting. By default, Windows Vista will use 'Machine Or User'.
XpressConnect can detect the AuthMode registry key within Windows XP, which controls the use of machine and user credentials during authentication. Starting with Vista, this setting has been obsoleted due to additional options within the Authentication Mode setting.
Supported settings include:
Computer Authentication With Reauthentication (1) - Default. When selected, Windows will use machine or user credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, machine credentials are used. This is the normal option for user-based authentication.
Computer Authentication Mode (0) - When selected, Windows will try to use the machine credentials and the user credentials. Whichever one is successful first will be used. This option is used when you want to authenticate EITHER the machine OR the user.
Computer Authentication Only (2) - When selected, Windows will use machine credentials only. It will not attempt to authenticate as the user. This option is used for machine-only authentication.
XpressConnect is able to auto remediate this setting. By default, Windows XP will use 'Computer Authentication with Re-Authentication'.
XpressConnect can detect the state of the flag which determines whether or not Windows performs 802.1X authentication on a wired connection.
Supported settings include:
Enabled - Default. When enabled, Windows will perform 802.1X authentication.
Disabled - When disabled, Windows will not perform 802.1X authentication.
XpressConnect is able to auto remediate this setting. By default, Windows will have this setting enabled.
NOTE: This setting applies to Vista and XP SP3 for wired. This setting is ignored on XP SP2. In XP SP2, wired 802.1X is enabled if the authentication mode is set.
XpressConnect can detect the Supplicant Mode setting.
Supported settings include:
Compliant - Default. When selected, Windows will generate EAP-START packets based on the 802.1X standard. This is valid for wired and wireless LANs. This setting is recommended.
XpressConnect is able to auto remediate this setting. By default, Windows XP will use 'Compliant' for wireless connections and 'Include Learning' for wired connections. By default, Windows Vista will use 'Compliant' for both wired and wireless connections. It is recommended to use 'Compliant' for all connections.
XpressConnect can detect the Max Start Requests setting, which specifies the maximum number of EAPOL-Start messages the supplicant will send before assuming the network is not 802.1X. On Vista, this setting is supported for wired and wireless. For XP, it is supported on SP3+ for wired interfaces only. It is not supported on XP SP3 wireless or on XP SP2.
Supported settings include:
Configured - Default. This setting is considered configured if the Max Start Requests setting is set to the specified value.
XpressConnect is able to auto remediate this setting. By default, Windows Vista will send 3 EAPOL-Start messages.
NOTE: On XP SP2 (wired or wireless) and XP SP3 wireless, this setting will be ignored.
These settings are only used if the EAP Type is set to 'PEAP'.
Validate Server Certificate (61001)
XpressConnect can detect the status of server certificate validation within the PEAP configuration.
Supported settings include:
Disabled - Default. When selected, the server certificate is not validated.
Enabled - When selected, server certificate validation is performed.
XpressConnect is able to auto remediate this setting. By default, Windows XP will enable this for a new SSID.
Server certificate validation is intended to ensure that the client attempts to authenticate only to known authentication servers. Without validation, there is a concern that the client will attempt to authenticate to a rogue authentication server and the server will then have a hash of the user's password, allowing them to launch an offline dictionary attack.
XpressConnect can detect the status of the 'Connect to these Servers' setting within the PEAP configuration.
Supported settings include:
Disabled - Default. When selected, Windows will not verify the name of the authentication server.
Enabled - When selected, Windows will verify the name of the authentication server within the server's certificate against this setting before attempting authentication.
The verification of the server name is based on the Subject field within the server's certificate. Multiple server names may be specified using a semi-colon separated list. Wildcarding is supported in the format '*.sample.edu'.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. XpressConnect is able to auto remediate this setting. By default, Windows XP will disable this for a new SSID.
XpressConnect can detect the status of the 'Do Not Prompt to Authorize New Server' setting within the PEAP configuration.
Supported settings include:
Enabled - Default. When selected, Windows will not prompt the user to accept the server certificate if it does not match the 'Connect to These Servers' setting or the 'Trusted Root CAs' list.
Disabled - When selected, Windows will prompt when an unverified server certificate is received.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'.
XpressConnect can detect the selected trusted root certificate authorities within the PEAP configuration.
Supported settings include:
Selected - Default. When selected, server certificate validation will limit acceptable certificates to those signed by the CA(s) specified.
The network administrator specifies the trusted root CA(s) by thumbprint. The XpressConnect Administrative Console lists the name and thumbprint for each certificate authority preinstalled on Windows XP. If the certificate authority is not on this list or you have a self-generated CA (for self-signed certificates), you may obtain the thumbprint by opening the certificate in Windows (double-click on certificate file) and locating the 'Thumbprint' field on the 'Details' tab.
If the certificate authority is not a default Windows XP certificate authority, you should also install the certificate authority (see 'Root CA Certificate' setting in Application Settings).
For auto remediation, the certificate authority's certificate must be installed on the user's machine, either because it previously existed or was installed by the 'Root CA Certificate' setting.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. By default, Windows XP will select zero CAs for a new SSID.
The certificate thumbprint can be found using the following:
Double-click the certificate file.
Click the 'Details' tab.
Scroll down to the 'Thumbprint' entry.
Copy & paste the value of the 'Thumbprint' entry.
If multiple root CAs are desired, separate the entries with a semi-colon (';').
For example, 'a3 e3 1e 20 b2 e4 6a 32 85 20 47 2d 0c de 95 23 e7 26 0c 6d' is the thumbprint for 'Baltimore EZ by DST'.
For the list of default Trusted Root Certificate Authorities, click here.
These settings are only used if the EAP Type is 'PEAP' and the PEAP inner tunnel is 'Smart card or certificate'. Be careful not to confuse this with TLS (which is sometimes referred to as EAP-TLS).
PEAP/TLS Credential Source (61201)
XpressConnect can detect the status of the 'Credential Source' setting within the PEAP/TLS configuration.
Supported settings include:
Use a certificate on this computer - Default. When selected, a certificate is used for authentication.
Use my smart card - When selected, a smartcard is used for authentication.
XpressConnect is able to auto remediate this setting. By default, Windows XP will set this to 'Certificate' when PEAP/TLS is selected.
XpressConnect can detect the status of the 'Simple Certificate Selection' setting within the PEAP/TLS configuration.
Supported settings include:
Enabled - Default. When selected, Windows will attempt to reduce and prioritize the list of certificates when prompting the user to select a certificate for authentication.
Disabled - When selected, Windows will prompt the user to select the appropriate certificate for authentication.
This setting is only applicable if Credential Source is set to 'Certificate'. XpressConnect is able to auto remediate this setting. By default, Windows XP will enable this when PEAP/TLS is selected.
XpressConnect can detect the status of server certificate validation within the PEAP/TLS configuration.
Supported settings include:
Disabled - Default. When selected, the server certificate will not be validated.
Enabled - When selected, server certificate validation is performed.
XpressConnect is able to auto remediate this setting. By default, Windows XP will enable this for a new SSID.
Server certificate validation is intended to ensure that the client attempts to authenticate only to known authentication servers. Without validation, there is a concern that the client will attempt to authenticate to a rogue authentication server.
XpressConnect can detect the status of the 'Connect to These Servers' setting within the PEAP/TLS configuration.
Supported settings include:
Disabled - Default. When selected, Windows will not verify the name of the authentication server.
Enabled - When selected, Windows will verify the name of the authentication server against this setting before attempting authentication.
The verification of the server name is based on the Subject field within the server's certificate. Multiple server names may be specified using a semi-colon separated list.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. XpressConnect is able to auto remediate this setting. By default, Windows XP will disable this when PEAP/TLS is selected.
XpressConnect can detect the selected trusted root certificate authorities within the PEAP/TLS configuration.
Supported settings include:
Selected - Default. When selected, server certificate validation will limit acceptable certificates to those signed by the CA(s) specified.
The network administrator specifies the trusted root CA(s) by thumbprint. The XpressConnect Administrative Console lists the name and thumbprint for each certificate authority preinstalled on Windows XP. If the certificate authority is not on this list or you have a self-generated CA (for self-signed certificates), you may obtain the thumbprint by opening the certificate in Windows (double-click on certificate file) and locating the 'Thumbprint' field on the 'Details' tab.
If the certificate authority is not a default Windows XP certificate authority, you should also install the certificate authority (see 'Root CA Certificate' setting in Application Settings).
For auto remediation, the certificate authority's certificate must be installed on the user's machine, either because it previously existed or was installed by the 'Root CA Certificate' setting.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. By default, Windows XP will select zero CAs for a new SSID.
The certificate thumbprint can be found using the following:
Double-click the certificate file.
Click the 'Details' tab.
Scroll down to the 'Thumbprint' entry.
Copy & paste the value of the 'Thumbprint' entry.
If multiple root CAs are desired, separate the entries with a semi-colon (';').
For example, 'a3 e3 1e 20 b2 e4 6a 32 85 20 47 2d 0c de 95 23 e7 26 0c 6d' is the thumbprint for 'Baltimore EZ by DST'.
For the list of default Trusted Root Certificate Authorities, click here.
XpressConnect can detect the status of the 'Simple Certificate Selection' setting within the TLS configuration.
Supported settings include:
Enabled - Default. When selected, Windows will attempt to reduce and prioritize the list of certificates when prompting the user to select a certificate for authentication.
Disabled - When selected, Windows will prompt the user to select the appropriate certificate for authentication.
This setting is only applicable if Credential Source is set to 'Certificate'. XpressConnect is able to auto remediate this setting. By default, Windows XP will enable this when TLS is selected.
XpressConnect can detect the status of server certificate validation within the TLS configuration.
Supported settings include:
Disabled - Default. When selected, the server certificate will not be validated.
Enabled - When selected, server certificate validation is performed.
XpressConnect is able to auto remediate this setting. By default, Windows XP will enable this for a new SSID.
Server certificate validation is intended to ensure that the client attempts to authenticate only to known authentication servers. Without validation, there is a concern that the client will attempt to authenticate to a rogue authentication server.
XpressConnect can detect the status of the 'Connect to These Servers' setting within the TLS configuration.
Supported settings include:
Disabled - Default. When selected, Windows will not verify the name of the authentication server.
Enabled - When selected, Windows will verify the name of the authentication server against this setting before attempting authentication.
The verification of the server name is based on the Subject field within the server's certificate. Multiple server names may be specified using a semi-colon separated list.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. XpressConnect is able to auto remediate this setting. By default, Windows XP will disable this when TLS is selected.
XpressConnect can detect the selected trusted root certificate authorities within the TLS configuration.
Supported settings include:
Selected - Default. When selected, server certificate validation will limit acceptable certificates to those signed by the CA(s) specified.
The network administrator specifies the trusted root CA(s) by thumbprint. The XpressConnect Administrative Console lists the name and thumbprint for each certificate authority preinstalled on Windows XP. If the certificate authority is not on this list or you have a self-generated CA (for self-signed certificates), you may obtain the thumbprint by opening the certificate in Windows (double-click on certificate file) and locating the 'Thumbprint' field on the 'Details' tab.
If the certificate authority is not a default Windows XP certificate authority, you should also install the certificate authority (see 'Root CA Certificate' setting in Application Settings).
For auto remediation, the certificate authority's certificate must be installed on the user's machine, either because it previously existed or was installed by the 'Root CA Certificate' setting.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. By default, Windows XP will select zero CAs for a new SSID.
The certificate thumbprint can be found using the following:
Double-click the certificate file.
Click the 'Details' tab.
Scroll down to the 'Thumbprint' entry.
Copy & paste the value of the 'Thumbprint' entry.
If multiple root CAs are desired, separate the entries with a semi-colon (';').
For example, 'a3 e3 1e 20 b2 e4 6a 32 85 20 47 2d 0c de 95 23 e7 26 0c 6d' is the thumbprint for 'Baltimore EZ by DST'.
For the list of default Trusted Root Certificate Authorities, click here.
These settings are only used if the XSupplicant supplicant is used. These settings control the global behavior of XSupplicant.
Logging Directory (64011)
XpressConnect can detect and configure the logging directory within XSupplicant.
Supported settings include:
Configured - Default. When logging is enabled, XSupplicant will write logs to this directory.
The following variables may be used:
${INSTALL_DIR} - The XSupplicant installation directory.
${TEMP} - The user's temp directory.
${DESKTOP} - The user's desktop.
If the logging directory is populated, logging is enabled. If it is blank, logging is disabled.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect and configure the default connection for the interface within XSupplicant.
Supported settings include:
Configured - Default. When configured, XSupplicant will use the connection specified as the default for the interface. This is normally used on the wired interface, to allow it to connect automatically on login.
XpressConnect is able to auto remediate this setting.
These settings are only used if the XSupplicant supplicant is used. These settings control the configuration of a Trusted Server, which is a mechanism for configuring server certificate validation.
Trusted Server (64040)
XpressConnect can detect the trusted server name within XSupplicant.
Supported settings include:
Configured - Default. This setting is considered configured if the trusted server name exists within XSupplicant and is configured with the appropriate settings. This setting requires that the Display Name also be specified.
If the trusted server does not exist by name, it will be created. If it does exist, it will be modified based on the remainder of the XSupplicant trusted server-related settings.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the server certificate validation setting within the trusted server.
Supported settings include:
Disabled - Default. When selected, XSupplicant will not verify the name of the authentication server prior to passing credential information.
Enabled - When selected, XSupplicant will verify the name of the authentication server within the server's certificate against this setting before attempting authentication.
If server certificate validation is enabled, the Common Name must also be specified. Optionally, the certificate may be specified using the Server Certificate setting.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the server certificate authorities within the XSupplicant configuration.
Supported settings include:
Selected - Default. When selected, server certificate validation will limit acceptable certificates to those signed by the CA(s) specified.
The network administrator specifies the server certificate by thumbprint. The name and thumbprint for each certificate authority preinstalled on Windows XP is available here. If the certificate authority is not on this list or you have a self-generated CA (for self-signed certificates), you may obtain the thumbprint by opening the certificate in Windows (double-click the certificate file) and locating the 'Thumbprint' field on the 'Details' tab.
If the certificate authority is not a default Windows XP certificate authority, you should also install the certificate authority (see 'Root CA Certificate' setting in Application Settings).
For auto remediation, the certificate authority's certificate must be installed on the user's machine, either because it previously existed or was installed by the 'Root CA Certificate' setting.
This setting is only applicable if Validate Server Certificate is set to 'Enabled'. By default, XSupplicant will not specify a server certificate.
The certificate thumbprint can be found using the following:
Double-click the certificate file.
Click the 'Details' tab.
Scroll down to the 'Thumbprint' entry.
Copy & paste the value of the 'Thumbprint' entry.
If multiple root CAs are desired, separate the entries with a semi-colon (';').
For example, 'a3 e3 1e 20 b2 e4 6a 32 85 20 47 2d 0c de 95 23 e7 26 0c 6d' is the thumbprint for 'Baltimore EZ by DST'.
For the list of default Trusted Root Certificate Authorities, click here.
These settings are only used if the XSupplicant supplicant is used. These settings control the 802.1X authentication behavior of XSupplicant.
Profile (64080)
XpressConnect can detect the profile name within XSupplicant.
Supported settings include:
Added - Default. This setting is considered correct if the profile name exists within XSupplicant. This setting requires that the Profile Name also be specified.
If the profile name does not exist, it will be created. If it does exist, it will be modified based on the remainder of the XSupplicant settings. Within XSupplicant, a Profile is a container for a set of 802.1X authentication settings.
XpressConnect is able to auto remediate this setting.
XpressConnect can detect the tunnel protocol setting within XSupplicant.
Supported settings include:
MSCHAPv2 - Default. When selected, the inner tunnel will use MSCHAPv2. This is valid for PEAP and TTLS.
GTC - Default. When selected, the inner tunnel will use GTC. This is only valid for PEAP.
MD5 - Default. When selected, the inner tunnel will use MD5. This is only valid for TTLS.
PAP - When selected, the inner tunnel will use PAP. This is only valid for TTLS.
CHAP - When selected, the inner tunnel will use CHAP. This is only valid for TTLS.
MSCHAP - When selected, the inner tunnel will use MSCHAP. This is only valid for TTLS. Note: Do not confuse this with the more frequently used MSCHAPv2 protocol.
XpressConnect is able to auto remediate this setting.
These settings are only used if EAP Type is set to 'SecureW2 (TTLS)'. NOTE: To ensure that SecureW2 is installed, select 'SecureW2' in the 'Application Settings'.
Profile (62000)
XpressConnect can detect the profile name within SecureW2.
Supported settings include:
Configured - Default. This setting is considered configured if the profile name exists within SecureW2 and the SSID is configured to utilize the profile. This setting requires that the Profile Name also be specified.
If the profile name does not exist, it will be created. If it does exist, it will be modified based on the remainder of the SecureW2 settings.
XpressConnect is able to auto remediate this setting. By default SecureW2 will use a profile named 'DEFAULT'.
XpressConnect can detect the SecureW2 setting 'Use Alternate Identity'.
Supported settings include:
Enabled - Default. When selected, an alternate identity is used for the outer tunnel. If this value is specified, Use Anonymous Identity should be enabled or Alternate Outer Identity should be configured.
Disabled - When selected, the user's identity is used for the outer tunnel.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will enable this for a new profile.
XpressConnect can detect the SecureW2 setting 'Alternate Outer Identity'.
Supported settings include:
Configured - Default. When selected, the specified outer identity will be used for the outer tunnel. This requires the outer identity to be specified.
This setting is only applicable if Use Alternate Identity is set to 'Enabled'. If this setting is configured, Use Anonymous Identity should be set to 'Disabled'.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will disable this for a new profile.
XpressConnect can detect the selected trusted root certificate authorities within the SecureW2 configuration.
Supported settings include:
Selected - Default. When selected, server certificate validation will limit acceptable certificates to those signed by the CA(s) specified.
The network administrator specifies the trusted root CA(s) by thumbprint. The name and thumbprint for each certificate authority preinstalled on Windows XP is available here. If the certificate authority is not on this list or you have a self-generated CA (for self-signed certificates), you may obtain the thumbprint by opening the certificate in Windows (double-click the certificate file) and locating the 'Thumbprint' field on the 'Details' tab.
If the certificate authority is not a default Windows XP certificate authority, you should also install the certificate authority (see 'Root CA Certificate' setting in Application Settings).
Multiple trusted root certificate authorities may be specified by creating a semi-colon separated list of thumbprints.
For auto remediation, the certificate authority's certificate must be installed on the user's machine, either because it previously existed or was installed by the 'Root CA Certificate' setting.
This setting is only applicable if Verify Server Certificate is set to 'Enabled'. By default, SecureW2 will select zero CAs for a new profile.
The certificate thumbprint can be found using the following:
Double-click the certificate file.
Click the 'Details' tab.
Scroll down to the 'Thumbprint' entry.
Copy & paste the value of the 'Thumbprint' entry.
If multiple root CAs are desired, separate the entries with a semi-colon (';').
For example, 'a3 e3 1e 20 b2 e4 6a 32 85 20 47 2d 0c de 95 23 e7 26 0c 6d' is the thumbprint for 'Baltimore EZ by DST'.
For the list of default Trusted Root Certificate Authorities, click here.
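The thumbprint steps above are repeated for the PEAP, PEAP/TLS and TLS trusted root CA settings, the XSupplicant trusted server certificate and the SecureW2 trusted root CA list, and all of them expect the same semicolon-separated, spaced lower-case form. The following PowerShell is an added example, not XpressConnect's own code: it reads the thumbprint from a .cer file with the .NET X509Certificate2 class instead of the certificate dialog, renders it in the form used on this page, joins several into the list the console expects, and checks that each CA is present in the machine Root store, which is the prerequisite for auto remediation stated above. It assumes PowerShell 2.0 or later; the .cer paths at the end are constructed examples.

```powershell
# Added example (not XpressConnect's code): derive CA thumbprints for the
# trusted root CA settings and confirm the CAs are installed locally.

function Get-CaThumbprint {
    param([string]$CerPath)
    # .NET computes the SHA-1 thumbprint, the same value the 'Details' tab shows,
    # but as upper-case hex with no separators.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    return $cert.Thumbprint
}

function ConvertTo-SpacedThumbprint {
    param([string]$Thumbprint)
    # Accept either form ('A3E31E...' or 'a3 e3 1e ...'), validate the length,
    # and emit byte pairs separated by single spaces.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($hex.Length) hex digits"
    }
    return ($hex -replace '(..)(?!$)', '$1 ')
}

function Test-CaInstalled {
    param([string]$Thumbprint)
    # The Cert: provider stores thumbprints as upper-case hex without spaces.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $hits = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $hex })
    return ($hits.Count -gt 0)
}

function New-TrustedCaList {
    param([string[]]$CerPaths)
    $entries = @()
    foreach ($path in $CerPaths) {
        $spaced = ConvertTo-SpacedThumbprint (Get-CaThumbprint $path)
        if (-not (Test-CaInstalled $spaced)) {
            # Auto remediation requires the CA to exist on the user's machine;
            # deploy it with the 'Root CA Certificate' setting first.
            Write-Warning "$path is not in LocalMachine\Root; remediation of this setting would fail"
        }
        $entries += $spaced
    }
    # Multiple root CAs are separated by ';' in the console.
    return ($entries -join ';')
}

# The page's own 'Baltimore EZ by DST' value, given in the compact form,
# is reformatted to the spaced form shown above:
ConvertTo-SpacedThumbprint 'A3E31E20B2E46A328520472D0CDE9523E7260C6D'

# Constructed paths for two campus root CAs (not real files):
New-TrustedCaList @('C:\certs\campus-root.cer', 'C:\certs\partner-root.cer')
```

The formatter strips any existing spaces or colons before validating, so a thumbprint copied from the dialog, from the Cert: drive or from another tool all produce the same string; a value that is not exactly 40 hex digits is rejected rather than silently accepted, since a truncated thumbprint would match no CA and break server certificate validation for every user.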
XpressConnect can detect the SecureW2 setting 'Verify Server Name'.
Supported settings include:
Configured - Default. When selected, the name of the authentication server will be verified before an authentication is attempted. If selected, the server name must be specified.
The verification of the server name is based on the CN field within the server's certificate. Multiple server names may be specified using a semi-colon separated list. Wildcarding is supported in the format '.company.com', where any server presenting a certificate with a CN field ending in '.company.com' is accepted.
This setting is only applicable if Verify Server Certificate is set to 'Enabled'. XpressConnect is able to auto remediate this setting. By default, SecureW2 will disable this for a new profile.
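Server name verification is what stops a client from handing credentials to an authentication server that merely holds a certificate from a trusted CA. The function below is an added example, not SecureW2's or XpressConnect's code; it implements the rule described above (a semicolon-separated list, with an entry beginning with '.' accepting any CN that ends in it) and shows which presented names pass. The exact-match branch is the same idea as the 'Connect to These Servers' list in the Windows PEAP and TLS sections; the Windows matching rules themselves are not described on this page and are not modelled here. The policy string and the CNs are constructed.

```powershell
# Added example (not SecureW2's or XpressConnect's code): the 'Verify Server Name'
# check applied to the CN a RADIUS server presents.

function Test-ServerName {
    param(
        [string]$PresentedCn,    # CN from the Subject of the server certificate
        [string]$ConfiguredList  # e.g. 'radius1.company.com;.company.com'
    )
    foreach ($entry in ($ConfiguredList -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('.')) {
            # Suffix wildcard: the CN must end with the entry including its leading
            # dot, so 'company.com' itself and 'evil-company.com' are not accepted.
            if ($PresentedCn.EndsWith($entry, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        } elseif ([string]::Equals($PresentedCn, $entry, [System.StringComparison]::OrdinalIgnoreCase)) {
            # Plain entry: the CN must match exactly (DNS names are case-insensitive).
            return $true
        }
    }
    return $false
}

# Constructed policy and presented names; only the first two should be accepted.
$policy = 'radius1.company.com;.company.com'
$cases = @(
    'radius1.company.com',                  # listed exactly
    'RADIUS2.Company.COM',                  # matches the '.company.com' suffix
    'company.com',                          # the bare domain does not end in '.company.com'
    'evil-company.com',                     # ends in '-company.com', not '.company.com'
    'radius1.company.com.other.example'     # the trusted suffix is not at the end
)
foreach ($cn in $cases) {
    "{0,-36} accepted={1}" -f $cn, (Test-ServerName -PresentedCn $cn -ConfiguredList $policy)
}
```

The last three cases are the ones worth testing whenever a suffix entry is used: a check that matches on substring rather than suffix, or that forgets the leading dot, would accept names the administrator never intended to trust.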
XpressConnect can detect the SecureW2 setting 'EAP Type'.
Supported settings include:
EAP-MD5 - Default. MD5 is used for authentication.
EAP-MSCHAPv2 - MSCHAPv2 is used for authentication.
This setting is only applicable if Authentication Method is set to 'EAP'. XpressConnect is able to auto remediate this setting. By default, SecureW2 will leave this unspecified for a new profile.
XpressConnect can detect the SecureW2 setting 'Prompt User for Credentials'.
Supported settings include:
Enabled - Default. During authentication, the user will be prompted to enter a user name and password. If User Name or User Password is configured, it will be used as the default.
Disabled - When selected, the user will only be prompted for credentials if the User Name or User Password is not populated.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will enable this for a new profile.
XpressConnect can detect the SecureW2 setting 'User Name'.
Supported settings include:
Configured - Default. When selected, the user name within SecureW2 will be populated based on the specified user name. When pre-prompting is enabled, the ${USER_NAME} variable will be replaced with the user name specified by the user during pre-prompting. When pre-prompting is disabled, the ${USER_NAME} variable will be replaced with the network's default user name, as specified on the Summary tab.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will leave this unspecified for a new profile.
XpressConnect can detect the SecureW2 setting 'User Password', which is the user's cached password.
Supported settings include:
Configured - Default. When selected, the user password within SecureW2 will be populated based on the password provided by the user on the pre-prompting for credentials page. If pre-prompting is disabled, the password will be cached based on the network's default password, which is configured on the Summary tab.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will leave this unspecified for a new profile.
XpressConnect can detect the SecureW2 setting 'Hide Domain'.
Supported settings include:
Hidden - Default. When selected, the SecureW2 credential form will hide the domain field.
Visible - When selected, the SecureW2 credential form will display the domain field.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will disable this setting for a new profile, which will cause the domain field to be displayed. This setting was introduced in SecureW2 Enterprise Client 3.1.0. It is not supported in earlier versions of SecureW2.
XpressConnect can detect the SecureW2 setting 'Disable Save User Credentials'.
Supported settings include:
Hidden - Default. When selected, the SecureW2 credential form will hide the 'save credentials' checkbox.
Visible - When selected, the SecureW2 credential form will display the 'save credentials' checkbox.
XpressConnect is able to auto remediate this setting. By default, SecureW2 will disable this setting for a new profile, which will cause the 'save credentials' checkbox to be displayed. This setting was introduced in SecureW2 Enterprise Client 3.1.0. It is not supported in earlier versions of SecureW2.
These settings allow processes and services to be controlled.
Wired AutoConfig Service (80011)
XpressConnect is able to detect the state of the Wired AutoConfig service. This service is responsible for 802.1X on wired connections on Vista and XP SP3. This setting is ignored on XP SP2.
Supported settings include:
Enabled - Default. When selected, the Wired AutoConfig service will be enabled. This is necessary for 802.1X on a wired interface.
Disabled - When selected, the Wired AutoConfig service will be disabled. This will prevent 802.1X from occurring.
XpressConnect is able to auto remediate this setting. By default, Windows Vista and XP SP3 will have this service disabled. To utilize 802.1X on a wired connection, this service must be enabled.
NOTE: This setting is ignored on XP SP2. For XP SP2, the wzcsvc service is automatically enabled.
Running - Default. The process is considered running if it is listed on the Processes tab of the Windows Task Manager.
Disabled - The process is considered disabled if it is not running.
To enforce the state of a process, the network administrator must specify the name of the executable (ex. Calc.exe) as displayed on the Processes tab of the Windows Task Manager. This value is case-insensitive. The state of multiple processes may be enforced. For auto remediation, the application must exist on the user's computer and the executable file must be on the path.
Running - Default. The service is considered running if its status is 'Started' on the Windows Services form.
Disabled - The service is considered disabled if its status is not 'Started' on the Windows Services form.
To enforce the state of a service, the network administrator must specify the name of the service as displayed in the 'Service Name' field of the service's properties page (ex. W32time for Windows Time service). This value is case-insensitive. The state of multiple services may be enforced.
It is unnecessary to specify Wireless Zero Configuration (WZCSVC) as XpressConnect automatically manages this service. For auto remediation, the service must exist on the user's computer and the user must have permissions to modify its state.
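The Wired AutoConfig, process and service settings above all reduce to the same two operations: read the current state under the name the administrator entered, and change it when it differs. The PowerShell below is an added example, not XpressConnect's code, showing those checks with the page's own examples ('Calc.exe' and 'W32time') and the XP SP2 exception for Wired AutoConfig. 'dot3svc' is the short service name of Wired AutoConfig, assumed here because the page gives only the display name. Remediation requires an account permitted to change service state, as the page notes.

```powershell
# Added example (not XpressConnect's code): detect and enforce process and
# service state the way the settings above describe.

function Test-ProcessRunning {
    param([string]$ExeName)
    # Task Manager lists 'Calc.exe'; Get-Process wants the name without '.exe'.
    # Process names are compared case-insensitively, as the page states.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($ExeName)
    return (@(Get-Process -Name $base -ErrorAction SilentlyContinue).Count -gt 0)
}

function Test-ServiceRunning {
    param([string]$ServiceName)
    # 'Started' in the Services form corresponds to Status 'Running' here.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return $false }
    return ($svc.Status -eq 'Running')
}

function Set-ServiceEnabled {
    param([string]$ServiceName, [bool]$Enabled)
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        # Auto remediation needs the service to exist on the user's computer.
        Write-Warning "Service '$ServiceName' does not exist on this machine; cannot remediate"
        return
    }
    if ($Enabled) {
        Set-Service -Name $ServiceName -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name $ServiceName }
    } else {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $ServiceName }
        Set-Service -Name $ServiceName -StartupType Disabled
    }
}

function Test-WiredAutoConfigApplies {
    # The setting is ignored on XP SP2 (wzcsvc is used there), so only
    # XP SP3 (5.1 with service pack 3) and later versions are enforced.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.Version -like '5.1.*') { return ($os.ServicePackMajorVersion -ge 3) }
    return $true
}

# Report the page's example process and service, then enforce the wired
# 802.1X prerequisite. WZCSVC is deliberately left alone; XpressConnect manages it.
"Calc.exe running: " + (Test-ProcessRunning 'Calc.exe')
"W32time running:  " + (Test-ServiceRunning 'W32time')
if (Test-WiredAutoConfigApplies) {
    Set-ServiceEnabled -ServiceName 'dot3svc' -Enabled $true
    "Wired AutoConfig running: " + (Test-ServiceRunning 'dot3svc')
}
```

Get-Service and Get-Process already match names case-insensitively, so the lookups behave like the settings described above; the explicit version check keeps the enforcement from being attempted on XP SP2, where the page says the setting is ignored and the service does not exist.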
Within NAP, quarantine enforcement clients (QEC) handle the actual enforcement of quarantine. By default, all QECs are disabled. This setting allows the DHCP QEC to be enabled. XpressConnect can detect this setting.
Supported settings include:
Enabled - If selected, the DHCP quarantine enforcement client (QEC) for NAP will be enabled.
XpressConnect is able to auto remediate this setting. On a new install of Windows XP SP3 or Vista, the DHCP QEC is disabled.
Within NAP, quarantine enforcement clients (QEC) handle the actual enforcement of quarantine. By default, all QECs are disabled. This setting allows the EAP and Wireless EAP QECs to be enabled. XpressConnect can detect this setting.
Supported settings include:
Enabled - If selected, the EAP and Wireless EAP quarantine enforcement clients (QECs) for NAP will be enabled.
XpressConnect is able to auto remediate this setting. On a new install of Windows XP SP3 or Vista, the 802.1X QECs are disabled.
Third-party wireless utilities and supplicants may conflict with the built-in wireless manager. XpressConnect will automatically migrate the user away from most utilities. These settings are deprecated; use the 'Wireless Utilities' setting in the 'Application Settings' tab.
Atheros Configuration Service (ACS) (20001)
Normally, XpressConnect will migrate users away from Atheros-based utilities without permanently disabling the Atheros service. Under certain circumstances, you may wish to disable it completely. If so, this setting will allow you to do so.
These settings allow configuration of group policy-related behavior.
Network Start Timeout (80022)
XpressConnect can detect and configure the Group Policy network start timeout policy value. This value defines the number of seconds to wait before trying to run the Group Policy startup script again. To find the value that will work for your configuration, define a decimal value of 60, and then increase the value until the problem is resolved. For additional information, see Microsoft KB840669.
Supported settings include:
Configured - Default. The network start timeout must be equal to the value specified.
If remediation is necessary, XpressConnect will configure the registry key within the Policies space.
NOTE: The value specified must be between 30 and 600 seconds.
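As an added example (not XpressConnect's code), the following PowerShell applies the range check given above before writing the value. The value name GpNetworkStartTimeoutPolicyValue is the one documented in Microsoft KB840669; the page only says the key lives in the Policies space, so the path used here, the one written by the 'Startup policy processing wait time' Group Policy, is an assumption and should be confirmed in your environment. It must be run with rights to write HKLM.

```powershell
# Added example (not XpressConnect's code): set the Group Policy network start
# timeout with the documented 30..600 second bounds.

function Set-NetworkStartTimeout {
    param([int]$Seconds)
    if ($Seconds -lt 30 -or $Seconds -gt 600) {
        throw "Network start timeout must be between 30 and 600 seconds (got $Seconds)"
    }
    # Assumed path within the Policies space; value name per KB840669.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'GpNetworkStartTimeoutPolicyValue' -Value $Seconds -Type DWord
    # Read back so the caller can confirm what the policy now holds.
    return (Get-ItemProperty -Path $key).GpNetworkStartTimeoutPolicyValue
}

# Start at 60 seconds as advised above and raise it only until startup scripts run reliably.
Set-NetworkStartTimeout -Seconds 60
```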