Hiding the username and password when mapping drives in automation (WinPE)

Article ID: 250137

Products

IT Management Suite, Deployment Solution, Ghost Solution Suite, Client Management Suite

Issue/Introduction

This article provides technical guidance on how to securely map network drives within the WinPE (Preboot) environment for Deployment Solution, part of IT Management Suite (ITMS). The primary goal is to replace clear-text credentials in custom scripts with an encrypted .pwl file using the loginw.exe utility.

Environment

ITMS 8.x

Resolution

NOTE:
The loginw.exe utility was identified as obsolete and was deprecated starting with ITMS 7.x. As a result, it is no longer included or supported in ITMS 8.8.x.
However, Ghost Solution Suite (GSS) still relies on loginw.exe and the associated .pwl files for certain functionality.

1. Generate the Encrypted Password File (.pwl)

You must first create the encrypted credential file using loginw.exe in "Generate" mode.

  • Open an elevated command prompt: On your SMP server, open an elevated command prompt and change to the directory that contains loginw.exe:

    • Path (x64): C:\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms\WinPE\x64\Optional\Boot\

  • Run the generation string:

    loginw.exe -g "YourUserName:YourPassword" -f "SecureMapping.pwl"

    • Notes: If you are using a domain user account, do not include the domain here; it is supplied later with the -d switch when loginw.exe authenticates in WinPE. If the -f flag is omitted, the utility defaults to using the first 8 characters of the username as the filename.

2. Inject the .pwl File into the Preboot Environment

To ensure the file is available when the client boots into WinPE, it must be added to the Base OEM directory.

  • Copy the file: Move your generated .pwl file to the following directory:

    • C:\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x64\Base

    • Note: If the file already exists, delete it before moving the new file in place.

  • Update the Package: Trigger the following scheduled tasks on the SMP to refresh the BDC package:

    1. NS.Package Distribution Point Update Schedule

    2. NS.Package Refresh

3. Recreate the Preboot Environment

  • Navigate to Settings > Deployment > Manage Preboot Configurations in the SMP Console.

  • Select your configuration and click Recreate Preboot Environment.

  • Verification: Monitor the Task Manager for Bootwiz.exe and Dism.exe. The process is complete once these tasks finish.

4. Implement the Secure Map Script

Use the following syntax in your custom deployment script tasks to authenticate and map the drive:

:: Authenticate using the encrypted file
x:\loginw.exe -f x:\SecureMapping.pwl -c %TASKSERVER% -d YourDomain -t 30

:: Map the drive using tokens for flexibility
net use w: \\%TASKSERVER%\deployment

The Token %NSSERVER% can also be used if you want to map a drive to the SMP/NS.
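The same step-4 script with the checks a deployment engineer would want before trusting it in a task, written as an added example (it is not from this article or from the product). It assumes the file was generated as SecureMapping.pwl, the share name "deployment" from the article, a placeholder YourDomain, and that loginw.exe returns a non-zero exit code when authentication fails (an assumption; verify it on your own build).

```batch
@echo off
:: Added example, not part of the KB article. Hardened version of the
:: "Secure Map Script" with the failure cases from the Troubleshooting section.
setlocal

set PWLFILE=x:\SecureMapping.pwl
set SHARE=\\%TASKSERVER%\deployment
set DRIVE=w:

:: "File Not Found in WinPE": fail fast if the .pwl never made it into the
:: preboot image (scheduled tasks not run / preboot not recreated).
if not exist "%PWLFILE%" (
    echo ERROR: %PWLFILE% not found. Re-run the NS.Package tasks and recreate the preboot environment.
    exit /b 2
)

:: Authenticate with the encrypted credential file. No password appears in
:: the script, the console output or the task log.
x:\loginw.exe -f "%PWLFILE%" -c %TASKSERVER% -d YourDomain -t 30
set RC=%errorlevel%
:: Assumption: non-zero means "Authentication Failure" (check -d and that -c is reachable).
if not "%RC%"=="0" (
    echo ERROR: loginw.exe failed with code %RC%. Verify the -d domain and that %TASKSERVER% is reachable.
    exit /b 3
)

:: Drop any stale mapping of the drive letter, then map the share.
net use %DRIVE% /delete /y >nul 2>&1
net use %DRIVE% "%SHARE%"
set RC=%errorlevel%
if not "%RC%"=="0" (
    echo ERROR: net use to %SHARE% failed with code %RC%.
    exit /b 4
)
echo Mapped %DRIVE% to %SHARE%

:: ... imaging commands that use %DRIVE% go here ...

:: Remove the mapping when finished so the authenticated session does not linger.
net use %DRIVE% /delete /y >nul 2>&1
endlocal
exit /b 0
```

Replace %TASKSERVER% with %NSSERVER% in SHARE if the share lives on the SMP/NS instead of the task server.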

Security Considerations

  • Least Privilege: Use a local service account with read-only access to the specific NTFS shares required for imaging.

  • Avoid Clear-Text: Never use net use with the /user switch and the password typed in plain text in scripts, as the command line is logged and visible in the console.

  • Backup: Always maintain a backup of your .pwl files; they are often removed during DS version upgrades.

Troubleshooting

  • File Not Found in WinPE: If the .pwl file is missing from X:\ after booting, ensure the scheduled tasks were run and the Preboot Environment was fully recreated.

  • Authentication Failure: Verify the domain name (-d) and ensure the computer name/IP (-c) is reachable.

Additional Information

A write-up by a member of the Community can be found here: How to Securely Map a Drive in WinPE for Deployment Server

Another good KB: Best Security Practices for PXE and Pre-boot OS while imaging

Best Practice: Use a local user account rather than a domain account, and grant that local account access only to the NTFS shares where the images reside.

These are the Command Line switches that are available for Loginw.exe: