Migration from Windows to eLux 7
Migration from Windows to eLux 7
Overview
The win2elux.exe migration tool enables automated migration of endpoints running Windows to eLux 7.
When you execute win2elux.exe, a new partition is created on your local hard drive. This partition serves as the starting point for the migration process, where the eLux 7 operating system, as defined by the image, is installed.
The migration can be executed:
- Locally or from a network location
- As part of automation tools like Microsoft SCCM to enabled deployment of win2elux.exe and remote initialization
After migration, the device boots directly into eLux 7.
How the migration works
The migration script must be executed on the device that needs to be migrated, when the migration script is executed:
- A temporary recovery partition is created on the local disk.
- Migration files are copied to the partition.
- The device restarts automatically.
- eLux 7 is installed using the specified Image Definition File (IDF).
- The device boots into eLux.
- Optional onboarding to Scout can occur automatically.
Requirements
Device requirements
- Device must be running Windows 10 or below. Windows 11 is NOT supported.
- Device must boot using UEFI.
- Legacy BIOS mode is not supported.
- Network connectivity must be available during migration.
- Sufficient disk space must exist for the recovery partition.
Important:
- Devices not booted in UEFI mode cannot be migrated.
- Migration is supported whether Secure Boot or BitLocker are enabled or disabled.
Software requirements
- Sign in to myelux.com.
-
Navigate to:
Products & Downloads > Tools > Migration tools
- Download the latest win2elux.zip package.
Perform the migration
Extract the migration tool
From the device to be migrated, extract the provided migration tool package to a known location on the computer:
Run the migration script
Open the Command Prompt as Administrator and run the tool with the required parameters.
Example 1: Migrate the Windows endpoint to the given eLux image and reboot automatically and begins installation.
Execute the script:
win2elux.exe URL=<IDF_URL>
<!--NeedCopy-->
Example:
win2elux.exe URL=https://repository.example.com/elux/image.idf
<!--NeedCopy-->
Example 2: Migrate the Windows endpoint to the given eLux image, write a log file, use a proxy and don’t reboot
Example:
win2elux.exe URL=https://repository.example.com/elux/image.idf Log=migration.log Proxy=http://proxy.citrix.com Port=8888 Reboot=0
<!--NeedCopy-->
win2elux.exe command line reference
Usage: win2elux.exe [URL=<URL>] [Proxy=<proxy>] [Port=<proxyport>] [ARCHIVE=<localpath>] [OnlyCheck=<0|1>] [Reboot=<0|1>] [Debug=<0|1>] [Log=<logfile>]
<!--NeedCopy-->
| Parameter | Info | Description |
|---|---|---|
| URL | Required | Define to the relevant software container and the image definition file (IDF) which specifies the scope of the installation |
| Proxy | Defines a proxy server, e.g. 1.1.1.1
|
|
| Port | Defines the port of the proxy server, e.g. 8090
|
|
| Archive | Path to the local win2elux.zip ramdisk file (localpath) | |
| Log | Defines a storage path for the log file, such as C:\Temp\migration.log. By default, the log file is saved in the same directory as the win2elux tool. Alternatively, you can use a network drive to ensure a persistent log file. |
|
| OnlyCheck |
0 or 1
|
Perform a dry run without any modifications (default is 0). This parameter verifies if the requirements for UEFI, network, disk space are met and generates a log file. |
| Reboot |
0 or 1
|
Define if the endpoint should reboot after the installation (default is 1) If the reboot option is 0, the migration will not start automatically, but on the next boot |
| Debug |
0 or 1
|
Verbose installation messages are not displayed in the console output by default (set to 0). The installation process stops in case of errors and provides error messages for different scenarios. If the parameter is not provided, the device will restart in case of an error without displaying an error message. |
Advanced configuration using RAM disk
A RAM disk configuration can be used when additional configuration is required during migration, such as:
- IEEE 802.1X authentication to initiate the first connection to the network during the migration process.
- HTTPS repositories requiring certificate trust.
- Zero-touch onboarding to Scout Server and Scout Cloud Gateway.
The configuration is provided as a RAM disk archive that must be named 8021conf.xz and included inside the migration package. This archive contains the required configuration for the migration process and is loaded into memory during execution for temporary use by the migration tool. The RAM disk is created as a cpio archive compressed with XZ and must be generated on a Linux-compatible system, Windows Subsystem for Linux (WSL) can be used to create the RAM disk.
Tip: You can create the directory structure for each configuration, by extract the example archive
8021conf.xzfrom the working folder using the following commands.mkdir conf && cd conf && xz -cd ../8021conf.xz | cpio -iv <!--NeedCopy-->
After executing the command above, the directory structure will be created under the conf folder.
Configuring 802.1X authentication for migration
This configuration allows the administrator to initiate device migration when connecting to a network that enforces 802.1X authentication. During the migration process, the device uses a generic certificate, defined in the wpa.conf file, to establish the initial network connection.
After the migration is completed, the device receives a configuration from the Scout Server that defines how it should connect going forward. The device then reconnects to the network using a device-specific certificate and configuration defined in wpa.conf.elux, enabling access to the Scout Server and retrieval of the initial configuration.
Note SCEP use cases: If SCEP certificate support is required during migration to replace the generic certificate used in the migration process, the custom_scep_renew-1.1.0-1.UC_ELUX7-1.0.zip package must be included to enable the SCEP request.
Note: Only include 802.1X configuration when required. Including it on a migration that will connect to a non-802.1X networks will cause migration failure.
Create the following directory structure with the required files:
.
├── etc
│ └── wpa_supplicant
│ ├── client.key
│ ├── client.pem
│ ├── serverca.key
│ ├── serverca.pem
│ ├── serverca.sig
│ ├── wpa.conf
│ └── wpa.conf.elux
<!--NeedCopy-->
-
certificatefiles used by the migration tool to connect to the 802.1x network. The certificates used during and after migration must have the same filename. -
wpa.confis used during migration process. -
wpa.conf.eluxis applied after the migration to enable eLux to reach the Scout server.
Example configuration for wpa.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0
network={
key_mgmt=IEEE8021X
eapol_flags=0
eap=TLS
identity="eLuxMigration"
ca_cert="/etc/wpa_supplicant/serverca.pem"
client_cert="/etc/wpa_supplicant/client.pem"
private_key="/etc/wpa_supplicant/client.key"
private_key_passwd="PASSWORD_HERE"
}
<!--NeedCopy-->
Example configuration for wpa.conf.elux:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0
network={
key_mgmt=IEEE8021X
eapol_flags=0
eap=TLS
identity="eLuxMigration"
ca_cert="/setup/cacerts/scep/serverca.pem"
client_cert="/setup/cacerts/scep/client.pem"
private_key="/setup/cacerts/scep/client.key"
private_key_passwd="PASSWORD_HERE"
}
<!--NeedCopy-->
After sucessfully migrate the device, the client and server certificates defined above will be deleted from the device.
Adding SSL certificates for migration
This configuration allows the migration tool to trust the web server hosting the IDF image used to prepare the device during migration. If the web server is not trusted, the migration process will fail when attempting to access the website to download the required packages.
To establish HTTPS trust during the migration process, create the following directory structure and add the web server’s root certificate.
.
├── etc
│ └── ssl
│ └── certs
│ ├── sslrootcertificate.pem
<!--NeedCopy-->
Enabling zero-touch onboarding
This configuration automatically onboards the device to the Scout Server or Scout Cloud Gateway, eliminating the need for users to manually enter the server URL and token during the onboarding process.
Create the json file and save as zero_touch_onboarding.json under the following structure:
.
├── user
│ └── setup
│ └── elux
│ ├── zero_touch_onboarding.json
<!--NeedCopy-->
Example of zero_touch_onboarding.json file for onboarding through SCG:
{
"scgUrl": "scg.example.com",
"scgToken": "onboarding-token"
}
<!--NeedCopy-->
Example of zero_touch_onboarding.json file for onboarding through Scout Server:
{
"scgUrl": "scout-server.example.com",
"scgToken": ""
}
<!--NeedCopy-->
Note: This configuration applies only to onboarding initiated through the migration tool. After a factory reset, the device will not automatically trigger onboarding again.
Create the RAM disk configuration archive
Generate the RAM disk archive:
./initrd-xz.sh <conf-folder> 8021conf.xz
<!--NeedCopy-->
Example:
./initrd-xz.sh /tmp/migration_tool/conf 8021conf.xz
<!--NeedCopy-->
Tip: (Optional) In case you can check the content of the
8021conf.xzfile, execute the following command:xz -dc 8021conf.xz <!--NeedCopy-->
Add it to the migration package:
zip win2elux.zip 8021conf.xz
<!--NeedCopy-->
Running the migration script with RAM disk package
From the Windows device to be migrated, execute the script:
win2elux.exe URL=<IDF_URL> ARCHIVE=<win2elux.zip path or URL>
<!--NeedCopy-->
Example:
./win2elux.exe URL=https://repository.example.com/elux/image.idf ARCHIVE=win2elux.zip
<!--NeedCopy-->
The device restarts automatically and begins installation.
Debugging
When calling the win2elux.exe to perform the migration, you can enable the debugging by adding the DEBUG=1 parameter. In case the migration fails due to 802.1X issues, you will be dropped into a debug shell and check for the log file /tmp/wpasupplicant.log for more details and any other log file under /tmp/*.
win2elux.zip URL=<IDF_URL> DEBUG=1
<!--NeedCopy-->
Logs are written to:
/tmp/
Example log:
/tmp/wpasupplicant.log
Use debug logs to diagnose:
- Network authentication failures
- Download issues
- Migration interruptions
Result of migration
After successful migration:
- eLux replaces the existing operating system.
- Temporary migration files are removed, including certificates used for 802.1x authentication when configured.
- The device boots directly into eLux.
- The device can automatically onboard to Scout if configured.