Shift + F10 Vulnerability

During MDT or ConfigMgr deployment of Windows 10, press Shift+F10 whilst Windows detects devices. A command prompt with System privileges will pop up, allowing all sorts of shenanigans, and without being logged by the SIEM, since those agents won't be running yet.

Also, during Windows 10 upgrades BitLocker drive encryption is disabled, allowing the same attack.
This is an old issue raised some 3 to 4 years ago... Well, today on my test rig during a 1909 deployment, I was just curious: it can't still be vulnerable... oops.

The fix is pretty straightforward, although I can't take credit; that belongs to Johan Arwidmark and this post here
#Declare mount folders for DISM offline update (run from an elevated PowerShell session)
$mountFolder1 = 'D:\Mount1'
$mountFolder2 = 'D:\Mount2'
$WinImage = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'

#Create the mount folders if they don't exist yet (Mount-WindowsImage needs them)
New-Item $mountFolder1 -ItemType Directory -Force
New-Item $mountFolder2 -ItemType Directory -Force

#Mount install.wim to first mount folder (path is quoted because it contains spaces)
Mount-WindowsImage -ImagePath "$WinImage\install.wim" -Index 1 -Path $mountFolder1

#Mount winre.wim (embedded inside the mounted install.wim) to second mount folder
Mount-WindowsImage -ImagePath "$mountFolder1\Windows\System32\Recovery\winre.wim" -Index 1 -Path $mountFolder2
#Create folder for DisableCMDRequest.TAG file in winre.wim
New-Item "$mountFolder2\Windows\setup\scripts" -ItemType Directory -Force
#Create DisableCMDRequest.TAG file for winre.wim
New-Item "$mountFolder2\Windows\setup\scripts\DisableCMDRequest.TAG" -ItemType File -Force
#Commit changes to winre.wim (must be saved before install.wim, because it lives inside it)
Dismount-WindowsImage -Path $mountFolder2 -Save
#Create folder for DisableCMDRequest.TAG in install.wim
New-Item "$mountFolder1\Windows\setup\scripts" -ItemType Directory -Force
#Create DisableCMDRequest.TAG file for install.wim
New-Item "$mountFolder1\Windows\setup\scripts\DisableCMDRequest.TAG" -ItemType File -Force
#Commit changes to install.wim
Dismount-WindowsImage -Path $mountFolder1 -Save
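An added audit script (not part of the original post or Johan's article) to confirm the fix actually landed: it mounts the patched install.wim and its embedded winre.wim read-only, reports whether DisableCMDRequest.TAG is present in each, and discards both mounts so the audit itself can never alter the image. The paths and image index are assumptions matching the post above.

```powershell
# Audit helper (added example): verifies that both install.wim and the
# winre.wim embedded in it contain Windows\setup\scripts\DisableCMDRequest.TAG.
# Run from an elevated PowerShell session; DISM needs it for mounting.
# Paths below are assumptions taken from the post; adjust for your share.
$WinImage     = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'
$mountFolder1 = 'D:\Mount1'
$mountFolder2 = 'D:\Mount2'

function Test-DisableCmdTag {
    param(
        [Parameter(Mandatory)][string]$InstallWim,
        [int]$Index = 1
    )
    $tag    = 'Windows\setup\scripts\DisableCMDRequest.TAG'
    $result = [ordered]@{ InstallWim = $false; WinReWim = $false; WinReFound = $false }

    foreach ($m in $mountFolder1, $mountFolder2) {
        New-Item $m -ItemType Directory -Force | Out-Null
    }

    # -ReadOnly so the audit cannot modify the image; -Discard on dismount for the same reason
    Mount-WindowsImage -ImagePath $InstallWim -Index $Index -Path $mountFolder1 -ReadOnly | Out-Null
    try {
        $result.InstallWim = Test-Path (Join-Path $mountFolder1 $tag)

        # The TAG in install.wim does not protect WinRE; winre.wim needs its own copy,
        # so mount the nested image while the outer one is still mounted.
        $winre = Join-Path $mountFolder1 'Windows\System32\Recovery\winre.wim'
        if (Test-Path $winre) {
            $result.WinReFound = $true
            Mount-WindowsImage -ImagePath $winre -Index 1 -Path $mountFolder2 -ReadOnly | Out-Null
            try     { $result.WinReWim = Test-Path (Join-Path $mountFolder2 $tag) }
            finally { Dismount-WindowsImage -Path $mountFolder2 -Discard | Out-Null }
        }
    }
    finally {
        Dismount-WindowsImage -Path $mountFolder1 -Discard | Out-Null
    }
    return [pscustomobject]$result
}

# Usage: both TagPresent values must be True before the image goes back into the share
$audit = Test-DisableCmdTag -InstallWim "$WinImage\install.wim" -Index 1
$audit | Format-List
if (-not ($audit.InstallWim -and $audit.WinReWim)) {
    Write-Warning 'DisableCMDRequest.TAG missing from at least one image; Shift+F10 is still open.'
}
```

If WinReFound is False the nested image was not where the post expects it, which usually means a different index or an image with WinRE removed, so check the index before trusting the result.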