Using ConfigMgr to fix the Shift-F10 security issue for Windows 10 in-place upgrades
Unless you have been living under a rock the last few days, you haven't missed the Every Windows 10 in-place Upgrade is a SEVERE Security risk blog post from Sami Laiho about the Shift-F10 security issue for Windows 10: pressing Shift+F10 while an in-place upgrade of Windows 10 is running opens a command prompt with SYSTEM privileges, which gives a non-admin user access to the BitLocker encrypted volume (BitLocker protection is suspended during the upgrade, so the volume is unlocked at that point).
However, preventing that from happening is easy if you are using ConfigMgr to deploy and manage your computers.
Note: This fix also works for those of you using MDT Lite Touch to upgrade your Windows 10 versions.
The updated Windows 10 Enterprise x64 v1607 package.
Simply configure the Windows Recovery Environment (WinRE) and the Windows 10 image itself to not allow Shift+F10, by placing an empty file named DisableCMDRequest.TAG in the Windows\Setup\Scripts folder of both the winre.wim and the install.wim in your OS Upgrade Package.
Note: To make it a little bit more interesting, the winre.wim file is actually stored inside the install.wim file, at Windows\System32\Recovery\winre.wim. A wim in a wim :)
The Shiny PowerShell script
In this case, my OS Upgrade Package had its data source in the E:\Sources\OSD\OS\Windows 10 Enterprise x64 v1607 - Default folder. Simply run the following PowerShell script from an elevated PowerShell prompt to create a DisableCMDRequest.TAG file in the two wim files. Then update your distribution points (DPs) for the OS Upgrade package, and you're good to go.
#Requires -RunAsAdministrator
$MountFolder1   = 'E:\Mount1'
$MountFolder2   = 'E:\Mount2'
$UpgradePackage = 'E:\Sources\OSD\OS\Windows 10 Enterprise x64 v1607 - Default\sources'
$InstallWim     = "$UpgradePackage\install.wim"

# The mount folders must exist (and be empty) before Mount-WindowsImage is called
foreach ($Folder in $MountFolder1, $MountFolder2) {
    if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
}

# A wim copied straight from the ISO carries the read-only attribute, and DISM refuses a read/write mount of it
Set-ItemProperty -Path $InstallWim -Name IsReadOnly -Value $false

# Mount install.wim to first mount folder (adjust -Index if your install.wim holds more than one edition)
Mount-WindowsImage -ImagePath $InstallWim -Index 1 -Path $MountFolder1

# Mount winre.wim (which lives inside the mounted install.wim) to second mount folder
Mount-WindowsImage -ImagePath "$MountFolder1\Windows\System32\Recovery\winre.wim" -Index 1 -Path $MountFolder2

# Create folder and DisableCMDRequest.TAG file in winre.wim
New-Item -Path "$MountFolder2\Windows\Setup\Scripts" -ItemType Directory -Force | Out-Null
New-Item -Path "$MountFolder2\Windows\Setup\Scripts\DisableCMDRequest.TAG" -ItemType File -Force | Out-Null

# Commit changes to winre.wim (the nested image must be dismounted before install.wim)
Dismount-WindowsImage -Path $MountFolder2 -Save

# Create folder and DisableCMDRequest.TAG file in install.wim
New-Item -Path "$MountFolder1\Windows\Setup\Scripts" -ItemType Directory -Force | Out-Null
New-Item -Path "$MountFolder1\Windows\Setup\Scripts\DisableCMDRequest.TAG" -ItemType File -Force | Out-Null

# Commit changes to install.wim
Dismount-WindowsImage -Path $MountFolder1 -Save
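Before you update the DPs, it is worth confirming that the tag file really made it into both images. The following verification script is an added example and not part of the original post: it mounts every index of install.wim read-only (not just index 1, since an install.wim can hold several editions), looks for DisableCMDRequest.TAG, and repeats the check for the winre.wim nested inside each index. The package path matches the script above; the mount folders E:\Verify1 and E:\Verify2 are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added verification script (not from the original post). Mount folders are assumed.
$UpgradePackage = 'E:\Sources\OSD\OS\Windows 10 Enterprise x64 v1607 - Default\sources'
$InstallWim     = Join-Path $UpgradePackage 'install.wim'
$Mount1         = 'E:\Verify1'   # assumption: scratch mount folder for install.wim
$Mount2         = 'E:\Verify2'   # assumption: scratch mount folder for the nested winre.wim
$TagRelative    = 'Windows\Setup\Scripts\DisableCMDRequest.TAG'

foreach ($Folder in $Mount1, $Mount2) {
    if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
}

$Results = @()

# Walk every edition in install.wim; a multi-edition wim needs the tag in each index
foreach ($Image in Get-WindowsImage -ImagePath $InstallWim) {
    $Index = $Image.ImageIndex
    Mount-WindowsImage -ImagePath $InstallWim -Index $Index -Path $Mount1 -ReadOnly | Out-Null
    try {
        $Results += [pscustomobject]@{
            Image      = "install.wim index $Index ($($Image.ImageName))"
            TagPresent = Test-Path (Join-Path $Mount1 $TagRelative)
        }

        # The wim in the wim: winre.wim sits inside the mounted install.wim
        $WinRE = Join-Path $Mount1 'Windows\System32\Recovery\winre.wim'
        if (Test-Path $WinRE) {
            Mount-WindowsImage -ImagePath $WinRE -Index 1 -Path $Mount2 -ReadOnly | Out-Null
            try {
                $Results += [pscustomobject]@{
                    Image      = "winre.wim inside install.wim index $Index"
                    TagPresent = Test-Path (Join-Path $Mount2 $TagRelative)
                }
            } finally {
                # Read-only mount, so nothing to save; always unmount the inner image first
                Dismount-WindowsImage -Path $Mount2 -Discard | Out-Null
            }
        } else {
            $Results += [pscustomobject]@{
                Image      = "winre.wim inside install.wim index $Index"
                TagPresent = $false   # no recovery image found in this index
            }
        }
    } finally {
        Dismount-WindowsImage -Path $Mount1 -Discard | Out-Null
    }
}

$Results | Format-Table -AutoSize

# Fail loudly if any image is still missing the tag, so the package is not distributed as-is
if ($Results.TagPresent -contains $false) {
    Write-Warning 'At least one image is missing DisableCMDRequest.TAG; do not update the DPs yet.'
    exit 1
}
```

Both mounts are read-only and dismounted with -Discard, so the script never changes the package; it only reports one line per image with a TagPresent column and exits non-zero if anything is missing.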
By Johan Arwidmark