You are here:   Research
  |  Login

Welcome to my blog, quickest way to find articles is usually to search for them.

Search in All Title Contents

Using ConfigMgr to fix the Shift-F10 security issue for Windows 10 inplace-upgrades

Nov 30 2016

Unless you have been living under a rock the last few days, you haven’t missed the Every Windows 10 in-place Upgrade is a SEVERE Security risk blog post from Sami Laiho about the Shift-F10 security issue for Windows 10. Allowing a non-admin to get access to an BitLocker encrypted volume during an inplace-upgrade process of Windows 10.

However, preventing that from happening is easy if you are using ConfigMgr to deploy and manage your computers.

Note: This fix also works for those of you using MDT Lite Touch do upgrade your Windows 10 versions.


The updated Windows 10 Enterprise x64 v1607 package.


The Fix

Simply configure the Windows Recovery Environment (WinRE) and Windows 10 itself to not allow Shift-F10, by placing a file named DisableCMDRequest.TAG in the Windows\Setup\Scripts folder of both the winre.wim and install.wim.

Note: To make it a little bit more interesting, the winre.wim file is actually inside the install.wim file. A wim in a wim :)


The Shiny PowerShell script

In this case, my OS Upgrade Package had it’s data source in the E:\Sources\OSD\OS\Windows 10 Enterprise x64 v1607 – Default folder. Simply use the following PowerShell script to create a DisableCMDRequest.TAG file in the two wim files. Then update your DPs for the OS Upgrade package, and you’re good to go.

$MountFolder1 = 'E:\Mount1'
$MountFolder2 = 'E:\Mount2'
$UpgradePackage = 'E:\Sources\OSD\OS\Windows 10 Enterprise x64 v1607 - Default\sources'

# Mount install.wim to first mount folder
Mount-WindowsImage -ImagePath $UpgradePackage\install.wim -Index 1 -Path $MountFolder1

# Mount winre.wim to second mount folder
Mount-WindowsImage -ImagePath $MountFolder1\Windows\System32\Recovery\winre.wim -Index 1 -Path $MountFolder2

# Create folder for DisableCMDRequest.TAG file in winre.wim
New-Item $MountFolder2\Windows\Setup\Scripts -ItemType Directory

#Create DisableCMDRequest.TAG file for winre.wim
New-Item $MountFolder2\Windows\Setup\scripts\DisableCMDRequest.TAG -ItemType File

# Commit changes to winre.wim
Dismount-WindowsImage -Path $MountFolder2 -Save

# Create folder for DisableCMDRequest.TAG file in install.wim
New-Item $MountFolder1\Windows\Setup\Scripts -ItemType Directory

#Create DisableCMDRequest.TAG file for install.wim
New-Item $MountFolder1\Windows\Setup\scripts\DisableCMDRequest.TAG -ItemType File

# Commit changes to install.wim
Dismount-WindowsImage -Path $MountFolder1 -Save


By Johan Arwidmark

Happy deployment, and thanks for reading!

What our lawyers makes us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.

Blog Archive