Shift + F10 Vulnerability

During MDT or ConfiMgr deployment of Windows 10, press Shift+F10 whilst Windows detects devices. A command prompt with System Privileges will pop up allowing all sorts of shenanigans and without being logged by SIEM, those agents wont be running yet.

 

Also during Windows 10 upgrades, that Bitlocker drive encryption is disabled allowing the same attack.

 

This is an old issues raised some 3 to 4 years ago.... Well today on my test rig during a 1909 deployment, I was just curious, it cant still be vulnerable.... oops.

 

The fix is pretty straight forward, although I cant take credit, that belongs to Johan Arwidmark and this post here

 

 

#Declare Mount Folders for DISM Offline Update

$mountFolder1 = 'D:\Mount1'

$mountFolder2 = 'D:\Mount2'

$WinImage = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'

#Mount install.wim to first mount folder

 

Mount-WindowsImage -ImagePath $WinImage\install.wim -Index 1 -Path $mountFolder1

#Mount winre.wim to second mount folder

 

Mount-WindowsImage -ImagePath $mountFolder1\Windows\System32\Recovery\winre.wim -Index 1 -Path $mountFolder2

 

#Create folder for DisableCMDRequest.TAG file in Winre.wim

 

New-Item $mountFolder2\Windows\setup\scripts -ItemType Directory

 

#Create DisableCMDRequest.TAG file for Winre.wim

 

New-Item $mountFolder2\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File

 

#Commit changes to Winre.wim

 

Dismount-WindowsImage -Path $mountFolder2 -Save

 

#Create folder for DisableCMDRequest.TAG in install.wim

 

New-Item $mountFolder1\Windows\setup\scripts -ItemType Directory

 

#Create DisableCMDRequest.TAG file for install.wim

 

New-Item $mountFolder1\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File

 

#Commit changes to Winre.wim

 

Dismount-WindowsImage -Path $mountFolder1 -Save