Shift + F10 Vulnerability
During MDT or ConfiMgr deployment of Windows 10, press Shift+F10 whilst Windows detects devices. A command prompt with System Privileges will pop up allowing all sorts of shenanigans and without being logged by SIEM, those agents won't be running yet.
Also during Windows 10 upgrades, that Bitlocker drive encryption is disabled allowing the same attack.
This is an old issue raised some 3 to 4 years ago.... Well, today on my test rig during a 1909 deployment, I was just curious, it can't still be vulnerable.... oops.
The fix is pretty straightforward, although I can't take credit, that belongs to Johan Arwidmark and this post here
#Declare Mount Folders for DISM Offline Update
$mountFolder1 = 'D:\Mount1'
$mountFolder2 = 'D:\Mount2'
$WinImage = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'
#Mount install.wim to first mount folder
Mount-WindowsImage -ImagePath $WinImage\install.wim -Index 1 -Path $mountFolder1
#Mount winre.wim to second mount folder
Mount-WindowsImage -ImagePath $mountFolder1\Windows\System32\Recovery\winre.wim -Index 1 -Path $mountFolder2
#Create folder for DisableCMDRequest.TAG file in Winre.wim
New-Item $mountFolder2\Windows\setup\scripts -ItemType Directory
#Create DisableCMDRequest.TAG file for Winre.wim
New-Item $mountFolder2\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File
#Commit changes to Winre.wim
Dismount-WindowsImage -Path $mountFolder2 -Save
#Create folder for DisableCMDRequest.TAG in install.wim
New-Item $mountFolder1\Windows\setup\scripts -ItemType Directory
#Create DisableCMDRequest.TAG file for install.wim
New-Item $mountFolder1\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File
#Commit changes to Winre.wim
Dismount-WindowsImage -Path $mountFolder1 -Save