During MDT or ConfigMgr deployment of Windows 10, press Shift+F10 while Windows Setup is still detecting devices. A command prompt running as SYSTEM pops up, allowing all sorts of shenanigans, and nothing reaches the SIEM because the endpoint agents aren't installed or running yet at that stage.
The same applies during Windows 10 in-place upgrades: BitLocker protection is suspended for the duration of the upgrade, so the same Shift+F10 prompt gives SYSTEM access to an unencrypted (readable) disk.
This is an old issue, raised some 3 to 4 years ago.... Well, today on my test rig during a 1909 deployment I was just curious; it can't still be vulnerable.... oops.
The fix is pretty straightforward, although I can't take credit; that belongs to Johan Arwidmark and this post here.
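As an added example (not code from the original post or from Johan Arwidmark's article), the mitigation Windows Setup itself supports is a tag file: while %WINDIR%\Setup\Scripts\DisableCMDRequest.tag exists on the OS being installed, Setup refuses to open the Shift+F10 command prompt. The script below assumes it runs as a "Run PowerShell Script" step in an MDT/ConfigMgr task sequence, after the OS image has been applied and before the first reboot out of WinPE, where the target volume is exposed through the task sequence variable OSDisk; the C: fallback and the function names are this example's own choices.

```powershell
# Added example: plant DisableCMDRequest.tag on the target OS volume from a task sequence step,
# and provide a post-deployment check. Not the original post's code.

function Get-OSDiskLetter {
    # Read the OSDisk task sequence variable via the Microsoft.SMS.TSEnvironment COM object.
    # Outside a task sequence (e.g. a reference-image build) fall back to C: (assumption).
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $disk = $ts.Value('OSDisk')
        if ($disk) { return $disk.TrimEnd('\') }
    } catch { }
    return 'C:'
}

function Disable-SetupCommandPrompt {
    param([string]$OSDrive = (Get-OSDiskLetter))
    $scripts = Join-Path $OSDrive 'Windows\Setup\Scripts'
    $tag     = Join-Path $scripts 'DisableCMDRequest.tag'
    if (-not (Test-Path $scripts)) {
        New-Item -Path $scripts -ItemType Directory -Force | Out-Null
    }
    # The file content is irrelevant; Setup only checks that the file exists.
    New-Item -Path $tag -ItemType File -Force | Out-Null
    return (Test-Path $tag)
}

function Test-SetupCommandPromptDisabled {
    # Post-deployment check: run inside the deployed OS (or point -WinDir at a mounted WIM)
    # to confirm the tag actually made it into the image the user boots.
    param([string]$WinDir = $env:windir)
    return (Test-Path (Join-Path $WinDir 'Setup\Scripts\DisableCMDRequest.tag'))
}

if (-not (Disable-SetupCommandPrompt)) {
    throw 'Failed to create DisableCMDRequest.tag on the target OS volume'
}
```

Two caveats worth keeping in mind: the tag only removes the Shift+F10 entry point, it does not change the fact that BitLocker is suspended during an in-place upgrade, so the same file should be present in %WINDIR%\Setup\Scripts on the running OS before setup.exe is launched for an upgrade; and a tag dropped by a task sequence step is only as good as the step ordering, so the Test-SetupCommandPromptDisabled check on a freshly deployed machine is what proves the control is actually in place.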