Updated: Jun 30, 2022
During MDT or ConfiMgr deployment of Windows 10, press Shift+F10 whilst Windows detects devices. A command prompt with System Privileges will pop up allowing all sorts of shenanigans and without being logged by SIEM, those agents won't be running yet.
Also during Windows 10 upgrades, that Bitlocker drive encryption is disabled allowing the same attack.
This is an old issue raised some 3 to 4 years ago.... Well, today on my test rig during a 1909 deployment, I was just curious, it can't still be vulnerable.... oops.
The fix is pretty straightforward, although I can't take credit, that belongs to Johan Arwidmark and this post here