Thursday, 28 September 2017 07:12

Disabling SMBv1 in WinPE through MDT


As a reader of this blog, I suspect that you, like me, are a frequent visitor to the TechNet forums. Yesterday, a user posted a question on the Microsoft Deployment Toolkit (MDT) forum asking for guidance on how to disable version 1 of the Server Message Block (SMB) protocol in MDT-generated Windows PE boot images. SMB1 was developed in the early days of personal computer networking, and as Ned Pyle wrote in his September 2016 blog post Stop using SMB1, there are many reasons to cease using it on your networks: it is vulnerable to man-in-the-middle attacks.

Microsoft added the recommendation to disable the SMB1 protocol to its security baseline and exposed a way to do so through the Group Policy editors for local or domain GPOs by releasing new ADMX templates. In addition, based on my tests with the current Insider Preview of the Windows 10 RS3 (Fall Creators Update) ADK, SMB1 will be disabled by default in Windows PE going forward.

That said, if you want to jump on the "Stop using SMB1" bandwagon early and harden your Windows PE boot images, disabling SMB1 in the current Windows ADK is possible and, with the boot image update process in MDT, trivially easy. The setting that needs to be changed in Windows PE cannot be managed via GPO, but there is another way to do it, using the little-known MDT exit script UpdateExit.vbs.

Note: Michael Niehaus explained the UpdateExit process in great detail in his blog post MDT 2010 New Feature #17: Customizable boot image process.

The C:\Program Files\Microsoft Deployment Toolkit\Samples folder contains the sample UpdateExit.vbs script.

To disable SMB1, place the modified UpdateExit.vbs file below into the C:\Program Files\Microsoft Deployment Toolkit\Samples folder, overwriting the version that is already there. When the Update Deployment Share process runs, this exit script is called at the WIM stage to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 registry value to 0 in the Windows PE WIM image, which is what disables the SMB1 server component. Because the hive is edited offline, where the CurrentControlSet link does not exist, the script writes to ControlSet001 instead. When you update the deployment share, make sure to select the Completely regenerate the boot images option, or make a change that forces the WIM and ISOs to be regenerated:

' // ***************************************************************************
' // 
' // Copyright (c) Microsoft Corporation.  All rights reserved.
' // 
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File:      UpdateExit.vbs
' // 
' // Version:   
' // 
' // Purpose:   Sample "Update Deployment Share" exit script
' // 
' // ***************************************************************************


Option Explicit

Dim oShell, oEnv

' Write out each of the passed-in environment variable values

Set oShell = CreateObject("WScript.Shell")
Set oEnv = oShell.Environment("PROCESS")

WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
WScript.Echo "STAGE = " & oEnv("STAGE")
WScript.Echo "CONTENT = " & oEnv("CONTENT")


' Do any desired WIM customizations (right before the WIM changes are committed)

If oEnv("STAGE") = "WIM" then

	' CONTENT environment variable contains the path to the mounted WIM
	
	
	' // ***************************************************************************
	' // 
	' // Author:    Anton Romanyuk
	' // 
	' // Version:   1.0
	' // 
	' // Purpose:   Apply registry entries to Windows PE boot images.
	' // 
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //  This script code is provided as is with no guarantee or waranty concerning
	' //  the usability or impact on systems.
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //
	' // ***************************************************************************
	
	' // Extra variables
	Dim sCmd, rc, iErrors

	' The script output will be captured if the return code is greater than zero.  Change this line
	' to say "iErrors = 0" if you don't want to see output in the case of success.  (This means
	' that return code 1 means success.  MDT doesn't take any action based on the return code, other
	' than logging.)

	iErrors = 1

	WScript.Echo "---- Beginning UpdateExit.vbs WIM section ----"
	WScript.Echo "Adding registry keys to WinPE (UpdateExit.vbs)..."

	' Load the SYSTEM hive of the mounted WinPE WIM (path in CONTENT) under a temporary key.
	' The mount path is quoted in case it contains spaces.
	sCmd = "REG.EXE load HKLM\winpe " & Chr(34) & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM" & Chr(34)
	WScript.Echo "About to run command: " & sCmd
	rc = oShell.Run(sCmd, 0, True)

	WScript.Echo "Return code from command = " & rc
	If rc > 0 Then
		iErrors = iErrors + 1
	End If

	' This value disables the SMB1 server component. The offline hive has no
	' CurrentControlSet link, so the value is written to ControlSet001.
	sCmd = "REG.EXE add " & Chr(34) & "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" & Chr(34) & " /v SMB1 /t REG_DWORD /d 0 /f"
	WScript.Echo "About to run command: " & sCmd
	rc = oShell.Run(sCmd, 0, True)

	WScript.Echo "Return code from command = " & rc
	If rc > 0 Then
		iErrors = iErrors + 1
	End If

	' Unload the hive so MDT can commit the WIM changes.
	sCmd = "REG.EXE unload HKLM\winpe"
	WScript.Echo "About to run command: " & sCmd
	rc = oShell.Run(sCmd, 0, True)

	WScript.Echo "Return code from command = " & rc
	If rc > 0 Then
		iErrors = iErrors + 1
	End If

	WScript.Quit iErrors
	
End if

' Do any desired ISO customizations (right before a new ISO is captured)

If oEnv("STAGE") = "ISO" then

	' CONTENT environment variable contains the path to the directory that
	' will be used to create the ISO.

End if


' Do any steps needed after the ISO has been generated

If oEnv("STAGE") = "POSTISO" then

	' CONTENT environment variable contains the path to the locally-captured
	' ISO file (after it has been copied to the network).

End if
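Once the deployment share has been updated, it is worth confirming that the regenerated boot image actually carries the value rather than trusting the exit script's log. The PowerShell script below is an added example, not part of the original post or of the MDT sample: it mounts the boot image with the DISM module, loads its SYSTEM hive under a temporary key, reads Select\Current to find the control set the image will use at boot (instead of assuming ControlSet001 as the exit script does), and reports the SMB1 value under LanmanServer\Parameters. With -Fix it also writes SMB1 = 0 and saves the image, which is one way to apply the same setting to a boot image outside MDT. The image path, mount directory and the HKLM\winpe key name are assumptions; adjust them for your deployment share.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or the MDT sample script.
# Assumptions: Windows 10 / ADK DISM PowerShell module available, elevated session,
# and a deployment share whose x64 boot image lives at the path below.
param(
    [string]$ImagePath = 'D:\DeploymentShare\Boot\LiteTouchPE_x64.wim',  # assumed path
    [string]$MountDir  = (Join-Path $env:TEMP 'winpe_mount'),
    [switch]$Fix   # write SMB1 = 0 if missing or non-zero, then save the WIM
)

$hiveKey = 'HKLM\winpe'        # temporary name for the offline SYSTEM hive (assumed)
$mounted = $false
$loaded  = $false
$changed = $false

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

try {
    Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir | Out-Null
    $mounted = $true

    & reg.exe load $hiveKey (Join-Path $MountDir 'Windows\System32\config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
    $loaded = $true

    # An offline hive has no CurrentControlSet link. Select\Current names the
    # ControlSetNNN the image will use at boot; UpdateExit.vbs assumes 001.
    $current    = (Get-ItemProperty -Path 'HKLM:\winpe\Select' -Name Current).Current
    $controlSet = 'ControlSet{0:D3}' -f $current
    $params     = "HKLM:\winpe\$controlSet\Services\LanmanServer\Parameters"

    $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1) {
        Write-Warning "$($controlSet): SMB1 value absent, LanmanServer default applies"
    } elseif ($smb1 -eq 0) {
        Write-Host "$($controlSet): SMB1 = 0, SMB1 server disabled"
    } else {
        Write-Warning "$($controlSet): SMB1 = $smb1, SMB1 server enabled"
    }

    if ($Fix -and $smb1 -ne 0) {
        New-Item -Path $params -Force | Out-Null          # creates the key if it is missing
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0
        $changed = $true
        Write-Host "$($controlSet): wrote SMB1 = 0; image will be saved"
    }
}
finally {
    if ($loaded) {
        # Drop PowerShell's handles to the loaded hive, otherwise reg.exe unload fails.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $hiveKey | Out-Null
    }
    if ($mounted) {
        if ($changed) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
        else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}
```

Run it as, for example, .\Check-WinPeSmb1.ps1 -ImagePath 'D:\DeploymentShare\Boot\LiteTouchPE_x64.wim' to audit an image, and add -Fix to remediate it; without -Fix the image is always dismounted with -Discard, so the check never modifies the WIM. The same reg.exe load/unload dance the exit script performs is used here, which also makes it a quick way to confirm that the hive path and control set the exit script targets are the ones your ADK build actually uses.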
Last modified on Tuesday, 10 October 2017 12:10