Thursday, 28 September 2017 07:12

Disabling SMBv1 in WinPE through MDT

Written by
Rate this item
(5 votes)

image

As a reader of this blog, I suspect that you, like me, are a frequent visitor to TechNet forums. Yesterday, a user posted a question on the Microsoft Deployment Toolkit (MDT) forum asking for guidance on how to disable Version 1 of the Server Message Block (SMB) protocol in MDT generated Windows PE boot images. Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle wrote in a blog post in September of 2016 Stop using SMB1 there are many reasons to cease using it on your networks as it is vulnerable to a man-in-the-middle attack.

Microsoft added the recommendation to disable SMB1 protocol to security baseline and exposed a way to do so through Group Policy editors for local or domain GPOs by releasing new ADMX templates. In addition - based on my tests using current Insider Preview of Windows 10 RS3 (Fall Creators Update) ADK - going forward SMB1 protocol will be disabled by default in Windows PE.

That said, if you want to jump on the "Stop using SMB1" bandwagon early and wish to harden your Windows PE boot images, disabling the SMB1 feature in the current iteration of Windows ADK is possible and, with the boot image update process in MDT, trivially easy. The setting that needs to be manipulated in Windows PE is not doable via GPO management, but there is a different way to do this, which makes use of the little known MDT feature UpdateExit.vbs script.

Note: Michael Niehaus explained the UpdateExit process in great detail in his blog post MDT 2010 New Feature #17: Customizable boot image process.

The C:\Program Files\Microsoft Deployment Toolkit\Samples folder contains the sample UpdateExit.vbs script.

To disable SMB1 place the modified UpdateExit.vbs file into the C:\Program Files\Microsoft Deployment Toolkit\Samples folder, overwriting the version that is already there. When the Update Deployment Share process runs, this exit script will be called to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 registry value to 0 in the Windows PE WIM image, which is what is needed to disable Server Message Block protocol. When you update the deployment share make sure to select the Completely regenerate the boot images option or make a change that requires re-generating the WIM and ISOs:

' // ***************************************************************************
' // 
' // Copyright (c) Microsoft Corporation.  All rights reserved.
' // 
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File:      UpdateExit.vbs
' // 
' // Version:   
' // 
' // Purpose:   Sample "Update Deployment Share" exit script
' // 
' // ***************************************************************************


Option Explicit

Dim oShell, oEnv

' Write out each of the passed-in environment variable values

Set oShell = CreateObject("WScript.Shell")
Set oEnv = oShell.Environment("PROCESS")

WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
WScript.Echo "STAGE = " & oEnv("STAGE")
WScript.Echo "CONTENT = " & oEnv("CONTENT")


' Do any desired WIM customizations (right before the WIM changes are committed)

If oEnv("STAGE") = "WIM" then

	' CONTENT environment variable contains the path to the mounted WIM
	
	
	' // ***************************************************************************
	' // 
	' // Author:    Anton Romanyuk
	' // 
	' // Version:   1.0
	' // 
	' // Purpose:   Apply registry entries to Windows PE boot images.
	' // 
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //  This script code is provided as is with no guarantee or waranty concerning
	' //  the usability or impact on systems.
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //
	' // ***************************************************************************
	
	' // Extra variables
	Dim sCmd, rc, strLog, fso, iErrors 
	
	' The script output will be captured if the return code is greater than zero.  Change this line
	' to say "iErrors = 0" if you don't want to see output in the case of success.  (This means 
	' that return code 1 means success.  MDT doesn't take any action based on the return code, other
	' than logging.)

	iErrors = 1

	Set fso = CreateObject("Scripting.FileSystemObject")

		WScript.Echo "---- Beginning UpdateExit.vbs WIM section ----"
		WScript.Echo "Adding Registry keys to WinPE (UpdateExit.vbs)..."

		'Load SYSTEM registry hive from mounted WinPE WIM (path to CONTENT)
		sCmd = "REG.EXE load HKLM\winpe " & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		' This value disables SMB1 protocol
		
		sCmd = "Reg add " & Chr(34) & "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" & Chr(34) & " /v SMB1 /t REG_DWORD /d 0 /f"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
			
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		sCmd = "Reg unload HKLM\winpe"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if

		filetxt.Write(strLog)
		filetxt.Close
		
	WScript.Quit iErrors
	
End if

' Do any desired ISO customizations (right before a new ISO is captured)

If oEnv("STAGE") = "ISO" then

	' CONTENT environment variable contains the path to the directory that
	' will be used to create the ISO.

End if


' Do any steps needed after the ISO has been generated

If oEnv("STAGE") = "POSTISO" then

	' CONTENT environment variable contains the path to the locally-captured
        ' ISO file (after it has been copied to the network).

End if
Read 576 times Last modified on Tuesday, 10 October 2017 12:10

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts