Monday, 06 November 2017 07:49

Enabling SMBv1 in MDT WinPE Boot Images

Written by
Rate this item
(3 votes)

image

As a reader of this blog, I suspect that you, like me, are a frequent visitor to TechNet forums. Earlier today, a user posted a question on the Microsoft Deployment Toolkit (MDT) forum asking for guidance on how to enable Version 1 of the Server Message Block (SMB) protocol in MDT generated Windows PE boot images. In case you have not heard, you should stop using SMB1. In Windows 10, version 1709 (Fall Creators Update) and Windows Server, version 1709 (RS3), the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. This also applies to the latest version of Windows ADK (Windows Assessment and Deployment Kit). The full removal has begun.

image

That being said, there is a caveat: there are still few valid use cases left where SMB1 is still required. For instance, you may still be running a product that explicitly requires SMBv1.

Case and point, SMBv1 is bad, really bad and you should never, ever re-enable it. But - if this is your only option - enabling the SMB1 feature in MDT boot images is trivially easy using the little known MDT feature UpdateExit.vbs script.

Note: Michael Niehaus explained the UpdateExit process in great detail in his blog post MDT 2010 New Feature #17: Customizable boot image process.

The C:\Program Files\Microsoft Deployment Toolkit\Samples folder contains the sample UpdateExit.vbs script.

To enable SMB1 place the modified UpdateExit.vbs file into the C:\Program Files\Microsoft Deployment Toolkit\Samples folder, overwriting the version that is already there. When the Update Deployment Share process runs, this exit script will be called to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 registry value to 1 in the Windows PE WIM image, which is what is needed to enable Server Message Block protocol. When you update the deployment share make sure to select the Completely regenerate the boot images option or make a change that requires re-generating the WIM and ISOs:

' // ***************************************************************************
' // 
' // Copyright (c) Microsoft Corporation.  All rights reserved.
' // 
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File:      UpdateExit.vbs
' // 
' // Version:   
' // 
' // Purpose:   Sample "Update Deployment Share" exit script
' // 
' // ***************************************************************************


Option Explicit

Dim oShell, oEnv, sRole

' Write out each of the passed-in environment variable values

Set oShell = CreateObject("WScript.Shell")
Set oEnv = oShell.Environment("PROCESS")

WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
WScript.Echo "STAGE = " & oEnv("STAGE")
WScript.Echo "CONTENT = " & oEnv("CONTENT")


' Do any desired WIM customizations (right before the WIM changes are committed)

If oEnv("STAGE") = "WIM" then

	' CONTENT environment variable contains the path to the mounted WIM
	
	
	' // ***************************************************************************
	' // 
	' // Author:    Anton Romanyuk
	' // 
	' // Version:   1.0
	' // 
	' // Purpose:   Apply registry entries to and enable features in Windows PE boot
	' //            images.
	' // 
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //  This script code is provided as is with no guarantee or waranty concerning
	' //  the usability or impact on systems.
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //
	' // ***************************************************************************
	
	' // Extra variables
	Dim sCmd, rc, strLog, fso, iErrors 
	
	' The script output will be captured if the return code is greater than zero.  Change this line
	' to say "iErrors = 0" if you don't want to see output in the case of success.  (This means 
	' that return code 1 means success.  MDT doesn't take any action based on the return code, other
	' than logging.)

	iErrors = 1

	Set fso = CreateObject("Scripting.FileSystemObject")

		WScript.Echo "---- Beginning UpdateExit.vbs WIM section ----"
		WScript.Echo "Adding Registry keys to WinPE (UpdateExit.vbs)..."

		'Load SYSTEM registry hive from mounted WinPE WIM (path to CONTENT)
		sCmd = "REG.EXE load HKLM\winpe " & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		sCmd = "Reg add " & Chr(34) & "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" & Chr(34) & " /v SMB1 /t REG_DWORD /d 1 /f"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
			
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		sCmd = "Reg unload HKLM\winpe"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if

		For each sRole in Array("SMB1Protocol")
			sCmd = "DISM.EXE /Image:""" & oEnv("CONTENT") & """ /enable-feature /featurename:" & sRole
			WScript.Echo "About to run: " & sCmd
			
			RC = oShell.Run(sCmd, 0, true)
			WScript.Echo "Return code from command = " & RC
			
			If RC > 0 then 
				iErrors = iErrors + 1
			End if
		Next
		
	WScript.Quit iErrors
	
End if

' Do any desired ISO customizations (right before a new ISO is captured)

If oEnv("STAGE") = "ISO" then

	' CONTENT environment variable contains the path to the directory that
	' will be used to create the ISO.

End if


' Do any steps needed after the ISO has been generated

If oEnv("STAGE") = "POSTISO" then

	' CONTENT environment variable contains the path to the locally-captured
        ' ISO file (after it has been copied to the network).

End if
Read 363 times Last modified on Monday, 06 November 2017 09:22

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts