Monday, 06 November 2017 07:49

Enabling SMBv1 in MDT WinPE Boot Images

As a reader of this blog, I suspect that you, like me, are a frequent visitor to TechNet forums. Earlier today, a user posted a question on the Microsoft Deployment Toolkit (MDT) forum asking for guidance on how to enable version 1 of the Server Message Block (SMB) protocol in MDT-generated Windows PE boot images. In case you have not heard, you should stop using SMB1. In Windows 10, version 1709 (Fall Creators Update) and Windows Server, version 1709 (RS3), the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. This also applies to the latest version of Windows ADK (Windows Assessment and Deployment Kit). The full removal has begun.

That being said, there is a caveat: there are still a few valid use cases where SMB1 is required. For instance, you may still be running a product that explicitly requires SMBv1.

Case in point: SMBv1 is bad, really bad, and you should never, ever re-enable it. But if this is your only option, enabling the SMB1 feature in MDT boot images is trivially easy using a little-known MDT feature, the UpdateExit.vbs script.

Note: Michael Niehaus explained the UpdateExit process in great detail in his blog post MDT 2010 New Feature #17: Customizable boot image process.

The C:\Program Files\Microsoft Deployment Toolkit\Samples folder contains the sample UpdateExit.vbs script.

To enable SMB1, place the modified UpdateExit.vbs file into the C:\Program Files\Microsoft Deployment Toolkit\Samples folder, overwriting the version that is already there. When the Update Deployment Share process runs, this exit script is called to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 registry value to 1 in the Windows PE WIM image, which is what is needed to enable the Server Message Block protocol. The script then enables the SMB1Protocol feature in the mounted image with DISM. When you update the deployment share, make sure to select the "Completely regenerate the boot images" option or make a change that requires regenerating the WIM and ISOs. The modified script:

' // ***************************************************************************
' // 
' // Copyright (c) Microsoft Corporation.  All rights reserved.
' // 
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File:      UpdateExit.vbs
' // 
' // Version:   
' // 
' // Purpose:   Sample "Update Deployment Share" exit script
' // 
' // ***************************************************************************


Option Explicit

Dim oShell, oEnv, sRole

' Write out each of the passed-in environment variable values

Set oShell = CreateObject("WScript.Shell")
Set oEnv = oShell.Environment("PROCESS")

WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
WScript.Echo "STAGE = " & oEnv("STAGE")
WScript.Echo "CONTENT = " & oEnv("CONTENT")


' Do any desired WIM customizations (right before the WIM changes are committed)

If oEnv("STAGE") = "WIM" then

	' CONTENT environment variable contains the path to the mounted WIM
	
	
	' // ***************************************************************************
	' // 
	' // Author:    Anton Romanyuk
	' // 
	' // Version:   1.0
	' // 
	' // Purpose:   Apply registry entries to and enable features in Windows PE boot
	' //            images.
	' // 
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //  This script code is provided as is with no guarantee or warranty concerning
	' //  the usability or impact on systems.
	' //  ------------- DISCLAIMER -------------------------------------------------
	' //
	' // ***************************************************************************
	
	' // Extra variables
	Dim sCmd, rc, strLog, fso, iErrors 
	
	' The script output will be captured if the return code is greater than zero.  Change this line
	' to say "iErrors = 0" if you don't want to see output in the case of success.  (This means 
	' that return code 1 means success.  MDT doesn't take any action based on the return code, other
	' than logging.)

	iErrors = 1

	Set fso = CreateObject("Scripting.FileSystemObject")

		WScript.Echo "---- Beginning UpdateExit.vbs WIM section ----"
		WScript.Echo "Adding Registry keys to WinPE (UpdateExit.vbs)..."

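		'Load SYSTEM registry hive from mounted WinPE WIM (path to CONTENT).
		'The hive path is quoted so the command still works if the mount path contains spaces.
		sCmd = "REG.EXE load HKLM\winpe " & Chr(34) & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM" & Chr(34)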
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		sCmd = "Reg add " & Chr(34) & "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" & Chr(34) & " /v SMB1 /t REG_DWORD /d 1 /f"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
			
		If RC > 0 then 
			iErrors = iErrors + 1
		End if
		
		sCmd = "Reg unload HKLM\winpe"
		WScript.Echo "About to run command: " & sCmd
		rc = oShell.Run(sCmd, 0, True)
		
		WScript.Echo "Return code from command = " & rc
		If RC > 0 then 
			iErrors = iErrors + 1
		End if

		For each sRole in Array("SMB1Protocol")
			sCmd = "DISM.EXE /Image:""" & oEnv("CONTENT") & """ /enable-feature /featurename:" & sRole
			WScript.Echo "About to run: " & sCmd
			
			RC = oShell.Run(sCmd, 0, true)
			WScript.Echo "Return code from command = " & RC
			
			If RC > 0 then 
				iErrors = iErrors + 1
			End if
		Next
		
	WScript.Quit iErrors
	
End if

' Do any desired ISO customizations (right before a new ISO is captured)

If oEnv("STAGE") = "ISO" then

	' CONTENT environment variable contains the path to the directory that
	' will be used to create the ISO.

End if


' Do any steps needed after the ISO has been generated

If oEnv("STAGE") = "POSTISO" then

	' CONTENT environment variable contains the path to the locally-captured
        ' ISO file (after it has been copied to the network).

End if
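
To check what a regenerated boot image actually contains, and to find images where SMB1 was left switched on, the following added example (not part of the original post) mounts a WIM read-only and reports the two settings the exit script changes. The function name, the temporary HKLM\winpe_audit key and the WIM path in the usage line are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Get-BootImageSmb1State, HKLM\winpe_audit
# and the sample WIM path in the usage line are assumed names.
function Get-BootImageSmb1State {
    param([Parameter(Mandatory)][string]$WimPath, [int]$Index = 1)
    $id    = [guid]::NewGuid().ToString('N')
    $mount = Join-Path $env:TEMP "pe_audit_$id"
    $hive  = Join-Path $env:TEMP "pe_SYSTEM_$id"
    New-Item -ItemType Directory -Path $mount | Out-Null
    try {
        # Read-only mount: the audit cannot commit anything to the image.
        Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $mount -ReadOnly -ErrorAction Stop | Out-Null

        # 1) Optional-feature state, i.e. what DISM /enable-feature /featurename:SMB1Protocol changes.
        $state = try {
            [string](Get-WindowsOptionalFeature -Path $mount -FeatureName SMB1Protocol -ErrorAction Stop).State
        } catch { 'Unknown' }   # feature not present in this image, or DISM could not query it

        # 2) Registry value: load a copy of the offline SYSTEM hive (reg load needs a writable file).
        Copy-Item (Join-Path $mount 'Windows\System32\config\SYSTEM') $hive
        & reg.exe load 'HKLM\winpe_audit' $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
        try {
            $out = & reg.exe query 'HKLM\winpe_audit\ControlSet001\Services\LanmanServer\Parameters' /v SMB1 2>$null
            $value = $null   # stays $null when the value is absent
            if (($out -join "`n") -match 'SMB1\s+REG_DWORD\s+0x([0-9a-fA-F]+)') {
                $value = [Convert]::ToInt32($Matches[1], 16)
            }
        } finally {
            & reg.exe unload 'HKLM\winpe_audit' | Out-Null
        }
        [pscustomobject]@{
            Image        = $WimPath
            FeatureState = $state
            RegistrySMB1 = $value
            # Flag the image if either change made by the exit script is present.
            Flagged      = ($state -eq 'Enabled') -or ($value -eq 1)
        }
    } finally {
        # Discard the mount (nothing to do if the mount itself failed) and clean up temp files.
        try { Dismount-WindowsImage -Path $mount -Discard -ErrorAction Stop | Out-Null } catch { }
        Remove-Item "$hive*" -Force -ErrorAction SilentlyContinue
        Remove-Item $mount -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (elevated prompt; the path is an example):
# Get-BootImageSmb1State -WimPath 'D:\DeploymentShare\Boot\LiteTouchPE_x64.wim'
```
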
Last modified on Monday, 06 November 2017 09:22
Comments (2)

Hey Anton,


Thank you for submitting this. Unfortunately, I'm still getting the same unsupported SMBv1 error in WinPE when trying to authenticate my deployment share. I'm trying to deploy a Win10x84 1803 image built in MDT and deployed with WDS over PXE.

I performed a reg load on the .wim file and confirmed that the SMB parameter was set to "1". I also ensured that I rebuilt the boot image completely and replaced it in WDS.

I did notice one issue while updating the Deployment share. Any idea why trying to enable the SMB1Protocol feature would return a code of "50" and would this be the reason why WinPE is still not allowing SMB1 authentication?


---- Beginning UpdateExit.vbs WIM section ----
Adding Registry keys to WinPE (UpdateExit.vbs)...
About to run command: REG.EXE load HKLM\winpe C:\Users\SA-JNI~1\AppData\Local\Temp\MDTUpdate.5824\Mount\Windows\System32\config\SYSTEM
Return code from command = 0
About to run command: Reg add "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 1 /f
Return code from command = 0
About to run command: Reg unload HKLM\winpe
Return code from command = 0
About to run: DISM.EXE /Image:"C:\Users\SA-JNI~1\AppData\Local\Temp\MDTUpdate.5824\Mount" /enable-feature /featurename:SMB1Protocol
Return code from command = 50

Exit code = 2

Tried reproducing the issue in my lab, but got the expected results (ADK 1803, MDT build 8450, OS: Windows 10, 1709). Could you check your C:\Windows\Logs\Dism\dism.log - it may contain a clue as to why DISM is throwing return code 50.

CONTENT = C:\Users\tolwy\AppData\Local\Temp\MDTUpdate.3628\Mount
---- Beginning UpdateExit.vbs WIM section ----
Adding Registry keys to WinPE (UpdateExit.vbs)...
About to run command: REG.EXE load HKLM\winpe C:\Users\ADM-RO~1.DOM\AppData\Local\Temp\MDTUpdate.3628\Mount\Windows\System32\config\SYSTEM
Return code from command = 0
About to run command: Reg add "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 1 /f
Return code from command = 0
About to run command: Reg unload HKLM\winpe
Return code from command = 0
About to run: DISM.EXE /Image:"C:\Users\tolwy\AppData\Local\Temp\MDTUpdate.3628\Mount" /enable-feature /featurename:SMB1Protocol
Return code from command = 0

Exit code = 1


Exit code 1 is expected, by the way.
