Password or PIN Code “protect” MDT 2010 LiteTouch
Posted by Mikael Nystrom on January 26, 2011
Well, let me start with this:
This is NOT a secure solution, it is more of a-controlling-the-wizard-so-it-will-be-harder-do-something-really-bad-thing. This story started 2-3 weeks ago, a customer wanted to deploy windows 7 using LiteTouch. But they need a function to limit the selection of Task Sequences showed to the technician. Now that somewhat is a challenge but can be done. Here is how you can do this on your own.
Creating Selection Profiles for the Wizard
In MDT 2010 there is a variable called WizardSelectionProfile, using that we can create one selection profile for normal use and one for admin use. The only thing we need now is to feed the script with a parameter for what mode the wizard should run in. So:
Create two selection profiles, call them AllTaskSequences and ApprovedTaskSequences. Pretty much like this:
Next thing is to make sure that your customsettings.ini file is correct and here is a sample of that:
Creating the PIN “application”
The quick and dirty way is to use an old friend of mine called AutoIT, it has been around for as long as I remember, I start using that for many years ago (NT4 something) for deployment and scripting, it has the ability to convert a scriptbased language into a executable file, the script language is very easy and its fast, so AutoIT here we go
Download AutoIT from http://www.autoitscript.com and install it, then open up the editor and create the following script:
$PIN = InputBox(“Security Check”, “Enter PIN for Admin Mode or wait.”, “”, “*”,300 , 160 , 362 , 200 , 10)
if $PIN = “1044″ Then
RunWait(“wscript.exe X:\Deploy\Scripts\LiteTouch.wsf /WizardMode:ADMIN”)
The PIN code is 1044 (Yes, you can alter this…) and the timeout value before the message box will close is set to 10 seconds (you can see the last 10 in the first line). This means that it will stop and prompt for PIN, if you type the correct you will run with the /WizardMode switch set to ADMIN, if you enter the wrong PIN or wait (or hit cancel) it will run without that switch. You might want to feed MDT with other parameters to override the default value, as an example you might want to add /Debugcapture or /Debug on your “admin” command line.
Next up is to compile the script into an .exe file and you need two of them, one for 32bit and one for 64bit. You do that with this application (it will be installed when you install AutoIT). Now, open it up and create LTIRunx86.exe and then once more for LTIRunx64.exe. Be sure the you check the x64 checkbox when you create LTIRunx64.exe
Adding the LTIRun32.exe and LTIRunx64.exe files to the media
You need to new folders in your deployment root, open up explorer and browse to the root folder of your deployment share, like C:\Deploymentshare (In my case it is E:\MDTPrd)
and create ExtraX86 and ExtraX64. In those folders you create Windows and in Windows you create System32, like this:
Now, put LTIRunX86.exe in Extrax86\Windows\System32 and put LTIRunX64.exe in Extrax64\Windows\System32
Open up Deployment Workbench and right click on your deployment share and make sure you add those folders in the media like this:
Modifying the unattended.xml files for WinPE
Now, we need to modify the run command in WinPE and we do that by modifying the template files that is used the the media is created. The files are normally located in C:\Program Files\Microsoft Deployment Toolkit\Templates and are called Unattend_PE_x64.xml and Unattend_PE_x86.xml.
Open them and replace the the text that looks like this(Please, make a copy of them before you make the changes…):
Update the media
Now, the next step is to update the boot media, right click on your deployment share an select update and wait until you have new boot media.
Not that complicated, just boot on the media and if you made everything correct, this is how it will look like:
And if you enter the PIN 1044 it will look like this:
And if you typed in something else / waited / Canceled it will look like this:
Now, as you can imagine, you can do much more around this, as an example you could say that if you type in the correct PIN the Wizard will run with all the “skips” set to NO so that you will run the Wizard, but if you don’t type in the correct PIN or wait, it will a normal “silent” deployment.
Once more, from a security standpoint, this is NOT secure, but in many cases this will be just perfect.
Prohibit the F8 – Command Prompt
If you want you can also modify the winpeshl.ini file so that you cannot press F8 to open the CMD when running the Deployment, that is going to make it a bit harder to bypass the PIN.
The file is located in C:\Program Files\Microsoft Deployment Toolkit\Templates and it is called winpeshl.ini and it looks like this:
Modify it so that it looks like this:
Now, if you update your media and boot once more, it should not be possible to press F8 to get into the command prompt.