The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

  • Archives

  • Meta

Password or PIN Code “protect” MDT 2010 LiteTouch

Posted by Mikael Nystrom on January 26, 2011

Well, let me start with this:

This is NOT a secure solution, it is more of a-controlling-the-wizard-so-it-will-be-harder-do-something-really-bad-thing. This story started 2-3 weeks ago, a customer wanted to deploy windows 7 using LiteTouch. But they need a function to limit the selection of Task Sequences showed to the technician. Now that somewhat is a challenge but can be done. Here is how you can do this on your own.

image

Creating Selection Profiles for the Wizard

In MDT 2010 there is a variable called WizardSelectionProfile, using that we can create one selection profile for normal use and one for admin use. The only thing we need now is to feed the script with a parameter for what mode the wizard should run in. So:

Create two selection profiles, call them AllTaskSequences and ApprovedTaskSequences. Pretty much like this:

image

image

Update Customsettings.ini

Next thing is to make sure that your customsettings.ini file is correct and here is a sample of that:

[Settings]
Priority=WizardMode, Default
Properties=MyCustomProperty

[ADMIN]
WizardSelectionProfile=AllTaskSequences

[Default]
WizardSelectionProfile=ApprovedTaskSequences

Creating the PIN “application”

The quick and dirty way is to use an old friend of mine called AutoIT, it has been around for as long as I remember, I start using that for many years ago (NT4 something) for deployment and scripting, it has the ability to convert a scriptbased language into a executable file, the script language is very easy and its fast, so AutoIT here we go

Download AutoIT from http://www.autoitscript.com and install it, then open up the editor and create the following script:

$PIN = InputBox(“Security Check”, “Enter PIN for Admin Mode or wait.”, “”, “*”,300 , 160 , 362 , 200 , 10)
if $PIN = “1044” Then
        RunWait(“wscript.exe X:\Deploy\Scripts\LiteTouch.wsf /WizardMode:ADMIN”)
        Exit
    Else
        RunWait(“wscript.exe X:\Deploy\Scripts\LiteTouch.wsf”)
        Exit
EndIf

The PIN code is 1044 (Yes, you can alter this…) and the timeout value before the message box will close is set to 10 seconds (you can see the last 10 in the first line). This means that it will stop and prompt for PIN, if you type the correct you will run with the /WizardMode switch set to ADMIN, if you enter the wrong PIN or wait (or hit cancel) it will run without that switch. You might want to feed MDT with other parameters to override the default value, as an example you might want to add /Debugcapture or /Debug on your “admin” command line.

Next up is to compile the script into an .exe file and you need two of them, one for 32bit and one for 64bit. You do that with this application (it will be installed when you install AutoIT). Now, open it up and create LTIRunx86.exe and then once more for LTIRunx64.exe. Be sure the you check the x64 checkbox when you create LTIRunx64.exe

image

Adding the LTIRun32.exe and LTIRunx64.exe files to the media

You need to new folders in your deployment root, open up explorer and browse to the root folder of your deployment share, like C:\Deploymentshare (In my case it is E:\MDTPrd)

and create ExtraX86 and ExtraX64. In those folders you create Windows and in Windows you create System32, like this:

image

Now, put LTIRunX86.exe in Extrax86\Windows\System32 and put LTIRunX64.exe in Extrax64\Windows\System32

Open up Deployment Workbench and right click on your deployment share and make sure you add those folders in the media like this:

image

image

Modifying the unattended.xml files for WinPE

Now, we need to modify the run command in WinPE and we do that by modifying the template files that is used the the media is created. The files are normally located in C:\Program Files\Microsoft Deployment Toolkit\Templates and are called Unattend_PE_x64.xml and Unattend_PE_x86.xml.

Open them and replace the the text that looks like this(Please, make a copy of them before you make the changes…):

wscript.exe X:\Deploy\Scripts\LiteTouch.wsf

with this:

X:\Windows\system32\LTIRunx86.exe

Update the media

Now, the next step is to update the boot media, right click on your deployment share an select update and wait until you have new boot media.

Testing:

Not that complicated, just boot on the media and if you made everything correct, this is how it will look like:

image

And if you enter the PIN 1044 it will look like this:

image

And if you typed in something else / waited / Canceled it will look like this:

image

Now, as you can imagine, you can do much more around this, as an example you could say that if you type in the correct PIN the Wizard will run with all the “skips” set to NO so that you will run the Wizard, but if you don’t type in the correct PIN or wait, it will a normal “silent” deployment.

Once more, from a security standpoint, this is NOT secure, but in many cases this will be just perfect.

Prohibit the F8 – Command Prompt

If you want you can also modify the winpeshl.ini file so that you cannot press F8 to open the CMD when running the Deployment, that is going to make it a bit harder to bypass the PIN.

The file is located in  C:\Program Files\Microsoft Deployment Toolkit\Templates and it is called winpeshl.ini and it looks like this:

[LaunchApps]
%SYSTEMROOT%\System32\bddrun.exe,/bootstrap

Modify it so that it looks like this:

[LaunchApps]
%SYSTEMROOT%\System32\bddrun.exe,/BootstrapNoSF8

Now, if you update your media and boot once more, it should not be possible to press F8 to get into the command prompt.

Mikael Nystrom
MVP Setup/Deployment

6 Responses to “Password or PIN Code “protect” MDT 2010 LiteTouch”

  1. Agile IT said

    Mike, do you know a trick (using AutoIT) to detect WinPE Installation? Our scenario is we use a simple deployment PIN to launch media MDT on an existing OS. After installing WinPE on the existing OS HD, it reboots again, and prompts for PIN again on first reboot…and then completes the unattended install.

    Is there any variable that I can look for to “bypass” the PIN when running in unattended install mode in PE so we can skip the double PIN entry?

    Thanks in advance for your help, and I appreciate you sharing your work in automating deployments. :)

  2. Caleb Bobbitt said

    Long time listener first time caller :) Its good to see other Dev’s creating solutions to this HUGE problem. In the past i have used PXElinux and homebrewed password apps ( such as the one you created here)to keep unwanted, unathorized entry into the deployment solution. I like your idea on the Selection Profiles, Nice twist. Knowledge of editing the template files to kick off something before litetouch took me a few weeks to figure out ( back in MDT 2008) and seems to be used very little in the community. Im glad you brought attention to this topic. Hopefully MDT 2012 will put a solution in to provide a better worryfree enviroment for our customers. Great work Mikael.

    • Agree, but that did not happen and as I can see, that will never happen so we are stuck in these kind of solutions. Someone asked me yesterday if this would work in the new version of MDT and WinPE and as far as I know it will work.

  3. SKLD1 said

    Hi, this is exactly what I need, but when I try to compile the script, I get this error

    ______________________________________________________________________
    Line 1

    $PIN = InputBox(“Security Check”, “Enter PIN for Admin Mode or wait.”, “”, “*”,300 , 160 , 362 , 200 , 10)
    $PIN = InputBox(> ERROR

    Error:
    ______________________________________________________________________

    Any help you can give would be greatly appreciated

    Ssaazi

    • Check that all the ” really are ” and other character errors. You could try to copy-paste and passing trough Notepad or open it in the AutoIT editor. It is most likely a spelling issue. If not its a 32/64, non-elevation error.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 3,843 other followers

%d bloggers like this: