Well, let me start with this:
This is NOT a secure solution, it is more of a-controlling-the-wizard-so-it-will-be-harder-do-something-really-bad-thing. This story started 2-3 weeks ago, a customer wanted to deploy windows 7 using LiteTouch. But they need a function to limit the selection of Task Sequences showed to the technician. Now that somewhat is a challenge but can be done. Here is how you can do this on your own.
Creating Selection Profiles for the Wizard
In MDT 2010 there is a variable called WizardSelectionProfile, using that we can create one selection profile for normal use and one for admin use. The only thing we need now is to feed the script with a parameter for what mode the wizard should run in. So:
Create two selection profiles, call them AllTaskSequences and ApprovedTaskSequences. Pretty much like this:
Update Customsettings.ini
Next thing is to make sure that your customsettings.ini file is correct and here is a sample of that:
[Settings]
Priority=WizardMode, Default
Properties=MyCustomProperty
[ADMIN]
WizardSelectionProfile=AllTaskSequences
[Default]
WizardSelectionProfile=ApprovedTaskSequences
Creating the PIN “application”
The quick and dirty way is to use an old friend of mine called AutoIT, it has been around for as long as I remember, I start using that for many years ago (NT4 something) for deployment and scripting, it has the ability to convert a scriptbased language into a executable file, the script language is very easy and its fast, so AutoIT here we go
Download AutoIT from http://www.autoitscript.com and install it, then open up the editor and create the following script:
$PIN = InputBox(“Security Check”, “Enter PIN for Admin Mode or wait.”, “”, “*”,300 , 160 , 362 , 200 , 10)
if $PIN = “1044” Then
RunWait(“wscript.exe X:\Deploy\Scripts\LiteTouch.wsf /WizardMode:ADMIN”)
Exit
Else
RunWait(“wscript.exe X:\Deploy\Scripts\LiteTouch.wsf”)
Exit
EndIf
The PIN code is 1044 (Yes, you can alter this…) and the timeout value before the message box will close is set to 10 seconds (you can see the last 10 in the first line). This means that it will stop and prompt for PIN, if you type the correct you will run with the /WizardMode switch set to ADMIN, if you enter the wrong PIN or wait (or hit cancel) it will run without that switch. You might want to feed MDT with other parameters to override the default value, as an example you might want to add /Debugcapture or /Debug on your “admin” command line.
Next up is to compile the script into an .exe file and you need two of them, one for 32bit and one for 64bit. You do that with this application (it will be installed when you install AutoIT). Now, open it up and create LTIRunx86.exe and then once more for LTIRunx64.exe. Be sure the you check the x64 checkbox when you create LTIRunx64.exe
Adding the LTIRun32.exe and LTIRunx64.exe files to the media
You need to new folders in your deployment root, open up explorer and browse to the root folder of your deployment share, like C:\Deploymentshare (In my case it is E:\MDTPrd)
and create ExtraX86 and ExtraX64. In those folders you create Windows and in Windows you create System32, like this:
Now, put LTIRunX86.exe in Extrax86\Windows\System32 and put LTIRunX64.exe in Extrax64\Windows\System32
Open up Deployment Workbench and right click on your deployment share and make sure you add those folders in the media like this:
Modifying the unattended.xml files for WinPE
Now, we need to modify the run command in WinPE and we do that by modifying the template files that is used the the media is created. The files are normally located in C:\Program Files\Microsoft Deployment Toolkit\Templates and are called Unattend_PE_x64.xml and Unattend_PE_x86.xml.
Open them and replace the the text that looks like this(Please, make a copy of them before you make the changes…):
wscript.exe X:\Deploy\Scripts\LiteTouch.wsf
with this:
X:\Windows\system32\LTIRunx86.exe
Update the media
Now, the next step is to update the boot media, right click on your deployment share an select update and wait until you have new boot media.
Testing:
Not that complicated, just boot on the media and if you made everything correct, this is how it will look like:
And if you enter the PIN 1044 it will look like this:
And if you typed in something else / waited / Canceled it will look like this:
Now, as you can imagine, you can do much more around this, as an example you could say that if you type in the correct PIN the Wizard will run with all the “skips” set to NO so that you will run the Wizard, but if you don’t type in the correct PIN or wait, it will a normal “silent” deployment.
Once more, from a security standpoint, this is NOT secure, but in many cases this will be just perfect.
Prohibit the F8 – Command Prompt
If you want you can also modify the winpeshl.ini file so that you cannot press F8 to open the CMD when running the Deployment, that is going to make it a bit harder to bypass the PIN.
The file is located in C:\Program Files\Microsoft Deployment Toolkit\Templates and it is called winpeshl.ini and it looks like this:
[LaunchApps]
%SYSTEMROOT%\System32\bddrun.exe,/bootstrap
Modify it so that it looks like this:
[LaunchApps]
%SYSTEMROOT%\System32\bddrun.exe,/BootstrapNoSF8
Now, if you update your media and boot once more, it should not be possible to press F8 to get into the command prompt.
Mikael Nystrom
MVP Setup/Deployment
Share this:
Categories: Deployment, TechEd
The Deployment Bunny 
Mike, do you know a trick (using AutoIT) to detect WinPE Installation? Our scenario is we use a simple deployment PIN to launch media MDT on an existing OS. After installing WinPE on the existing OS HD, it reboots again, and prompts for PIN again on first reboot…and then completes the unattended install.
Is there any variable that I can look for to “bypass” the PIN when running in unattended install mode in PE so we can skip the double PIN entry?
Thanks in advance for your help, and I appreciate you sharing your work in automating deployments. :)
Not easy, I yoy need to play with drives, marker files and all kinds of “mess”, or yoy need to have 2 versions of the PE or something like that…
Long time listener first time caller :) Its good to see other Dev’s creating solutions to this HUGE problem. In the past i have used PXElinux and homebrewed password apps ( such as the one you created here)to keep unwanted, unathorized entry into the deployment solution. I like your idea on the Selection Profiles, Nice twist. Knowledge of editing the template files to kick off something before litetouch took me a few weeks to figure out ( back in MDT 2008) and seems to be used very little in the community. Im glad you brought attention to this topic. Hopefully MDT 2012 will put a solution in to provide a better worryfree enviroment for our customers. Great work Mikael.
Agree, but that did not happen and as I can see, that will never happen so we are stuck in these kind of solutions. Someone asked me yesterday if this would work in the new version of MDT and WinPE and as far as I know it will work.
Hi, this is exactly what I need, but when I try to compile the script, I get this error
______________________________________________________________________
Line 1
$PIN = InputBox(“Security Check”, “Enter PIN for Admin Mode or wait.”, “”, “*”,300 , 160 , 362 , 200 , 10)
$PIN = InputBox(> ERROR
Error:
______________________________________________________________________
Any help you can give would be greatly appreciated
Ssaazi
Check that all the ” really are ” and other character errors. You could try to copy-paste and passing trough Notepad or open it in the AutoIT editor. It is most likely a spelling issue. If not its a 32/64, non-elevation error.