Patch Management Group

 View Only
  • 1.  Security concern when installing feature updates win10 - shift F10

    Trusted Advisor
    Posted Dec 01, 2016 08:00 AM

    Symantec recently released this KB detailing how customers can now install features updates via patch (yay, hoping to test it very soon!).

    This week a blog came out detailing how win10 feature updates present a security risk as clients can easily hit shift F10 during the upgrade process to get admin command line access (during install of these win10 feature updates, bitlocker is suspended/disabled).  More info on the Microsoft shift F10 issue here & some twitter discussion.

    Last night, Johan Arwidmark posted a blog about how to easily block the shift F10 option using ConfigMgr and said it would be easy to replicate with other deployment tools - simply injecting a file (DisableCMDRequest.TAG) into a WIM - but I have no idea how one would do this with the Altiris/Symantec CMS/ITMS tools.  

    Is it possible to block this shift F10 functionality with the Symantec products?  This is a huge risk for us in a K12 environment where students like to tinker and are well aware of such easy bypasses.  

     

     

     



  • 2.  RE: Security concern when installing feature updates win10 - shift F10

    Posted Dec 01, 2016 05:35 PM

    So you could just run this manually in Powershell on the server containing the downloaded Windows 10 Enterprise x64 v1607 package.

    Or to make it repeatable for future updates you could add it as a Run Script Task (Run on Notification Server) as a Powershell script. Create the mount folders and edit the script for the path of your update package. Make sure you give it plenty of time to run, it could take a while. Remember to update distribution points afterwards so the edited patch file gets out to your package servers.



  • 3.  RE: Security concern when installing feature updates win10 - shift F10

    Trusted Advisor
    Posted Dec 02, 2016 07:52 AM

    Hey Andy, thanks for replying.  Could you also use 7zip to open the iso and modify before uploading ?



  • 4.  RE: Security concern when installing feature updates win10 - shift F10

    Posted Dec 05, 2016 11:57 AM

    Don't see why not.



  • 5.  RE: Security concern when installing feature updates win10 - shift F10

    Trusted Advisor
    Posted Feb 07, 2017 09:12 AM

    FYI according to this video MS will disable shift F10 starting with Creators update.  Still vulnerable if user entered a USB key during upgrade, but definitely harder for users to take advantage of if Shift F10 is disabled.

     

    https://www.youtube.com/watch?v=uMi5RE4cJQQ&feature=youtu.be