In this post, I will reveal a security flaw in Autopilot, Microsoft's new solution for deploying Windows machines to end users. I will show you how end users can easily get administrator rights during the installation process.

The first thing every hacker needs to get into your network is a compromised endpoint. To install malicious things in your network, whether the user notices or not, an attacker needs admin rights on the account they have compromised. BitLocker is what keeps people from getting admin rights when they have physical access. And users can't install their own machines, because then they would be admins: the first user account created in Windows is always an admin by default.

For years, the most recommended security measure against malware has been to remove admin rights from end users. This is why I was so happy when Microsoft introduced their new replacement for old-style disk imaging: Autopilot! With Autopilot, you can provision your company's computers and, in a way, transform them from consumer devices into enterprise devices. The process is highly automated, and all it requires is:

  1. The company buys a device from a manufacturer.
  2. The device's identification information (given by the manufacturer or retrieved with a script by the company) is registered in a cloud service.
  3. The user receives the device and unboxes it.
  4. The user powers on the machine.
  5. The traditional out-of-the-box experience (OOBE) starts.
  6. The user logs on with an Azure Active Directory (AD) account and password.
  7. The computer is identified as an Autopilot device.
  8. The computer provisions things like changing the SKU to Enterprise, installing apps, configuring security settings like enforcing BitLocker, and joining an Azure AD (and potentially an on-prem) domain.
  9. The user has an operational enterprise device with no intervention from the IT department and the computer never having seen the company premises.

Now back to the admin rights. The good thing for security is that Microsoft markets Autopilot as a solution where you never have to give the end user admin rights at any point. A configuration setting, chosen when the company builds the Autopilot setup, stops Autopilot from granting the user admin privileges. Great! Now we can deliver machines to end users straight from the manufacturer, have them upgraded and configured correctly, and never give users admin rights!

Or… are you sensing a "but" here? 😉

Here we have a computer started with Windows 10 1909 OOBE, and the first screen looks like this:

First screen of a new computer in Out Of The Box Experience

We continue through the screens normally until we can log in with our Azure AD credentials like here:

Choosing to configure the computer for enterprise use

Sign in screen for Microsoft or Azure AD accounts

Now if I continue normally, I will never get admin rights. But if at any point I press Shift + F10, I get a command prompt with admin rights, like this:

Command prompt with full admin rights after pressing Shift + F10

I can now create an admin account in various ways, for example, like this:

Adding an admin account to the newly unboxed computer

After I've finished the installation, I can use the "hacker" account when I need admin rights or add my Azure AD account to the local administrators group with this command:

😊

From a bad guy's perspective, I would say it's very tempting to find a computer still in its box, delivered to a company, or simply to reset a computer that has already been provisioned!

And yes, I know, this breaks the immutable law of security: "If someone has physical access to your computer, it's not your computer anymore," and all bets are off in that sense. But Microsoft, please, can you make it at least slightly more difficult than just hitting Shift + F10?
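As an added example, not code from the post or from Microsoft, here is a PowerShell audit an admin could run (elevated) on a freshly enrolled device to spot what an OOBE-time admin prompt leaves behind: local Administrators members outside an allowlist, enabled local accounts, and scheduled tasks running as SYSTEM from outside the usual system folders. The allowlist, the trusted-folder list and the function names are my assumptions.

```powershell
# Added example (not from the post): post-enrollment audit for a Windows 10 device.
# Requires an elevated PowerShell 5.1+ session with the LocalAccounts and
# ScheduledTasks modules (both ship with Windows 10).

$ExpectedAdmins = @('Administrator')   # assumption: your sanctioned local admins
$TrustedRoots   = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $ExpectedAdmins)
    # Azure AD members show up as "AzureAD\user@tenant"; compare on the bare name
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains ($_.Name -replace '^.*\\', '') } |
        Select-Object Name, PrincipalSource, SID
}

function Get-EnabledLocalUsers {
    # A "hacker" account created from the OOBE prompt is an enabled local user;
    # compare PasswordLastSet with the enrollment time
    Get-LocalUser | Where-Object Enabled |
        Select-Object Name, PasswordLastSet, LastLogon
}

function Test-TrustedPath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables and strip surrounding quotes before comparing
    $exe = [Environment]::ExpandEnvironmentVariables($Command).Trim('"', ' ')
    foreach ($root in $TrustedRoots) {
        if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousSystemTasks {
    # A SYSTEM task whose executable lives outside Windows/Program Files is the kind
    # of persistence the comments describe; report each such action
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
                    [pscustomobject]@{
                        Task    = $task.TaskPath + $task.TaskName
                        RunAs   = $task.Principal.UserId
                        Command = "$($action.Execute) $($action.Arguments)".Trim()
                    }
                }
            }
        }
}

Write-Host '== Local Administrators not in the allowlist =='; Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Write-Host '== Enabled local accounts ==';                    Get-EnabledLocalUsers    | Format-Table -AutoSize
Write-Host '== SYSTEM tasks running outside trusted folders =='; Get-SuspiciousSystemTasks | Format-Table -AutoSize
```

On an Azure AD-joined device, compare the output against the Autopilot enrollment timestamp and your MDM baseline rather than treating every hit as malicious.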

28 Comments
  1. Unless you have a password-protected BIOS and an encrypted hard drive, you can always boot from USB media and do the local admin hack trick.

    If a company uses a feature such as Autopilot, I doubt they don't use a GPO that will remove all admin access/disable that local account after provisioning the PC.


    • Maurice Heine 2 weeks ago

      A lot of AutoPilot companies use MDM instead of GPOs, and they may rely on AutoPilot to ensure that there are no local admins...


  2. Nigel Brown 3 weeks ago

    Two things - the experience you showed is not Autopilot - this is standard OOBE. Second - corporate policy can (should) remove / disable local admin once policy is in effect. This is standard deployment stuff (having a local admin to deploy, and then removing it) and I would not consider this any sort of security hole.


    • Author

      This is exactly the same experience for Autopilot and OOBE. Compared to an attended installation of an end user machine, you have no idea how compromised the machine is. If I deliver you a machine with BitLocker on it, prebuilt in your deployment solution, you won't get admin rights - this way you can. Of course, if you are doing self-provisioning you need to accept a certain risk. My point is just that it might not have to A. Be THIS easy. B. That debugging window could run something other than full admin.


  3. Vasile Jichin 3 weeks ago

    It's the same thing more or less with task sequence debugging; I doubt that this will be removed.


  4. Lakes 2 weeks ago

    Autopilot does not conclude until all policies are in effect. The policies should include disabling of all local admin accounts


  5. Jakob Heidelberg 2 weeks ago

    If you want security - then don't try to on-board a Windows endpoint that has been controlled by somebody else. Yeah, you can disable all local admins, I don't care, my stuff runs in a scheduled task, a service, a WMI trigger or some other persistence mechanism. This way of deploying endpoints is bound to fail. You're welcome to accept the risk, but just understand the risk.


  6. Carter 2 weeks ago

    The Shift F10 key saved me. I was bored at work messing in the Windows registry and changed a setting to make Windows think it was starting for the first time, then rebooted my computer. Well, my computer had a pending Windows update, and when it booted it came up booting for the first time, but then it came up updating Windows. That confused the OS and it came back saying it can't update when booting for the first time and then rebooted, resulting in a forever loop.

    Luckily it was the end of the day, so I went home and researched how to get a command prompt during post boot, found the Shift F10 trick, and was able to get back into regedit and change the value. My IT never knew about it.


  7. Wilson King 2 weeks ago

    This is not a security problem. You can make as many local admin accounts as you want, but as soon as that machine is joined onto the domain, then group policy will remove those accounts. After that, you can't add your domain account to the local administrators group because you no longer have any local admin rights. Others have pointed this out too.


    • The thing is, once an attacker has obtained admin rights, he can manipulate the system in a way that lets him regain access after his admin account has been removed via Group Policy. As things stand now, every script kiddie can do this. It does not really require a hacker or sophisticated malware. Thus, this is certainly a severe security hole and could be prevented if the entire deployment process were encrypted by default.

      It seems Microsoft either lacks the engineers to get this done, the management doesn't really care about security, or both. My guess is the latter applies. I mean, the fact that the Shift + F10 thing still exists speaks a clear language. Everyone who knows how to use a keyboard can exploit this.


      • OK Michael, but this is nothing new... It was already said: unless you have a password-protected BIOS and an encrypted hard drive, you can ALWAYS get admin access using old tricks.

  8. Jakob Heidelberg 2 weeks ago

    Not a security problem that malware can be running silently in system context without enterprise admins knowing about it? You must be kidding?

    • Wilson King 2 weeks ago

      No, I wasn't kidding. We are talking about a system that just came from the manufacturer and is in the middle of performing OOBE for the first time. You are physically present at the machine and physically pressed Shift + F10 on the keyboard. What malware is running on the machine at this time? None. What malware could be on the machine? It's a brand new fresh install that hasn't even hit the desktop yet. Explain to me at which point the machine is vulnerable to malware? Are you talking about malware you will load from a USB drive after you press Shift + F10? Again, that's you physically at the machine. Are you talking about malware that finds its way in over listening network ports? What malware is on the machine during this OOBE? Describe a valid hypothetical situation other than just "but malware, bro".


  9. Honestly, the title of the post is really way too misleading. No one searching on the internet for "hack admin rights" is expecting to read how that can be done on an OOBE machine...


  10. Jakob Heidelberg 2 weeks ago

    *You are physically present at the machine and physically pressed...*

    No. That's the problem right there. The way Autopilot is used, a regular user (not just "you") can go buy a PC and enroll with Autopilot, but it shouldn't be possible for him/her to get privileged access during the enrollment process.

    By being admin (e.g. having shell) for just a short amount of time, a malicious user can control the endpoint, potentially forever.

    Let me give you an example: I could set up a scheduled task running every minute as System, executing a script file under "c:\script.file". Now all a "regular" user has to do to install or do whatever as System is to manipulate that file after OOBE has completed.

    I could give you a lot of methods, some I mentioned above too, but I'll leave it to your imagination.


    • Sorry Jacob, how is that a good example? A regular user does not have NTFS/UAC-covered permissions to edit such a file...


      • Jakob Heidelberg 2 weeks ago

        I guess you'd like me to spell out everything, but a decent hacker will know the insignificant step of either modifying the NTFS permissions of the particular file with a one-liner, or placing it in a folder where regular users have write/modify permissions. I just gave an example of a method, not the complete recipe.

        Come on, let's get back to the point: if you give a random user the possibility of accessing an admin shell, just for a short amount of time, then you can't trust the machine anymore. A system admin will doubt it, but a hacker knows.


        • Wilson King 2 weeks ago

          Okay, so in your example I place a script at C:\temp\myscript.cmd and then I modify NTFS permissions to give some new user account access? Perhaps the very user account that I added to the local administrators group. But, as soon as GPO applies, that admin account is no longer there, or it's disabled. If you modify the NTFS permissions of that file and give it read/write access to standard user accounts, then the script will execute under a standard user context and be denied whatever bad things it was going to do. So, still, no problem here.


        • OK Jacob, so let's go through the possibilities here. I just bought a PC for Anne King from marketing and have sent it using DPD or PPL to her home....

          1) The DPD guy will give the laptop to a hacker instead of Anne, and such a hacker is present at her address and knows her (or another person's from that company) AD password, so he can join the domain and complete the process.

          2) Same as 1, but the hacker will just infect the machine and then give it to Anne as a fake DPD guy...

          3) Anne takes the laptop from the DPD guy, but then she gives it to a hacker to infect it before she joins the domain.

          4) Anne is misusing this "feature" herself and uses her own script that no security or IDP software discovers when she tries to misuse the code and attack the network...

          Did I forget something? C'mon, this probability is almost like me winning a few million euros in a lottery...

          Yes, if something should be deployed automatically, you need admin rights to do so. It should not be that easily accessible by a "standard" user, but I would not call this "hacking" admin rights... It's the same old thing that has existed for years...

          • Maurice Heine 2 weeks ago

            Even worse: Anne is the hacker. Everyone here seems to forget that a lot of threats are internal!


            • Everyone here seems to forget that a lot of threats are internal!

              No, we did not forget. Please keep some level of polite behavior.

              What you are referring to is usually a situation that happens over years, when an employee is not satisfied and tries to attack the company. It is hardly imaginable that you hire a completely new person who will fake his identity and skills, pass all the reviews, and then show up as a hacker when he gets the machine.


              • Maurice Heine 2 weeks ago

                Not sure how that was impolite, it certainly wasn't intended as such, but okay...

                Swap "everyone" for "some people" 🙂

                In any case, disgruntled employees also get new hardware every now and then... They may even be disgruntled because they don't get admin rights, as is the case in many IT companies.

                My colleagues feel they "need" admin privileges because they are IT Pros. Convincing them that one doesn't mean the other can be quite challenging! So obtaining admin rights in this case wouldn't even be a malicious act, but it can still have serious consequences.


                • Sorry Maurice,

                  how to say that - I just feel uncomfortable from other comments and I felt this to be a little not nice. Maybe I over-reacted.

                  The case you describe has really very low, almost zero, probability to happen. Yes, it can happen.

                  Whatever your colleagues think, it is not up to the IT department to care about. There are certain laws that clearly state that the IT equipment at your work is 100% owned by the company and you have zero right to use it at your own will. Of course, this is always a very difficult area in which to strike a balance, but in the end, if the device is company owned, it is only up to the goodness of that company to manage the device, not the employee.


        • And - also already mentioned by others. To misuse this you need to have physical access to the machine. Well, in such a case (if the HDD is not encrypted already), you almost always win, whether or not this Shift+F10 exists.


        • A system admin will doubt it, but a hacker knows.

          Sounds like you are saying admins are stupid and hackers are smart 🙂 There is no big difference between an admin and a hacker. Most of the "hackers" are using exploits already available on the internet. It's not really difficult to hack something if you know where to look and what to target... 🙂


  11. Maurice Heine 2 weeks ago

    I think that one valid point that Sami makes in this post is that Microsoft gives the illusion that if you use Autopilot, you don't have to worry about admin rights.

    Most people replying here seem to be experienced admins and claim they would not fall for this trick. Then again, most also seem to think that modern desktops are by definition domain joined... Our company is working on getting rid of our dependency on AD and moving to the cloud instead. Intune manages our systems, but stuff like LAPS isn't available out-of-the-box in Intune. We have to rethink the use of admin accounts, and so does Microsoft.

    Pointing out flaws like this helps make people aware of these kinds of risks and hopefully pushes them (and Microsoft) to take countermeasures.


  12. rebelemerald 2 weeks ago

    Yes, there is always a way to break things. As an end user you shouldn't be hacking your way to admin rights on your machine by purposely breaking SOP. If you are that user, then you are the security risk.

    I would like it if users were required to use a wired network (and connect to power).
