Windows Pxe Boot Image


If this is the case, right click on the boot image that you want your DP to offer for all PXE requests, go to properties-Data Source and check the box 'Deploy this boot image from the PXE-enabled distribution point'. Un-check the same box for the boot image you want to remove. I hope this helps, Rafael.

Applies to: Configuration Manager (current branch)

A boot image in Configuration Manager is a Windows PE (WinPE) image that's used during an OS deployment. Boot images are used to start a computer in WinPE. This minimal OS contains limited components and services. Configuration Manager uses WinPE to prepare the destination computer for Windows installation.

Default boot images

Configuration Manager provides two default boot images: One to support x86 platforms and one to support x64 platforms. These images are stored in the x64 or i386 folders in the following share on the site server: \\<SiteServerName>\SMS_<sitecode>\osd\boot. The default boot images are updated or regenerated depending on the action that you take.

Consider the following behaviors for any of the actions described for default boot images:

  • The source driver objects must be valid. These objects include the driver source files. If the objects aren't valid, the site doesn't add the drivers to the boot images.

  • Boot images that aren't based on the default boot images, even if they use the same Windows PE version, aren't modified.

  • Redistribute the modified boot images to distribution points.

  • Recreate any media that uses the modified boot images.

  • If you don't want your customized/default boot images automatically updated, don't store them in the default location.

Note

The Configuration Manager log tool (CMTrace) is added to all boot images in the Software Library. When you're in Windows PE, start the tool by typing cmtrace from the command prompt.

CMTrace is the default viewer for log files in Windows PE.

Use updates and servicing to install the latest version of Configuration Manager

When you upgrade the Windows Assessment and Deployment Kit (ADK) version, and then use updates and servicing to install the latest version of Configuration Manager, the site regenerates the default boot images. This update includes the new WinPE version from the updated Windows ADK, the new version of the Configuration Manager client, drivers, and customizations. The site doesn't modify custom boot images.

Note

The site always uses the production version of the Configuration Manager client in default boot images. Even if you configure automatic client upgrades to use a pre-production collection, that feature doesn't apply to boot images.

Upgrade from Configuration Manager 2012 to current branch

When you upgrade Configuration Manager 2012 to current branch, the site regenerates the default boot images. This update includes the new WinPE version from the updated Windows ADK and the new version of the Configuration Manager client. All boot image customizations remain unchanged. The site doesn't modify custom boot images.

Update distribution points with the boot image

When you use the Update Distribution Points action from the Boot Images node in the console, the site updates the target boot image with the client components, drivers, and customizations.

You can reload the boot image with the latest version of WinPE from the Windows ADK installation directory. The General page of the Update Distribution Points wizard provides the following information:

  • The current Windows ADK version installed on the site server
  • The current production client version
  • The Windows ADK version of WinPE in the boot image
  • The version of the Configuration Manager client in the boot image

If the versions in the boot image are out of date, use the option to Reload this boot image with the current Windows PE version from the Windows ADK.

Important

This action is available for both default and custom boot images. During this process to reload the boot image, the site doesn't retain any manual customizations made outside of Configuration Manager. These customizations include third-party extensions. This option rebuilds the boot image using the latest version of WinPE and the latest client version. Only the configurations that you specify on the properties of the boot image are reapplied.

The Boot Images node also includes a new column for (Client Version). Use this column to quickly view the Configuration Manager client version in each boot image.

After you update the Windows ADK on the site server, the console won't immediately show the new version. If you use one of these actions to update a boot image, the site uses the latest ADK version. To get the console to display the current ADK version, restart the WMI service. For more information, see Starting and Stopping the WMI Service.

Customize a boot image

When a boot image is based on the WinPE version from the supported version of the Windows ADK, you can customize or modify a boot image from the console. When you upgrade a site and install a new version of the Windows ADK, custom boot images aren't updated with the new version of Windows ADK. When that happens, you can't customize the boot images in the Configuration Manager console. However, they continue to work as they did before the upgrade.

When a boot image is based on a different version of the Windows ADK than the one installed on the site, you can't customize it from the console. Use another method to customize these boot images, such as the Deployment Image Servicing and Management (DISM) command-line tool. DISM is part of the Windows ADK. For more information, see Customize boot images.

Add a boot image

During site installation, Configuration Manager automatically adds boot images that are based on a WinPE version from the supported version of the Windows ADK. Depending on the version of Configuration Manager, you can add boot images based on a different WinPE version from the supported version of the Windows ADK. An error occurs when you try to add a boot image that contains an unsupported version of WinPE.

Configuration Manager also supports Windows PE versions for boot images that aren't customizable from the Configuration Manager console:

  • Windows PE 3.1 (see Note 1)

For example, use the Configuration Manager console to customize boot images based on Windows PE 10 from the Windows ADK for Windows 10. For a boot image based on Windows PE 3.1, customize it from a different computer using the version of DISM from the Windows AIK for Windows 7. Then add the custom boot image to the Configuration Manager console.

For more information, see the following articles:

Note

Note 1: Support for Windows PE 3.1

Only add a boot image to Configuration Manager based on Windows PE version 3.1. Upgrade the Windows AIK for Windows 7 (based on Windows PE 3.0) with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1). Download the Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center.

Use the following process to add a boot image in Configuration Manager:

  1. In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems, and then select the Boot Images node.

  2. On the Home tab of the ribbon, in the Create group, select Add Boot Image. This action starts the Add Boot Image Wizard.

  3. On the Data Source page, specify the following options:

    • In the Path box, specify the path to the boot image WIM file. The specified path must be a valid network path in the UNC format. For example: \\ServerName\ShareName\BootImageName.wim

    • Select the boot image from the Boot Image drop-down list. If the WIM file contains multiple boot images, select the appropriate image.

  4. On the General page, specify the following options:

    • In the Name box, specify a unique name for the boot image.

    • In the Version box, specify a version number for the boot image.

    • In the Comment box, specify a brief description of how you use the boot image.

  5. Complete the wizard.

The boot image is now listed in the Boot Image node. Before using the boot image to deploy an OS, distribute the boot image to distribution points.

Tip

In the Boot Image node of the console, the Size (KB) column displays the decompressed size for each boot image. When the site sends a boot image over the network, it sends a compressed copy. This copy is typically smaller than the size listed in the Size (KB) column.

Distribute boot images

Boot images are distributed to distribution points in the same way as you distribute other content. Before you deploy an OS or create media, distribute the boot image to at least one distribution point.

For more information on how to distribute a boot image, see Distribute content.

To use PXE to deploy an OS, consider the following points before you distribute the boot image:

  • Configure the distribution point to accept PXE requests.
  • Distribute both an x86 and an x64 PXE-enabled boot image to at least one PXE-enabled distribution point.
  • Configuration Manager distributes the boot images to the RemoteInstall folder on the PXE-enabled distribution point.

For more information about using PXE to deploy operating systems, see Use PXE to deploy Windows over the network.

Modify a boot image

Add or remove device drivers to the image, or edit the properties of the boot image. The drivers that you add or remove can include network or storage drivers. Consider the following factors when you modify boot images:

  • Before adding drivers to the boot image, import and enable them in the device driver catalog.

  • When you modify a boot image, the boot image doesn't change any of the associated packages that the boot image references.

  • After you make changes to a boot image, update the boot image on the distribution points that already have it. This process makes the most current version of the boot image available to clients. For more information, see Manage content you've distributed.

Modify the properties of a boot image

  1. In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems, and then select the Boot Images node.

  2. Select the boot image that you want to modify.

  3. On the Home tab of the ribbon, in the Properties group, select Properties.

  4. Set any of the following settings to change the behavior of the boot image:

Images

On the Images tab, if you change the properties of the boot image by using an external tool, select Reload.

Drivers

On the Drivers tab, add the Windows device drivers that WinPE requires to boot. Consider the following points when you add device drivers:

  • Make sure that the drivers that you add to the boot image match the architecture of the boot image.

  • To only display drivers for the architecture of the boot image, select Hide drivers that do not match the architecture of the boot image. The architecture of the driver is based on the architecture reported in the INF from the manufacturer.

  • WinPE already comes with many drivers built-in. Add only network and storage drivers that aren't included in WinPE.

  • Add only network and storage drivers to the boot image, unless there are requirements for other drivers in WinPE.

  • To only display storage and network drivers, select Hide drivers that are not in a storage or network class (for boot images). This option also hides other drivers that aren't typically needed for boot images, such as video or modem drivers.

  • To hide drivers that don't have a valid digital signature, select Hide drivers that are not digitally signed.

Note

Import device drivers into the drivers catalog before you add them to a boot image. For information about how to import device drivers, see Manage drivers.

Customization

On the Customization tab, select any of the following settings:

  • Select the Enable Prestart Commands option to specify a command to run before the task sequence runs. When you enable this option, also specify the command line to run and any support files required by the command.

    Warning

    Add cmd /c to the start of the command line. If you don't specify cmd /c, the command won't close after it runs. The deployment continues to wait for the command to finish and won't start any other configured commands or actions.

    Tip

    During task sequence media creation, the wizard writes the package ID and prestart command line to the CreateTSMedia.log file. This information includes the value for any task sequence variables. This log is on the computer that runs the Configuration Manager console. Review this log file to verify the values for the task sequence variables.

  • Set the Windows PE Background settings to specify whether you want to use the default WinPE background or a custom background.

  • Configure the Windows PE scratch space (MB), which is temporary storage (RAM drive) used by WinPE. For example, when an application is run within WinPE and needs to write temporary files, WinPE redirects the files to the scratch space in memory to simulate the presence of a hard disk. By default, this amount is 512 MB for devices with more than 1 GB of RAM, otherwise the default is 32 MB.

  • Select Enable command support (testing only) to open a command prompt by using the F8 key while the boot image is deployed. This option is useful for troubleshooting while you're testing your deployment. Using this setting in a production deployment isn't advised because of security concerns.

  • Set default keyboard layout in WinPE: Configure the default keyboard layout for a boot image. If you select a language other than en-us, Configuration Manager still includes en-us in the available input locales. On the device, the initial keyboard layout is the selected locale, but the user can switch the device to en-us if needed.

Tip

Use the Set-CMBootImage PowerShell cmdlet to configure these settings from a script.

Optional Components

On the Optional Components tab, specify the components that are added to Windows PE for use with Configuration Manager. For more information about available optional components, see WinPE: Add packages (Optional Components Reference).

The following components are required by Configuration Manager and always added to boot images:

  • Scripting (WinPE-Scripting)
  • Startup (WinPE-SecureStartup)
  • Network (WinPE-WDS-Tools)
  • Scripting (WinPE-WMI)

The Components list shows additional items that are added to this boot image. To add more components, select the gold asterisk. To remove a component, select it from the list, and then select the red X.

The following components are commonly used by customers:

  • Microsoft .NET (WinPE-NetFX): This component is a prerequisite for PowerShell. It's one of the larger optional components.
  • Windows PowerShell (WinPE-PowerShell): This component requires .NET, and adds limited PowerShell support. If you run custom PowerShell scripts during the WinPE phase of your task sequence, add this component. There are other components that may be required for other PowerShell cmdlets.
  • HTML (WinPE-HTA): If you run custom HTML applications during the WinPE phase of your task sequence, add this component.

For more information about adding languages, see Configure multiple languages.

Data Source

On the Data Source tab, update any of the following settings:

  • To change the source file of the boot image, set Image path and Image index.

  • To create a schedule for when the site updates the boot image, select Update distribution points on a schedule.

  • If you don't want the content of this package to age out of the client cache to make room for other content, select Persist content in client cache.

  • To specify that the site only distributes changed files when it updates the boot image package on the distribution point, select Enable binary differential replication (BDR). This setting minimizes the network traffic between sites. BDR is especially useful when the boot image package is large and the changes are relatively small.

  • If you use the boot image in a PXE-enabled deployment, select Deploy this boot image from the PXE-enabled distribution point. For more information, see Use PXE to deploy Windows over the network.

Data Access

On the Data Access tab, you can configure package share settings. If needed in your environment, set the option to Copy the content in this package to a package share on distribution points. You then have the additional option to Use a custom name for the package share and specify the custom Share name. Additional disk space is required on distribution points when you enable this option. It applies to all distribution points that receive this boot image.

Distribution Settings

On the Distribution Settings tab, select any of the following settings:

  • In the Distribution priority list, specify the priority level. Configuration Manager uses this priority list when the site distributes multiple packages to the same distribution point.

  • If you want to enable on-demand content distribution to preferred distribution points, select Enable for on-demand distribution. When you enable this setting, if a client requests the content for the package and the content isn't available on any distribution points, then the management point distributes the content. For more information, see On-demand content distribution.

  • To specify how you want the site to distribute the boot image to distribution points that are enabled for prestaged content, set the Prestaged distribution point settings. For more information about prestaged content, see Prestage content.

Content Locations

On the Content Locations tab, select the distribution point or distribution point group, and use the following actions:

  • Validate: Check the integrity of the boot image package on the selected distribution point or distribution point group.

  • Redistribute: Distribute the boot image to the selected distribution point or distribution point group again.

  • Remove: Delete the boot image from the selected distribution point or distribution point group.

Security

On the Security tab, view the administrative users that have permissions to this object.

Configure a boot image for PXE

Before you can use a boot image for a PXE-based deployment, configure the boot image to deploy from a PXE-enabled distribution point.

  1. In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems, and then select the Boot Images node.

  2. Select the boot image that you want to modify.

  3. On the Home tab of the ribbon, in the Properties group, select Properties.

  4. On the Data Source tab, select Deploy this boot image from the PXE-enabled distribution point. For more information, see Use PXE to deploy Windows over the network.

Configure multiple languages

Tip

You can configure the default keyboard layout on the properties of a boot image. For more information, see Customization.

Boot images are language neutral. This functionality allows you to use one boot image to display the task sequence text in multiple languages while in WinPE. Include the appropriate language support from the boot image Optional Components tab. Then set the appropriate task sequence variable to indicate which language to display. The language of the deployed OS is independent from the language in WinPE. The language that WinPE displays to the user is determined as follows:

  • When a user runs the task sequence from an existing OS, Configuration Manager automatically uses the language configured for the user. When the task sequence automatically runs as the result of a mandatory deployment deadline, Configuration Manager uses the language of the OS.

  • For OS deployments that use PXE or media, set the language ID value in the SMSTSLanguageFolder variable as part of a prestart command. When the computer boots to WinPE, messages are displayed in the language that you specified in the variable. If there's an error accessing the language resource file in the specified folder, or you don't set the variable, WinPE displays messages in the default language.

    Note

    When you protect media with a password, the text that prompts the user for the password is always displayed in the WinPE language.

Use the following procedure to set the WinPE language for PXE or media-initiated OS deployments.

Set the Windows PE language for a PXE or media-initiated OS deployment

  1. Before you update the boot image, verify that the appropriate task sequence resource file (tsres.dll) is in the corresponding language folder on the site server. For example, the English resource file is in the following location: <ConfigMgrInstallationFolder>\OSD\bin\x64\00000409\tsres.dll

  2. As part of your prestart command, set the SMSTSLanguageFolder environment variable to the appropriate language ID. The language ID must be specified by using decimal and not hexadecimal format. For example, to set the language ID to English, specify the decimal value 1033, not the hexadecimal value 00000409 of the folder name.

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.

Recommended tools:

  • Windows image (blog uses Windows 10 Professional)

General overview:

  • PXE booting a Windows image with Hyper-V
  • Backdoor attacks
  • Password Scraping attacks

PXE booting a Windows image with Hyper-V

Create a new VM through the New Virtual Machine Wizard. Follow the guided steps and make sure to choose the “Install an operating system from a network-based installation server” option. Check the settings menu after the wizard is complete and make sure “Legacy Network Adapter” is at the top of the Startup order.

Save and start the VM. The PXE network install should start and begin the Microsoft Deployment Toolkit deployment wizard.

Run through the wizard and start the installation task sequence for the target image. This can take a while.

Mounting a Windows image

Once the setup is completely finished (including the Windows operating system setup), you should have a working Windows VM. Make sure to shut down the VM safely and download the Kali Linux ISO. Go to the Settings menu and choose the location of your DVD drive image file.

Now, change the boot order so that “CD” is at the top of the BIOS startup order.

Save the settings and start the VM. Choose to boot into the “Live (forensic mode)”.

Once Kali is booted, mount the Windows partition with the following sample commands. Make sure to change the example /dev/sda2 partition to match the partition on your system.

Backdoor Attacks

1. Add a local Administrator during setup.

This is probably the simplest way to gain elevated access to the system image. After going through the Windows PE boot process, go back into the Settings menu for the VM. Set “IDE” to be at the top in the “Startup order” of the BIOS section.

Save the settings, start the VM, and connect to the console. The VM should enter the initial Windows setup process. Pressing Shift+F10 will bring up a system console. Note that this is different from pressing F8 during the Windows PE deployment phase. Enter the following commands to add your local Administrator user.

Check the Administrators group membership.

Now that the user has been created and added to the Administrators group, wait for the VM to finish setup and log in.

Once logged in, you will have local Administrator privileges! We can go a step further and obtain local system with PsExec.

The local system cmd prompt can be used to check if the computer account has domain user privileges. This can be a good starting point for mapping out the domain with a tool like BloodHound/SharpHound.

2. Mount image disk – Add batch or executable files to all users.

The shortcuts or files located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup will run when the users log in at startup. Change directories to the Administrator’s Startup directory and create a batch file with the following commands.

The batch file will run when the Administrator user logs in. If this attack is combined with attack scenario #4, the Administrator user can log in with a blank password. Check to see that the startup user is created and added to the Administrators group after login.

3. Mount image disk – Overwrite sethc.exe or other accessibility options.

Replacing sethc.exe (Sticky Keys) is a classic privilege escalation technique. sethc.exe is located at %windir%\System32\sethc.exe. The command below copies cmd.exe and renames it to sethc.exe.

If Sticky Keys is enabled, a local system cmd prompt will pop up when “Shift” is pressed five times in a row.

4. Mount image disk – Use chntpw tool to overwrite Administrator password.

The chntpw tool can clear the password for a Windows user. The SAM and SYSTEM files are located in the %windir%\System32\config directory.

The netspi user’s password is cleared and the account can be logged into without entering a password.

Password Scraping Attacks

5. Scrape VM memory files for passwords during install or login.

My colleague James Houston deserves a huge shout out for coming up with this attack. The general idea here is to use the snapshot or suspension functionality to capture passwords in the VM’s memory. This can be done during the actual PXE boot deployment process, installation, or login steps. This example will retrieve the password for the deployment service account during the MDT deployment process.

The deployment user is used to join computers to the domain in the “Computer Details” step of the deployment task sequence.

At this point, either suspend or take a snapshot of the VM’s current state. In Hyper-V, use the Checkpoint functionality to take a snapshot. Under the Checkpoint menu in Settings, make sure that “Standard checkpoints” is selected. This will ensure application and system memory is captured. The snapshot location is also set in this menu.

Browse to the snapshot file location and look for the corresponding files for your hypervisor.

  • VMWare: .vmem, .vmsn (snapshot memory file), .vmss (suspended memory file)
  • Hyper-V: .BIN, .VSV, .VMRS (virtual machine runtime file)

Since this example uses Hyper-V, copy off the .VMRS file to search for passwords. I used Kali Linux along with strings and grep to locate the service account and password. Searching for keywords like “User” or “Password” is a great start if the username or password was not displayed during the Windows Deployment Wizard.

6. Mount image disk – Review local Unattend/Sysprep files.

Unattend and Sysprep files can contain passwords used for deployment and setup. The following locations contain files related to Sysprep.

  • %windir%\Panther
  • %windir%\Panther\Unattend
  • %windir%\System32\Sysprep

In this case, the unattend.xml file has been sanitized but it is always worth checking these locations for passwords and sensitive information.
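An added PowerShell example (not the blog's own code) that audits an unattend.xml for the credential-bearing elements mentioned above, so leftover deployment passwords can be found before an image is served over PXE. Element names follow the Windows unattend schema; the sample XML is constructed for the demo, and a password marked PlainText=false is only Base64 of UTF-16LE text with a fixed suffix, which the script reverses to show it is not protected.

```powershell
# Added example, not from the original post: find embedded credentials in an
# unattend.xml / sysprep answer file. Element names are from the Windows unattend
# schema; the sample document at the bottom is constructed.

function ConvertFrom-UnattendPassword {
    # Reverse the PlainText=false encoding: Base64( UTF-16LE( password + suffix ) ).
    # The suffix is "Password" for Password elements and "AdministratorPassword"
    # for AdministratorPassword elements. Returns $null if the value does not decode.
    param([string]$Encoded, [string]$Suffix)
    try {
        $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
    } catch { return $null }
    if ($decoded.EndsWith($Suffix)) { return $decoded.Substring(0, $decoded.Length - $Suffix.Length) }
    return $null
}

function Get-ChildText {
    # Text of the first child element with the given local name (namespace-agnostic)
    param([System.Xml.XmlElement]$Element, [string]$Name)
    $child = $Element.ChildNodes | Where-Object { $_.LocalName -eq $Name } | Select-Object -First 1
    if ($child) { $child.InnerText } else { $null }
}

function Find-UnattendCredential {
    param([xml]$Document)
    $ns = @{ u = 'urn:schemas-microsoft-com:unattend' }
    # Password-bearing elements, keyed by the suffix used when PlainText is false
    $passwordQueries = @{
        '//u:UserAccounts/u:AdministratorPassword'                   = 'AdministratorPassword'
        '//u:UserAccounts/u:LocalAccounts/u:LocalAccount/u:Password' = 'Password'
        '//u:AutoLogon/u:Password'                                   = 'Password'
    }
    foreach ($xpath in $passwordQueries.Keys) {
        foreach ($match in (Select-Xml -Xml $Document -XPath $xpath -Namespace $ns)) {
            $value = Get-ChildText -Element $match.Node -Name 'Value'
            if ([string]::IsNullOrEmpty($value)) { continue }
            $plain = (Get-ChildText -Element $match.Node -Name 'PlainText') -eq 'true'
            $recoverable = $plain
            if (-not $plain) {
                # "Obfuscated" values decode offline; report that without printing the secret
                $recoverable = $null -ne (ConvertFrom-UnattendPassword -Encoded $value -Suffix $passwordQueries[$xpath])
            }
            [pscustomobject]@{
                Location    = $xpath.Replace('u:', '')
                Kind        = if ($plain) { 'plaintext' } else { 'base64-obfuscated' }
                Recoverable = $recoverable
            }
        }
    }
    # Domain-join credentials (Microsoft-Windows-UnattendedJoin) are never obfuscated
    foreach ($match in (Select-Xml -Xml $Document -XPath '//u:Identification/u:Credentials' -Namespace $ns)) {
        if (Get-ChildText -Element $match.Node -Name 'Password') {
            $account = (Get-ChildText $match.Node 'Domain') + '\' + (Get-ChildText $match.Node 'Username')
            [pscustomobject]@{
                Location    = "Identification/Credentials ($account)"
                Kind        = 'plaintext'
                Recoverable = $true
            }
        }
    }
}

# Constructed sample: a plaintext Administrator password, an "obfuscated" AutoLogon
# password and domain-join credentials. Real files live under %windir%\Panther and
# %windir%\System32\Sysprep.
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword><Value>S3cretExample!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>UwAzAGMAcgBlAHQARQB4AGEAbQBwAGwAZQAhAFAAYQBzAHMAdwBvAHIAZAA=</Value><PlainText>false</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials><Domain>CORP</Domain><Username>svc_deploy</Username><Password>DeployExample1</Password></Credentials>
        <JoinDomain>corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
</unattend>
'@

# Expected: three findings, all Recoverable = True
Find-UnattendCredential -Document $sample | Format-Table -AutoSize
```

Point it at a real file with `[xml](Get-Content -LiteralPath $path -Raw)` in place of `$sample`; an image whose answer file yields no findings still needs the Panther and Sysprep folders checked for setupact.log copies of the same values.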

7. Mount image disk – Copy the SAM file and pass the hash with the Administrator account.

The SAM and SYSTEM files are located in the %windir%\System32\config directory.

This file can be copied off to your local machine and Mimikatz can be used to extract the hashes. The Administrator hash can be used in pass the hash attacks with CrackMapExec or Invoke-TheHash.

This can be an extremely effective technique to elevate privileges if the domain has shared local Administrator passwords.

8. Mount image disk – Copy the SAM file and crack the Administrator account.

Like above, once the SAM and SYSTEM files are copied to your local machine, the Administrator account can be cracked with Hashcat or John the Ripper. A sample Hashcat command is below. Visit the hashcat wiki for setup and basic usage.

Post Login Password Dumps

Once the techniques above have given access to the PXE booted image, we can dump passwords. Mimikatz is a great tool for password dumping.

sekurlsa::logonpasswords will dump passwords from LSASS memory.

lsadump::secrets dumps the LSA secrets.

vault::cred dumps saved credentials from the Credential Manager. However, if a saved credential is set as a domain password type, this command will not retrieve the credential successfully. The Mimikatz wiki has a good explanation on how to extract these credentials.

Mitigation and Prevention

There are inherent security risks associated with the use of PXE deployments that do not require authentication or authorization of any kind, especially on user LANs. It is highly recommended that PXE installations require credentials to begin the installation process. For example, this can be configured on a distribution server simply by checking “Require a password when computers use PXE” in System Center Configuration Manager.

One of the main takeaways from the attacks above is that applications or software that contain sensitive data should not be included in any images. In addition, shared local Administrator passwords or service account passwords should not be used on images (or anywhere in the domain). Images can be compromised and this should help reduce the risk to machines on the domain. Finally, PXE deployments should only be available on isolated networks. Check out these best practices from Microsoft for more information on securing PXE boot deployments.
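An added PowerShell hardening script (not from the Configuration Manager documentation or the original post) that applies two of the controls discussed on this page: it turns off the "Enable command support (testing only)" F8 prompt on boot images using the Set-CMBootImage cmdlet named in the Customization section, and requires a PXE password on the named distribution points as recommended above. The site code, DP names and console path are assumptions; EnableLabShell is the SMS_BootImagePackage property behind the console checkbox, and the Update-CMDistributionPoint call is assumed to accept -BootImageId.

```powershell
# Added example, not from the documentation or the blog: harden PXE deployment in
# Configuration Manager. Run from a console host as an administrative user.
param(
    [string]$SiteCode = 'PS1',                                  # assumed site code
    [string[]]$PxeDistributionPoint = @('dp01.corp.example'),   # assumed DP FQDNs
    [switch]$Remediate                                          # report only unless set
)

# The ConfigurationManager module ships with the console; its cmdlets run from the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # 1. Boot images: the F8 prompt hands anyone at the keyboard a SYSTEM shell in WinPE,
    #    and a prestart command line is a common place for embedded credentials.
    foreach ($img in Get-CMBootImage) {
        $finding = [pscustomobject]@{
            BootImage      = $img.Name
            PackageID      = $img.PackageID
            CommandSupport = [bool]$img.EnableLabShell       # "Enable command support (testing only)"
            PrestartCmd    = $img.PreStartCommandLine        # review for passwords / secrets
            ScratchSpaceMB = $img.ScratchSpace
        }
        $finding
        if ($Remediate -and $finding.CommandSupport) {
            Set-CMBootImage -InputObject $img -EnableCommandSupport $false
            # A modified boot image must be sent to the distribution points again
            Update-CMDistributionPoint -BootImageId $img.PackageID     # assumed parameter name
        }
    }

    # 2. Distribution points: clients must present a password before PXE offers a task sequence
    if ($Remediate) {
        $pxePassword = Read-Host -Prompt 'PXE boot password' -AsSecureString   # never hard-code it
        foreach ($dp in $PxeDistributionPoint) {
            Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $SiteCode `
                -EnablePxe $true -PxePassword $pxePassword
        }
    }
}
finally { Pop-Location }
```

Without -Remediate the script only lists each boot image with its command-support flag and prestart command line, which is the audit to run before any image is offered on a user LAN.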

References

Thanks to Scott Sutherland (@_nullbind), Alex Dolney (@alexdolney), and James Houston for their wisdom and guidance!

  • https://www.vmware.com/products/personal-desktop-virtualization.html
  • https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/
  • https://www.kali.org/downloads/
  • https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  • https://github.com/BloodHoundAD/BloodHound
  • https://github.com/BloodHoundAD/SharpHound
  • https://github.com/byt3bl33d3r/CrackMapExec
  • https://github.com/Kevin-Robertson/Invoke-TheHash
  • https://hashcat.net/wiki/
  • https://github.com/gentilkiwi/mimikatz
  • https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
  • https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment