Wednesday, December 11, 2019

Windows 10 Install.WIM too big for USB

I've developed methods to image one-off devices with the corporate image; however, there are times when I need to use a vanilla install to test something or prove it’s not a problem with the image. While I used to have a vanilla TS in ConfigMgr and MDT, I had several cases where I needed to go even more vanilla, without drivers being injected. Therefore, I have a USB stick with the latest Windows install from VLSC. Sometimes I also DISM in the Home edition for All-In-One (AIO) use. A friend wanted to know how I made it, since the install.wim has been > 4GB since about 1709, I believe.

Why the limit? 

The 4 GB barrier is a hard limit of FAT32: the file system uses a 32-bit field to store the file size in bytes, and 2^32 bytes = 4 GB (actually, the real limit is 4 GB minus one byte, or 4,294,967,295 bytes, because the field also has to represent a zero-length file). This means that you cannot copy a file of 4 GB or more to any plain FAT32 volume, no matter how large the volume is.

Alternatives

You can use exFAT or NTFS; however, these are not bootable everywhere. UEFI firmware is only required to read FAT, so booting from an exFAT or NTFS volume depends on the particular firmware (or an extra loader) being able to read it.

You can use Rufus to burn the ISO; however, it creates its own bootloader that only works with UEFI, and I sometimes have a need for MBR. The stock Windows ISO layout just works, so I wanted that functionality.


The consumer Windows ISO gets around this by compressing the WIM to an ESD and by not including editions such as Enterprise that have additional files. I did this at first; however, it was barely under the 4GB limit, so it would not scale. So I went even simpler. Create two partitions; that’s it: one FAT32, the other NTFS.

Howto

I use diskpart; however, you can also do this via the GUI using Disk Management and the format dialogs. It takes longer than diskpart, though. You can get through this in just a few minutes. It took me longer to write about it than to actually do it! First, identify the disk so you don’t wipe something else. In this example I have an 8GB stick that is disk 6.

DISKPART> lis dis

  Disk ###  Status         Size     Free     Dyn  Gpt

  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1863 GB   350 MB        *  
  Disk 1    Online          476 GB  1024 KB        *
  Disk 2    No Media           0 B      0 B
  Disk 3    No Media           0 B      0 B
  Disk 4    No Media           0 B      0 B
  Disk 5    No Media           0 B      0 B
  Disk 6    Online         7810 MB      0 B

DISKPART> sel dis 6


Disk 6 is now the selected disk.


Then run clean to remove the partition table and any formatting on the stick. This wipes the whole selected disk, so double-check the selection first.

DISKPART> clean

DiskPart succeeded in cleaning the disk.

Create the first partition and format it as FAT32. You only need about 600MB (boot.wim plus the boot files), but I do a GB for future use.

DISKPART> create partition primary size=1000

DiskPart succeeded in creating the specified partition.

DISKPART> format fs=fat32 quick

  100 percent completed

DiskPart successfully formatted the volume.

Set it active so it boots from a BIOS/MBR boot (UEFI ignores the active flag and just looks for \EFI\Boot\bootx64.efi on the FAT32 volume), and assign a drive letter.

DISKPART> active

DiskPart marked the current partition as active.

DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.

Create a second volume using the remaining space. If you have a large stick and want to use it for other stuff, you can make this one about 5GB NTFS and create a third volume for file storage, but I just use a folder on this volume if I need, for example, NIC drivers to install later.

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

Format it as NTFS

DISKPART> format fs=ntfs quick

  100 percent completed

DiskPart successfully formatted the volume.

Finally, assign it a drive letter. (Do not make it active.)

DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.

Now that the two volumes are created, copy all the files from the Windows ISO to the FAT32 volume except the sources folder. Then create a sources folder on the FAT32 volume and copy boot.wim into it from the ISO. Finally, copy the complete sources folder, install.wim included, to the NTFS volume. This works because boot.wim (WinPE plus Setup) fits easily on FAT32, and once Setup is running it searches the other volumes it can see for \sources\install.wim. One caveat: Windows 10 builds before 1703 only expose the first partition of a removable USB stick, so prepare and refresh the stick from a current host.

All done. This USB stick boots on any system the ISO does. As new Windows 10 releases come out, I just copy the ISO contents to these two volumes the same way.
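The copy step above, scripted, as an added example that is not part of the original post. It assumes the stick has already been partitioned as described, that the FAT32 volume is U: and the NTFS volume is V:, and that the ISO sits at C:\ISO\Win10.iso; those letters and the path are assumptions, not values from the post. It is meant to be run from an elevated PowerShell on Windows 10 1703 or later, the first release that shows more than one partition on a removable stick, and it checks the file systems first so a wrong drive letter cannot wipe the wrong volume.

```powershell
# Added example (not the post's script): refresh the two-volume install stick from a Windows ISO.
# Assumptions: stick already partitioned as above, FAT32 volume = U:, NTFS volume = V:,
# ISO at C:\ISO\Win10.iso. Run elevated on Windows 10 1703 or later.
param(
    [string]$IsoPath = 'C:\ISO\Win10.iso',
    [string]$BootVol = 'U',   # FAT32: boots everywhere, but 4 GB file-size limit
    [string]$DataVol = 'V'    # NTFS: holds the > 4 GB install.wim
)
$ErrorActionPreference = 'Stop'

# Guard against the classic mistake (wrong drive letter): verify the file systems first.
$bootFs = (Get-Volume -DriveLetter $BootVol).FileSystemType
$dataFs = (Get-Volume -DriveLetter $DataVol).FileSystemType
if ($bootFs -ne 'FAT32') { throw "${BootVol}: is $bootFs, expected FAT32" }
if ($dataFs -ne 'NTFS')  { throw "${DataVol}: is $dataFs, expected NTFS" }

# Mount the ISO and find out which letter Windows gave it.
Mount-DiskImage -ImagePath $IsoPath | Out-Null
$isoLetter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
$iso  = "${isoLetter}:\"
$boot = "${BootVol}:\"
$data = "${DataVol}:\"

function Assert-Robocopy {
    # robocopy exit codes below 8 are success (1 = files copied); 8 and up are failures.
    param([int]$Code, [string]$What)
    if ($Code -ge 8) { throw "robocopy failed with exit code $Code while copying $What" }
}

try {
    # 1. Everything except \sources goes to the FAT32 boot volume (bootmgr, \boot, \efi, setup.exe ...).
    robocopy $iso $boot /E /XD "${iso}sources" /NJH /NJS /NFL /NDL | Out-Null
    Assert-Robocopy $LASTEXITCODE 'boot files'

    # 2. Only boot.wim (WinPE + Setup, well under 4 GB) goes into \sources on FAT32.
    New-Item -ItemType Directory -Path "${boot}sources" -Force | Out-Null
    Copy-Item -Path "${iso}sources\boot.wim" -Destination "${boot}sources\boot.wim" -Force

    # 3. The complete \sources folder, install.wim included, goes to NTFS.
    robocopy "${iso}sources" "${data}sources" /E /NJH /NJS /NFL /NDL | Out-Null
    Assert-Robocopy $LASTEXITCODE 'sources'
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}

# Verify the layout Setup relies on: a small boot.wim on FAT32, the big image on NTFS.
$bootWim = Get-Item "${boot}sources\boot.wim"
$install = Get-Item "${data}sources\install.wim", "${data}sources\install.esd" -ErrorAction SilentlyContinue |
           Select-Object -First 1
'{0,-12} {1,6:N2} GB on {2}' -f $bootWim.Name, ($bootWim.Length / 1GB), $bootFs
'{0,-12} {1,6:N2} GB on {2}' -f $install.Name, ($install.Length / 1GB), $dataFs
if (Test-Path "${boot}sources\install.wim") {
    Write-Warning 'A stale install.wim is on the FAT32 volume; Setup may pick it up instead of the NTFS copy.'
}
```

The script is idempotent: rerunning it with a newer ISO simply overwrites both volumes in place, which is how the stick gets refreshed for each new release.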

I didn't have the heart to tell my friend about my multiboot USB that I keep on my key-ring with all sorts of ISOs including the Windows installs, my AdminPE, and Disk Sanitizer ISOs. I'll share that setup sometime.

Update

Mike Terrill talked about this as well a bit ago.

-Kevin


Sunday, November 24, 2019

Windows 7 on Ryzen 3000

My kids’ gaming PC died in early 2019. The motherboard or CPU fried and took the other with it.  It was an FX-8370 (AM3+) based MSI system with R9 270X Video Card. I gave them a choice: I build a new one around Ryzen 2, or they wait for Ryzen 3 and get more. I am happy they chose the latter, so we waited until Ryzen 3 came out. I decided to wait more for the MSI MAX boards which have a larger firmware (BIOS) chip. I finally got tired of waiting and was going to get an ASRock Steel Legend and found the MAX on NewEgg when I started ordering. I went with this config:
I already had the power supply, GPU, and storage from the old one to reuse. After assembly, I was pleased it came up on the first try. I put Windows 10 on it and let my youngest play FortNite on it for a few hours. Who needs CPUBurn when you have a gaming kid...!

Before it went into "production" I wanted to get Windows 7 on it for ... Reasons. MSI, AMD, and other sites only say Windows 7 is supported on these Ryzen processors:
  • Bristol Ridge (APU)
  • Summit Ridge (Ryzen 1)
  • Pinnacle Ridge (Ryzen 2)
Since mine is a Ryzen 3000, its code name is Matisse and it is therefore unsupported. Which is fine really, as Windows 7 goes EOL in a very short few months. This motherboard is B450 based, so it should have some support compared to the newer X570 chipset. As I've proven many times over with my deployment work, just because it’s unsupported doesn't mean it won't work. So away I went!

I put a 250GB SSD I keep as a spare on port 1 of the mobo and boot off my Windows 7 AIO USB. It also includes the NVMe, TPM2, and Post SP1 rollup on it. Get to the welcome screen, and nothing. Keyboard and mouse are dead. Try a couple of other ports and even the "slow" ones by the NIC used for keyboard and mouse compatibility. NOTHING. Change some USB compatibility settings in the BIOS. STILL NOTHING. Being unable to interact with the wizard makes it real hard to inject drivers. It might be a short trip. Instead, I swing by my dad’s and grab an old HP PS2 keyboard, since this is a gaming board. Works! Get through the wizard to where it asks what partition to install onto, and it wants drivers since it cannot see the storage.

Next problem. I pull a trick from ConfigMgr and MDT: inject drivers. I grab the MSI Windows 7 drivers as well as AMD's all-in-one and inject those drivers into the boot.wim on the AIO USB and reboot. No luck. I then mount the Windows PE BOOT.WIM and put the drivers on it in a folder so I can browse them in the wizard. Still no luck. Note to self: the installer's main volume is index 2 of BOOT.WIM, and this is what you can browse. I also try the Windows 10 BOOT.WIM and it errors out in fantastic ways I need to revisit.
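The injection step described above, done with the DISM PowerShell module, as an added example that is not the post's own script. It assumes the install media's sources folder is at V:\sources, the unpacked vendor driver packages (.inf/.sys/.cat) are under C:\Drivers\Win7, and C:\Mount is an empty scratch folder on a local NTFS disk; all three paths are assumptions. It targets index 2 of boot.wim (the Windows Setup image, the one the wizard lets you browse) and then every edition index in install.wim, and it discards the mount instead of committing if anything fails.

```powershell
# Added example (not the post's script): inject drivers into boot.wim index 2 and into install.wim.
# Assumptions: sources folder at V:\sources, drivers under C:\Drivers\Win7, scratch dir C:\Mount.
# Run elevated on Windows 8 or later (DISM module is built in) or with the ADK installed.
$Sources  = 'V:\sources'
$Drivers  = 'C:\Drivers\Win7'
$MountDir = 'C:\Mount'
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# boot.wim carries two images: index 1 is plain WinPE, index 2 is Windows Setup,
# the image whose files the setup wizard lets you browse.
Get-WindowsImage -ImagePath "$Sources\boot.wim" | Select-Object ImageIndex, ImageName

function Add-DriversToImage {
    param([string]$ImagePath, [int]$Index)
    # Mount read/write (the default), add the drivers, then commit only on success.
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    $ok = $false
    try {
        # -Recurse walks the vendor package tree and adds every .inf it finds.
        # Unsigned or test-signed packages would additionally need -ForceUnsigned.
        Add-WindowsDriver -Path $MountDir -Driver $Drivers -Recurse | Out-Null
        # Show what landed: third-party packages appear as oemN.inf in the driver store.
        Get-WindowsDriver -Path $MountDir |
            Select-Object Driver, ClassName, ProviderName, OriginalFileName |
            Format-Table -AutoSize
        $ok = $true
    }
    finally {
        # A half-applied image is worse than an untouched one: discard on any failure.
        if ($ok) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
        else     { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}

# Setup (index 2) needs the storage and USB drivers to show the disk and accept input.
Add-DriversToImage -ImagePath "$Sources\boot.wim" -Index 2

# The installed OS needs them as well, or first boot has no storage/USB either.
# An AIO install.wim holds one index per edition, so apply to each of them.
Get-WindowsImage -ImagePath "$Sources\install.wim" | ForEach-Object {
    Add-DriversToImage -ImagePath "$Sources\install.wim" -Index $_.ImageIndex
}
```

Injecting into install.wim as well is what avoids the situation later in the post where the installed system still has no USB until the chipset package is run by hand.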

I then decide to use an older storage controller but don’t have any available so order one and got this ASM1061-based one which I know uses built-in drivers in at least Vista, and it says it is supported back to even XP. After installing it into the machine I get to the same spot, however, I can now browse the SSD as it had a single NTFS partition on it. But I still cannot proceed.

Next problem. I attach the SSD to a Linux VM and copy the MSI and AMD drivers along with others that I think might work as I did not have to mess with the BOOT.WIM since I reverted back to the original sealed one. The error dialog changes slightly from before and hints it could not find the install media. PE will use higher performance drivers. I burn the Windows 7 AIO to a DVD and hook up a BluRay player and SUCCESS!  It did not work off the motherboard but does work off the PCIe controller I got above. Windows 7 got installed!

After boot-up I still have chipset/USB issues as only the PS2 keyboard worked, so I open a shell and install the AMD all-in-one and got USB mouse and keyboard. I also install the NIC and Audio drivers. Out of curiosity, I move the SSD to the internal controller and it boots up fine now that it had the right drivers. It was happy and I could have used it after applying patches.

Now that I got what I wanted out of Windows 7, I move the (Windows 10) SSD and hard drive from the fried system to it and give it to the kids so they can run that for a while. I will keep an eye on sales over the holidays though. I do want to get this system over to M.2 NVMe, so I told the kids it will get rebuilt from scratch when I obtain those. This instance of Windows has been in about 5 or 6 different PCs. Additionally, my FX-8350 system is showing its age, so I'll move to Ryzen in a few months and hand this down to my backup server. Maybe I'll have to do this again, or just move the kids to a 3950X and X570 system while I take the guts from this one. Their games push a system more than my work does.

-Kevin





Thursday, November 21, 2019

Enforce TLS 1.2 via ConfigMgr Compliance Setting

One of the products in our environment is deprecating support for the earlier TLS versions 1.0 and 1.1 (Yay!). This means we are required to support TLS 1.2 for this product on Windows 7, Windows Server 2008 R2, and Windows Server 2012. It is on by default on more recent OSes, such as Windows 8 and Windows Server 2012 R2 and later. On the older ones, TLS 1.2 is supposed to be enabled via KB3140245, the update that lets WinHTTP use TLS 1.1 and 1.2 through its DefaultSecureProtocols registry value. The KB was installed on the majority of the fleet a while ago, yet we found TLS 1.2 was still not actually enabled everywhere: the KB on its own does not set the SChannel protocol keys described below.


So Piers came to the rescue with a Compliance Setting to manage this. Luckily, the SChannel protocol settings are machine-wide registry keys, so they are not that difficult to manage. Piers enjoys using PowerShell, so he went that route to remediate.

Overview

Piers created a compliance baseline in ConfigMgr which reports on the following:

Windows 7 requirements for TLS 1.2
  • KB3140245 must be installed
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    • "DisabledByDefault"=dword:00000000
Windows 2008 R2 and 2012 requirements for TLS 1.2
(Note this is slightly different: the Enabled value is required as well, on both the Client and the Server side.)
  • KB3140245 must be installed
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
      • Or "Enabled"=dword:ffffffff (Enabled is a flag: any non-zero value enables the protocol, and Microsoft's own examples use 0xffffffff)
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
      • Or "Enabled"=dword:ffffffff
This checks both servers and workstations for TLS 1.2 enablement at the OS level. These SChannel keys override any TLS settings set explicitly for IE, as we understand it, so I don’t believe we need to check IE-specific settings (see the section "How the DefaultSecureProtocols registry entry works" in the KB3140245 article).
  • Firefox has had TLS 1.2 support enabled since version 27
  • For Chrome, TLS 1.2 is automatically enabled from version 29

Configuration


We created several compliance items to detect TLS 1.2 and enable it if it is not. For servers, they were eventually split out into the Server and Client functions of TLS (for IIS, etc.) and to make use of nice features such as Supported Platforms, so we can target them specifically in advertisements.


We are using the following discovery script for the client keys:

 # Discovery: report whether TLS 1.2 is not disabled by default for the client side.
 # The compliance rule matches on the string this script writes: 'Found' = compliant.
 $RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
 $RegName = 'DisabledByDefault'
 $RegData = 0                # DWORD 0 = the protocol is not disabled by default
 $Return  = 'Not Found'      # default: the key or the value is absent
 # SilentlyContinue turns a missing key or value into $null instead of an error
 $RegLookUp = Get-ItemProperty -Name $RegName -Path $RegPath -ErrorAction SilentlyContinue
 if ($RegLookUp -and ($RegLookUp.$RegName -eq $RegData)) {
   $Return = 'Found'
 }
 elseif ($RegLookUp) {
   # the value exists but is wrong (1 = disabled by default); report it for troubleshooting
   $Return = 'Value=' + $RegLookUp.$RegName
 }
 Write-Host $Return

He is using a remediation script adapted from Roger Zander:

 # Reg2CI (c) 2019 by Roger Zander
 # Remediation: make sure the TLS 1.2 Client key exists, then force DisabledByDefault to DWORD 0.
 $Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
 if (-not (Test-Path -LiteralPath $Key)) {
   New-Item $Key -Force -ErrorAction SilentlyContinue
 }
 # -Force overwrites an existing (wrong) value instead of failing on it
 New-ItemProperty -LiteralPath $Key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force -ErrorAction SilentlyContinue

The compliance rule is pretty straightforward: it looks for "Found" in the output of the discovery script.


The configuration baselines are pretty straightforward as well.


The Client baseline contains both workstation and Server OS versions.



We have two advertisements: one to monitor and one to remediate. The monitor runs daily and the remediation runs every couple of hours.

The advertisements go to a collection that calls out the affected operating systems only.

For the server settings, change the registry path from ...\Client to ...\Server; per the requirements above, the server side also needs the Enabled value set to a non-zero value. Otherwise the scripts are the same.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]


This is a good read on it from a Dev perspective via a Microsoft Security post.
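One script that generalizes the Client-only check above to both sides of TLS 1.2 and to both values Microsoft documents for the SCHANNEL protocol keys, as an added example that is not Piers's script. It is stricter than the Windows 7 list above (it requires Enabled on the Client side there too), it checks for KB3140245 without trying to install it, and the output strings 'Compliant' / 'NonCompliant: ...' and the -Remediate switch are assumptions of this example, so that the same file can serve as both the discovery and the remediation script of a compliance item.

```powershell
# Added example (not Piers's script): discovery and remediation for TLS 1.2 on both
# the Client and Server side. Assumed: output strings and the -Remediate switch.
# Run elevated; ConfigMgr runs compliance scripts as SYSTEM, which is sufficient.
param([switch]$Remediate)

$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Hotfix = 'KB3140245'   # adds WinHTTP DefaultSecureProtocols support; only checked here

function Test-Tls12Side {
    # Returns $null when the side is correctly configured, otherwise a reason string.
    param([ValidateSet('Client', 'Server')][string]$Side)
    $key   = Join-Path $Base $Side
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return "$Side key missing" }
    $dbd = $props.PSObject.Properties['DisabledByDefault']
    $en  = $props.PSObject.Properties['Enabled']
    # DisabledByDefault must be present and exactly 0.
    if (-not $dbd -or $dbd.Value -ne 0) { return "$Side DisabledByDefault is not 0" }
    # Enabled is a flag: 1 and 0xffffffff both mean on. A DWORD of 0xffffffff reads
    # back as -1 (Int32) in PowerShell, so test against 0 rather than against 1.
    if (-not $en -or $en.Value -eq 0) { return "$Side Enabled is missing or 0" }
    return $null
}

function Set-Tls12Side {
    # Creates the key if needed and forces both values to the documented settings.
    param([ValidateSet('Client', 'Server')][string]$Side)
    $key = Join-Path $Base $Side
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
}

$problems = @()
if (-not (Get-HotFix -Id $Hotfix -ErrorAction SilentlyContinue)) {
    $problems += "$Hotfix not installed"      # cannot be fixed by a registry change
}
foreach ($side in 'Client', 'Server') {
    $reason = Test-Tls12Side -Side $side
    if ($reason -and $Remediate) {
        Set-Tls12Side -Side $side
        $reason = Test-Tls12Side -Side $side  # re-check so the output reflects the fixed state
    }
    if ($reason) { $problems += $reason }
}

if ($problems) { Write-Output ('NonCompliant: ' + ($problems -join '; ')) }
else           { Write-Output 'Compliant' }
```

Use the script without the switch as the discovery script (rule: output equals 'Compliant') and with -Remediate as the remediation script. SChannel reads these keys when a process initialises it, so services that were already running keep their old protocol set until they, or the machine, are restarted; a monitor-only run immediately after remediation can therefore report compliant while an IIS site still refuses TLS 1.2.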