Merge 8e647e8c49 into d49b21f881

Update comment
It reflects my feelings towards Microsoft when it comes to security a lot better
2024-12-27 00:11:30 -06:00 · 2024-11-25 17:15:29 +01:00 · 2024-11-24 18:16:55 +01:00 · 2024-11-24 13:37:06 +01:00 · 2024-11-24 12:52:59 +01:00 · 2024-11-24 12:51:53 +01:00
3 changed files with 50 additions and 8 deletions
--- a/functions/microwin/Microwin-NewFirstRun.ps1
+++ b/functions/microwin/Microwin-NewFirstRun.ps1
@ -63,6 +63,22 @@ function Microwin-NewFirstRun {
    {

    }
+
+    # Get BCD entries and set bootmgr timeout accordingly
+    try
+    {
+        # Check if the number of occurrences of "path" is 2 - this fixes the Boot Manager screen issue (#2562)
+        if ((bcdedit | Select-String "path").Count -eq 2)
+        {
+            # Set bootmgr timeout to 0
+            bcdedit /set `{bootmgr`} timeout 0
+        }
+    }
+    catch
+    {
+
+    }
+
 '@
    $firstRun | Out-File -FilePath "$env:temp\FirstStartup.ps1" -Force
 }
--- a/functions/microwin/Microwin-NewUnattend.ps1
+++ b/functions/microwin/Microwin-NewUnattend.ps1
@ -31,7 +31,7 @@ function Microwin-NewUnattend {
                            <Group>Administrators</Group>
                            <Password>
                                <Value>PW-REPLACEME</Value>
-                                <PlainText>true</PlainText>
+                                <PlainText>PT-STATUS</PlainText>
                            </Password>
                        </LocalAccount>
                    </LocalAccounts>
@ -42,7 +42,7 @@ function Microwin-NewUnattend {
                    <LogonCount>1</LogonCount>
                    <Password>
                        <Value>PW-REPLACEME</Value>
-                        <PlainText>true</PlainText>
+                        <PlainText>PT-STATUS</PlainText>
                    </Password>
                </AutoLogon>
                <OOBE>
@ -295,15 +295,40 @@ function Microwin-NewUnattend {
    </settings>
 '@
    if ((Microwin-TestCompatibleImage $imgVersion $([System.Version]::new(10,0,22000,1))) -eq $false) {
-    # Replace the placeholder text with an empty string to make it valid for Windows 10 Setup
-    $unattend = $unattend.Replace("<#REPLACEME#>", "").Trim()
+        # Replace the placeholder text with an empty string to make it valid for Windows 10 Setup
+        $unattend = $unattend.Replace("<#REPLACEME#>", "").Trim()
    } else {
-    # Replace the placeholder text with the Specialize pass
-    $unattend = $unattend.Replace("<#REPLACEME#>", $specPass).Trim()
+        # Replace the placeholder text with the Specialize pass
+        $unattend = $unattend.Replace("<#REPLACEME#>", $specPass).Trim()
    }
+
+    # User password in Base64. According to Microsoft, this is the way you can hide this sensitive information.
+    # More information can be found here: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file
+    # Yeah, I know this is not the best way to protect this kind of data, but we all know how Microsoft is - "the Apple of security" (in a sense, it takes them
+    # an eternity to implement basic security features right. Just look at the NTLM and Kerberos situation!)
+
+    $b64pass = ""
+
    # Replace default User and Password values with the provided parameters
    $unattend = $unattend.Replace("USER-REPLACEME", $userName).Trim()
-    $unattend = $unattend.Replace("PW-REPLACEME", $userPassword).Trim()
+    try {
+        # I want to play it safe here - I don't want encoding mismatch problems like last time
+
+        # NOTE: "Password" needs to be appended to the password specified by the user. Otherwise, a parse error will occur when processing oobeSystem.
+        # This will not be added to the actual password stored in the target system's SAM file - only the provided password
+        $b64pass = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("$($userPassword)Password"))
+    } catch {
+        $b64pass = ""
+    }
+    if ($b64pass -ne "") {
+        # If we could encode the password with Base64, put it in the answer file and indicate that it's NOT in plain text
+        $unattend = $unattend.Replace("PW-REPLACEME", $b64pass).Trim()
+        $unattend = $unattend.Replace("PT-STATUS", "false").Trim()
+        $b64pass = ""
+    } else {
+        $unattend = $unattend.Replace("PW-REPLACEME", $userPassword).Trim()
+        $unattend = $unattend.Replace("PT-STATUS", "true").Trim()
+    }

    # Save unattended answer file with UTF-8 encoding
    $unattend | Out-File -FilePath "$env:temp\unattend.xml" -Force -Encoding utf8
--- a/functions/microwin/Microwin-RemovePackages.ps1
+++ b/functions/microwin/Microwin-RemovePackages.ps1
@ -45,7 +45,8 @@ function Microwin-RemovePackages {
                $_ -NotLike "*Foundation*" -AND
                $_ -NotLike "*LanguageFeatures*" -AND
                $_ -NotLike "*VBSCRIPT*" -AND
-                $_ -NotLike "*License*"
+                $_ -NotLike "*License*" -AND
+                $_ -NotLike "*Hello-Face*"
            }

        $failedCount = 0
Author	SHA1	Message	Date
CodingWonders	3b00dcce86	Merge `8e647e8c49` into `d49b21f881`	2024-11-25 17:15:29 +01:00
CodingWonders	8e647e8c49	Update comment It reflects my feelings towards Microsoft when it comes to security a lot better	2024-11-24 18:16:55 +01:00
CodingWonders	c5968243eb	Fix name of excluded package	2024-11-24 13:37:06 +01:00
CodingWonders	706f65f631	Obscure passwords with Base64 and fix indentation Fixes #3064	2024-11-24 12:52:59 +01:00
CodingWonders	9dcf8dd50e	Exclude Windows Hello stuff from package removal	2024-11-24 12:51:53 +01:00
CodingWonders	a45402e9d8	Set Boot Manager entry timeout to 0 Fixes #2562	2024-11-22 18:24:00 +01:00