Windows Autopilot

Hacking or useful IT tool? You decide.

In my job I tend to do a reasonable amount of research.  (And by research, I don’t mean searching for a term in your favorite search engine and clicking on the first five non-advertising links in the result.)  As part of that research, I came across a reference in the Google Chrome Enterprise documentation that was intriguing.  If you aren’t familiar with Chromebooks, you may not be aware that the process of getting them into a centrally-managed state requires connecting them to Wi-Fi, pushing a few keystrokes, and entering your organization’s admin account ID and password.  That gets a little tedious, so the page referenced above talks about a solution that can simplify bulk enrollment scenarios where you need to do this for a lot of new devices:

Enroll Chrome devices using a Rubber Ducky USB

You can program a USB Rubber Ducky to emulate the keystrokes you use to enroll Chrome devices. Start by encoding the USB device with a script.

That one got my attention.  What the heck is a Rubber Ducky USB (besides something with a cute name)?  And where do I get one?  A quick bit of “research” (this time really just searching using my favorite search engine) pointed me to the Hak5 website.  From there, I can see what it is: it’s a keyboard injection attack tool, for “hotplug attacks.” Plug it into a USB port and it will play a series of keystrokes (with appropriate delays inserted) to quickly run a series of operations.  “As seen on Mr. Robot.”  “What’s the quickest way to steal a Windows password hash?”  Some great marketing material there.  (If you want to be frightened, read about all the other devices they sell.)  But hey, I’m a gadget guy, I had to order one in the name of research.  It arrived through the trusty US Postal Service, with a small blue envelope containing the product:

image

Inside, you can see that it comes in an anti-static bag:

image

There is “some assembly required”:

image

But most of that is cosmetic.  The device itself is on the left.  It has a USB connector on one side, and a microSD card on the other to hold the script.  The other pieces make it look more like a normal USB drive (if you want), called a “covert case,” except for the one piece (second from the right) that is a USB to micro USB adapter.

So now it’s time to write my first Ducky Script (the name of the language invented for this device, described here).  I thought I would start really simple, since I’ve got a Surface Book sitting next to me that I used to test out Windows Autopilot white glove scenarios.  I could write a script that presses the Windows key five times.  The suggestion is to specify a one-second delay to allow time for plug-and-play, so I wrote this:

DELAY 1000
WINDOWS
WINDOWS
WINDOWS
WINDOWS
WINDOWS

That then needs to be “compiled” into a binary file named “inject.bin” which needs to be put on the microSD card that gets inserted into the Rubber Ducky USB device.  OK, so how do you do that?  There are some downloads available from Hak5 that will do that.  One of those is an HTML page with a JavaScript encoder included.  That sounded simple enough, so I downloaded it and tried to use it.  Just one problem:  That script says that specifying WINDOWS (or the GUI equivalent) requires pressing another key at the same time.  Umm, no, that’s not true.  So how do I just press the one key?  The source for the Java version is available on GitHub, so I looked at that and discovered that it handles an “optional” second key, so it supports what I want.  So which is the lesser of two evils, trying to fix the JavaScript or trying to run the Java version?  I have no great desire to run Java on my computer.  However, I do have a different computer that does have Java installed, so time to switch devices. 

On that computer, I could encode the script:

image

Trying that out, it still didn’t work.  I could see that it was typing keystrokes, but each one came through as the letter “e.”  So process-wise, things are good, but the Windows key presses are causing some challenges.  Back to “research,” which made me realize I was already in the right place.  The same Java source that I was looking at earlier already addressed an issue:

Fix: wrong USB HID code for WINDOWS/GUI when not used as modifier

But even though I see the pull request from a different fork, and a new 2.6.4 download that should include that change, it still doesn’t work.  (The joys of open-source projects that aren’t well-maintained.)  At least I can see the specific change that was made, so back to what I avoided earlier, fixing the JavaScript.  I added my own “MYGUI” key and encoded the tweaked script:

image

And finally, success.  I inserted the key and it advanced to the “What would you like to do?” screen, just as you would expect when pressing the Windows key five times at the start of OOBE.  The next step then is to automate the rest of the process.  That’s a little tricky due to the timing of each step, but I eventually got this to work:

image

To translate that:  Wait a second, press the Windows key five times, wait a second for the “What would you like to do?” screen, press the down key, wait a half-second, press the enter key to select the Windows Autopilot item, wait a second, press the tab key twice, press enter to accept the selection, wait 20 seconds for Autopilot to do stuff (check for updates, download the profile, display the QR code), then press the tab key 3 times and press enter to start the white glove process.  (While technically that shows that the pages are accessible to keyboard-only users, that doesn’t mean they are easily accessible.  Ugh.)

But overall it does prove that such a device is useful to automate repetitive tasks.  Some other things that shouldn’t be too much trouble to script (probably easier than what I went through above):

  • Capture and upload the hardware hash.  (Press Shift-F10, run PowerShell commands, enter credentials.)
  • Capture Autopilot logs.  (Press Shift-F10, run MDMDiagnosticsTool.exe, upload the resulting CAB somewhere.)

Maybe another day.

If by chance you are interested in the changes I made to the JavaScript encoder, it was this line:

var defaultUSKbdLayout = {'MYGUI': '08,00,E3','CTRL': '01,00,00', …

The line is much longer than that.  All I did was to insert this text toward the beginning of the line:

'MYGUI': '08,00,E3',

to define the new “MYGUI” key.  Happy hacking.
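As an added illustration (not part of the original post and not the encoder's own code), the JavaScript below decodes layout entries such as '08,00,E3' and shows why a 0x08 landing in the keycode position types the letter "e": 0x08 is the Left GUI modifier bit, but as a key usage ID it is "e", while Left GUI as a key is 0xE3. The 'modifier,reserved,keycode' field order is an assumption inferred from the two entries quoted above, and the function names are hypothetical.

```javascript
// USB HID keyboard facts (Usage Tables, Keyboard/Keypad page 0x07).
// Modifier byte: one bit per modifier key, bit 0 = LeftCtrl ... bit 7 = RightGUI.
const MODIFIER_BITS = ['LeftCtrl', 'LeftShift', 'LeftAlt', 'LeftGUI',
                       'RightCtrl', 'RightShift', 'RightAlt', 'RightGUI'];

// Name a key usage ID: 0x04-0x1D are a-z, 0xE0-0xE7 are the modifier keys.
function usageName(code) {
  if (code === 0x00) return '(none)';
  if (code >= 0x04 && code <= 0x1d) return String.fromCharCode(97 + code - 0x04);
  if (code >= 0xe0 && code <= 0xe7) return MODIFIER_BITS[code - 0xe0];
  return 'usage 0x' + code.toString(16).padStart(2, '0');
}

// Assumption: an entry is 'modifier,reserved,keycode' as three hex bytes,
// inferred from the 'MYGUI' and 'CTRL' entries quoted in the post.
function decodeEntry(entry) {
  const parts = entry.split(',').map(s => s.trim());
  if (parts.length !== 3 || !parts.every(p => /^[0-9a-fA-F]{2}$/.test(p))) {
    throw new Error('expected three hex bytes, got: ' + entry);
  }
  const [modifier, , keycode] = parts.map(p => parseInt(p, 16));
  const modifiers = MODIFIER_BITS.filter((_, bit) => modifier & (1 << bit));
  return { modifiers, key: usageName(keycode) };
}

// The failure mode: the modifier bit value ends up where a key usage ID belongs.
function modifierSentAsKeycode(entry) {
  const modifier = parseInt(entry.split(',')[0], 16);
  return usageName(modifier);
}

console.log(decodeEntry('08,00,E3'));            // the MYGUI entry
console.log(decodeEntry('01,00,00'));            // the CTRL entry
console.log(modifierSentAsKeycode('08,00,E3'));  // what 0x08 means as a key
```

That 0x08 reads as "e" when treated as a key is consistent with the stray "e" keystrokes described earlier, though the post does not state which byte the Java encoder actually emitted.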


2 replies »

  1. Hey Michael,
    Could you give us a little deep dive into the newly announced feature in Intune which is called:
    “Bring-your-own-devices can use VPN to deploy” from the last service release 2006?

    Does this feature mean that Autopilot will set up the whole system without any connection to the DC or Intune Connector? How does the computer object at the DC get created?

    Best Regards,
    Jonny
