How to securely map a drive for Deployment Server 7.x / 8.0 / 8.1 and 8.5 – Part I

In 2012 I wrote a Symantec Connect article, "How to Securely Map a Drive in WinPE for Deployment Server 7.1". In this article I want to update that procedure for DS 7.6, DS 8.0, DS 8.1 and DS 8.5.

Introduction: Why might you need this?

If you only use the out-of-the-box tasks this may not be so important. But if you use custom scripts and want to do something that differs from the default, take a look at this article, because it shows how to protect your passwords when mapping a drive to either the SMP Server or any Site Server.

Loginw.exe is a cool command-line utility that has been available since Deployment Server 6.5 and is still used in GSS 3.3. The big advantage of Loginw.exe there is that it is wrapped into the 8-step wizard of Boot Disk Creator in GSS. At step 5 of this wizard you are asked for a username and a password to map a drive to the DS 6.x / GSS Server (for a long time the default drive letter was F:\; later, with GSS 3.x, the default became M:\). At this point the wizard uses loginw.exe in the background to create a .pwl file.

You can still see this file if you try to edit a Boot Configuration. The file name is always the first 8 letters of the username provided. (This is a historical thing: in the early days of the Deployment Server, MS-DOS was used to map a drive, and MS-DOS had an 8.3 limitation on file names, so this is still "8.3".)

Because DS 7.x, 8.0, 8.1 and 8.5 still do not use a wizard like the one in DS 6.x and GSS 3.3, you have to generate the .pwl file manually using Loginw.exe. Loginw.exe is still part of the installation files when you install ITMS or Deployment Server 7.x or 8.x.

Part 1: How to generate a secure Password File for DS 8.x

Step by Step…

To use loginw.exe you have to know which options you have. To display all the available options just run:

"C:\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms\WinPE\x64\Optional\Boot\loginw.exe" /?

You can see that loginw.exe has 4 modes (Authenticate mode, Ping mode, IP mode and Generate mode). In this article we focus on Generate mode and Authenticate mode.

To generate a .pwl file, follow the steps below.

On your SMP Server open the following file location (see screenshot) and look for a file called loginw.exe. Please make sure you are using the correct version (WinPE x64 or WinPE x86).

C:\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms\WinPE\x64\Optional\Boot (for WinPE x64)
C:\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms\WinPE\x86\Optional\Boot (for WinPE x86)

To create a .pwl file, open an elevated command prompt on your SMP Server and type the following command:

Loginw -g Administrator:Pa$$w0rd -f SymcSMP.pwl

After pressing Enter, a file named SymcSMP.pwl will be created in the following directory:

C:\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms\WinPE\x64\Optional\Boot (for WinPE x64).

After creating the SymcSMP.pwl file, copy it to the following directory:

C:\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x64\Base (for WinPE x64)
C:\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x86\Base (for WinPE x86)

To update the „BDC Package*“ (with the SymcSMP.pwl File) you should start the following scheduled tasks on your SMP Server:

This is to make sure that the SymcSMP.pwl File is now part of your BDC Package*.

*The BDC Package is a package that is available out-of-the-box after installing Deployment Solution 7.x or 8.x. It includes the imported WinPE version (3.x, 4.x, 5.1 or WinPE 10) as well as many other .dll files and some executables such as loginw.exe, pectagent.exe…

After the scheduled task has completed, recreate your WinPE boot files. To do this, open the SMP Console and navigate to Settings -> Deployment -> Manage Preboot Configurations. Click on the Preboot Environment and select "Recreate Preboot Environment".

After 15-30 min your Preboot Environment should be ready to use. Check Task Manager for the processes BootWiz.exe, Dism.exe and DismHost.exe; as long as the rebuild has not finished, you will see these processes running in Task Manager (screenshot).

Processes running on PXE Server: BootWiz.exe, dism.exe and DismHost.exe

Note: Symantec still doesn't provide a progress bar to check whether Boot Disk Creator (BDC) is still running or has finished. With the release of 8.5 there is a new icon which displays the status… (https://epm-blog.com/2019/10/19/did-you-know-series-part-3-whats-new-in-itms-8-5-ru3)

You could also check your PXE Server and open the SMA Log and look for something similar to the screenshot.

Agent.log on PXE Server

To verify that the SymcSMP.pwl file is part of your WinPE environment, do the following:

Boot a computer into WinPE and make sure that the SymcSMP.pwl file is listed on the X:\ drive.

Please make sure you have a backup of your generated .pwl file, because after an upgrade the file is in most cases missing. If you do not have a backup, just create a new .pwl file.

In Part II I'll show you how to use loginw in a run script task (planned to be released in June).
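The generate, copy and backup steps above, combined into one PowerShell script for both WinPE architectures. This is an added example, not part of the original article: the backup folder D:\Backup\pwl and the variable names are assumptions, while the bootwiz paths, the file name and the -g / -f options are the ones shown above.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the SMP Server. $BackupDir is a hypothetical location; the
# bootwiz paths, the file name and the -g/-f options are the ones shown above.
$BdcRoot   = 'C:\Program Files\Altiris\Deployment\BDC\bootwiz'
$PwlName   = 'SymcSMP.pwl'
$BackupDir = 'D:\Backup\pwl'   # assumption: any folder outside the Altiris tree

# Prompt for the account so the password is not stored in the script itself.
$cred  = Get-Credential -Message 'Account used to map the drive in WinPE'
$user  = $cred.UserName
$plain = $cred.GetNetworkCredential().Password

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($arch in 'x64', 'x86') {
    $bootDir = Join-Path $BdcRoot "Platforms\WinPE\$arch\Optional\Boot"
    $baseDir = Join-Path $BdcRoot "oem\DS\winpe\$arch\Base"
    $loginw  = Join-Path $bootDir 'loginw.exe'
    if (-not (Test-Path $loginw)) {
        Write-Warning "loginw.exe not found for $arch, skipping"
        continue
    }

    # Generate mode, run from the Boot directory so the .pwl is created there.
    Push-Location $bootDir
    try {
        & $loginw -g "${user}:$plain" -f $PwlName
    } finally {
        Pop-Location
    }

    $pwl = Join-Path $bootDir $PwlName
    if (-not (Test-Path $pwl)) { throw "loginw.exe did not create $pwl" }

    # Copy into the Base directory used for the BDC package and keep a backup.
    Copy-Item $pwl -Destination $baseDir -Force
    Copy-Item $pwl -Destination (Join-Path $BackupDir "$arch-$PwlName") -Force

    # Confirm the staged copy is byte-identical to the generated file.
    $src = (Get-FileHash $pwl -Algorithm SHA256).Hash
    $dst = (Get-FileHash (Join-Path $baseDir $PwlName) -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Copy mismatch for $arch" }
    Write-Host "$arch : $PwlName staged in $baseDir"
}
Remove-Variable plain
```

loginw.exe still receives the password as a command-line argument, so on servers where process-creation auditing records command lines the clear-text password will appear in those events.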
