Wrestling with Windows S Mode

Background

I was setting up a new PC for a client yesterday. It shipped with Windows 11 Home edition, and I agreed to upgrade to Windows 11 Pro using a license key he’d purchased.

I prefer to do a fresh install to minimize bloatware, and created a bootable USB drive with the installation media for that purpose. During installation, instead of allowing me to select the edition I wanted to install, it just defaulted to Windows 11 Home:

The installation did not include an Edition Configuration file (EI.cfg) in the .\Sources folder of the installation media, so I created one:

EI.cfg

[Channel]
_Default
[VL]
0

After restarting the installation, I could now choose the Windows 11 Pro edition and complete the installation. On completion, I logged into the PC, and to my dismay, it was configured as “Windows 11 Pro S Mode“…

About S Mode…

The ‘S’ stands for s***…

It’s a neutered version of the OS that only allows you to install S Mode-compatible applications from the Microsoft store, disables access to most configuration options, other browsers apart from Microsoft Edge, and disables access to Command Prompt and PowerShell. Who would want this?

Hint: not me, and if you’re reading this, not you either.

Catch 22!

Although I’d successfully installed Windows 11 Pro, I could not activate it because the OEM had preinstalled the Windows 11 Home license key in the BIOS. To update the key, I needed to disable S Mode, but I couldn’t do that without first activating Windows…

Getting Around It…

I tried…

  • Manually inputting the Windows 11 key using a PID.txt file in the .\Sources folder of the installation media to override the Windows 11 Home key on installation.
  • Logging in with a new Microsoft account, assuming the Windows 11 Home Edition digital license was bound to the Microsoft account I used to log in to the system for the first time before reinstallation.
  • Bypassing the Microsoft account creation process during installation. While I was able to use Shift+F10 to access the Command Prompt in some contexts of the installation process, neither oobe\bypassnro nor start ms-cxh:localonly worked.

To make things even more complicated, the touchpad and the Wireless NIC were not recognized by default! The latter had to be manually installed to progress through the installation process. As to the former, I simply had to do without (i.e., using keyboard shortcuts) until I got into the OS proper. I considered slipstreaming the drivers into the installation media, but it didn’t seem worthwhile…

Once More Into the Breach!

At this point, I had three options remaining:

  1. Give up, reinstall Windows 11 Home edition, and leave well enough alone.
  2. Reinstall Windows 11 Home edition, and then explore other options.
  3. Install Windows 10 Pro edition, then upgrade it to Windows 11.

Options 1 and 2 weren’t mutually exclusive, so I decided to start by installing the Home edition and then try to remove S Mode, which worked. Now that I had a Get button to use (it wasn’t present when Windows wasn’t activated), I could proceed.

Removing S Mode restored my option to update the license key, and after a reboot, I successfully upgraded to Windows 11!

Lessons Learned

This ordeal taught me that the correct upgrade path from Windows 11 Home S Mode to Windows 11 Pro is:

  1. Complete the initial setup as is on first boot, or if you want to get rid of the bloatware, reinstall the OS with Home Edition first
  2. Remove S Mode via the Microsoft Store on the activated Windows instance
  3. Change the license key to Windows 11 Pro and let it complete the upgrade
  4. Activate the new Windows 11 Pro installation

Because this particular system used a pre-installed Windows key, any attempt to install a different Windows 11 edition resulted in an [S Mode induced] Soft Lock Loop (see Catch 22 above). The only way off that crazy train is to install the same version it shipped with, and only then will you have the option to ‘Get’ the ‘Switch Out of S Mode’ app from the Microsoft Store, and the rest falls into place.

How To: Authenticated SMTP When Security Defaults/Modern Authentication Are Enabled

Background

Many legacy applications use authenticated SMTP to send email notifications. Since most organizations use Exchange Online as their email provider, leveraging it as a mail relay for service accounts is helpful and convenient. About five or so years ago, Microsoft began enabling Security Defaults for all new tenants and, shortly after, began deprecating Basic Authentication in Exchange.

While it’s possible to utilize smtp.office365.com as a relay for appliances such as printers and scanners, this may or may not be feasible in a particular use case, as was my situation. After many hours of research, trial, and error, I’d finally worked through all the pieces to get authenticated SMTP working with Security Defaults and Modern Authentication enabled.

Prerequisites

You’ll need to ensure the following is configured for the account you want to use:

  • MFA is enabled for the target user account in the Microsoft Entra admin center
  • The SmtpClientAuthenticationDisabled property (Exchange Online PowerShell) is set to $false (meaning that authenticated SMTP is enabled for this user)
  • Generate and record an App Password for the user
  • Disable POP3 and IMAP to prevent TLS downgrade attacks (optional, but highly recommended)

Putting it All Together

Instead of targeting smtp.office365.com on port 587 as our mail relay, we’ll use [YourTenantID].protection.outlook.com on port 25 with the StartTLS property (required).

We can use PowerShell to test this:

Send-MailMessage -SmtpServer [YourTenantID].protection.outlook.com -UseSsl -Port 25 -From me@mydomain.com -To you@yourdomain.com -Subject "Test Email" -Body "Testing, 1, 2, 3?"

Yes, I know the Sent-MailMessage cmdlet is obsolete and doesn’t guarantee secure connections to SMTP servers, but in this case, we’re only using it to test our settings and connectivity.

If it works, we know that any remaining fault lies with the application configuration and/or the environment it resides in, not your Microsoft 365 setup.

Getting StrongDM Comply Running on Windows 11 using WSL

I started this blog as a repository where I could document solutions to very niche problems I’d encountered, and this problem is about as niche as it gets…

Background

A colleague suggested StrongDM Comply as a free and open-source solution for generating SOC 2 Compliance policies. It’s a handy utility designed to run on Mac and Linux, but since I work on a Windows 11 PC, I needed to explore my options.

My first thought was to use Docker, but the image I found was a few years old and would exit immediately after starting. Three other options came to mind:

  • Dual boot a Linux distro
  • Turn up a Linux VM
  • Use the Windows Subsystem for Linux (WSL)

I only needed this for a single application, so WSL seemed to be the best solution for my [very] particular use case.

Installing WSL

Open PowerShell as an Administrator, then run:

 wsl --install

Note: This will require a reboot to finalize the installation. This command requires Windows 10 version 2004 (build 19041 or higher) or Windows 11 to function.

The default subsystem is Ubuntu, but you can choose other distributions if you like. See https://learn.microsoft.com/en-us/windows/wsl/install for additional details and instructions.

Setting Up the Linux Terminal

To access your new environment, you’ll need to install Windows Terminal from the Microsoft Store. Once installed, you can use the dropdown arrow to open a new Ubuntu terminal:

You’ll be prompted to set a UNIX username and password, and then you’ll receive a welcome screen and terminal prompt. The first command you’ll run is:

sudo apt update && sudo apt upgrade

This will get you a list of Ubuntu packages that have available updates and install them for you.

Cloning the Comply Repository

The installation instructions on the GitHub page are deprecated, so we’ll do it a little differently, using Git to clone (copy down) the repository:

git clone https://github.com/strongdm/comply.git

Dependencies

There are two dependencies Comply needs to function:

  1. Pandoc – a universal document converter
  2. PdfLatex – a tool that converts LaTeX sources into PDF (required by Pandoc to generate PDFs)

To install Pandoc, we’ll use APT again:

sudo apt install pandoc

…and then verify that it installed successfully:

pandoc --version

Installing PdfLatex is a little more involved, but these are the instructions that worked for me (From Yosep Kim):

# Install the TexLive base...
sudo apt-get install texlive-latex-base
# Install recommended fonts to avoid possible errors...
sudo apt-get install texlive-fonts-recommended
sudo apt-get install texlive-fonts-extra
# Install extra packages...
sudo apt-get install texlive-latex-extra

Compiling The App

Now that all of the dependencies are installed, we can compile the app using  Go, but first, we’ll need to install the Go package:

sudo apt install golang-go

With that done, we navigate to the “comply” directory and can compile the app using Go:

cd comply
go build

Note: This needs to be run from the folder where the go.mod resides, usually /comply relative to where you ran the ‘git clone’ command above.

Running Comply

At this point, Comply (and all of its dependencies) are installed and ready to run. This consists of:

  1. Creating an empty directory
  2. Initializing a new Comply project
  3. Building the PDF documents
  4. Running the Web Server

Here’s what that looks like:

mkdir [myCompanyName]
cd [myCompanyName]
../comply init
../comply build
../comply serve

You can access your newly created PDFs by opening File Explorer, expanding the Linux > Ubuntu folders, and then browsing to the sub-folder you created (e.g., Linux > Ubuntu > home > [Username] > comply > ExecutiveOutcomes > Output):

PDFs are created using the markdown (.MD) format documents, which you can modify using a text editor (e.g., nano, vi, etc.) within the Linux subsystem:

When you’ve finished updating your documentation, you can serve up a web interface using the aptly named “serve” parameter:

../comply serve

Then, browse to the index.html file:

There you have it! I think it’s a fantastic little tool (once you get it running), and would recommend it anyone looking for who needs customizable SOC2 Compliance documentation.

Input Form Validation Bypass Using the Browser Console

Disclaimer: The techniques described in this post are intended for educational purposes only, and specific details have been intentionally omitted.

These methods should only be used on systems you own, manage, or have explicit permission to access. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing intrusive or manipulative actions on a web application. I assume no responsibility for any misuse of the information provided!

Background

Recently, as part of my client’s periodic password change activities, they encountered a problem where the Password field on the web interface’s login screen supported fewer characters than what the password was set to, locking them out of the device.

To make matters worse (for reasons I can’t get into here), the web browser and a text editor were the only tools available to investigate, troubleshoot, and bypass the interface’s limitations.

Investigation and Troubleshooting

Using the web browser’s Developer Tools, I was able to inspect the Password input field to better understand what was happening:

<input name="pass" type="Password" size="16" maxlength="16" value="">

Looking at the last password vault entry, I saw that the password was 29 characters long, so I tried entering the same password truncated to 16 characters, but it wasn’t accepted.

Luckily, there were other identical devices in the environment, so I logged into another one and inspected the Change Password field on a hunch. Sure enough, it was longer!

<input name="passChange" type="Password" size="20" maxlength="20" value="***">

This told me that when the password was changed, it was truncated to 20 characters, not 16!

Getting Warmer…

Now that I had a clear[er] understanding of the problem and the correct password, I tried to manipulate the client-side HTTP by increasing the size and maxlength values to 20, but encountered server-side code calling a form validation function, preventing me from submitting password greater than 16 characters:

if (pass.value.length > 16) err.addError (pass, "Invalid or Missing Password"); 
    err.showError(); 
    return !err.hasError();

In order to get around the script, I tried bypassing the form using the browser’s console to manually set the user name and password and then submit the form without clicking on the submit button, triggering the validation function:

document.getElementsByName("user")[0].value = "[myUsername]";
document.getElementsByName("pwd")[0].value = "[myTruncatedPassword]";
document.forms["[myLogonForm]"].submit();

…and…

It Worked!

This got me back into the device, so I first navigated to the password change setting and reset it to an acceptable length, then verified that I could get back in using the new password.

Lastly, I wrote a detailed summary for the client to share with the device’s manufacturer so [hopefully] they’ll update future revisions to use consistent password lengths.

Becoming a CISSP, Part II: Getting Certified

The CISSP Application

After provisionally passing the CISSP, I contacted a coworker who’d agreed to endorse me. For those who are unaware, passing the CISSP Exam does not automatically grant you the certification; you’re also required to:

  1. Meet ISC2’s CISSP experience requirements
  2. An existing CISSP member in good standing has to endorse you

Note: If you pass the exam but don’t possess the relevant experience, you will NOT be granted certification! Instead, you’ll become an “Associate of ISC2” and have 6 years to meet the experience requirements.

This entailed going through my resume and correlating my experience to their applicable CISSP Domains.  My application was submitted for endorsement within a couple of days, and the wait began…

I couldn’t help but feel deflated. I’d worked so hard to prepare for the exam and aced it, yet I still couldn’t call myself a CISSP! When faced with the inevitable, I did what I always do: I tried to put it out of my mind and move on.

Acceptance

About 4 weeks later, I received an email from ISC2 indicating that my application had been accepted and asking for my $125 annual maintenance fee. Upon payment, I received a follow-up email with my CISSP certification number.

I could at last breathe easy, knowing that it was finally over, and I could now celebrate my achievement in earnest! I did not yet have my physical certificate. It would be another 4 weeks before I arrived, and with it, disappointment…

The Card

While preparing for my CISSP, I stumbled on a couple of videos from a group called “Host Uknown”:

  1. Host Unkown presents: I’m a C I Double S P
  2. Benefits of being a CISSP

I found these to be a hilarious and welcome distraction amidst the stress of preparing for the CISSP exam. In particular, the second video led me to expect a card in addition to my physical certificate.

When the envelope containing my certificate arrived, I was disappointed to find that it didn’t include a card! Instead, I got a cheesy little pin… My disappointment was immeasurable. So much so that I actually reached out to ISC2, and was told this was something they discontinued due to COVID. While I can’t see why that would matter, I was powerless to do anything about it… save for maybe scanning my certificate and converting it to an SVG, then shrinking it down to business card-size, printing off and laminating it…

To be continued…