From a4e4d84ca32e7c6a0348d91ba09e155c57ae2846 Mon Sep 17 00:00:00 2001
From: Kroese <kroese@users.noreply.github.com>
Date: Mon, 14 Apr 2025 11:06:46 +0200
Subject: [PATCH] fix: Disallow RDP login with blank password (#315)

---
 assets/win10arm64-enterprise.xml | 5 -----
 assets/win10arm64-ltsc.xml       | 5 -----
 assets/win10arm64.xml            | 5 -----
 assets/win11arm64-enterprise.xml | 5 -----
 assets/win11arm64-ltsc.xml       | 5 -----
 assets/win11arm64.xml            | 5 -----
 6 files changed, 30 deletions(-)

diff --git a/assets/win10arm64-enterprise.xml b/assets/win10arm64-enterprise.xml
index 6e6c5e9..a745b20 100644
--- a/assets/win10arm64-enterprise.xml
+++ b/assets/win10arm64-enterprise.xml
@@ -326,11 +326,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "AllowInsecureGuestAuth" /t REG_DWORD /d 1 /f</CommandLine>
           <Description>Allow guest access to network shares</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>2</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>3</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>
diff --git a/assets/win10arm64-ltsc.xml b/assets/win10arm64-ltsc.xml
index 1f6e763..41a3433 100644
--- a/assets/win10arm64-ltsc.xml
+++ b/assets/win10arm64-ltsc.xml
@@ -329,11 +329,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "AllowInsecureGuestAuth" /t REG_DWORD /d 1 /f</CommandLine>
           <Description>Allow guest access to network shares</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>2</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>3</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>
diff --git a/assets/win10arm64.xml b/assets/win10arm64.xml
index 1916c8c..079f7aa 100644
--- a/assets/win10arm64.xml
+++ b/assets/win10arm64.xml
@@ -326,11 +326,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "AllowInsecureGuestAuth" /t REG_DWORD /d 1 /f</CommandLine>
           <Description>Allow guest access to network shares</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>2</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>3</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>
diff --git a/assets/win11arm64-enterprise.xml b/assets/win11arm64-enterprise.xml
index 930b7a4..a4651b3 100644
--- a/assets/win11arm64-enterprise.xml
+++ b/assets/win11arm64-enterprise.xml
@@ -355,11 +355,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 0 /f</CommandLine>
           <Description>Disable SMB signing requirement</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>3</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>4</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>
diff --git a/assets/win11arm64-ltsc.xml b/assets/win11arm64-ltsc.xml
index 1708990..e8cd3d1 100644
--- a/assets/win11arm64-ltsc.xml
+++ b/assets/win11arm64-ltsc.xml
@@ -354,11 +354,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 0 /f</CommandLine>
           <Description>Disable SMB signing requirement</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>3</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>4</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>
diff --git a/assets/win11arm64.xml b/assets/win11arm64.xml
index a92aa18..8f5768a 100644
--- a/assets/win11arm64.xml
+++ b/assets/win11arm64.xml
@@ -355,11 +355,6 @@
           <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 0 /f</CommandLine>
           <Description>Disable SMB signing requirement</Description>
         </SynchronousCommand>
-        <SynchronousCommand wcm:action="add">
-          <Order>3</Order>
-          <CommandLine>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f</CommandLine>
-          <Description>Allow RDP login with blank password</Description>
-        </SynchronousCommand>
         <SynchronousCommand wcm:action="add">
           <Order>4</Order>
           <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v "DevicePasswordLessBuildVersion" /t REG_DWORD /d 0 /f</CommandLine>