Configuring WinPE security settings

If the server that contains your data store does not support the Microsoft NT LAN Manager (NTLM) settings for NTLMv2 Level 3, you must change the NTLM settings for the WinPE image on the TFTP server.

Before you begin

The TFTP server must have the Microsoft Windows Automated Installation Kit (WAIK) installed.

To change the NTLM settings


The ImageX command-line tool is deprecated in Windows 8. Use the DISM command-line tool.

For more information, see the following articles:

  1. Use the imagex utility to mount the WinPE image to any empty directory. (The imagex utility comes with WAIK.)


    1. Create an empty directory, for example C:\new. Copy the WinPE image file WinPE.wim to this new directory.
    2. Create a mount directory under C:\new.
      For example: C:\new\mount
    3. Open a command window and change directories to the \Tools\PETools subdirectory of the Windows AIK installation directory.
      For example: C:\Program Files\WinAIK\Tools\PETools
    4. Start the WinPE command prompt by typing pesetenv.cmd.
    5. On the WinPE command line enter:
      imagex /mountrw C:\new\WinPE.wim 1 C:\new\mount
  2. Open the registry editor (regedit).
  4. Choose File > Load Hive.
  5. Select the file:
    %Mounted WinPE Image folder in step 1%\Windows\System32\config\SYSTEM
  6. Enter the following key name: WinPE_Image_SYSTEM
  7. Browse to: HKEY_LOCAL_MACHINE\WinPE_Image_SYSTEM\ControlSet001\Control\Lsa
  8. This step describes how to add an entry if the LMCompatibilityLevel value does not currently exist. If an LMCompatibilityLevel value already exists, you can edit the existing entry to match these values.
    Select Edit > New > DWORD Value, and then add the following registry values:
    Value Name: LMCompatibilityLevel
    Data Type: REG_DWORD
    Value: 3
    Valid Range: 0,3
  10. Choose File > Unload Hive.
  11. Use imagex to unmount the mounted WinPE image:
    imagex /unmount /commit MountFolder
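
The same procedure as a script, using DISM in place of ImageX as the note above recommends. This is an added example, not part of the original page; it assumes the DISM PowerShell module (Windows 8 or later), an elevated prompt, and the example paths C:\new\WinPE.wim and C:\new\mount from step 1. The image is committed only if the value reads back correctly and the hive unloads cleanly; otherwise the changes are discarded.

```powershell
# Added example (not from the original page): mount the WinPE image, set
# LMCompatibilityLevel in its offline SYSTEM hive, verify, then commit.
$ErrorActionPreference = 'Stop'
$Wim      = 'C:\new\WinPE.wim'        # example path from step 1
$MountDir = 'C:\new\mount'            # example path from step 1
$HiveName = 'WinPE_Image_SYSTEM'      # temporary key name used when loading the hive
$LsaKey   = "HKLM\$HiveName\ControlSet001\Control\Lsa"
$Level    = 3                         # value given in the procedure

# DISM needs an empty mount directory.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if (Get-ChildItem -Force $MountDir) { throw "$MountDir is not empty" }

Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $MountDir | Out-Null
$save = $false
try {
    $hive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    & reg.exe load "HKLM\$HiveName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed' }
    try {
        # /f overwrites an existing value, which covers the "already exists" case.
        & reg.exe add $LsaKey /v LMCompatibilityLevel /t REG_DWORD /d $Level /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg add failed' }

        # Read the value back before anything is committed to the image.
        $out = & reg.exe query $LsaKey /v LMCompatibilityLevel
        if ($LASTEXITCODE -ne 0 -or ($out -join ' ') -notmatch "REG_DWORD\s+0x0*$Level\b") {
            throw 'LMCompatibilityLevel did not read back as expected'
        }
        $save = $true
    }
    finally {
        # Always unload the hive; a hive left loaded blocks the dismount.
        [gc]::Collect()
        & reg.exe unload "HKLM\$HiveName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            $save = $false
            Write-Warning "Could not unload HKLM\$HiveName; close regedit and unload it manually."
        }
    }
}
finally {
    # Commit only a verified change; otherwise leave WinPE.wim untouched.
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```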