Monday, July 21, 2014

Password Protect Task Sequence

Overview

As my firms EUC (End User Computing aka Workplace) Architect, I am working on our tablet strategy and that requires Windows 8.1 Task Sequences. I noticed in reports that there were far more Windows 8.1 systems then I am creating in my work for this project. I was finding that techs are trying it out, and causing other issues, so I had to come up with a quick solution to keep the riff raff out so to speak. So in short, I have now mandated that any non production Task Sequences are password protected. This just keeps the honest people honest really.

In your Task Sequence, set a Variable for OSDPassword and put in a password. I create a group at the top of each Task Sequence to hold stuff like this called 'Set Up Shop'. This way, each TS can have its own password in place. Also super easy to change.


Then later in the TS, you call the PromptForPassword vbs via its package. I put it between the 'Partition Disk' step(s) and the 'Apply OS' steps, but before the HTA (Tech Interview). Why not as the first step in the TS? Since ConfigMgr 2012 is download and run, it will still run on a bare hardware environment where there have been no volumes created.


During the deployment you will see a dialog box asking for the password. Real simple, no  X attempts before it fails out, obfuscating the password from shoulder surfers, or any other checks and balances. Like a car alarm, Its meant to keep the honest people honest.


Download

If you add any checks and balances I would love for you to send it upstream to me.

This script is provided as-is, no warranty is provided or implied.The author is NOT responsible for any damages or data loss that may occur through the use of this script.  Always test, test, test before rolling anything into a production environment.

You can get the script here.

4 comments:

  1. I like when typing in the password that **** come to be how can I do that ?

    ReplyDelete
  2. Hello Cor. As I mentioned in the posting it was a simple thing to keep unauthorized people from running the TS. Its used on Test TS mostly. There was no intention for it to be super secure as the password is set as a TS variable so you can export variables to get it without much effort so much more would have to be done vs just obfuscating the password dialog to secure this. I will definitely share an updated version if one is ever done though. thank you

    ReplyDelete
  3. I know this post is almost 2 years old, but I just found it and already put it into "production" on my test win10 job. I did make some changes though... added a testing mode to try it outside of the sccm/TS environment, added a retry loop for when my fingers don't work right, added exit codes to make certain sccm actually fails the task sequence if someone puts in the wrong pw and then exits the retry loop (yours looks like it would just continue the task sequence even with a bad pw), and an auto-closing confirmation popup that lets you know you typed it correctly. yeah, it's about twice as long, but much more useful to me. but i have to admit, before this script, i never knew about the 3 lines you used to break out of the TSprogressUI, and i'm already re-using those in other scripts to massively simplify some task sequences and get user input in others. so thanks for that!

    here's the modified script - let me know what you think!

    http://gibson99.com/download/PromptForPassword/PromptForPassword2.vbs.txt

    ReplyDelete
    Replies
    1. Hey Gibson99. Not sure how i missed your comment. Thanks for the changes! I will make them upstream. If they cancel then the TS fails out unless you set a continue on error.

      Before that I used some AutoIt script. I got the TSProgressUI from a friend of mine Nick.

      https://t3chn1ck.wordpress.com/2012/04/09/hiding-a-task-sequence-progress-ui/

      Delete