thadkew Posted July 21, 2010

I have successfully set up our environment to PXE (thanks to Anyweb's many guides) and have the boot media set to use a password to get to the list of available Task Sequences, but I was wondering if there were a way to password protect a task sequence that is selected. For example: anyone can select the task to deploy Windows XP or Windows 7, however, if someone selects Windows Server 2008, something will prompt for another password and the sequence will fail if it's not correct. Does that make any sense or is it possible? Thanks in advance!

anyweb Posted July 21, 2010

yes it's possible and here's how to do it

*note this happens in Windows PE*

PromptForPassword.wsf

create a blank text file in notepad called promptforpassword.wsf, paste the following into it

<job id="PromptForPassword">
<script language="VBScript">
  ' Runs in Windows PE: close the progress dialog so the prompt is visible
  Dim env, oTSProgressUI, MyPass
  Set env = CreateObject("Microsoft.SMS.TSEnvironment")
  Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
  oTSProgressUI.CloseProgressDialog()
  ' Default to NO; only a matching password sets the variable to YES
  env("ALLOWOSDBUILD") = "NO"
  MyPass = InputBox("Please enter the Password to continue")
  If MyPass = "password" Then
    env("ALLOWOSDBUILD") = "YES"
  End If
</script>
</job>

Shutdown.wsf

Create another blank text file in notepad called Shutdown.wsf, this file will be placed in a sub folder of the scripts folder of your MDT Files package (eg: scripts\ts password)

The Shutdown.wsf file should look like this, note that it depends on the MDT toolkit files package to be loaded prior to running.

<job id="setEnv">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">
  Dim oTSProgressUI
  Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
  oTSProgressUI.CloseProgressDialog()
  On Error Resume Next
  Dim fso, WShell, oFile
  Set WShell = CreateObject("WScript.Shell")
  Set fso = CreateObject("scripting.filesystemobject")
  ' oEnvironment is provided by ZTIUtility.vbs from the MDT toolkit package
  scriptroot = oEnvironment.Item("SCRIPTROOT")
  MsgBox "Please click OK to shutdown the computer.", 0, "Task Sequence Aborted"
  ' Shut down Windows PE, which ends the task sequence
  WShell.Run "wpeutil shutdown", 0, True
</script>
</job>

Create the Package

Create a package called Prompt for Password and place the password script file above in the package, distribute it to distribution points. Add the shutdown.wsf script to a folder called TS Password and copy that folder to the Scripts subfolder of your MDT files package, redistribute that to its distribution points.

Create the Task Sequence

In ConfigMgr create a blank custom MDT task sequence, and for the first step have a Use Toolkit Package (this step is needed for the shutdown.wsf script later). Once done, add a new Run Command Line step to your task sequence, the step will call the promptforpassword.wsf file in the package you've just created, like so

Command line: cscript "promptforpassword.wsf"
Package: Prompt For Password

Next create a Shutdown Step. The Shutdown step in the task sequence will check for the variable called ALLOWOSDBUILD, if ALLOWOSDBUILD = no then the Task Sequence will run another script (shutdown.wsf) otherwise it will continue as normal. So for the Shutdown step click on the options tab and set it as follows

This group/step will run if the following conditions are met: Task Sequence Variable ALLOWOSDBUILD not equals "YES"
Command line: cscript "shutdown.wsf"
Package: MDT Files

so long story short, if someone enters the right password, they are allowed to continue, if they don't the task sequence shuts down.

if you want I can post a demo of this via webcast..

Update

if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
  ID="objTest"
  APPLICATIONNAME="REBUILD"
  SCROLL="yes"
  SINGLEINSTANCE="yes"
>
</head>
<script LANGUAGE="VBScript">
Sub TestSub
  ' The WScript object is not available inside an HTA, so call CreateObject directly
  Set WshShell = CreateObject("WScript.Shell")
  If PasswordArea.value = "password" Then
    MsgBox "Thanks password is correct. Task sequence will now continue"
    ' Write the flag value to the registry
    WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild", "00000000", "REG_DWORD"
    Self.Close
  Else
    MsgBox "Sorry, password is not correct. Please try again"
  End If
End Sub
</script>
<body>
<P>MICROSOFT SCCM</P>
<P>SYSTEM REBUILD</P>
<input type="password" name="PasswordArea" size="30"><P>
<input id=runbutton class="button" type="button" value="ENTER" name="run_button" onClick="TestSub">
</body>
</html>

cheers
niall

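Added audit example, not part of any post in this thread and not code from the forum or from Microsoft: both scripts above compare the typed value against a string literal, so the password sits in cleartext in the package source. The PowerShell below flags that pattern in script text; the function name Find-HardcodedPasswordCompare, the secret-name heuristic and the sample input are assumptions made for illustration.

```powershell
# Added example: flag VBScript/HTA lines that compare a password-like
# variable to a quoted literal, the pattern used by PromptForPassword.wsf.
function Find-HardcodedPasswordCompare {
    param(
        [Parameter(Mandatory)][string]$Text,   # contents of a .wsf/.vbs/.hta file
        [string]$Source = '<inline>'           # label shown in the report
    )
    # Matches: If <identifier>[.member] = "<literal>" Then
    $pattern = '(?i)^\s*If\s+(?<var>[A-Za-z_][\w\.]*)\s*=\s*"(?<lit>[^"]*)"\s+Then\b'
    # Heuristic (assumption): only report variables whose name suggests a secret.
    $secretName = 'pass|pwd|secret'
    $lineNo = 0
    foreach ($line in ($Text -split "`r?`n")) {
        $lineNo++
        $m = [regex]::Match($line, $pattern)
        if ($m.Success -and $m.Groups['var'].Value -match $secretName) {
            [pscustomobject]@{
                Source        = $Source
                Line          = $lineNo
                Variable      = $m.Groups['var'].Value
                # Report only the length so the audit output does not repeat the secret.
                LiteralLength = $m.Groups['lit'].Value.Length
            }
        }
    }
}

# Constructed sample input modelled on the scripts quoted in this thread.
$sample = @'
MyPass=Inputbox("Please enter the Password to continue")
If MyPass = "password" then
env("ALLOWOSDBUILD") = "YES"
End If
if PasswordArea.value = "password" Then
If oFSO.FolderExists("C:\MININT") then
'@

# Reports lines 2 and 5; the FolderExists line is not a literal comparison.
Find-HardcodedPasswordCompare -Text $sample -Source 'sample' | Format-Table -AutoSize

# To scan a package source folder (the path is a placeholder):
# Get-ChildItem '<package source folder>' -Recurse -Include *.wsf,*.vbs,*.hta |
#   ForEach-Object { Find-HardcodedPasswordCompare -Text (Get-Content $_.FullName -Raw) -Source $_.FullName }
```
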
thadkew Posted July 22, 2010

> yes it's possible and here's how to do it <snip>

You, Sir, are a KING among men... Thank you!!!!

anyweb Posted July 22, 2010

thanks, by the way you can even make the Task Sequence 'invisible' to computers in RAP (Run Advertised Programs) by doing as follows:

right click on your task sequence, choose Properties
click on the Advanced tab
Select an operating system from the list which is NOT in use in your organisation *eg: Windows Vista X64, or Windows 2000*
click Apply

once done, you will not see the Task Sequence listed in RAP on any of your Windows XP or Windows 7 or Windows Server computers, but you will be able to PXE boot and run the Task Sequence as normal.

boognish Posted July 27, 2010

> if you want I can post a demo of this via webcast.. cheers niall

That would be great if it's not too much work

thadkew Posted July 27, 2010

> That would be great if it's not too much work

I can tell you that it works great. I got it set up and it works exactly the way I need it to. Thank you so much, anyweb!!!!

anyweb Posted July 30, 2010

here's a sample Task Sequence to see it in action, simply import the XML file into SCCM 2007 sp2 (with MDT 2010 integrated) and you are nearly ready to go, you will have to edit the task sequence to point to your packages, one package is the prompt for password containing the original wsf file, the second package is your mdt files package (which contains a subfolder in scripts called TS Password, which in turn contains the shutdown.wsf script)

Prompt For Password.xml

In my example task sequence I install an application (microsoft security essentials) after successful password completion, however you could install an entire OS or more as you would with any task sequence, it's up to you.

Here's a description of the Task Sequence Steps:-

Restart to Windows PE

This does a check in the options tab to see if we are in WinPE, if not, it restarts the computer into WinPE so you will need to attach a boot image to this Task Sequence. The reason for this check is that we cannot interact with the user on the desktop in Windows itself, only in WinPE. The options we set are:

This group/step will run if the following conditions are met: If All the conditions are true: Task Sequence Variable _SMSTSInWinPE equals False

Prompt For Password

This step runs the actual promptforpassword.wsf script directly from the package we put it in, you could clean this up even more by placing the script in the mdtfiles/scripts/ts password folder (more on that later). I've also got yet another check in here (not needed if you include the previous step) to see that we are in WinPE (see the options tab). This script returns a value for the AllowOSDBuild variable, either YES or NO depending on whether you enter the password correctly or not.

Use Toolkit Package

This step loads the MDT Files package (needed for the next step) and you should know by now that we have copied the TS Password folder containing shutdown.wsf to the scripts sub directory of the MDT Files package.

Shutdown

This step executes the script called shutdown.wsf contained in the TS Password subfolder (in the scripts directory of MDT Files package). This script will shutdown the computer if:

* AllowOSDBuild=NO or
* If you click on Cancel at the password prompt screen.

Below is a copy of the Shutdown Step options

Rest of Task Sequence

If the user enters the correct password the Rest of the Task sequence steps will be run as normal, in this example I install an application after rebooting back into Windows, (you can put whatever you want here, like installing an OS or migrating from XP to 7 or whatever !).

boognish Posted July 30, 2010

I'm getting the following error. Shutdown.wsf is in the TS password directory

Cannot retrieve referenced URL : ..\ZTIUtility.vbs

My TS is always aborting after I put in the password

anyweb Posted August 5, 2010

are you loading the mdt files package in a previous step, it contains that vbs file...

boognish Posted August 6, 2010

> are you loading the mdt files package in a previous step, it contains that vbs file...

That's the way I have it set. I would assume that the toolkit files are loading because the shutdown.wsf is being called. My password would simply replace "password" in this, correct?

If MyPass = "password" then
  env("ALLOWOSDBUILD") = "YES"
End If

anyweb Posted September 20, 2010

yes that's correct

Tjindarr Posted September 28, 2010

Is there any way to change the pass.wsf so that when you type the password it's not in cleartext but in *******?

anyweb Posted September 28, 2010

good question, how about this http://www.msfn.org/board/topic/126348-something-to-ask/

pollewops Posted September 30, 2010

A way to display the passwords using "dots" is by using a HTA instead of a WSF file. See my used scripts in the attachment. PromptForPassword.zip

Tjindarr Posted April 8, 2011

how would I go about implementing this into a task sequence? is it as easy as the one above?

> A way to display the passwords using "dots" is by using a HTA instead of a WSF file. See my used scripts in the attachment. PromptForPassword.zip

Tjindarr Posted April 11, 2011

> how would I go about implementing this into a task sequence? is it as easy as the one above?

Nevermind, got it sorted. Thanks pollewops for an awesome script. And anyweb for the "how to display hta" guide

silverSl!DE Posted January 11, 2012

just one dumb question: how do I create the MDT toolkit files package?

anyweb Posted January 11, 2012

integrate mdt 2010 update 1 with configmgr, go through the wizard in task sequences to create a Microsoft Deployment Toolkit task sequence, easy. done.

ogeccut Posted February 17, 2012

Thanks guys, this works great. However........Let's say a user inputs a wrong password.....and we shutdown!!!! Then a user boots again and.....I am guessing the wrong password is saved in the MININT directory on the local drive and there will be no more prompt to enter a password. I am going to try to edit the script to delete MININT right before the shutdown from shutdown.wsf.

ogeccut Posted February 17, 2012

I tested and got this working in MDT:

<job id="setEnv">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">
  Dim oTSProgressUI
  'set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
  'oTSProgressUI.CloseProgressDialog()

  ' Clean up any existing C:\MININT directory
  If oFSO.FolderExists("C:\MININT") then
    On Error Resume Next
    oFSO.DeleteFolder "C:\MININT", true
    On Error Goto 0
  End If

  ' Clean up any existing C:\_smstasksequence directory
  If oFSO.FolderExists("C:\_smstasksequence") then
    On Error Resume Next
    oFSO.DeleteFolder "C:\_smstasksequence", true
    On Error Goto 0
  End If

  On error resume next
  Dim fso, WShell, oFile
  Set WShell = CreateObject("WScript.Shell")
  Set fso = CreateObject("scripting.filesystemobject")
  scriptroot = oEnvironment.Item("SCRIPTROOT")
  MsgBox "Please click OK to shutdown the computer.", 0, "Task Sequence Aborted"
  WShell.Run "wpeutil shutdown", 0, True
</script>
</job>

SaiTech Posted February 18, 2012

Hi, Would it be possible to use an AD account to protect the TS and or the FrontEnd? /PS

ciscoeuk Posted May 16, 2012

is there a way in sccm boot image to create a continuation screen, ie after you input your password you get asked the question Do you wish to continue? yes cancel cancel the machine to existing systems

the reason that I require this is that a work buddy accidentally kicked off a full refresh build we were testing in the lab but realized he kicked it off in the live estate, it was not passworded, as we were still working on it

vishnuprasad100 Posted June 3, 2012

I won’t like OSD blog steps are not clear & making so complicated. It’s not simple & clear posting totally I hate

zick Posted June 8, 2012

> Update
>
> if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick
>
> <html>
> <head>
> <title>HTA Test</title>
> <HTA:APPLICATION
>   ID="objTest"
>   APPLICATIONNAME="REBUILD"
>   SCROLL="yes"
>   SINGLEINSTANCE="yes"
> >
> </head>
> <script LANGUAGE="VBScript">
> Sub TestSub
>   set WshShell = WScript.CreateObject("WScript.Shell")
>   if PasswordArea.value = "password" Then
>     Msgbox "Thanks password is correct. Task sequence will now continue"
>     WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
>     Self.Close
>   Else
>     Msgbox "Sorry, password is not correct. Please try again"
>   End If
> End Sub
> </SCRIPT>
> <body>
> <P>MICROSOFT SCCM</p>
> <P>SYSTEM REBUILD</P>
> <input type="password" name="PasswordArea" size="30"><P>
> <input id=runbutton class="button" type="button" value="ENTER" name="run_button" onClick="TestSub">
> </body>
>
> cheers niall

I am trying to follow the instructions here on creating the HTA to prompt for a password but when I use the above code, I get an error message;

Script:
Line: 10
Char: 4
Error: The end tag does not match the start tag : HTA:APPLICATION
Code: 80040022
Source: Windows Script Host

Can someone help with this?

wireshark Posted June 21, 2012

Great job. Works perfect, But I have one major problem. What if the machine has Bitlocker enabled... ? In order to "restart in WinPE" I need to put in a "Disable Bitlocker" step otherwise in order to prestage the Boot Image. It works perfect if the right password is entered. But if the user decides to "abort" then Bitlocker will be "suspended" when the machine is turned on again. Is there a workaround for this or do I miss something... ?