Jump to content


  • 0
thadkew

Password Protect a Task Sequence?

Asked by thadkew

Question

thadkew Newbie

thadkew

Posted
Posted

I have successfully set up our environment to PXE (thanks to Anyweb's many guides) and have the boot media set to use a password to get to the list of available Task Sequences, but I was wondering if there were a way to password protect a task sequence that is selected.

For example: anyone can select the task to deploy Windows XP or Windows7, however, if someone selects Windows Server 2008, something will prompt for another password and the sequence will fail if it's not correct.

 

Does that make any sense or is it possible?

 

Thanks in advance!

Share this post

Link to post
Share on other sites

36 answers to this question

Recommended Posts

  • 0
anyweb Proficient

anyweb

Posted
Posted

yes it's possible and here's how to do it *note this happens in Windows PE*

 

PromptForPassword.wsf

 

create a blank text file in notepad called promptforpassword.wsf

 

paste the following into it

 

<job id="PromptForPassword">

<script language="VBScript" >

Dim env,oTSProgressUI,MyPass
Set env = CreateObject("Microsoft.SMS.TSEnvironment")

set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()

env("ALLOWOSDBUILD") = "NO"

MyPass=Inputbox("Please enter the Password to continue")

If MyPass = "password" then
 env("ALLOWOSDBUILD") = "YES"
End If

</script>
</job>

 

 

Shutdown.wsf

 

Create another blank text file in notepad called Shutdown.wsf, this file will be placed in a sub folder of the scripts folder of your MDT Files package (eg: scripts\ts password)

 

The Shutdown.wsf file should look like this, note that it depends on the MDT toolkit files package to be loaded prior to running.

 

<job id="setEnv">
 <script language="VBScript" src="..\ZTIUtility.vbs"/>
 <script language="VBScript">

Dim oTSProgressUI
set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()


 	On error resume next
Dim fso, WShell, oFile
Set WShell = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.filesystemobject")

scriptroot = oEnvironment.Item("SCRIPTROOT")

MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted"
WShell.Run "wpeutil shutdown",0, True 

 </script>
</job>

 

Create the Package

 

Create a package called Prompt for Password and place the password script file above in the package, distribute it to distribution points. Add the shutdown.wsf script to a folder called TS Password and copy that folder to the Scripts subfolder of your MDT files package, redistribute that to it's distribution Points.

 

 

Create the Task Sequence

 

In ConfigMgr create a blank custom MDT task sequence, and for the first step have a Use Tollkit Package (this step is needed for the shutdown.wsf script later).

 

Once done, add a new Run Command Line step to your task sequence, the step will call the promptforpassowrd.wsf file in the package you've just created, like so

 

Command line:

cscript "promptforpassword.wsf"

 

Package:

Prompt For Password

 

Next create a Shutdown Step,

 

The Shutdown step in the task sequence will check for the variable called ALLOWOSDBUILD,

if ALLOWOSDBUILD = no then the Task Sequence will run another script (shutdown.wsf) otherwise it will continue as normal.

 

So for the Shutdown step click on the options tab and set it as follows

 

 

This group/step will run if the following conditions are met:

Task Sequence Variable ALLOWOSDBUILD not equals "YES"

 

 

Command line:

cscript "shutdown.wsf"

 

Package:

MDT Files

 

 

so long story short, if someone enters the right password, they are allowed to continue, if they don't the task sequence shuts down.

if you want I can post a demo of this via webcast..

 

 

 

Update

if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick

 

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
    ID="objTest"
    APPLICATIONNAME="REBUILD"
    SCROLL="yes"
    SINGLEINSTANCE="yes"
>
</head>

<script LANGUAGE="VBScript">


   Sub TestSub

set WshShell = WScript.CreateObject("WScript.Shell")

if PasswordArea.value = "password" Then
 Msgbox "Thanks password is correct. Task sequence will now continue"
 WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
 Self.Close  
Else
 Msgbox "Sorry, password is not correct. Please try again"
End If
   End Sub

</SCRIPT>

<body>


<P>MICROSOFT SCCM</p>
<P>SYSTEM REBUILD</P>
   <input type="password" name="PasswordArea" size="30"><P>
   <input id=runbutton  class="button" type="button" value="ENTER" name="run_button"  onClick="TestSub">

</body>

 

cheers

niall

  • Like 1

Share this post

Link to post
Share on other sites
  • 0
anyweb Proficient

anyweb

Posted
Posted

thanks,

 

by the way you can even make the Task Sequence 'invisible' to computers in RAP (Run Advertised Programs) by doing as follows:

 

right click on your task sequence, choose Properties

 

click on the Advanced tab

 

Select an operating system from the list which is NOT in use in your organisation *eg: Windows Vista X64, or Windows 2000*

 

click Apply,

 

promptforpassword.jpg

 

once done, you will not see the Task Sequence listed in RAP on any of your Windows XP or Windows 7 or Windows Server computers, but you will be able to PXE boot and run the Task Sequence as normal.

Share this post

Link to post
Share on other sites
  • 0
thadkew Newbie

thadkew

Posted
Posted

That would be great if its not too much work

I can tell you that it works great. I got it set up and it works exactly the way i need it to do.

Thank you so much, anyweb!!!!

Share this post

Link to post
Share on other sites
  • 0
anyweb Proficient

anyweb

Posted
Posted

here's a sample Task Sequence to see it in action, simply import the XML file into SCCM 2007 sp2 (with MDT 2010 integrated) and you are nearly ready to go,

you will have to edit the task sequence to point to your packages, one package is the prompt for password containing the original wsf file, the second package is your mdt files package (which contains a subfolder in scripts called TS Password, which in turn contains the shutdown.wsf script)

 

Prompt For Password.xml

 

In my example task sequence I install an application (microsoft security essentials) after successful password completion, however you could install an entire OS or more as you would with any task sequence, it's up to you.

 

Here's a description of the Task Sequence Steps:-

 

Restart to Windows PE

 

This does a check in the options tab to see if we are in WinPE, if not, it restarts the computer into WinPE so you will need to attach a boot image to this Task Sequence. The reason for this check is that we cannot interact with the user on the desktop in Windows itself, only in WinPE.

 

The options we set are:

 

This group/step will run if the following conditions are met:
If All the conditions are true:

Task Sequence Variable _SMSTSinWInPE equals False

 

restart to windows pe.jpg

 

Prompt For Password

 

This step runs the actual promptforpassword.wsf script directly from the package we put it in, you could clean this up even more by placing the script in the mdtfiles/scripts/ts password folder (more on that later). I've also got yet another check in here (not needed if you include the previous step) to see that we are in WinPE (see the options tab). This script returns a value for the AllowOSDBuild variable, either YES or NO depending on whether you enter the password correctly or not.

 

promptforpassword.jpg

 

Use Toolkit Package

 

This step loads the MDT Files package (needed for the next step) and you should know by now that we have copied the TS Password folder containing shutdown.wsf to the scripts sub directory of the MDT Files package.

 

Shutdown

 

shutdown1.jpg

 

This step executes the script called shutdown.wsf contained in the TS Password subfolder (in the scripts directory of MDT Files package). This script will shutdown the computer if:

 

* AllowOSDBuild=NO

or

* If you click on Cancel at the password prompt screen.

 

Below is a copy of the Shutdown Step options

 

shutdown2.jpg

 

Rest of Task Sequence

 

If the user enters the correct password the the Rest of the Task sequence steps will be ran as normal, in this example I install an application after rebooting back into Windows, (you can put whatever you want here, like installing an OS or migrating from XP to 7 or whatever !).

 

 

restofts.jpg

Share this post

Link to post
Share on other sites
  • 0
boognish Newbie

boognish

Posted
Posted

are you loading the mdt files package in a previous step, it contains that vbs file...

 

 

That's the way I have it set. I would assume that the toolkit files are loading because the shutdown.wsf is being called. My password would simply replace "password" in this, correct?

 

If MyPass = "password" then

env("ALLOWOSDBUILD") = "YES"

End If

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go to question listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.