



thadkew

Password Protect a Task Sequence?




thadkew    5

I have successfully set up our environment to PXE (thanks to Anyweb's many guides) and have the boot media set to use a password to get to the list of available Task Sequences, but I was wondering if there were a way to password protect a task sequence that is selected.

For example: anyone can select the task to deploy Windows XP or Windows 7, however, if someone selects Windows Server 2008, something will prompt for another password and the sequence will fail if it's not correct.

 

Does that make any sense or is it possible?

 

Thanks in advance!



anyweb    399

yes it's possible and here's how to do it *note this happens in Windows PE*

 

PromptForPassword.wsf

 

create a blank text file in notepad called promptforpassword.wsf

 

paste the following into it

 

<job id="PromptForPassword">
<script language="VBScript">

Dim env, oTSProgressUI, MyPass

' Task sequence environment, used to set the ALLOWOSDBUILD variable
Set env = CreateObject("Microsoft.SMS.TSEnvironment")

' Close the task sequence progress dialog so the prompt is visible
Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()

' Default to NO; only the correct password sets YES
env("ALLOWOSDBUILD") = "NO"

MyPass = InputBox("Please enter the Password to continue")

If MyPass = "password" Then
    env("ALLOWOSDBUILD") = "YES"
End If

</script>
</job>

 

 

Shutdown.wsf

 

Create another blank text file in notepad called Shutdown.wsf, this file will be placed in a sub folder of the scripts folder of your MDT Files package (eg: scripts\ts password)

 

The Shutdown.wsf file should look like this, note that it depends on the MDT toolkit files package to be loaded prior to running.

 

<job id="setEnv">
 <script language="VBScript" src="..\ZTIUtility.vbs"/>
 <script language="VBScript">

' Close the task sequence progress dialog so the message box is visible
Dim oTSProgressUI
Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()

On Error Resume Next
Dim fso, WShell, oFile
Set WShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' oEnvironment is provided by ZTIUtility.vbs (MDT toolkit files package)
scriptroot = oEnvironment.Item("SCRIPTROOT")

MsgBox "Please click OK to shutdown the computer.", 0, "Task Sequence Aborted"
' Shut down WinPE and wait for the command to return
WShell.Run "wpeutil shutdown", 0, True

 </script>
</job>

 

Create the Package

 

Create a package called Prompt for Password and place the password script file above in the package, distribute it to distribution points. Add the shutdown.wsf script to a folder called TS Password and copy that folder to the Scripts subfolder of your MDT files package, redistribute that to its distribution points.

 

 

Create the Task Sequence

 

In ConfigMgr create a blank custom MDT task sequence, and for the first step have a Use Toolkit Package (this step is needed for the shutdown.wsf script later).

Once done, add a new Run Command Line step to your task sequence, the step will call the promptforpassword.wsf file in the package you've just created, like so

 

Command line:

cscript "promptforpassword.wsf"

 

Package:

Prompt For Password

 

Next create a Shutdown Step,

 

The Shutdown step in the task sequence will check for the variable called ALLOWOSDBUILD,

if ALLOWOSDBUILD = no then the Task Sequence will run another script (shutdown.wsf) otherwise it will continue as normal.

 

So for the Shutdown step click on the options tab and set it as follows

 

 

This group/step will run if the following conditions are met:

Task Sequence Variable ALLOWOSDBUILD not equals "YES"

 

 

Command line:

cscript "shutdown.wsf"

 

Package:

MDT Files

 

 

so long story short, if someone enters the right password, they are allowed to continue, if they don't the task sequence shuts down.

if you want I can post a demo of this via webcast..

 

 

 

Update

if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick

 

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
    ID="objTest"
    APPLICATIONNAME="REBUILD"
    SCROLL="yes"
    SINGLEINSTANCE="yes"
>
</head>

<script LANGUAGE="VBScript">

Sub TestSub
    ' The WScript object is not available inside an HTA, so call CreateObject directly
    Set WshShell = CreateObject("WScript.Shell")

    If PasswordArea.value = "password" Then
        MsgBox "Thanks password is correct. Task sequence will now continue"
        ' Record the successful check in the registry
        WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild", "00000000", "REG_DWORD"
        Self.Close
    Else
        MsgBox "Sorry, password is not correct. Please try again"
    End If
End Sub

</SCRIPT>

<body>

<P>MICROSOFT SCCM</P>
<P>SYSTEM REBUILD</P>
<input type="password" name="PasswordArea" size="30"><P>
<input id=runbutton class="button" type="button" value="ENTER" name="run_button" onClick="TestSub">

</body>
</html>

 

cheers

niall

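Added example, not part of the original posts: PromptForPassword.wsf as posted keeps the password as a plain string inside the package, where anyone who can read the package content can see it. This variant compares a salted SHA-256 hash instead and limits the number of attempts. It assumes the boot image includes the WinPE .NET optional component (WinPE-NetFx) so the .NET hashing classes can be created from VBScript; `SALT`, `EXPECTED_HASH`, `MAX_TRIES` and `Sha256Hex` are placeholder names introduced here.

```vbscript
<job id="PromptForPasswordHashed">
<script language="VBScript">
Option Explicit

' Placeholders (not from the original post): replace both before use.
' EXPECTED_HASH = lowercase hex of SHA-256(SALT & password), computed offline.
Const SALT = "REPLACE-WITH-RANDOM-SALT"
Const EXPECTED_HASH = "REPLACE-WITH-64-HEX-CHARACTERS"
Const MAX_TRIES = 3

' Hypothetical helper: SHA-256 of a string as lowercase hex.
' Assumes the .NET Framework is present so these COM-visible classes exist.
Function Sha256Hex(s)
    Dim enc, sha, bytes, hash, i, out
    Set enc = CreateObject("System.Text.UTF8Encoding")
    Set sha = CreateObject("System.Security.Cryptography.SHA256Managed")
    bytes = enc.GetBytes_4(s)
    hash = sha.ComputeHash_2((bytes))
    out = ""
    For i = 1 To LenB(hash)
        out = out & Right("0" & Hex(AscB(MidB(hash, i, 1))), 2)
    Next
    Sha256Hex = LCase(out)
End Function

Dim env, oTSProgressUI, tries, entry
Set env = CreateObject("Microsoft.SMS.TSEnvironment")
Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()

' Fail closed: the Shutdown step runs unless the hash matches.
env("ALLOWOSDBUILD") = "NO"

For tries = 1 To MAX_TRIES
    entry = InputBox("Please enter the Password to continue (attempt " & tries & " of " & MAX_TRIES & ")")
    If entry = "" Then Exit For   ' Cancel or empty input ends the prompt
    If Sha256Hex(SALT & entry) = LCase(EXPECTED_HASH) Then
        env("ALLOWOSDBUILD") = "YES"
        Exit For
    End If
Next
entry = ""   ' do not keep the typed password in memory longer than needed

</script>
</job>
```

Compute `EXPECTED_HASH` once on an admin workstation by calling `Sha256Hex(SALT & password)` and paste the result into the constant. A single salted SHA-256 can still be guessed offline by someone who obtains the script, so use a long passphrase.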
thadkew    5

yes it's possible and here's how to do it

<snip>

 

You, Sir, are a KING among men...

Thank you!!!!

anyweb    399

thanks,

 

by the way you can even make the Task Sequence 'invisible' to computers in RAP (Run Advertised Programs) by doing as follows:

 

right click on your task sequence, choose Properties

 

click on the Advanced tab

 

Select an operating system from the list which is NOT in use in your organisation *eg: Windows Vista X64, or Windows 2000*

 

click Apply,

 

promptforpassword.jpg

 

once done, you will not see the Task Sequence listed in RAP on any of your Windows XP or Windows 7 or Windows Server computers, but you will be able to PXE boot and run the Task Sequence as normal.

thadkew    5

That would be great if it's not too much work

I can tell you that it works great. I got it set up and it works exactly the way I need it to do.

Thank you so much, anyweb!!!!

anyweb    399

here's a sample Task Sequence to see it in action, simply import the XML file into SCCM 2007 sp2 (with MDT 2010 integrated) and you are nearly ready to go,

you will have to edit the task sequence to point to your packages, one package is the prompt for password containing the original wsf file, the second package is your mdt files package (which contains a subfolder in scripts called TS Password, which in turn contains the shutdown.wsf script)

 

Prompt For Password.xml

 

In my example task sequence I install an application (microsoft security essentials) after successful password completion, however you could install an entire OS or more as you would with any task sequence, it's up to you.

 

Here's a description of the Task Sequence Steps:-

 

Restart to Windows PE

 

This does a check in the options tab to see if we are in WinPE, if not, it restarts the computer into WinPE so you will need to attach a boot image to this Task Sequence. The reason for this check is that we cannot interact with the user on the desktop in Windows itself, only in WinPE.

 

The options we set are:

 

This group/step will run if the following conditions are met:
If All the conditions are true:

Task Sequence Variable _SMSTSInWinPE equals False

 

restart to windows pe.jpg

 

Prompt For Password

 

This step runs the actual promptforpassword.wsf script directly from the package we put it in, you could clean this up even more by placing the script in the mdtfiles/scripts/ts password folder (more on that later). I've also got yet another check in here (not needed if you include the previous step) to see that we are in WinPE (see the options tab). This script returns a value for the AllowOSDBuild variable, either YES or NO depending on whether you enter the password correctly or not.

 

promptforpassword.jpg

 

Use Toolkit Package

 

This step loads the MDT Files package (needed for the next step) and you should know by now that we have copied the TS Password folder containing shutdown.wsf to the scripts sub directory of the MDT Files package.

 

Shutdown

 

shutdown1.jpg

 

This step executes the script called shutdown.wsf contained in the TS Password subfolder (in the scripts directory of MDT Files package). This script will shutdown the computer if:

 

* AllowOSDBuild=NO

or

* If you click on Cancel at the password prompt screen.

 

Below is a copy of the Shutdown Step options

 

shutdown2.jpg

 

Rest of Task Sequence

 

If the user enters the correct password the Rest of the Task sequence steps will be run as normal, in this example I install an application after rebooting back into Windows, (you can put whatever you want here, like installing an OS or migrating from XP to 7 or whatever !).

 

 

restofts.jpg

boognish    0

I'm getting the following error. Shutdown.wsf is in the TS password directory

 

Cannot retrieve referenced URL : ..\ZTIUtility.vbs

 

My TS is always aborting after I put in the password

anyweb    399

are you loading the mdt files package in a previous step, it contains that vbs file...

boognish    0

are you loading the mdt files package in a previous step, it contains that vbs file...

 

 

That's the way I have it set. I would assume that the toolkit files are loading because the shutdown.wsf is being called. My password would simply replace "password" in this, correct?

 

If MyPass = "password" then
    env("ALLOWOSDBUILD") = "YES"
End If

anyweb    399

yes that's correct

Tjindarr    3

how would I go about implementing this into a task sequence?

is it as easy as the one above?

 

 

A way to display the passwords using "dots" is by using a HTA instead of a WSF file.

 

See my used scripts in the attachment.

 

PromptForPassword.zip

Tjindarr    3

how would I go about implementing this into a task sequence?

is it as easy as the one above?

 

Never mind, got it sorted :) Thanks pollewops for an awesome script.

And anyweb for the "how to display hta" guide

anyweb    399

  1. integrate mdt 2010 update 1 with configmgr, go through the wizard in task sequences to create a Microsoft Deployment Toolkit task sequence, easy. done.

ogeccut    2

Thanks guys, this works great. However........Let's say a user inputs a wrong password.....and we shutdown!!!! Then a user boots again and.....I am guessing wrong password is saved in MININT directory on the local drive and there will be no more prompt to enter a password.

 

I am going to try to edit the script to delete MININT right before the shutdown from shutdown.wsf.

ogeccut    2

I tested and got this working in MDT:

 

<job id="setEnv">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">

Dim oTSProgressUI
'set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
'oTSProgressUI.CloseProgressDialog()

' Clean up any existing C:\MININT directory
If oFSO.FolderExists("C:\MININT") then
    On Error Resume Next
    oFSO.DeleteFolder "C:\MININT", true
    On Error Goto 0
End If

' Clean up any existing C:\_smstasksequence directory
If oFSO.FolderExists("C:\_smstasksequence") then
    On Error Resume Next
    oFSO.DeleteFolder "C:\_smstasksequence", true
    On Error Goto 0
End If

On error resume next
Dim fso, WShell, oFile
Set WShell = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.filesystemobject")

scriptroot = oEnvironment.Item("SCRIPTROOT")

MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted"
WShell.Run "wpeutil shutdown",0, True

</script>
</job>

 

 

 

ciscoeuk    0

is there a way in sccm boot image to create a continuation screen

ie

after input your password you get asked the question

Do you wish to continue?

yes cancel

cancel the machine to existing systems

the reason that I require this is that a work buddy accidentally kicked off a full refresh build we were testing in the lab but realized he kicked off in the live estate it was not passworded, as we were still working on it

zick    0

Update

if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick

 

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
    ID="objTest"
    APPLICATIONNAME="REBUILD"
    SCROLL="yes"
    SINGLEINSTANCE="yes"
>
</head>

<script LANGUAGE="VBScript">

Sub TestSub
    ' The WScript object is not available inside an HTA, so call CreateObject directly
    Set WshShell = CreateObject("WScript.Shell")

    If PasswordArea.value = "password" Then
        MsgBox "Thanks password is correct. Task sequence will now continue"
        ' Record the successful check in the registry
        WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild", "00000000", "REG_DWORD"
        Self.Close
    Else
        MsgBox "Sorry, password is not correct. Please try again"
    End If
End Sub

</SCRIPT>

<body>

<P>MICROSOFT SCCM</P>
<P>SYSTEM REBUILD</P>
<input type="password" name="PasswordArea" size="30"><P>
<input id=runbutton class="button" type="button" value="ENTER" name="run_button" onClick="TestSub">

</body>
</html>

 

cheers

niall

 

I am trying to follow the instructions here on creating the HTA to prompt for a password but when I use the above code, I get an error message;

Script:

Line: 10

Char: 4

Error: The end tag does not match the start tag : HTA:APPLICATION

Code: 80040022

Source: Windows Script Host

 

 

Can someone help with this?

wireshark    0

Great job.

 

Works perfect, But I have one major problem :)

 

What if the machine has Bitlocker enabled... ?

 

In order to "restart in WinPE" I need to put in a "Disable Bitlocker" step otherwise in order to prestage the Boot Image.

 

It works perfect if the right password is entered. But if the user decide to "abort" then Bitlocker will be "suspended" when the machine is turned on again.

 

Is there a workaround for this or do I miss something... ? :)
