Jump to content

  • 0

Password Protect a Task Sequence?


I have successfully set up our environment to PXE (thanks to Anyweb's many guides) and have the boot media set to use a password to get to the list of available Task Sequences, but I was wondering if there were a way to password protect a task sequence that is selected.

For example: anyone can select the task to deploy Windows XP or Windows7, however, if someone selects Windows Server 2008, something will prompt for another password and the sequence will fail if it's not correct.


Does that make any sense or is it possible?


Thanks in advance!

Share this post

Link to post
Share on other sites

Recommended Posts

  • 0

yes it's possible and here's how to do it *note this happens in Windows PE*




create a blank text file in notepad called promptforpassword.wsf


paste the following into it


<job id="PromptForPassword">

<script language="VBScript" >

Dim env,oTSProgressUI,MyPass
Set env = CreateObject("Microsoft.SMS.TSEnvironment")

set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")


MyPass=Inputbox("Please enter the Password to continue")

If MyPass = "password" then
End If






Create another blank text file in notepad called Shutdown.wsf, this file will be placed in a sub folder of the scripts folder of your MDT Files package (eg: scripts\ts password)


The Shutdown.wsf file should look like this, note that it depends on the MDT toolkit files package to be loaded prior to running.


<job id="setEnv">
 <script language="VBScript" src="..\ZTIUtility.vbs"/>
 <script language="VBScript">

Dim oTSProgressUI
set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")

 	On error resume next
Dim fso, WShell, oFile
Set WShell = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.filesystemobject")

scriptroot = oEnvironment.Item("SCRIPTROOT")

MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted"
WShell.Run "wpeutil shutdown",0, True 



Create the Package


Create a package called Prompt for Password and place the password script file above in the package, distribute it to distribution points. Add the shutdown.wsf script to a folder called TS Password and copy that folder to the Scripts subfolder of your MDT files package, redistribute that to it's distribution Points.



Create the Task Sequence


In ConfigMgr create a blank custom MDT task sequence, and for the first step have a Use Tollkit Package (this step is needed for the shutdown.wsf script later).


Once done, add a new Run Command Line step to your task sequence, the step will call the promptforpassowrd.wsf file in the package you've just created, like so


Command line:

cscript "promptforpassword.wsf"



Prompt For Password


Next create a Shutdown Step,


The Shutdown step in the task sequence will check for the variable called ALLOWOSDBUILD,

if ALLOWOSDBUILD = no then the Task Sequence will run another script (shutdown.wsf) otherwise it will continue as normal.


So for the Shutdown step click on the options tab and set it as follows



This group/step will run if the following conditions are met:

Task Sequence Variable ALLOWOSDBUILD not equals "YES"



Command line:

cscript "shutdown.wsf"



MDT Files



so long story short, if someone enters the right password, they are allowed to continue, if they don't the task sequence shuts down.

if you want I can post a demo of this via webcast..





if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick


<title>HTA Test</title>

<script LANGUAGE="VBScript">

   Sub TestSub

set WshShell = WScript.CreateObject("WScript.Shell")

if PasswordArea.value = "password" Then
 Msgbox "Thanks password is correct. Task sequence will now continue"
 WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
 Msgbox "Sorry, password is not correct. Please try again"
End If
   End Sub



   <input type="password" name="PasswordArea" size="30"><P>
   <input id=runbutton  class="button" type="button" value="ENTER" name="run_button"  onClick="TestSub">





  • Like 1

Share this post

Link to post
Share on other sites

  • 0



by the way you can even make the Task Sequence 'invisible' to computers in RAP (Run Advertised Programs) by doing as follows:


right click on your task sequence, choose Properties


click on the Advanced tab


Select an operating system from the list which is NOT in use in your organisation *eg: Windows Vista X64, or Windows 2000*


click Apply,




once done, you will not see the Task Sequence listed in RAP on any of your Windows XP or Windows 7 or Windows Server computers, but you will be able to PXE boot and run the Task Sequence as normal.

Share this post

Link to post
Share on other sites

  • 0

That would be great if its not too much work

I can tell you that it works great. I got it set up and it works exactly the way i need it to do.

Thank you so much, anyweb!!!!

Share this post

Link to post
Share on other sites

  • 0

here's a sample Task Sequence to see it in action, simply import the XML file into SCCM 2007 sp2 (with MDT 2010 integrated) and you are nearly ready to go,

you will have to edit the task sequence to point to your packages, one package is the prompt for password containing the original wsf file, the second package is your mdt files package (which contains a subfolder in scripts called TS Password, which in turn contains the shutdown.wsf script)


Prompt For Password.xml


In my example task sequence I install an application (microsoft security essentials) after successful password completion, however you could install an entire OS or more as you would with any task sequence, it's up to you.


Here's a description of the Task Sequence Steps:-


Restart to Windows PE


This does a check in the options tab to see if we are in WinPE, if not, it restarts the computer into WinPE so you will need to attach a boot image to this Task Sequence. The reason for this check is that we cannot interact with the user on the desktop in Windows itself, only in WinPE.


The options we set are:


This group/step will run if the following conditions are met:
If All the conditions are true:

Task Sequence Variable _SMSTSinWInPE equals False


restart to windows pe.jpg


Prompt For Password


This step runs the actual promptforpassword.wsf script directly from the package we put it in, you could clean this up even more by placing the script in the mdtfiles/scripts/ts password folder (more on that later). I've also got yet another check in here (not needed if you include the previous step) to see that we are in WinPE (see the options tab). This script returns a value for the AllowOSDBuild variable, either YES or NO depending on whether you enter the password correctly or not.




Use Toolkit Package


This step loads the MDT Files package (needed for the next step) and you should know by now that we have copied the TS Password folder containing shutdown.wsf to the scripts sub directory of the MDT Files package.






This step executes the script called shutdown.wsf contained in the TS Password subfolder (in the scripts directory of MDT Files package). This script will shutdown the computer if:


* AllowOSDBuild=NO


* If you click on Cancel at the password prompt screen.


Below is a copy of the Shutdown Step options




Rest of Task Sequence


If the user enters the correct password the the Rest of the Task sequence steps will be ran as normal, in this example I install an application after rebooting back into Windows, (you can put whatever you want here, like installing an OS or migrating from XP to 7 or whatever !).




Share this post

Link to post
Share on other sites

  • 0

are you loading the mdt files package in a previous step, it contains that vbs file...



That's the way I have it set. I would assume that the toolkit files are loading because the shutdown.wsf is being called. My password would simply replace "password" in this, correct?


If MyPass = "password" then


End If

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.