none
unattend.xml with Windows Sim for Windows 10

    Question

  • Windows Sim uses Base64 to encode the password.  It is not secure.  Powershell can be used to retrieve the password and Microsoft needs to patch this immediately.  All that is required is that you save the encoded password to a file like c:\pwd.txt  then from Powershell
    ps> $encryptedpwd = get-content c:\pwd.txt
    ps> $encryptedpwd
    (your base64 password from windows sim is displayed here)
    ps> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encryptedpwd))
    (Your password is shown here)

    What can we use to add a local system admin account during sysprep without using an A.D. service account?


    -Dat Guy



    • Edited by Killin4Gsus Thursday, April 20, 2017 12:50 PM
    Thursday, April 20, 2017 12:45 PM

All replies

  • Hi ,

    I am not familiar with PowerShell, I am not sure about that. 
    Is this meet your requirements?
    $encryptedpwd  | ConvertTo-SecureString -AsPlainText -Force

    Is this article helpful for you?
    Working with Passwords, Secure Strings and Credentials in Windows PowerShell
    https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Saturday, April 22, 2017 3:53 AM
    Moderator
  • Rick - Unattend.xml is otherwise known as the "Answer File" for when you install windows... or sysprep it.  Microsoft developed Windows SIM.   When you instruct Windows Sim to "Hide Sensitive Data" it doesn't encrypt the passwords used to create user accounts.  Instead, it converts it to Base64 and pretends that it was encrypted.  Currently, Microsofts recommendation is to "delete" the answer file - but that doesn't prevent  someone from stealing your usb or your unattend and simple decoding it with powershell.  It's important because if someone makes a local user account in Windows through the unattend then your password isn't hidden for that account at all.  It's only encoded in Base64 and not encrypted in something like AES for example... Not that Microsoft could prevent themselves from releasing private keys...


    -Dat Guy

    Saturday, April 22, 2017 8:52 AM
  • Hi ,

    Thanks for sharing this information. Can you introduce us more procedure so we could try to reproduce it?
    Besides, you could use the built-in Feedback Hub to submit it, draw Microsoft's attention.

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 25, 2017 8:57 AM
    Moderator