MDT Autologon Password not Encrypted when only preparing SysPrep

  • Question

  • So I came across a disturbing discovery while testing an MDT deployment.

    Apparently, when the Deployment Share is set to DoCapture=PREPARE, MDT copies an unattend.xml file to the Windows\System32\Sysprep folder which contains the plain-text password used for the Administrator account!

    I am already aware of the article at https://social.technet.microsoft.com/Forums/en-US/e917d11a-b54d-4979-9429-218babedb7f6/mdt-2013-password-shown-in-plain-text which indicates a very similar issue, but it is not quite the same.  Even with the 'Hide Sensitive Data' setting enabled in the WSIM, it does not change the behavior for the unattend.xml file(s) that I believe are created when the target system is executing the Task Sequence.

    Fortunately, it is easy enough to change the password once MDT is complete, and even better that we disable the account.  But people should be aware that if you only PREPARE SysPrep in MDT, you will be storing a plain-text copy of the password on your reference system.

    Elohir

    Wednesday, November 21, 2018 7:46 PM

All replies

  • In MDT you can edit the unattended file and it will open in the Windows System Image Manager. Under the Tools menu select the option to Hide Sensitive Information. This will "encrypt" the password and certain other items with a string like "UABhAHMAcwB3AG8AcgBkADEAMgAzADQANgBQAGEAcwBzAHcAbwByAGQA".

    You can also make sure any setup files are deleted by creating a SetupComplete.cmd file and placing it in the Windows > Setup > Scripts folder. Just list as many "del" commands as needed to delete any files you want.

    Wednesday, November 21, 2018 10:57 PM
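An added audit script, not from this thread or from MDT, that checks an answer file for the two password elements discussed above and reports whether each is plain text or only WSIM-"hidden" (the base64 form quoted in the reply, which is reversible encoding rather than encryption). The sample XML, the password value and the Panther path are constructed or assumed here; the Sysprep path is the one the original post names.

```powershell
# Added example (not the thread's or MDT's code): audit answer files for account passwords.
# WSIM "Hide Sensitive Data" stores base64(UTF-16LE(password + element name)); that is
# reversible, not encryption, so a "hidden" file must still be treated as a secret.
function Get-UnattendPasswordFindings {
    param([Parameter(Mandatory)][xml]$Unattend, [string]$Source = '<inline sample>')
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    # Matches AutoLogon/Password, LocalAccount/Password and UserAccounts/AdministratorPassword
    foreach ($node in $Unattend.SelectNodes('//u:Password | //u:AdministratorPassword', $ns)) {
        $raw   = $node.SelectSingleNode('u:Value', $ns).InnerText
        $plain = $node.SelectSingleNode('u:PlainText', $ns).InnerText -eq 'true'
        $kind  = 'PLAINTEXT'
        if (-not $plain) {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($raw))
                $kind = if ($decoded.EndsWith($node.LocalName)) { 'BASE64-OBFUSCATED (reversible)' } else { 'UNRECOGNISED ENCODING' }
            } catch { $kind = 'UNRECOGNISED ENCODING' }
        }
        [pscustomobject]@{
            Source  = $Source
            Pass    = $node.SelectSingleNode('ancestor::u:settings/@pass', $ns).Value
            Element = "$($node.ParentNode.LocalName)/$($node.LocalName)"
            Kind    = $kind
        }
    }
}

# Constructed sample: AutoLogon left in plain text (what the Sysprep copy showed),
# AdministratorPassword "hidden" the way WSIM encodes it. Password value is made up.
$hidden = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Sample123!' + 'AdministratorPassword'))
$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon><Password><Value>Sample123!</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><Username>Administrator</Username></AutoLogon>
      <UserAccounts><AdministratorPassword><Value>$hidden</Value><PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
    </component>
  </settings>
</unattend>
"@
Get-UnattendPasswordFindings -Unattend ([xml]$sample) | Format-Table -AutoSize

# Real locations: the Sysprep copy from the thread, plus Setup's Panther cache (assumed path).
foreach ($path in "$env:SystemRoot\System32\Sysprep\unattend.xml", "$env:SystemRoot\Panther\unattend.xml") {
    if (Test-Path $path) {
        Get-UnattendPasswordFindings -Unattend ([xml](Get-Content -Raw $path)) -Source $path | Format-Table -AutoSize
    }
}
```

Any row reported as PLAINTEXT or BASE64-OBFUSCATED means the file still has to be removed (for example via the SetupComplete.cmd approach above) and the password rotated on the reference image.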
  • Hi Greg,

    Thanks for the info, but that has no effect.

    As I mentioned, I already reviewed another article with that same recommendation.  Those settings do not affect the XML file that is generated during the Task Sequence and placed in the C:\Windows\System32\Sysprep folder when you prepare Sysprep.

    I have yet to confirm if other DoCapture settings produce the same result, but I have not yet had a chance to verify, as we need to perform additional customizations before running sysprep.

    I agree the files will need to be deleted, as well as the password changed.  But as I said, I thought it was important to let users know the default behavior introduces a large security risk, especially if you are using the same password across multiple systems.

    Elohir

    Thursday, November 22, 2018 4:13 AM
  • Yes, but that seems to be by design. It should work when you edit the task sequence: you can modify the unattended file there. It will open in Windows SIM and encrypt the passwords.  You can see more about it here, https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file.

    Monday, November 26, 2018 10:46 PM
  • Strange "design" choice it seems to me.

    Underneath the "Control" folder of the MDT Deployment Share, there is a folder for each Task Sequence which contains a copy of Unattend.xml.  For the most part, this is the same file that is placed in the C:\Windows\System32\Sysprep folder after the MDT Wizard has completed.

    But it's not exactly the same.  Most importantly is the change in password state (clear text in sysprep, encrypted on the Deployment Share).  But there are also some other minor variations.  So even though I have edited the unattend.xml file inside the Task Sequence, some changes don't propagate to the version in the sysprep folder.

    Another issue is that the unattend.xml file refers to an LTIBootstrap.vbs script as part of its FirstLogonCommands.  But that script no longer exists on the system.  I can't even find a copy in the 'scripts' folder of the Deployment Share.

    So it looks like I will need to craft my own unattend.xml file to replace the one created by MDT in sysprep.

    Elohir

    Wednesday, November 28, 2018 12:21 AM