none
Password Protect Task Sequence

    Question

  • Hi guys, I am looking to password protect my rebuild task sequence. Basically I want to have a task sequence which every SCCM client can see via run advertised programs. Then I want helpdesk to be able to troubleshoot it down to the machine requiring a rebuild, if this is required they can kick this off from Run Advertised Programs. However in order for standard users to not run this themselves I want to be able to password protect the task sequence

    The following below works but only after booting into WINPE, which of course the helpdesk person cannot enter it in at this point as he has no remote tools running. Also it appears when placing in the password it is clear text, anyway to hide the charecters so users cant see this if say the helpdesk person is remoted on via UltraVNC

    http://www.windows-noob.com/forums/index.php?/topic/2336-password-protect-a-task-sequence/ 

    Any ideas here would be great

    Thanks

    Thursday, June 30, 2011 2:51 AM

Answers

  • you can make a dependancy on the task sequence so that a HTA run's first, that way the HTA run's as user permissions before the ts kicks off. to do this right click on the task sequence, properties, advanced and choose Run Another Program First

    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    • Marked as answer by nickm34 Sunday, July 3, 2011 10:07 PM
    Thursday, June 30, 2011 8:22 AM
    Moderator
  • why not, simply create your own validate section in the TS at the beginning of the TS, if the key is present it continues, if not it exits (similar to the way the password prompter exits)


    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    • Marked as answer by nickm34 Sunday, July 3, 2011 10:07 PM
    Friday, July 1, 2011 4:51 AM
    Moderator

All replies

  • Hi - Am not sure the below blog will help you or not. But, really worth going through it (if you are not)......

    http://blogs.technet.com/b/cameronk/archive/2010/04/27/creating-a-user-interactive-task-sequence-experience.aspx


    Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, June 30, 2011 6:10 AM
  • you can make a dependancy on the task sequence so that a HTA run's first, that way the HTA run's as user permissions before the ts kicks off. to do this right click on the task sequence, properties, advanced and choose Run Another Program First

    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    • Marked as answer by nickm34 Sunday, July 3, 2011 10:07 PM
    Thursday, June 30, 2011 8:22 AM
    Moderator
  • Thanks guys,

    Niall I have got an HTA application up and running and looks to be exactly what I am after. And I can get it to exit if incorrect password is entered, however at this point it will continue on regardless of whether the password is correct or not. I suppose I dont know how to gracefully exit without starting the task sequence if it is entered incorrectly and how to continue on with the task sequence if it is entered correctly

    Nick

    Thursday, June 30, 2011 11:18 PM
  • Ok, think Im on the right track. What I have thought of is to kick off HTA app which prompts for a password. If this is entered correctly it will add a registry entry such as HKLM\Rebuild\ etc... then the task sequence steps can be set so that they are conditional on the existence of this reg key

    Thats fine but what I would want is to be able to set the whole task sequence to be conditional on a reg entry. Is this possible?

    Thanks

    Friday, July 1, 2011 1:18 AM
  • why not, simply create your own validate section in the TS at the beginning of the TS, if the key is present it continues, if not it exits (similar to the way the password prompter exits)


    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    • Marked as answer by nickm34 Sunday, July 3, 2011 10:07 PM
    Friday, July 1, 2011 4:51 AM
    Moderator
  • Thanks Niall,

    I setup a top level group named "Password Check" and under this group I have all others such as Setup Operating system, install software etc. However the behviour I would have expected is that if it does not find the reg key in this top level group it would not continue on with the nested groups. It seems as though it performs the correct check, does not find the key but then continues on with the rest of the task sequence... so not getting it to exit gracefully at that top level if the key does not exist. Do you think that I should use a similar exit strategy to the password prompter mentioned above?

    Thanks

    Nick

    Sunday, July 3, 2011 8:29 PM
  • use a WSF to exit from the ts much like the one i provided in the Password Protect a Task Sequence, have you tried that ?

    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    Sunday, July 3, 2011 8:55 PM
    Moderator
  • GOT IT! Sorry, had incorrect nestings of my groups so had a couple of groups which fell outside this top level password check group. I moved these up so they all sit under the top level group. looking all good now. It will successfully exit if entered incorrectly (exits gracefully). and continues on with task sequence if password is entered correctly

    Below is my HTA applicaiton if anyone is interested. Thanks

    <html>
    <head>
    <title>HTA Test</title>
    <HTA:APPLICATION
         ID="objTest"
         APPLICATIONNAME="REBUILD"
         SCROLL="yes"
         SINGLEINSTANCE="yes"
    >
    </head>

    <SCRIPT LANGUAGE="VBScript">


        Sub TestSub
     
     set WshShell = WScript.CreateObject("WScript.Shell")

     if PasswordArea.value = "password" Then
      Msgbox "Thanks password is correct. Task sequence will now continue"
      WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
      Self.Close  
     Else
      Msgbox "Sorry, password is not correct. Please try again"
     End If
        End Sub

    </SCRIPT>

    <body>


     <P>MICROSOFT SCCM</p>
     <P>SYSTEM REBUILD</P>
        <input type="password" name="PasswordArea" size="30"><P>
        <input id=runbutton  class="button" type="button" value="ENTER" name="run_button"  onClick="TestSub">

    </body>

    Sunday, July 3, 2011 10:07 PM
  • thanks Nick

    i've updated the original post to link back here and to include your code snippet above,

    cheers

    niall



    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    Monday, July 4, 2011 1:11 PM
    Moderator
  • Can you expound on this a little?  I have the same problem we are trying to solve.  I don't understand the part of making an HTA run first to get the password prompt.
    Wednesday, September 7, 2011 5:55 PM
  • a hta is just a html web page, can be anything, and in this case it simply prompts the user in windows to enter a password, if correct then the rest of the task sequence can begin,

    the key here is that the first dependancy, runs in Windows under the user's context, the remaining (the actual task sequence) runs in System, you see you can't display a HTA in windows under the system account as you'll never see it, hence this workaroun/fix/whatever

     

    cheers

    niall



    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    Wednesday, September 7, 2011 9:31 PM
    Moderator
  • GOT IT! Sorry, had incorrect nestings of my groups so had a couple of groups which fell outside this top level password check group. I moved these up so they all sit under the top level group. looking all good now. It will successfully exit if entered incorrectly (exits gracefully). and continues on with task sequence if password is entered correctly

    Below is my HTA applicaiton if anyone is interested. Thanks

    <html>
    <head>
    <title>HTA Test</title>
    <HTA:APPLICATION
         ID="objTest"
         APPLICATIONNAME="REBUILD"
         SCROLL="yes"
         SINGLEINSTANCE="yes"
    >
    </head>

    <SCRIPT LANGUAGE="VBScript">


        Sub TestSub
     
     set WshShell = WScript.CreateObject("WScript.Shell")

     if PasswordArea.value = "password" Then
      Msgbox "Thanks password is correct. Task sequence will now continue"
      WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
      Self.Close  
     Else
      Msgbox "Sorry, password is not correct. Please try again"
     End If
        End Sub

    </SCRIPT>

    <body>


     <P>MICROSOFT SCCM</p>
     <P>SYSTEM REBUILD</P>
        <input type="password" name="PasswordArea" size="30"><P>
        <input id=runbutton  class="button" type="button" value="ENTER" name="run_button"  onClick="TestSub">

    </body>

    I am trying to following the instructions here on creating the HTA to prompt for a password but when I use the above code, I get an error message;

    Script:

    Line: 10

    Char: 4

    Error: The end tag does not match the start tag : HTA:APPLICATION

    Code: 80040022

    Source: Windows Script Host

    Can someone help with this?

    Friday, June 8, 2012 2:51 PM
  • Change your file extension to .hta instead of .wsf

    In this case, the script is now an HTA file and no more a Windows Script File.


    Cumputer operator MCP and A+ certified

    Tuesday, August 7, 2012 12:08 PM
  • Am I correct in thinking this all you need at the top level of a TS, or is there more, maybe something that reads the REGKEY and allows the MDT to continue?

    Thank you

    Tuesday, September 25, 2012 9:04 AM
  • Should I be able to run this hta file from my desktop to test it?  When I run it, it opens.  However, when I enter the password, I get 

    An error has occurred in the script on this page.

    Line: 18

    Char: 2

    Error:  Object required: 'WScript'

    Code: 0

    URL:   file:///C:/Users/User.Account/Desktop/Scripts/password.hta

    I used the exact code Nick added earlier.

    Thanks for any help

    Monday, March 4, 2013 7:05 PM
  • CSMatMat, the original script block was written for .wsf and will need an edit before executing as an .hta will work:

    You'll need to edit the line:

    set WshShell = WScript.CreateObject("WScript.Shell")

     

    To get rid of first "WScript." so it looks like this:

    set WshShell = CreateObject("WScript.Shell")

     

    I hope that helps!

     

     

    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    <-- If this post was helpful, please click "Vote as Helpful".


    • Edited by NPherson Monday, March 4, 2013 8:36 PM
    Monday, March 4, 2013 8:36 PM
  • Thanks Nash.  The resolves the issue.  I think everything is good but I can't get my hta to pop up.   I see it running in task manager.   The task sequence is suspended so I know it's waiting for the hta to be closed.    Any ideas on how to make this appear?

    This is sccm 2012 btw to note.

    Thanks

    Tuesday, March 5, 2013 12:18 AM
  • We have SCCM 2012 too and am also having trouble making the HTA to pop up.  Anyone found any answers?

    cheers TIA.

    Thursday, March 20, 2014 4:00 AM
  • I have been working at implementing an HTA file to password protect my SCCM 2012 R2 task sequences as discussed here and various places throughout the web. I a looking for some clarification why the "Use Toolkit Package" is needed in the task sequence before the .WSF script (below) can run? I assume it is because it is calling the ZTIutility.vbs script which is part of MDT, but I don't understand what is actually happening. Could someone explain?

     <job id="setEnv"> <script language="VBScript" src="..\ZTIUtility.vbs"/> <script language="VBScript"> Dim oTSProgressUI set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI") oTSProgressUI.CloseProgressDialog() On error resume next Dim fso, WShell, oFile Set WShell = CreateObject("WScript.Shell") Set fso = CreateObject("scripting.filesystemobject") scriptroot = oEnvironment.Item("SCRIPTROOT") MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted" WShell.Run "wpeutil shutdown",0, True </script> </job>

    Also, it there any other way to gracefully shut down the task sequence with out integrating MDT into SCCM to get the "Use Toolkit Package" option?

    --Tony

    Friday, June 20, 2014 3:44 PM