How To encrypt a password in unattendend.xml

  • Question

  • Hi @ll,

    I want to encrypt the passwords in the unattendend.xml (Windows 7). Right now they are all in PlainText.

    <LocalAccount wcm:action="add">
        <Password>
            <Value>P@ssw0rd</Value>
            <PlainText>true</PlainText>
        </Password>
        <Description>LocalAdmin</Description>
        <DisplayName>LocalAdmin</DisplayName>
        <Group>administrator</Group>
        <Name>LocalAdmin</Name>
    </LocalAccount>

    Which encryption is used? How can I generate the encrypted values?

    Best regards,
    Lucian

    Thursday, December 16, 2010 8:34 AM

Answers

  • Hi,

     

    Thanks for posting in Microsoft TechNet forums.

     

    Open Windows SIM.

    Open a Windows image. For more information, see Open a Windows Image or Catalog File.

    Open or create an answer file. For more information, see Open an Answer File.

    Add one of the following password settings to your answer file:

    Microsoft-Windows-Shell-Setup | AutoLogon | Password

    Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword

    Microsoft-Windows-Shell-Setup | UserAccounts | LocalAccounts | LocalAccount | Password

    Add a value to one or more of the password settings.

    On the Tools menu, check Hide Sensitive Data. This ensures that when the answer file is saved, the password information will be hidden.

    Save the answer file and close Windows SIM.

     

    Best Regards

    Magon Liu

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     


    • Marked as answer by Lucian85 Friday, December 17, 2010 12:18 PM
    Friday, December 17, 2010 8:32 AM
    Moderator

All replies

  • But how do I encrypt the domain password portion within x86_microsoft-windows-unattendjoin_neutral | identification | credentials | password?

    The method described above will only encrypt the following, respectively:

    Microsoft-Windows-Shell-Setup | AutoLogon | Password 

    Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword

    Microsoft-Windows-Shell-Setup | UserAccounts | LocalAccounts | LocalAccount | Password

    Would adding the domain administrator password to Microsoft-Windows-Shell-Setup | AutoLogon | Password and then removing the identification portion of x86_microsoft-windows-unattendjoin_neutral | identification | credentials | password achieve this? If so, what other implications would this have? Would systems always autologon as the domain administrator?

    Dustin

     

    • Proposed as answer by ccscott- Friday, November 17, 2017 12:33 AM
    • Unproposed as answer by ccscott- Friday, November 17, 2017 12:33 AM
    Thursday, April 19, 2012 8:39 PM
  • If only Microsoft had some kind of SQL product on the market that could store user id and passwords in an encrypted table and could be integrated with deployment solution....

    Thursday, November 14, 2013 5:06 AM
  • Windows SIM uses Base64 to encode the password.  It is not secure.  PowerShell can be used to retrieve the password and Microsoft needs to patch this immediately.  All that is required is that you save the encoded password to a file like c:\key.txt, then from PowerShell:
    ps> $encryptedpwd = get-content c:\key.txt
    ps> $encryptedpwd
    (your base64 password from windows sim is displayed here)
    ps> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encryptedpwd))

    (Your password is shown here)
    • Edited by Killin4Gsus Thursday, April 20, 2017 12:36 PM
    Thursday, April 20, 2017 12:15 PM
  • Even though this question was asked some time ago, I try to answer your questions, since I stumbled upon the same problem just yesterday.

    The password is rather obfuscated than encrypted. It is basically base64 encrypted with an added string plus padding bytes.


    If you do not want or cannot install the Microsoft SIM tools, this is the way to go:

    All that is required to create your own password is an editor that can insert NULL bytes and a base64 encoder. One editor capable of inserting NULL bytes is Notepad++.  A Linux machine with installed "base64" can be used to encode the password.

    So how to create a password? Let's take your above example.
    You want to create a local account and need to set the value inside the <Password> tag.

    Write your password into the editor. Let's assume you choose "IamAdmin" as a password. Now append "Password" to the line (see the above-mentioned tag). It must now read "IamAdminPassword". Now we need to insert the padding bytes.

    In Notepad++ choose Edit->Character Panel. Now insert a "00" byte after each character on your line by double clicking the first line in the ASCII Insertion Panel.
    The string should now look similar to this: "I a m A d m i n P a s s w o r d ".

    Do not add a carriage return to the end of your line! Now save your file to something meaningful like base64-pw.txt .

    All we need to do now is encode the file. I prefer the Linux command line, but you may choose any other available option. Transfer the file to the Linux machine and then run:
    cat base64-pw.txt | base64

    This will be the output for above example: SQBhAG0AQQBkAG0AaQBuAFAAYQBzAHMAdwBvAHIAZAA=

    Voila, we are done.

    You may want to encode the Password for the tag <AdministratorPassword> as well. Make sure to append "AdministratorPassword" to the end of your password before inserting the NULL bytes. It should read "IamAdminAdministratorPassword" then.


    Hope this will help...



    • Edited by Rayn0r42 Thursday, January 23, 2020 7:09 AM typos
    Thursday, January 23, 2020 6:58 AM
  • If you have access to a PowerShell console, you can encode passwords for your unattend file like so:

    $administratorPassword = 'never-gonna-give-you-up'
    $encodedAdministratorPassword = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(('{0}AdministratorPassword' -f $administratorPassword)))
    
    $autoLogonPassword = 'never-gonna-let-you-down'
    $encodedAutoLogonPassword = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(('{0}Password' -f $autoLogonPassword)))


    Tuesday, June 9, 2020 6:16 AM
  • I found that if you use PowerShell then you don't need to mess with ASCII

    So to encrypt Password I use:

    $UnEncodedText = 'IamAdminPassword'
    $EncodedText = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($UnEncodedText))
    write-host "Encoded_String_is:" $EncodedText

    And to decrypt :

    $EncodedText = 'SQBhAG0AQQBkAG0AaQBuAFAAYQBzAHMAdwBvAHIAZAA='
    $DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
    write-host "Decoded_Text_is:" $DecodedText

    Just need to remember to add "AdministratorPassword" to the built-in Administrator password and "Password" for other accounts.

    Tested this on unattended.xml for Win 10 2004


    Sunday, September 13, 2020 3:23 PM
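
Added example, not part of any post in this thread: because the "hidden" value is only Base64 over the password plus the element name, a deployment share can be audited for answer files whose passwords are trivially recoverable. The function name `Get-UnattendPasswordExposure`, its output fields and the sample XML are constructed for illustration, and the function assumes that any `<PlainText>` value other than `false` (including a missing element) means the password is stored in clear text.

```powershell
# Added example, not code from the thread. Reports how each password in an
# answer file is stored without printing the password itself.
function Get-UnattendPasswordExposure {
    param([Parameter(Mandatory)][xml]$Unattend)

    # Per the thread, the element name is also the suffix appended to the
    # password before it is UTF-16LE encoded and Base64 encoded.
    foreach ($name in 'Password', 'AdministratorPassword') {
        foreach ($node in $Unattend.SelectNodes("//*[local-name()='$name']")) {
            $value = $node.SelectSingleNode("*[local-name()='Value']")
            if (-not $value) { continue }
            $flag   = $node.SelectSingleNode("*[local-name()='PlainText']")
            $state  = 'PlainText'
            $length = $value.InnerText.Length
            if ($flag -and $flag.InnerText.Trim() -eq 'false') {
                $state, $length = 'Unrecognised', $null
                try {
                    $bytes = [System.Convert]::FromBase64String($value.InnerText.Trim())
                    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
                    if ($text.EndsWith($name, [System.StringComparison]::Ordinal)) {
                        $state  = 'Base64Recoverable'
                        $length = $text.Length - $name.Length
                    }
                } catch { }  # not valid Base64: stays 'Unrecognised'
            }
            [pscustomobject]@{
                Parent = $node.ParentNode.LocalName; Element = $name
                State  = $state; PasswordLength = $length
            }
        }
    }
}

# Constructed sample; the encoded value is the one quoted in the thread.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend"><UserAccounts>
  <LocalAccounts><LocalAccount>
    <Password><Value>SQBhAG0AQQBkAG0AaQBuAFAAYQBzAHMAdwBvAHIAZAA=</Value>
      <PlainText>false</PlainText></Password>
  </LocalAccount></LocalAccounts>
  <AdministratorPassword><Value>P@ssw0rd</Value>
    <PlainText>true</PlainText></AdministratorPassword>
</UserAccounts></unattend>
'@
Get-UnattendPasswordExposure -Unattend $sample | Format-Table -AutoSize
```

A row reported as `Base64Recoverable` carries the same exposure as one reported as `PlainText`: anyone who can read the file can read the password, so the file's access control and the account's post-deployment password rotation are what actually protect it.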