Powershell Scheduled Task; Encrypted Password: Key not valid for use in specified state

  • Question

  • Hello everyone!

    This is my first post in this forum and I'm looking forward to it!

    Anyway here's the problem. I got a Powershell Script which I want to implement in the Task Scheduler. The script automates the VMWare Tool upgrade. The problem is the following: when I manually run the task over Powershell it completes without an error. BUT if I run the task through Task Scheduler it displays an error in the log I create.

    Here's the script:

    Start-Transcript -Path C:\temp\log.txt -Append
    
    #Decrypt Password
    $securePass = Get-Content C:\Path\EncryptedPwd.txt | ConvertTo-SecureString
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
    $Pwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    
    #Username
    $user = "USER"
    
    
    #Load VMware Power-CLI Snap-In
    Get-Module -Name VMWare* -Listavailable | Import-Module
    #vCenter FQDN
    $VCenterName = "VCenterFQDN"
    #Connect vCenter 
    Connect-VIServer -Server $VCenterName -User $user -Password $Pwd 
    #Update VMware Tools by tags
    Get-VM -Tag "Tag" | Where-Object { $_.ExtensionData.Guest.ToolsVersionStatus -eq 'guestToolsNeedUpgrade' -and $_.PowerState -eq 'PoweredOn' } | Get-VMGuest | Where-Object { $_.GuestFamily -eq "windowsGuest" } | Update-Tools -NoReboot -RunAsync
    
    Stop-Transcript
    
    #exit(0)
    
    
    <##
    #Pause the script
    Start-Sleep -s 180
    #Generate report for PRTG check
    Get-VM -Tag "Tag" | Where-Object { $_.ExtensionData.Guest.ToolsVersionStatus -eq 'guestToolsNeedUpgrade' -and $_.PowerState -eq 'PoweredOn' } | Get-VMGuest | Where-Object { $_.GuestFamily -eq "windowsGuest" } | Out-File C:\PathToReport.txt -width 120
    ##>

    The error in the log is the following:

    At C:\PathToPSScript.ps1:13 char:70
    + ... ent C:\Path\EncryptedPwd.txt | ConvertTo-SecureString
    +                                                    ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
        + FullyQualifiedErrorId :
    ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
    ConvertTo-SecureString : Key not valid for use in specified state.

    As you can see there's a problem in the ConvertTo-SecureString and I have not found a possible explanation till now why it is working when I start the script manually and why it isn't working when it is run through the Task Scheduler.
    There are more errors, but they are errors due to the ConvertTo-SecureString error.

    Can anyone help me here?



    • Edited by abeerance Monday, February 26, 2018 12:07 PM change
    Monday, February 26, 2018 12:05 PM

Answers

  • Hello,

    A secure string only works with the user which created the secure string.
    In order to make it work with your scheduled task you have to create the encrypted password in the context of the scheduled task user.

    • Marked as answer by abeerance Monday, February 26, 2018 12:56 PM
    Monday, February 26, 2018 12:22 PM

All replies

  • I just solved it myself. The problem was that I created the encrypted password as UserX but running the task as UserY.

    https://social.technet.microsoft.com/Forums/en-US/a2118fb3-bc5b-4278-8a1d-dced30842b60/powershell-as-scheduled-task-not-handling-credentials-properly?forum=ITCG

    Monday, February 26, 2018 12:30 PM
  • Didn't see your reply.
    But thanks man! Fast reply. Would have even saved me time if I saw it.

    Cheers

    Monday, February 26, 2018 12:56 PM
  • Hello,

    A secure string only works with the user which created the secure string.
    In order to make it work with your scheduled task you have to create the encrypted password in the context of the scheduled task user.

    This is exactly how I fixed my scheduled task that connects to Office 365, thanks to this post!

    Friday, August 10, 2018 8:52 AM
  • Also, make sure the task has a stored password if it's a task that can run if the user isn't logged on.
    So that means no (!) check at "Do not store password", see screenshot:

    Tuesday, November 20, 2018 12:27 PM
  • When I encrypt a password for another computer, I have to specify a key.

    Tuesday, November 20, 2018 3:30 PM
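
The two approaches from this thread side by side, as an added example that is not code from any of the posters: the default export is bound to the account that created it (so it must be created as the scheduled task's user), while `-Key` makes the file usable by other accounts and computers. The temp paths, the sample password and the helper name `Import-StoredPassword` are assumptions made for illustration.

```powershell
# Added example. Paths and the sample secret are constructed placeholders.
$dir     = Join-Path $env:TEMP 'securestring-demo'
$dpapi   = Join-Path $dir 'pwd.dpapi.txt'   # only readable by the account that wrote it
$keyFile = Join-Path $dir 'pwd.key'         # AES key, as sensitive as the password itself
$aesFile = Join-Path $dir 'pwd.aes.txt'     # readable by anyone who holds the key
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$secret = ConvertTo-SecureString 'Constructed-Sample-Pw1!' -AsPlainText -Force

# 1) Default export: protected for the current user on this machine.
#    Run this step AS the account the scheduled task runs under.
$secret | ConvertFrom-SecureString | Set-Content -Path $dpapi

# 2) Export with -Key: AES with a random 256-bit key, not tied to a user profile.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key); $rng.Dispose()
[System.IO.File]::WriteAllBytes($keyFile, $key)
$secret | ConvertFrom-SecureString -Key $key | Set-Content -Path $aesFile

# Hypothetical helper: load the stored password and name the account on failure.
function Import-StoredPassword {
    param([string]$Path, [byte[]]$Key)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $text = Get-Content -Path $Path -ErrorAction Stop
        if ($Key) { return ConvertTo-SecureString -String $text -Key $Key -ErrorAction Stop }
        return ConvertTo-SecureString -String $text -ErrorAction Stop
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # The "Key not valid for use in specified state" case from the question.
        throw "Cannot decrypt '$Path' as $who. Re-create the file under this account or use a key."
    }
}

$fromDpapi = Import-StoredPassword -Path $dpapi
$fromAes   = Import-StoredPassword -Path $aesFile -Key ([System.IO.File]::ReadAllBytes($keyFile))

# Build a credential object instead of converting the password back to plain text.
$cred = New-Object System.Management.Automation.PSCredential('USER', $fromDpapi)
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"Default ok: $($fromDpapi.Length) chars; key ok: $($fromAes.Length) chars; user: $($cred.UserName)"
```

Logging the running identity at the top of the scheduled script makes a UserX/UserY mismatch visible in the transcript immediately. If the key-based variant is used, restrict the key file's ACL to the task account, since anyone who can read it can recover the password.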