Secret task sequence variable value Exposed
We have the need to run a command line in the task sequence and leverage a secret value TS variable ADMACCTPW set with the local admin account password. Example Run Command Line "net user admin %ADMACCTPW%
The issue is in the SMSTS.log the variables are all expanded like the ProgramName = 'net user admin mynewadminpassword' InstallSoftware 7/1/2016 12:58:58 PM 4468 (0x1174)
Thereby exposing the secret value TS variable
Updating to completed – this item is addressed in our 1806 release. Thanks for the suggestions and feedback
A. G. commented
Workaround for the time beeing
Use a powershell wrapper: SMSTSEnvironment doesn't expose the task sequence variable in smsts.log.
But nevertheless, Microsoft, please fix this behaviour.
Michael Kenntenich commented
Your workaround works, but the basic issue is that "secret" values for Task sequence variables are exposed in smsts.log although it is protected in the console and database. The tool smsswd.exe should really be changed so that it won't expose the full program name including all parameters when a secret task sequence variable is used.