Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

Secret task sequence variable value exposed

We have the need to run a command line in the task sequence and leverage a secret value TS variable ADMACCTPW set with the local admin account password. Example Run Command Line: "net user admin %ADMACCTPW%".
The issue is that in the SMSTS.log the variables are all expanded, like: ProgramName = 'net user admin mynewadminpassword' InstallSoftware 7/1/2016 12:58:58 PM 4468 (0x1174)

Thereby exposing the secret value TS variable.

42 votes
Rick Gates shared this idea

Admin response:

Updating to completed – this item is addressed in our 1806 release. Thanks for the suggestions and feedback

General Blog: https://cloudblogs.microsoft.com/enterprisemobility/2018/07/31/update-1806-for-configuration-manager-current-branch-is-now-available/

Docs: https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1806

8 comments

  • Anonymous commented

    This problem is NOT solved with 1810 and the 1810 cumulative Hotfix Rollup KB4486457!

  • AdminBob Mac Neill (Software Engineer, System Center Configuration Manager) commented

    Thanks for the additional comments.

    There was a bug where if the task sequence steps were reordered then the variable was replaced by a GUID, this was fixed 8 September. Any Technical Preview from 1809 onwards would have the fix - https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

    Please note, we don't always look back on comments for items that are marked closed. For bug reports please use Feedback Hub or Send a Frown to submit this to the product group. For more information, see: https://docs.microsoft.com/en-us/sccm/core/understand/find-help

  • Jose Espitia commented

    I'm running into the same exact issue that Sassan Fanai mentioned. There seems to be a bug where the masked TS variable is changed to a string/guid.

  • Sassan Fanai commented

    Agree with Mike D, this doesn't really work as you would expect.
    OSDDoNotLogCommand should mask the command line in smsts.log; as the hidden TS variable is expanded and shown in clear text, masking the program name doesn't really make sense imo.

    Example:
    TS Variable configured with "Do not display this value" and its value set to "secret1" in this example. OSDDoNotLogCommand also set to True.

    In smsts.log you see these lines:

    - ProgramName is not shown in log since task sequence variable 'OSDDoNotLogCommand' is set to 'True'
    - ProgramName = '*******************'
    .......
    - Command line cmd /C echo secret1 >> C:\TEMP\hidden.txt returned 0

    "Secret1" being the masked TS variable value.
    There also seems to be a bug, where the masked TS variable is changed to a string/guid IF you change the TS after you've set the masked value. Following the example above, you'd see the following in smsts.log AND in the "hidden.txt" file in this example.

    Command line cmd /C echo fee4457b-e6c3-4618-81f8-f26885e49866 >> C:\TEMP\hidden.txt returned 0

  • mike d commented

    This still doesn't work as expected based upon the original requester's intentions in CB1806.

    The SMSTS.log still contains the full command line and plain-text variable when using both "Do not display this value" when setting/creating the TS Variable and setting "OSDDoNotLogCommand" to TRUE prior to running the step.

  • A. G. commented

    Workaround for the time being

    Use a PowerShell wrapper: SMSTSEnvironment doesn't expose the task sequence variable in smsts.log.

    But nevertheless, Microsoft, please fix this behaviour.
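A wrapper in the spirit of A. G.'s workaround, added here as an example (not code from the thread, from Microsoft, or from any commenter). It assumes the variable name ADMACCTPW from the original idea, a local account named "admin", and a "Run PowerShell Script" step in the full OS where the LocalAccounts module is available:

```powershell
# Added example. Assumes the secret TS variable is named ADMACCTPW and the
# local account is "admin". Run it as a "Run PowerShell Script" step: the task
# sequence engine then logs only the script path as the command line, not the
# expanded secret.

# Task sequence COM object; only available while a task sequence is running.
$ts = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Read the secret straight from the TS environment instead of expanding
# %ADMACCTPW% on a command line that smsts.log would record.
$plain = $ts.Value('ADMACCTPW')
if ([string]::IsNullOrEmpty($plain)) {
    throw 'ADMACCTPW is not set in the task sequence environment'
}

try {
    # Set the password in-process. Shelling out to "net user admin <password>"
    # would put the secret on a child process command line, where process
    # creation auditing (and the TS engine) could log it.
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -Name 'admin' -Password $secure

    # Never Write-Output/Write-Host the value: the TS engine captures script
    # output into smsts.log.
    Write-Output 'Local admin password updated.'
}
finally {
    # Drop the plaintext copies as soon as they are no longer needed, and blank
    # the variable so later steps can neither read nor expand it.
    $plain = $null
    $ts.Value('ADMACCTPW') = ''
}

# Post-step check: confirm the log does not contain the value that was just
# used. _SMSTSLogPath is the built-in read-only variable holding the log folder.
function Test-SecretInLog {
    param([string]$LogFolder, [string]$Secret)
    $log = Join-Path $LogFolder 'smsts.log'
    if (-not (Test-Path $log)) { return $false }
    return [bool](Select-String -Path $log -SimpleMatch -Pattern $Secret -Quiet)
}
```

Call Test-SecretInLog from a test deployment with a throwaway password before trusting a given site version or hotfix, since several commenters above report the masking behaving differently across releases.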

  • Michael Kenntenich commented

    Your workaround works, but the basic issue is that "secret" values for task sequence variables are exposed in smsts.log although they are protected in the console and database. The tool smsswd.exe should really be changed so that it won't expose the full program name including all parameters when a secret task sequence variable is used.
