Note:
This post has been made entirely obsolete with ConfigMgr 1806 where Microsoft introduced the option to mask sensitive data in Task Sequences. Some of the principles contained herein may still be applicable to protecting other data.


For a customer where I was performing a ConfigMgr implementation, I was also tasked with installing some 30 Read-Only Domain Controllers. In itself, that hardly takes any effort. But hey, we have ConfigMgr and a boring, repetitive task to do, so let's just automate the whole thing! The challenge came when figuring out how to hide the credentials used in the process.

Let's start simple with a little script we can trigger from ConfigMgr to install and configure the role. When you go through the wizard in Server Manager, it does most of the scriptwriting for us; with a few changes we end up with a script that takes parameter input and feeds all of it to the parameters of the Install-ADDSDomainController cmdlet.

Note the -SafeModeAdministratorPassword and -Credential parameters. The first takes a SecureString object, the latter a PSCredential object; the script the wizard generates has to be extended to build both from its own parameters. If you want to reboot the system manually afterwards, set the -NoRebootOnCompletion switch. Also note that the user specified in the script's -DomainAdminUserName parameter needs to be a member of the BUILTIN\Administrators group within the domain, or be granted the 'Enable computer and user accounts to be trusted for delegation' user right in the Default Domain Controllers Policy GPO.

The script above will work. Great, let’s use it in an OSD Task Sequence!

Or….let’s not.

These are Domain Admin credentials, and chances are you won't be the only one with access to the Task Sequence. Not to mention that ConfigMgr writes detailed log files everywhere, including on the target system, and all sorts of people can read those.


The problem

When looking for ways to securely pass credentials to PowerShell scripts in Task Sequences in System Center Configuration Manager, the interwebz is full of examples: using ServiceUI.exe (part of the Microsoft Deployment Toolkit) to show a Get-Credential popup, specifying them in Collection and/or Task Sequence variables, hardcoding them in a batch file or script, saving a SecureString object to a file, or simply entering them in plaintext on the command line of the Task Sequence step.

None of these options were acceptable to me, as I had two requirements:

  • Aside from the fact that I don't use MDT unless absolutely needed, the Task Sequence must not halt to wait for user input.
  • The passwords must not be readable or retrievable by anyone with privileges below Domain Admin.

Hardcoding credentials in a script is just…wrong. So don’t do it. Ever.

SecureString objects in a file could work. But by default (DPAPI) only the user who created the file, on the machine where it was created, can read it back, unless a specific key was used. Anyone who obtains that key, which in this scenario would have to be hardcoded or passed as a parameter, can decrypt the SecureString. Which brings us back to the root of the problem: the ConfigMgr log files.
In %Windir%\CCM\Logs\smsts.log you can find the commands that the Task Sequence Engine fires, meaning a Run Command Line step shows the actual command being executed, parameters included. The same is true for Collection Variables (hidden or not). When the Task Sequence loads them, they show up in the log like this:

If we set a Run Command Line step to be executed as a specific user, ConfigMgr handles those credentials securely: it does not log them anywhere. This is what it looks like when a Run Command Line step is executed with a credential explicitly set in the step:


A solution

Use a certificate that can only be imported by Domain Admins to encrypt the passwords, and decrypt them during OSD to promote a brand new system to RODC within an existing forest, or for whatever else you want to do with them.

Specifically, we’re going to use the Protect-CmsMessage and Unprotect-CmsMessage Cmdlets with a Self-Signed certificate.

In short, the steps to go through are as follows:

  • Using PowerShell, create a self-signed certificate.
  • Using PowerShell, export this certificate with ADDS Account Protection.
  • Using PowerShell, encrypt the passwords using this certificate.
  • In ConfigMgr, create a package with the certificate so that we can install it.
  • In ConfigMgr, create another package with a script that decrypts the passwords and configures the RODC.
  • Put it all together in a Task Sequence.

In this example, the domain's DNS name is 'VMCorp.local' and its NetBIOS name is 'VMCorp'.
There is a user called ‘admin’ that is a member of the ‘Domain Admins’ group. For simplicity, we’ll use this same user to perform all actions.

First, we need a certificate that we will export using ADDS Account Protection for the 'Domain Admins' group. This certificate needs to have Key Usage Data Encipherment and Key Encipherment, and Enhanced Key Usage Document Encryption (1.3.6.1.4.1.311.80.1); Protect-CmsMessage requires that EKU and refuses certificates without it.

So let's create one and store it in a temporary location:

Don't delete it from your certificate store just yet, as we still need it to create our Cryptographic Message Syntax strings. We can do that with nothing more than:

And we’ll then end up with something like this:

This entire block, including the "-----BEGIN CMS-----" and "-----END CMS-----" lines, is what we will later use as the value for our password parameters. The only way to get the password back in plaintext from this string is with the private key of the certificate that was used to encrypt it. The exported PFX should be stored in a safe location, and even then, only Domain Admins can import it.

Decrypting the password again, using the certificate, is as simple as:
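As an added end-to-end example (my own code, not the post's script or screenshots), the three PowerShell steps above in one session: create the certificate, export it protected to the Domain Admins group, encrypt both passwords and prove they round-trip. It assumes the PKI module that ships with Windows 10 / Server 2016 or later (for -Type DocumentEncryptionCert), a domain-joined workstation that can reach a DC (required for -ProtectTo), and a subject name and export folder that are my choices; the domain and group names are the post's lab values.

```powershell
# Added example, not the post's own code. Run as 'VMCorp\admin' on a
# domain-joined machine. $Subject and $ExportDir are assumptions.
$Subject   = 'CN=OSD Credential Protection'
$ExportDir = 'C:\Temp\OSDCert'
$ProtectTo = 'VMCorp\Domain Admins'

New-Item -Path $ExportDir -ItemType Directory -Force | Out-Null

# 1. Self-signed certificate with exactly what Protect-CmsMessage needs:
#    KeyUsage Data/Key Encipherment and EKU Document Encryption (1.3.6.1.4.1.311.80.1).
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Type DocumentEncryptionCert `
    -KeyUsage DataEncipherment, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# Sanity check: without this EKU Protect-CmsMessage refuses the certificate.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.4.1.311.80.1') {
    throw 'Certificate is missing the Document Encryption EKU'
}

# 2. Export the PFX protected to the group instead of to a password. Only a
#    member of 'Domain Admins', on a domain-joined machine, can import it;
#    there is no passphrase to hardcode or leak.
$pfxPath = Join-Path $ExportDir 'OSDCredentialProtection.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo $ProtectTo | Out-Null

# 3. Encrypt the passwords. Prompt for them so they never land in a script
#    file or the console history.
$daPassword = Read-Host -Prompt 'Domain Admin password' -AsSecureString
$smPassword = Read-Host -Prompt 'Safe Mode Administrator password' -AsSecureString

function ConvertTo-CmsBlob {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Secret,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Protect-CmsMessage needs a string, so the plaintext exists only for this call.
    $plain = [System.Net.NetworkCredential]::new('', $Secret).Password
    try   { Protect-CmsMessage -To $Certificate -Content $plain }
    finally { $plain = $null }
}

$daCms = ConvertTo-CmsBlob -Secret $daPassword -Certificate $cert
$smCms = ConvertTo-CmsBlob -Secret $smPassword -Certificate $cert

# These files hold ciphertext only. Paste each block, BEGIN/END lines
# included, into the matching Task Sequence variable later on.
$daCms | Set-Content -Path (Join-Path $ExportDir 'DAPassword.cms')
$smCms | Set-Content -Path (Join-Path $ExportDir 'SMPassword.cms')

# 4. Round trip with the private key still in the store. -To pins decryption
#    to this certificate instead of letting the cmdlet pick one from the store.
$roundTrip = Unprotect-CmsMessage -Content $daCms -To $cert
if ($roundTrip -cne [System.Net.NetworkCredential]::new('', $daPassword).Password) {
    throw 'Round trip failed'
}
# Get-CmsMessage shows who can decrypt the blob without decrypting it.
(Get-CmsMessage -Content $daCms).Recipients

# Once the PFX is stored safely, take the private key off the workstation.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

After the final Remove-Item the workstation can no longer decrypt the .cms files; from that point only someone who can import the PFX, i.e. a Domain Admin, can get the passwords back.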


With that out of the way, we can create a package in ConfigMgr with a script that imports our certificate on the target machine. This script basically needs just one line:

Save it, together with the certificate we exported earlier, on the ConfigMgr content share and create a package for it. It does not need a program.

Now for the new RODC installation script. Adapt it to incorporate the Unprotect-CmsMessage cmdlet and it starts to look like this:
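To show the shape such a script can take, here is an added example (my reconstruction, not the post's own script): Install-RODC.ps1 using the parameter names that appear in the post's Task Sequence step, plus -SiteName and -CertificateSubject, which are my additions. It assumes the certificate has already been imported into Cert:\LocalMachine\My and that the Run PowerShell Script step runs as SYSTEM, which can use the private keys in that store.

```powershell
# Added example, not the post's own script. Parameter names follow the
# Task Sequence step in the post; -SiteName and -CertificateSubject are
# assumptions, as is the certificate subject itself.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$DomainAdminUserName,            # e.g. VMCorp\Admin
    [Parameter(Mandatory)][string]$EncryptedDomainAdminPassword,   # CMS block
    [Parameter(Mandatory)][string]$DomainNETBIOSName,              # e.g. VMCORP
    [Parameter(Mandatory)][string]$DomainDNSName,                  # e.g. vmcorp.local
    [Parameter(Mandatory)][string]$EncryptedSafeModeAdminPassword, # CMS block
    [string]$SiteName = 'Default-First-Site-Name',                 # assumed; required for an RODC
    [string]$CertificateSubject = 'CN=OSD Credential Protection'   # assumed
)

$ErrorActionPreference = 'Stop'

# Find the decryption certificate in the machine store. SYSTEM can use the
# private key of anything in LocalMachine\My, so no run-as is needed here.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertificateSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    throw "Decryption certificate '$CertificateSubject' not found in LocalMachine\My"
}

function ConvertFrom-CmsBlob {
    param(
        [Parameter(Mandatory)][string]$Cms,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Decrypt and wrap the plaintext in a SecureString straight away.
    $plain = Unprotect-CmsMessage -Content $Cms -To $Certificate
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

$daSecure = ConvertFrom-CmsBlob -Cms $EncryptedDomainAdminPassword   -Certificate $cert
$smSecure = ConvertFrom-CmsBlob -Cms $EncryptedSafeModeAdminPassword -Certificate $cert

# Accept a bare user name as well as DOMAIN\user or UPN.
if ($DomainAdminUserName -notmatch '[\\@]') {
    $DomainAdminUserName = "$DomainNETBIOSName\$DomainAdminUserName"
}
$credential = [System.Management.Automation.PSCredential]::new($DomainAdminUserName, $daSecure)

# Role binaries come from the local component store; no credentials needed.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module -Name ADDSDeployment

# -ReadOnlyReplica makes this an RODC promotion. -NoRebootOnCompletion leaves
# the reboot to the Restart Computer step; -Force suppresses the confirmation
# prompts that would otherwise hang an unattended Task Sequence.
$result = Install-ADDSDomainController `
    -DomainName $DomainDNSName `
    -ReadOnlyReplica `
    -SiteName $SiteName `
    -InstallDns `
    -Credential $credential `
    -SafeModeAdministratorPassword $smSecure `
    -NoRebootOnCompletion `
    -Force

# Don't keep the decrypted material alive longer than needed.
$daSecure.Dispose()
$smSecure.Dispose()

if ($result.Status -ne 'Success') {
    # Details end up in %Windir%\Debug\DCPROMO.log.
    throw "RODC promotion failed: $($result.Message)"
}
```

The plaintext returned by Unprotect-CmsMessage is a .NET string and cannot be zeroed, so the window in which it exists is kept as short as possible; the Task Sequence itself only ever sees the CMS blocks in the parameters.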

You can either modify the script to add your own logging, or look in %Windir%\Debug\ at DCPROMO.log and DCPromoUI.log for the result.
Create a package for this script too. As before, it doesn't need a program.


Putting it together in the Task Sequence, we first need to define the variables:

Start by adding a Set Task Sequence Variable step for the user name. In this case it is a Domain Admin, so I've named mine 'DAUserName', with a value of VMCorp\Admin:

Next we add another variable, 'DAPassword', and here we enter the encrypted password: the complete CMS block.
Do the same for the Safe Mode Administrator password, in a variable named 'SMPassword'.

The system needs to be domain joined, because the certificate can only be imported by a Domain Admin, and that group membership can only be verified against the domain once the system has joined it.
Since this is a lab environment, we'll throw security best practices out of the window and use the same over-privileged account for the join.

During OSD, we don't get policies yet, which means the Domain Admins group has not been added to the local Administrators group. To work around this, we make our domain account a local administrator: in the next step we use this account to import the certificate into the LocalMachine certificate store, and only administrators can do that. Insert a Run Command Line step with the command net localgroup administrators /add %DAUserName%:

Up next comes the certificate. This is a simple Run Command Line step that is executed as a Domain Admin and therefore has sufficient permissions to import this particular certificate; it uses Active Directory Account Protection after all. In this case the script is executed directly from the share. Keep in mind that the account entered in the step's 'Run as' field is stored with the Task Sequence: ConfigMgr won't log it, but anyone who can edit the Task Sequence can add a step that runs under it, so the right to edit the Task Sequence needs to be guarded as tightly as the credential itself:

Now for the RODC installation script. Here we can use a Run PowerShell Script step and set its parameters from the previously defined variables: -DomainAdminUserName '%DAUserName%' -EncryptedDomainAdminPassword '%DAPassword%' -DomainNETBIOSName "VMCORP" -DomainDNSName "vmcorp.local" -EncryptedSafeModeAdminPassword '%SMPassword%'
Note the single quotes, which are required to pass the multi-line encrypted password intact.

Finally, add a Restart Computer step, as a reboot is required to complete the configuration. It is highly recommended to add a step that removes the certificate again, so the private key does not stay behind on the new domain controller. This can be done with either a script or a command line:
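An added example (my code, not the post's) covering both certificate steps: the one-line import the certificate package performs under the Domain Admin account, and the removal the post recommends at the end of the sequence, in one script selected by -Action. The script name, PFX file name and certificate subject are assumptions; the import relies on the PFX having been exported with -ProtectTo, which is why no password is supplied.

```powershell
# Added example, not the post's own script (Manage-OSDCertificate.ps1, assumed name).
# -Action Import : Run Command Line step, executed as the Domain Admin.
# -Action Remove : Run Command Line step near the end, can run as SYSTEM.
param(
    [ValidateSet('Import', 'Remove')][string]$Action = 'Import',
    [string]$PfxPath = (Join-Path $PSScriptRoot 'OSDCredentialProtection.pfx'), # assumed
    [string]$CertificateSubject = 'CN=OSD Credential Protection'                 # assumed
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\My'

switch ($Action) {
    'Import' {
        # No -Password: the PFX is protected to 'VMCorp\Domain Admins', so
        # Windows checks the caller's group membership against a DC instead.
        $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store
        if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
        # From now until removal, SYSTEM and every local administrator on this
        # box can use the private key. Keep that window short.
        "Imported $($cert.Thumbprint) into $store"
    }
    'Remove' {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -eq $CertificateSubject } |
            ForEach-Object {
                # -DeleteKey also wipes the private key container; without it
                # the key material would stay on disk.
                Remove-Item -Path $_.PSPath -DeleteKey
                "Removed $($_.Thumbprint) from $store"
            }
        # Fail the step loudly if anything is left behind.
        if (Get-ChildItem -Path $store | Where-Object { $_.Subject -eq $CertificateSubject }) {
            throw "Certificate '$CertificateSubject' is still present in $store"
        }
    }
}
```

In the Task Sequence the import step's command line is powershell.exe -ExecutionPolicy Bypass -File \\server\share\Manage-OSDCertificate.ps1 -Action Import (with the share and names adapted to your environment), and the clean-up step uses the same line with -Action Remove.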


When you look in the logs now, all you will find are entries like:

These are useless to an unauthorized user, as it takes a Domain Admin plus the certificate to decrypt what is, in this case, also a Domain Admin's password.