Secure a Task Sequence with a Password


Configuration Manager has very limited built-in functionalities to protect a Task Sequence from being executed. Sure you can define the scope of a certain task sequence deployment with deploying it only to certain collections. You also can set an PXE / Media Password to protect deployed task sequences from being executed.

But there are certain situation where you might have several available Task Sequences deployed to one collection or the Machine is member of a number of collection having Task Sequences deployed. For example, if your process allows to deploy against "unknown computers" and you are having your Prod TS and your Test TS deployed to that Collection.



To get around this problem, I wrote a little Powershell Scripts called OSD_PasswortChecker. This Scripts creates in the WinPE at the begin of the Deployment an Password Prompt.

Entering the correct Password allows to run the rest of the Steps in the Task Sequence.



The Function of the OSD_PasswordChecker is simple, it protects your Task Sequence with a specified Password within a Task Sequence.

Here is the code of the Script:

# Script OSD_PasswordChecker.ps1 - Version 1802
# ***** Disclaimer *****
# This file is provided "AS IS" with no warranties, confers no 
# rights, and is not supported by the authors or Microsoft 
# Corporation. Its use is subject to the terms specified in the 
# Terms of Use (

# -----------------------------------------------------------------------------------
# Function Section
# -----------------------------------------------------------------------------------
function ok-button {
 Compares the entered Password with the OSDPassword 
 Function to compare the Task Sequence Varibale "OSDPassword" with the entered Password

if($tsenv.Value("OSDPassword") -eq $MaskedTextBox) {

# -----------------------------------------------------------------------------------
# Worker Section
# ----------------------------------------------------------------------------------- 
# Construct TSEnv object
try {
 $TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
catch [System.Exception] {
 Write-Warning -Message "Unable to construct Microsoft.SMS.TSEnvironment object" ; exit 1

#GUI Creation
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing") 
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

$objForm = New-Object System.Windows.Forms.Form 
$objForm.Text = "OSD PasswordChecker"
$objForm.Size = New-Object System.Drawing.Size(300,200) 
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True

 if ($_.KeyCode -eq "Enter") {
 if ($_.KeyCode -eq "Escape") {

$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"

$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"

$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20) 
$objLabel.Size = New-Object System.Drawing.Size(280,20) 
$objLabel.Text = "Please enter the information in the space below:"

$MaskedTextBox = New-Object System.Windows.Forms.MaskedTextBox
$MaskedTextBox.PasswordChar = '*'
$MaskedTextBox.Location = New-Object System.Drawing.Size(10,40) 
$MaskedTextBox.Size = New-Object System.Drawing.Size(260,20) 
$objForm.Topmost = $True

[void] $objForm.ShowDialog()

You can download the Script + ServiceUI.exe (later described) here


Please add the following steps at the beginning of your Task Sequence


Step: Set OSDPassword

Create a Step "Sets the Task Sequence Variable" in which you set the Task Sequence Variable "OSDPassword". The Value of this Variable will be used to check against the Input in the OSDPasswordChecker Script.

Step: Run OSDPasswordChecker

This Steps executes a Command Line to run the OSDPasswordChecker Powershell.

To create a GUI with Powershell in WinPE there are two Prerequisites needed:

  • Enable Powershell Feature in the Boot WIM
  • ServiceUI.exe needed to create a GUI in WinPE. By the way, we are using the same technique to launch the well known MDT UDI wizard.

The Command Line you need to run:

ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File OSDPasswordChecker.ps1


Deployment Start Folder

The rest of the Task Sequence should be in a separate Folder Structure. In my case "Deployment Start".

Add on this folder the following Condition:



Comments (7)

  1. Interesting one!

    Though, this might be more a compliance feature than a security feature. Nevertheless, it will mitigate unallowed installations!

    All the best,

  2. BradleyJL says:

    Great post David!
    This was just what I was looking for to prevent accidental launch of our Windows 10 reimage task sequence. I did have a bit of trouble getting it to work in my environment though. It would not create the TS variable “OSDPasswordChecked” until I changed the IF statement to “if($tsenv.Value(“OSDPassword”) -eq ($MaskedTextBox).text) . Without that it seemed like it was comparing apples to oranges.
    I am kinda new at PowerShell, so I am not sure if it is just my implementation of your script that causes the need for that change.


  3. BradleyJL says:

    Sorry Y.Perrenoud I am giving credit to the wrong person! It’s been a long day!

  4. BK McMillan says:

    Great stuff. Some feedback: I would encourage to use a Dynamic variable for the OSDPassword so it is at least not visible in clear text when editing the TS.

  5. Gibson99 says:

    where does one get ServiceUI.exe? is it already part of the winpe image? i’m trying to use this to password protect my win10 in-place upgrade TS (runs in production windows, not winpe), but it’s not working since it can’t find serviceui.exe. suggestions?

    1. Y.Perrenoud says:

      You can download the ServiceUI here

Skip to main content