By default, the MDT logging routine masks the entire line if it sees the word “password”.
I came across a problem with UDI: when using ZTIUserState.wsf, the encryption key is exposed in clear text in the logs with the command line when ScanState.exe or LoadState.exe is called, because there is no word “password” in the logging line.
Regardless, you don’t want to hide the whole line for troubleshooting purposes, only the value of that variable that gets exposed.
So, I modified ZTIUtility.vbs, adding logic to hide those variables. Here is what was added to the CreateEntry function:

    Public Function CreateEntry(sLogMsg, iType)
        Dim sTime, sDate, sTempMsg, oLog, bConsole, sMaskedVar

        ' Each of the operations below has the potential to cause a runtime error.
        ' However, we must not stop operation if there is a failure, so always continue.
        On Error Resume Next

        ' Special Handling for Debug vs. Non-Debug messages
        If not Debug then
            If iType = LogTypeVerbose Then
                Exit Function ' Verbose Messages are only displayed when Debug = True
            Elseif iType = LogTypeDeprecated Then
                iType = LogTypeInfo ' Deprecated messages are normally Info messages
            End If

            ' Suppress messages containing password
            If Instr(1, sLogMsg, "password", 1) > 0 then
                sLogMsg = "<Message containing password has been suppressed>"
            End If

            ' Mask variables containing passwords: replace only the value of each
            ' variable listed in MaskedVariables, leaving the rest of the line intact
            For Each sMaskedVar in Split(oEnvironment.Item("MaskedVariables"),",")
                sLogMsg = Replace(sLogMsg, Trim(oEnvironment.Item(sMaskedVar)), "<password has been suppressed>")
            Next
        Else ' Debug = True
        ' (the rest of CreateEntry is not shown in this post)

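
The value-only masking above as a standalone script (an added example, not the author's or MDT's code). The Scripting.Dictionary stands in for oEnvironment, and the variable names, key value, log line and MIN_SECRET_LEN threshold are constructed assumptions; it goes slightly beyond the original by trimming variable names and skipping empty or very short values, which would otherwise blank out unrelated text.

```vbscript
Option Explicit

' Assumption: values shorter than this are not masked, because replacing a
' one- or two-character value would blank out unrelated parts of every log line.
Const MIN_SECRET_LEN = 4

' Constructed stand-in for MDT's oEnvironment; all names and values are made up.
Dim oEnv : Set oEnv = CreateObject("Scripting.Dictionary")
oEnv.CompareMode = vbTextCompare
oEnv.Add "MaskedVariables", "ExampleKeyVar, ExampleEmptyVar ,ExampleShortVar"
oEnv.Add "ExampleKeyVar", "S3cr3t-Key-Value"
oEnv.Add "ExampleEmptyVar", ""
oEnv.Add "ExampleShortVar", "1"

' Returns sLogMsg with the value of every variable named in MaskedVariables
' replaced by a marker, so the rest of the line stays usable for troubleshooting.
Function MaskLine(sLogMsg, oSource)
    Dim sName, sValue
    MaskLine = sLogMsg
    For Each sName In Split(oSource.Item("MaskedVariables"), ",")
        sName = Trim(sName)            ' "A, B" must resolve to "B", not " B"
        If sName <> "" And oSource.Exists(sName) Then
            sValue = Trim(oSource.Item(sName))
            If Len(sValue) >= MIN_SECRET_LEN Then
                MaskLine = Replace(MaskLine, sValue, "<password has been suppressed>")
            End If
        End If
    Next
End Function

' Constructed log line modelled on a ScanState.exe call. The word "password"
' never appears in it, so the stock whole-line suppression would not trigger.
Dim sCmd
sCmd = "About to run command: ScanState.exe C:\Store /encrypt /key:""S3cr3t-Key-Value"" /v:1"
WScript.Echo MaskLine(sCmd, oEnv)
```

Save it as a .vbs file and run it with cscript.exe //nologo. The key after /key: is replaced while /v:1 is left alone, because the one-character value of ExampleShortVar is skipped.
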
Make changes in your CustomSettings.INI
by adding a new property