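In some cases, you want to be able to include passwords and other sensitive items in MDT CustomSettings.ini files, but don't want the casual observer to be able to view them. This is a variation of a technique from Michael Niehaus (see his post here) that XORs the value against a salt string and then Base64-encodes the result twice, so that a simple Base64 decode does not reveal the string. This is obfuscation rather than encryption: the salt string is stored in DecodeExit.vbs on the deployment share, so anyone who can read that script can reverse the encoding.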

There are a few things that you have to set up. First, add custom properties to the [Settings] section in CustomSettings.ini. These will hold the encoded values that are decoded by the system later on:

[Settings]
Priority=Default
Properties=EncodedUserID,EncodedUserPassword,EncodedUserDomain,EncodedDomainAdmin,EncodedDomainAdminDomain,EncodedDomainAdminPassword,EncodedAdminPassword 

The key is that each property name is the concatenation of two parts: "Encoded" plus the name of the variable to fill with the decoded string. Technically, this can be used for any value, but be sure that there is a matching value in the DecodeExit.vbs script.

To use this in your CustomSettings.ini file, list the encoded value, followed by the special line UserExit=DecodeExit.vbs.

[Default]
EncodedUserID=TknNexXizDc=
EncodedUserPassword=SmpfaKTQ2DXdmV
UserExit=DecodeExit.vbs 

Be sure that you add that UserExit line in any section that contains encoded values (such as if you have separate sections that deal with various domain join options or machine admin passwords).
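The three rules above (an Encoded property must be declared in Properties, must have a matching name in DecodeExit.vbs, and its section must carry the UserExit line) can be checked before a deployment fails on an undecoded value. The following lint is an added example, not part of the original post or of MDT; the name list is copied from the DecodeExit.vbs listing on this page, and the [JoinDomain] section, EncodedJoinAccount property and PLACEHOLDER values are constructed for illustration.

```python
import configparser

# Names DecodeExit.vbs loops over, copied from the script on this page.
DECODABLE = {
    "USERID", "USERPASSWORD", "USERDOMAIN", "DOMAINADMIN", "ADMINPASSWORD",
    "DOMAINADMINPASSWORD", "DOMAINADMINDOMAIN", "BDEPIN", "TPMOWNERPASSWORD",
    "ADDSUSERNAME", "ADDSPASSWORD", "SAFEMODEADMINPASSWORD", "USERNAME", "PRODUCTKEY",
}

def lint_custom_settings(ini_text, exit_script="DecodeExit.vbs"):
    """Return (section, property, problem) tuples for Encoded* values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, default_section="__unused__")
    cp.read_string(ini_text)
    declared = set()
    for name in cp.sections():
        if name.lower() == "settings":
            props = cp[name].get("properties") or ""
            declared = {p.strip().upper() for p in props.split(",") if p.strip()}
    problems = []
    for name in cp.sections():
        if name.lower() == "settings":
            continue
        encoded = [k.upper() for k in cp[name] if k.upper().startswith("ENCODED")]
        has_exit = (cp[name].get("userexit") or "").strip().lower() == exit_script.lower()
        for prop in encoded:
            if not has_exit:
                problems.append((name, prop, "section lacks UserExit=" + exit_script))
            if prop not in declared:
                problems.append((name, prop, "not listed in [Settings] Properties"))
            if prop[len("ENCODED"):] not in DECODABLE:
                problems.append((name, prop, "no matching name in " + exit_script))
    return problems

# Constructed sample; [JoinDomain] and EncodedJoinAccount are hypothetical.
SAMPLE = """\
[Settings]
Properties=EncodedUserID,EncodedUserPassword,EncodedDomainAdminPassword

[Default]
EncodedUserID=PLACEHOLDER1
EncodedUserPassword=PLACEHOLDER2
UserExit=DecodeExit.vbs

[JoinDomain]
EncodedDomainAdminPassword=PLACEHOLDER3
EncodedJoinAccount=PLACEHOLDER4
"""
print(*lint_custom_settings(SAMPLE), sep="\n")
```

If you add names to the array in DecodeExit.vbs, add them to DECODABLE as well so the two lists stay in step.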

There are two scripts that make this solution work: Encode.wsf and DecodeExit.vbs. Use Encode.wsf as a command-line interface to encode passwords into a string that you can copy/paste into the CustomSettings.ini file. Both scripts should be included in the MDT Scripts directory on the deployment share as they both call utility files from that location.

Encode.wsf

<job id="Encode">
    <script language="VBScript" src="ZTIUtility.vbs"/>
    <script language="VBScript">
        ' File: Encode.wsf
        ' Version: 1.1
        ' Author: Michael Niehaus, Jeff Huston
        ' Purpose: Encode a string to base64
        ' Usage: cscript.exe Encode.wsf /Value:"The string to encode"
        '
        ' ------------- DISCLAIMER -------------------------------------------------
        ' This script code is provided as is with no guarantee or warranty concerning
        ' the usability or impact on systems and may be used, distributed, and
        ' modified in any way provided the parties agree and acknowledge that
        ' Microsoft or Microsoft Partners have neither accountability nor
        ' responsibility for results produced by use of this script.
        '
        ' Microsoft will not provide any support through any means.
        ' ------------- DISCLAIMER -------------------------------------------------
        
        'Set up a random string of characters here and use the same string
        'in DecodeExit.vbs
        
        strSalt="asjdklasd93nq1mlvasjkl9uqwnmjklvdu890asweklfmasJTEDKLSD09023SDAFasd"
        
        strClear = oEnvironment.Item("Value")
        strS = "" 'This will be our salt string
        
        'Make sure the salt string contains enough copies of strSalt to be as
        'long as strClear
        Do Until Len(strS) >= Len(strClear)
            strS = strS & strSalt
        Loop
        
        'Match string lengths between strS and strClear
        strS = Left(strS,Len(strClear))
        
        strSalted = ""
        'Salt the string into strSalted
        For I = 1 to Len(strClear)
            C1 = Asc(Mid(strS,I,1))
            C2 = Asc(Mid(strClear,I,1))
            C3 = C1 xor C2 xor 32
            strSalted = strSalted & Chr(C3)
        Next
        
        WScript.Echo "INITIAL TEXT: " & strClear
        'Double base64 encode the salted string
        b64 = oStrings.Base64Encode(oStrings.Base64Encode(strSalted))
        WScript.Echo "ENCODED VALUE TO COPY/PASTE: " & b64
        
        'Decode test
        'Double base64 decode the salted string
        strDSalted = oStrings.Base64Decode(oStrings.Base64Decode(b64))
        strD = ""
        'Create a strD that is the salt string of equal or greater length 
        'than the salted string
        Do Until Len(strD) >= Len(strDSalted)
            strD = strD & strSalt
        Loop
        'Trim strD to match the length of the salted string
        strD = Left(strD,Len(strDSalted))
        strDClear = ""
        'Go through and desalt the string to return clear text for verification
        For I = 1 to Len(strDSalted)
            C1 = Asc(Mid(strD,I,1))
            C2 = Asc(Mid(strDSalted,I,1))
            C3 = C1 xor C2 xor 32
            strDClear = strDClear & Chr(C3)
        Next
        WScript.Echo "CHECK TEXT: " & strDClear
    </script>
</job>

DecodeExit.vbs

' File: DecodeExit.vbs
' Version: 1.1
' Author: Michael Niehaus, Jeff Huston
' Purpose: Decode encoded task sequence variable values from
' CustomSettings.ini or Bootstrap.ini.
'
' ------------- DISCLAIMER -------------------------------------------------
' This script code is provided as is with no guarantee or warranty concerning
' the usability or impact on systems and may be used, distributed, and
' modified in any way provided the parties agree and acknowledge that
' Microsoft or Microsoft Partners have neither accountability nor
' responsibility for results produced by use of this script.
'
' Microsoft will not provide any support through any means.
' ------------- DISCLAIMER -------------------------------------------------

Function UserExit(sType, sWhen, sDetail, bSkip)
    Dim sVar
    
    ' Only look at variables after they have been set by this section.
    ' That way, we can put the encoded values in the same section.
    If sWhen = "AFTER" then
        ' MDT knows about "sensitive" values (those are stored encoded in
        ' variables.dat and in task sequence variables)
        ' so those are likely the ones that need to be encoded to put in
        ' the INI files. Check to see which "encoded" 
        ' values are specified. 
        For each sVar in Array("USERID", "USERPASSWORD", "USERDOMAIN", _
                "DOMAINADMIN", "DOMAINADMINPASSWORD", "DOMAINADMINDOMAIN", _
                "ADMINPASSWORD", "BDEPIN", "TPMOWNERPASSWORD", "ADDSUSERNAME", _
                "ADDSPASSWORD", "SAFEMODEADMINPASSWORD", "USERNAME", _
                "PRODUCTKEY")
            ' If the encoded value exists, decode it and save it to the
            ' proper task sequence variable
            If oEnvironment.Item("Encoded" & sVar) <> "" then
                oLogging.CreateEntry "Decoding variable Encoded" & sVar & _
                    " for assignment to " & sVar, LogTypeInfo
                oEnvironment.Item(sVar) = _
                    WM_DecodeEncodedValue(oEnvironment.Item("Encoded" & sVar))
            End if
        Next
    End if
End Function

Function WM_DecodeEncodedValue(strEncrypted) 
    Dim strSalt, strDSalted, strD, strDClear, I, C1, C2, C3
    
    'Same salt string from Encode.wsf
    strSalt="asjdklasd93nq1mlvasjkl9uqwnmjklvdu890asweklfmasJTEDKLSD09023SDAFasd" 
    
    strDSalted = oStrings.Base64Decode(oStrings.Base64Decode(strEncrypted))
    
    strD = ""
    Do Until Len(strD) >= Len(strDSalted)
        strD = strD & strSalt
    Loop
    strD = Left(strD,Len(strDSalted))
    
    strDClear = ""
    For I = 1 to Len(strDSalted)
        C1 = Asc(Mid(strD,I,1))
        C2 = Asc(Mid(strDSalted,I,1))
        C3 = C1 xor C2 xor 32
        strDClear = strDClear & Chr(C3)
    Next
    
    WM_DecodeEncodedValue = strDClear
End Function