I have used Michael Niehaus's excellent script for dumping all task sequence variables during OSD, which is great for troubleshooting. https://blogs.technet.microsoft.com/mniehaus/2010/04/26/dumping-task-sequence-variables/
However, it dumps all TS variables, including:
- _SMSTSReserved variables, which for instance contain the Network Access Account username and password in clear text. The same goes for the Domain Join account used in the Task Sequence.
- _OSDOAF, which contains the TPM password hash for the computer if the Pre-Provision BitLocker step is used and it takes ownership of the TPM.
So my colleague Johan Schrewelius posted a nice little PowerShell script that can be used instead, which excludes the “sensitive” variables and only writes the public ones to the log file.
It can be downloaded here: https://gallery.technet.microsoft.com/Task-Sequence-Variables-de05b064
In many environments, troubleshooting scripts like this are left in the production Task Sequences, and that is not a good idea if the output includes a username/password in clear text or the TPM password hash.
The script simply filters out the “sensitive” variables:
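As an added example (not Johan Schrewelius's gallery script), here is one way to apply the same kind of filter using the `Microsoft.SMS.TSEnvironment` COM object. The exclusion patterns cover only the two variable families named above; the log file name `TSVariables.log` and the sample values in the fallback branch are assumptions made for illustration.

```powershell
# Added example, not the gallery script. The patterns below cover only the
# variables named in this post; extend them for your own environment.
$ExcludePatterns = @('_SMSTSReserved*', '_OSDOAF*')

function Select-PublicTSVariable {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Variables,
        [string[]] $Exclude = $ExcludePatterns
    )
    foreach ($name in ($Variables.Keys | Sort-Object)) {
        $blocked = $false
        foreach ($pattern in $Exclude) {
            # -like is case-insensitive; "_" and "-" are not wildcard characters
            if ($name -like $pattern) { $blocked = $true; break }
        }
        # Only non-excluded variables are ever turned into log lines
        if (-not $blocked) { '{0} = {1}' -f $name, $Variables[$name] }
    }
}

try {
    # Inside a running task sequence: read the real environment
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $vars = @{}
    foreach ($name in $tsenv.GetVariables()) { $vars[$name] = $tsenv.Value($name) }
    # TSVariables.log is a hypothetical file name chosen for this example
    $logFile = Join-Path $tsenv.Value('_SMSTSLogPath') 'TSVariables.log'
}
catch {
    # Outside a task sequence: constructed sample data to exercise the filter
    $vars = @{
        '_SMSTSMachineName'   = 'PC-001'
        'OSDComputerName'     = 'PC-001'
        '_SMSTSReserved1-000' = 'CONSTRUCTED-account-name'
        '_SMSTSReserved2-000' = 'CONSTRUCTED-password'
        '_OSDOAF'             = 'CONSTRUCTED-hash'
    }
    $logFile = Join-Path $env:TEMP 'TSVariables.log'
}

Select-PublicTSVariable -Variables $vars |
    Out-File -FilePath $logFile -Encoding utf8
```

A deny-list like this only hides what it names, so custom task sequence variables that hold credentials need their own patterns added to `$ExcludePatterns`.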