How to get the network access password from WinPE in SCCM.

My colleage at Atea, Oddvar Håland Moe, have written a script that dumps the password of the network access account from the boot image in plain text. This is why you never enable command line support in your boot images on a production network. Anyone will be able to retrieve the password during PXE boot / OS deployment.



SetEnv = CreateObject("Microsoft.SMS.TSEnvironment")
ForEachts in Env.GetVariables()
Ifts = "_SMSTSReserved2"Then
wscript.echo "Password for Network Access Account is: "& Env(ts)


  1. Press F8 to open up the command line console.
  2. Open notepad.exe and type in the script.
  3. Save it and run it with cscript.exe.

That’s it, the password of the network access account is dumped in plain text.

To protect your system against this, make sure command line support is not enabled in your boot images, and use a dedicated account for the network access with minimum rights necessary.

Be sure to visit Oddvar’s website: MSITpros.

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I currently hold active 15 Microsoft certifications. Certified on Windows Server, Windows Client, SQL, Exchange and System Center Configuration Manager. Anders Rødland also holds an ITIL Foundation certification.This is my private blog and do not represent my employer. I use this to share information that I find useful. Sharing is caring.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.