In some cases, you want to be able to include passwords and other sensitive items in MDT CustomSettings.ini files, but don't want the casual observer to be able to view them. This is a variation of a technique from Michael Niehaus (see his post here) that includes a salted hash and repetitive encoding so that simple attempts at decoding the string fail.
There are a few things that you have to set up. First, add custom properties to your [Settings] section in CustomSettings.ini. These will hold the encoded values that are then decoded by the system later on:
[Settings]
Priority=Default
Properties=EncodedUserID,EncodedUserPassword,EncodedUserDomain,EncodedDomainAdmin,EncodedDomainAdminDomain,EncodedDomainAdminPassword,EncodedAdminPassword
The key is that the property name is the concatenation of two parts: "Encoded" + the name of the value to fill with the decoded string. Technically, this can be used for any value. Be sure that there is a matching value in the DecodeExit.vbs script.
To use this in your CustomSettings.ini file, list the encoded value, followed by the special line UserExit=DecodeExit.vbs.
[Default]
EncodedUserID=TknNexXizDc=
EncodedUserPassword=SmpfaKTQ2DXdmV
UserExit=DecodeExit.vbs
Be sure that you add that UserExit line in any section that contains encoded values (such as if you have separate sections that deal with various domain join options or machine admin passwords).
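A check for the two rules above, written as an added example that is not part of the original scripts: it flags any section that carries Encoded* values without UserExit=DecodeExit.vbs, and any Encoded* name missing from the Properties list in [Settings]. The function name Find-EncodedSettingIssue, the [JoinDomain] section and the PLACEHOLDER values are assumptions made up for the illustration.

```powershell
# Added example: lint CustomSettings.ini lines for the Encoded* convention.
function Find-EncodedSettingIssue {
    param([string[]]$Lines)
    $sections = [ordered]@{}   # section name -> hashtable of its key/value pairs
    $current  = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = @{} }
        }
        elseif ($current -and $text -match '^([^=]+)=(.*)$') {
            # Split on the first '=' only; encoded values may end in '='.
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    # Custom properties declared under [Settings] Properties=
    $declared = @()
    if ($sections.Contains('Settings') -and $sections['Settings'].ContainsKey('Properties')) {
        $declared = @($sections['Settings']['Properties'].Split(',') | ForEach-Object { $_.Trim() })
    }

    $findings = @()
    foreach ($name in $sections.Keys) {
        if ($name -eq 'Settings') { continue }
        $encoded = @($sections[$name].Keys | Where-Object { $_ -like 'Encoded*' })
        if ($encoded.Count -eq 0) { continue }
        if ($sections[$name]['UserExit'] -ne 'DecodeExit.vbs') {
            $findings += "[$name] has encoded values but no UserExit=DecodeExit.vbs"
        }
        foreach ($key in $encoded) {
            if ($declared -notcontains $key) {
                $findings += "[$name] $key is not listed in [Settings] Properties"
            }
        }
    }
    return $findings
}

# Constructed sample: [JoinDomain] is a hypothetical section that breaks both rules.
$sample = @(
    '[Settings]', 'Priority=Default', 'Properties=EncodedUserID,EncodedUserPassword',
    '[Default]', 'EncodedUserID=PLACEHOLDER=', 'EncodedUserPassword=PLACEHOLDER',
    'UserExit=DecodeExit.vbs',
    '[JoinDomain]', 'EncodedDomainAdminPassword=PLACEHOLDER'
)
Find-EncodedSettingIssue -Lines $sample
```

For a real file, pass the output of Get-Content for your CustomSettings.ini as -Lines.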
There are two scripts that make this solution work: Encode.wsf and DecodeExit.vbs. Use Encode.wsf as a command-line interface to encode passwords into a string that you can copy/paste into the CustomSettings.ini file. Both scripts should be included in the MDT Scripts directory on the deployment share as they both call utility files from that location.