Introduction
The Secrets module in the Workforce Experience Platform (WXP) provides secure storage for credentials used in remediation workflows. It helps IT teams manage sensitive information—such as BIOS passwords and certificates—safely and efficiently. Without this feature, organizations would need to manually handle credentials, increasing the risk of errors and security gaps.
With the Secrets feature, you can store and manage admin credentials, certificates, and encryption keys in a centralized, secure location. These secrets are automatically injected into scripts or workflows for secure execution without exposing sensitive data.
Secrets support authentication for BIOS policies and script-based remediations. They also enforce role-based access control (RBAC) and provide audit logs to track usage. This ensures credentials are only used by authorized users, helping teams maintain compliance and improve operational efficiency.
Secret Types
The platform currently supports the following types of secrets:
- BIOS passwords: Used to configure and authenticate BIOS settings on devices. These secrets work with BIOS Authentication Policies and ensure secure access to device firmware settings.
- SPM (Secure Platform Management) certificates: Used to authenticate BIOS Settings Policies. These certificates are matched to device groups and work with BIOS Authentication Policies for secure, policy-based configuration.
More secret types will be supported in future updates, including credentials for broader IT automation, secure integrations, and advanced remediation workflows.
Target Audience
- IT Administrators: Managing secure execution of scripts and policies
- Security & Compliance Teams: Controlling access and maintaining credential security
- DevOps Engineers: Automating workflows and managing script authentication
Key Features
Some of the key capabilities include:
- Secure storage of credentials: Stores admin credentials, API keys, certificates, and encryption keys in a central and protected location. Reduces the risk of credential misuse or leakage by removing the need to share or hardcode passwords in scripts.
- Seamless integration with remediations: Enables scripts to run securely using stored secrets, without requiring IT admins to enter credentials manually.
- Audit logging and compliance: Tracks secret usage for auditing purposes and ensures access complies with security policies.
- Automated secret injection: Injects secrets directly into scripts at runtime without exposing them in the UI or logs.
- Future-ready architecture: Expands support for other secret types and integrations over time to meet growing IT security needs.
Use cases
- Secure execution of PowerShell scripts
  Scenario: An IT admin needs to run a script to enable BitLocker encryption across multiple devices. The script requires admin credentials.
  Solution: The admin stores the credentials in Secrets. When the script runs, it uses the stored credentials automatically and ensures secure execution without exposing the password.
- API authentication for remediation actions
  Scenario: A remediation workflow needs to connect to an external ITSM tool like ServiceNow or Microsoft Intune using an API key.
  Solution: The API key is stored in Secrets. The workflow retrieves the key securely during execution, eliminating the need to hardcode or manually enter it.
- Enforcing security compliance with signed scripts
  Scenario: Company policy requires all PowerShell scripts to be signed before execution.
  Solution: The Secrets feature stores a code-signing certificate. Scripts are signed automatically during execution, ensuring compliance with the security policy.
Related Resources
For additional information, refer to the following articles:
Contact Us
For any assistance, create a support case or email [email protected].