This blog describes recent changes to encryption handling in AdminStudio, the impact of these changes after upgrading from earlier versions, and the steps required to migrate existing encrypted credentials.

Overview

AdminStudio has been updated to use modern, stronger encryption algorithms across the product. All legacy encryption implementations have been fully removed and replaced with newer encryption mechanisms.

These changes:

• Apply to all AdminStudio customers
• Are not limited to specific configuration modes or optional settings
• Are mandatory as part of ongoing security and compliance improvements

Impact of the Change

After upgrading to the latest version of AdminStudio:

• All encryption operations use newer encryption algorithms
• Older encryption and decryption logic is no longer present in the source code
• Encrypted data created using earlier versions cannot be decrypted directly by the upgraded product

As a result, previously stored credentials and secure values must be migrated so they can be used by the updated product.

Handling Existing Encrypted Data

To support migration of previously stored encrypted values, AdminStudio provides a separate Encryption Migration Tool.

The tool:

• Decrypts existing encrypted values using the legacy encryption method
• Re‑encrypts them using the new encryption mechanism
• Updates the stored data so it is compatible with the upgraded AdminStudio version

Encryption Migration Tool

Availability

• The Encryption Migration Tool is provided as a separate download
• It is distributed as a compressed (ZIP) archive
• A download link is surfaced in AdminStudio through the Important Messages section, accessible from the AdminStudio ribbon beside Help Contents

When the user selects this option, a popup is displayed. Clicking the “Click here to download migration tool” hyperlink in the popup successfully downloads the migration tool for use.

  Scope

The Encryption Migration Tool can:

• Re‑encrypt credentials stored in the AdminStudio catalog
• Re‑encrypt credentials stored in configuration files
• Be run multiple times, for example when multiple configuration (AC) files exist

The tool operates independently of AdminStudio and is not embedded within the product.

Recommended Upgrade Sequence

For correct behavior, perform the following steps in order:

1. Complete the AdminStudio setup upgrade
2. Complete the AdminStudio catalog upgrade
3. Run the Encryption Migration Tool
4. OR manually re‑enter all credentials in AdminStudio
5. Launch or relaunch AdminStudio

Important:

If AdminStudio is already running, close it before running the migration tool and reopen it after the migration completes.

Migrating Encrypted Passwords Using the Migration Tool

1. Complete the AdminStudio Upgrade

• Upgrade the AdminStudio setup
• Upgrade the AdminStudio catalog

Note: The migration tool must be run only after both upgrades are complete.

2. Download the Encryption Migration Tool

• Download the Encryption Migration Tool as a ZIP file from the provided download location (for example, PLC or the anonymous link shown in AdminStudio)
• Extract the ZIP file to a local folder

Note: The tool is a standalone utility and is not embedded in AdminStudio.

3. Launch the Encryption Migration Tool

• Run the main executable from the extracted folder
• The tool opens a UI similar to the AdminStudio Connect to Catalog dialog

4. Configure Catalog Connection Details

• Enter the required catalog connection details
• Click Test Connection to validate the details

Note: If the catalog contains encrypted passwords, they will be processed during migration. 

5. Specify an AAC File Path (If Applicable)

If applicable, provide the AAC file path used for Application Catalog or conversion workflows.

You may:

• Specify both the catalog and AAC file path
• Specify only the AAC file path
• Run the tool multiple times to migrate different AAC files individually

Note: Passwords stored in the specified AAC file are also re‑encrypted.

6. Start Migration

• Click Next to begin the migration
• Confirm the prompt to continue
• Review the list of database tables being updated
• Wait for the migration success message

Note: All detected passwords are decrypted using the old method and re‑encrypted using the new encryption mechanism.

7. Close the Tool and Relaunch AdminStudio

• Close the Encryption Migration Tool
• Launch AdminStudio again

Important: If AdminStudio was open during migration, it must be closed and relaunched.

Manual Re‑Entry of Credentials (Alternative)

If the Encryption Migration Tool is not used, all credentials must be manually re‑entered in AdminStudio.

Important Considerations

• All locations containing stored credentials must be updated
• Missing even one location will result in AdminStudio continuing to display an Important Message in the ribbon
• The UI does not automatically identify which credential locations remain unmigrated
• Documentation lists all relevant locations to assist with manual updates

Credential Locations Affected

Depending on product usage, credentials may exist in the following areas:

• Catalog connection settings
• Distribution and management system connections (for example, ConfigMgr, Workspace ONE, Intune)
• Application configuration files
• Conversion configuration files
• Certificate‑related settings (including MSIX Editor certificates)
• Virtual machine and server connection details

Locations Where Password or Sensitive Fields Are Present

Options Window

• All Distribution Connections in the Options window
• All Monitored Directory Connections in the Options window

Plugin Options

• AAC Options
  • Authentication Type: Server → Password field
• App-V to MSIX Conversion Options
  • Authentication Type: Server → Password field
  • Signing Type: Standard → Certificate Password
  • Signing Type: Custom → Arguments field
• Intune App Conversion Options
  • Authentication Type: Server → Password field

Wrap Options

• Output Section
  • Authentication: Server → Password field

Package Feed Options

• Authentication: Server → Password field

Server Options

• Microsoft ACT → Password field

Package Automation Options

• Notification Settings → Password field

Flexera Integration

• FSG → Password field
• FSG – AdminStudio via FSG → Password field

MSIX Editor

• Preferences Ribbon → Signing Tab
  • Select Certificate for Signing (.pfx) → Password
  • Signing Type: Custom → Arguments field

AAC

Machines Tab

• Properties → Machine Settings → Guest Password
• Properties → Virtual Machine Server → Server Password

Packages Tab

• Properties → MSIX Signing Options
  • Signing Type: Standard → Certificate Password
  • Signing Type: Custom → Arguments field

Tools Menu

• Tools → Options → MSIX Signing Options
  • Signing Type: Standard → Certificate Password
  • Signing Type: Custom → Arguments field