AdminStudio Blog — SSahu_E (Flexera Software)
This blog describes recent changes to encryption handling in AdminStudio, the impact of these changes after upgrading from earlier versions, and the steps required to migrate existing encrypted credentials.
Overview
AdminStudio has been updated to use modern, stronger encryption algorithms across the product. All legacy encryption implementations have been fully removed and replaced with newer encryption mechanisms.
These changes:
- Apply to all AdminStudio customers
- Are not limited to specific configuration modes or optional settings
- Are mandatory as part of ongoing security and compliance improvements
Impact of the Change
After upgrading to the latest version of AdminStudio:
- All encryption operations use newer encryption algorithms
- Older encryption and decryption logic is no longer present in the source code
- Encrypted data created using earlier versions cannot be decrypted directly by the upgraded product
As a result, previously stored credentials and secure values must be migrated so they can be used by the updated product.
Handling Existing Encrypted Data
To support migration of previously stored encrypted values, AdminStudio provides a separate Encryption Migration Tool.
The tool:
- Decrypts existing encrypted values using the legacy encryption method
- Re‑encrypts them using the new encryption mechanism
- Updates the stored data so it is compatible with the upgraded AdminStudio version
Encryption Migration Tool
Availability
- The Encryption Migration Tool is provided as a separate download
- It is distributed as a compressed (ZIP) archive
- A download link is surfaced in AdminStudio through the Important Messages section, accessible from the AdminStudio ribbon beside Help Contents
When the user selects this option, a popup is displayed. Clicking the “Click here to download migration tool” hyperlink in the popup successfully downloads the migration tool for use.
Scope
The Encryption Migration Tool can:
- Re‑encrypt credentials stored in the AdminStudio catalog
- Re‑encrypt credentials stored in configuration files
- Be run multiple times, for example when multiple configuration (AC) files exist
The tool operates independently of AdminStudio and is not embedded within the product.
Recommended Upgrade Sequence
For correct behavior, perform the following steps in order:
- Complete the AdminStudio setup upgrade
- Complete the AdminStudio catalog upgrade
- Run the Encryption Migration Tool
- OR manually re‑enter all credentials in AdminStudio
- Launch or relaunch AdminStudio
Important:
If AdminStudio is already running, close it before running the migration tool and reopen it after the migration completes.
Migrating Encrypted Passwords Using the Migration Tool
1. Complete the AdminStudio Upgrade
- Upgrade the AdminStudio setup
- Upgrade the AdminStudio catalog
Note: The migration tool must be run only after both upgrades are complete.
2. Download the Encryption Migration Tool
- Download the Encryption Migration Tool as a ZIP file from the provided download location (for example, PLC or the anonymous link shown in AdminStudio)
- Extract the ZIP file to a local folder
Note: The tool is a standalone utility and is not embedded in AdminStudio.
3. Launch the Encryption Migration Tool
- Run the main executable from the extracted folder
- The tool opens a UI similar to the AdminStudio Connect to Catalog dialog
4. Configure Catalog Connection Details
- Enter the required catalog connection details
- Click Test Connection to validate the details
Note: If the catalog contains encrypted passwords, they will be processed during migration.
5. Specify an AAC File Path (If Applicable)
If applicable, provide the AAC file path used for Application Catalog or conversion workflows.
You may:
- Specify both the catalog and AAC file path
- Specify only the AAC file path
- Run the tool multiple times to migrate different AAC files individually
Note: Passwords stored in the specified AAC file are also re‑encrypted.
6. Start Migration
- Click Next to begin the migration
- Confirm the prompt to continue
- Review the list of database tables being updated
- Wait for the migration success message
Note: All detected passwords are decrypted using the old method and re‑encrypted using the new encryption mechanism.
7. Close the Tool and Relaunch AdminStudio
- Close the Encryption Migration Tool
- Launch AdminStudio again
Important: If AdminStudio was open during migration, it must be closed and relaunched.
Manual Re‑Entry of Credentials (Alternative)
If the Encryption Migration Tool is not used, all credentials must be manually re‑entered in AdminStudio.
Important Considerations
- All locations containing stored credentials must be updated
- Missing even one location will result in AdminStudio continuing to display an Important Message in the ribbon
- The UI does not automatically identify which credential locations remain unmigrated
- Documentation lists all relevant locations to assist with manual updates
Credential Locations Affected
Depending on product usage, credentials may exist in the following areas:
- Catalog connection settings
- Distribution and management system connections (for example, ConfigMgr, Workspace ONE, Intune)
- Application configuration files
- Conversion configuration files
- Certificate‑related settings (including MSIX Editor certificates)
- Virtual machine and server connection details
Locations Where Password or Sensitive Fields Are Present
Options Window
- All Distribution Connections in the Options window
- All Monitored Directory Connections in the Options window
Plugin Options
- AAC Options
- Authentication Type: Server → Password field
- App-V to MSIX Conversion Options
- Authentication Type: Server → Password field
- Signing Type: Standard → Certificate Password
- Signing Type: Custom → Arguments field
- Intune App Conversion Options
- Authentication Type: Server → Password field
Wrap Options
- Output Section
- Authentication: Server → Password field
Package Feed Options
- Authentication: Server → Password field
Server Options
- Microsoft ACT → Password field
Package Automation Options
- Notification Settings → Password field
Flexera Integration
- FSG → Password field
- FSG – AdminStudio via FSG → Password field
MSIX Editor
- Preferences Ribbon → Signing Tab
- Select Certificate for Signing (.pfx) → Password
- Signing Type: Custom → Arguments field
AAC
Machines Tab
- Properties → Machine Settings → Guest Password
- Properties → Virtual Machine Server → Server Password
Packages Tab
- Properties → MSIX Signing Options
- Signing Type: Standard → Certificate Password
- Signing Type: Custom → Arguments field
Tools Menu
- Tools → Options → MSIX Signing Options
- Signing Type: Standard → Certificate Password
- Signing Type: Custom → Arguments field
