@StephanTLavavej StephanTLavavej commented Mar 27, 2024

This mirrors MSVC-PR-539935, which @joemmett will be merging into MSVC main.

New codebase scanning tools are hissing at how create-1es-hosted-pool.ps1 builds up a plaintext password before converting it into a SecureString with ConvertTo-SecureString.

Jonathan's fix is to start with a SecureString and build it up character-by-character. Of course, this still leaves each character in normal memory for a fraction of a nanosecond, but that's unavoidable. This avoids mentioning ConvertTo-SecureString, thereby making the tools happy. Later in this script, we redact the generated password from appearing in any console output (my innovation back in #1577), and we discard it entirely after creating the pool, so we're touching it as little as possible.

I verified that the updated function works in PowerShell 7.4.1, but I haven't done a full test drive of the updated script.

⚠️ I eventually noticed that it'll be broken because of this leftover mention of $AdminPW:

-Parameter @{ 'AdminUserPassword' = $AdminPW; }

@joemmett's MSVC-PR is high priority so I want to merge this as-is, then I'll figure out how to fix the script during April Patch Tuesday.

@StephanTLavavej StephanTLavavej added the infrastructure Related to repository automation label Mar 27, 2024
@StephanTLavavej StephanTLavavej requested a review from a team as a code owner March 27, 2024 21:57
@StephanTLavavej StephanTLavavej merged commit be81252 into microsoft:main Mar 29, 2024
@StephanTLavavej StephanTLavavej deleted the you-have-20-seconds-to-comply branch March 29, 2024 00:01
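The character-by-character SecureString build-up described in the PR, as an added example that is not the repository's own create-1es-hosted-pool.ps1 code; the function names, the alphabet and the consumer function are assumptions, and it targets PowerShell 7 (RandomNumberGenerator.GetInt32 needs .NET Core 3.0 or later).

```powershell
# Added example, not code from microsoft/STL. Shows the pattern the scanning tools
# flag beside the character-by-character SecureString build-up the PR describes.
# All function and variable names here are assumptions.

$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*'

# Flagged pattern: the whole password is assembled as an immutable .NET string,
# which stays in managed memory until the GC reclaims it, and is only wrapped
# into a SecureString at the end.
function New-AdminPasswordPlaintext {
    param([int]$Length = 24)
    $plain = ''
    for ($i = 0; $i -lt $Length; $i++) {
        $idx = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)
        $plain += $alphabet[$idx]
    }
    return ConvertTo-SecureString -String $plain -AsPlainText -Force
}

# Hardened pattern: start from an empty SecureString and append one character at
# a time. Each [char] is transient (the "fraction of a nanosecond" from the PR);
# only the SecureString holds the full value, encrypted in memory. MakeReadOnly
# stops later AppendChar/Clear calls from modifying it by accident.
function New-AdminPasswordSecure {
    param([int]$Length = 24)
    $secure = [System.Security.SecureString]::new()
    for ($i = 0; $i -lt $Length; $i++) {
        $idx = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)
        $secure.AppendChar($alphabet[$idx])
    }
    $secure.MakeReadOnly()
    return $secure
}

# Consumer (hypothetical): typing the parameter as SecureString means a leftover
# plaintext string variable cannot be passed in by mistake. Interpolating the
# object prints only the type name, so console output never shows the value.
function Invoke-PoolCreation {
    param([Parameter(Mandatory)][System.Security.SecureString]$AdminUserPassword)
    Write-Host "Creating pool; password length $($AdminUserPassword.Length)"
    Write-Host "Password as printed: $AdminUserPassword"
}

$pw = New-AdminPasswordSecure -Length 24
Invoke-PoolCreation -AdminUserPassword $pw
# After the pool exists, dispose and drop the reference so the encrypted bytes are wiped.
$pw.Dispose()
Remove-Variable pw
```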