In the VSTS build, I set various variables (Edit build -> Variables tab), some I set as secret (click the lock), some I don't.

In the build, I run a command prompt task to run set -- e.g. show me all the environment variables. Those marked as secret aren't present.

How do I get VSTS secrets into environment variables?

Secret variables are:

• Encrypted at rest with a 2048-bit RSA key.
• Not returned back to the client. They are automatically masked out of any log output from the build or release.
• Not decrypted into environment variables. So scripts and programs run by your build steps are not given access by default.
• Decrypted for access by your build steps. So you can use them in password arguments and also pass them explicitly into a script or a program from your build step (for example as $(password)).

So, Secure variables need to be passed in to tasks as inputs. Check this case: How to add secret variable as task environment variable in VSTS