While recently updating an old Kiosk task sequence to the latest build of Windows 10, I decided to see if I could get the Sysinternals tool Autologon working as well. In the old task sequence a Run Command Line step was used to run a .reg file that set the Username, Domain, and Password. For some background, when running in kiosk mode the SSO software Imprivata requires a Windows account to log on to the system before it is able to lock the system down and display its own logon screen. Now before the Security Czars get bent out of shape, I know setting a PC to auto logon is not the most secure idea, much less using Windows as a Kiosk, but in this case it is what we have to work with, so we are going to do the best we can to lock it down.

Of course you can just manually enter the registry settings required for autologon, but then the user password is stored as the DefaultPassword value in the Winlogon key in clear text, and that key is readable by any local user, not just administrators. That brings us to Autologon.exe. If you haven’t heard of Sysinternals or Mark Russinovich, then stop right now and go check it out. Directly from the download page,
“Autologon enables you to easily configure Windows’ built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically.”
Let’s cover the basics real quick. The first time you run Autologon you are presented with an EULA that you must accept before you can use the tool. Once accepted, your response is stored in the registry value [HKEY_CURRENT_USER\Software\Sysinternals\Autologon\EulaAccepted].
The GUI is self-explanatory. Enter the username, domain and password of the account you wish to autologon and click Enable. If successful, the AutoAdminLogon, DefaultUserName and DefaultDomainName values are written to the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The biggest pro is that the password is not written to that key at all and is not visible in the registry. There are plenty of blog posts out there covering the details of Autologon and other 3rd party tools, but the bottom line is that even though it is encrypted, the password is stored as an LSA secret (the DefaultPassword secret) and can be recovered by a user with admin rights, for example with a tool that dumps LSA secrets. So treat the kiosk account as a low-privilege account with no access to anything beyond what the kiosk needs. Either way it’s a much better solution than a clear-text DefaultPassword, and it doesn’t cost you any more time to set it up.
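The difference between the two approaches is easy to check on a built machine. The PowerShell below is an added example, not code from the original post or from Sysinternals: it reads the Winlogon key, reports whether autologon is enabled, and flags the dangerous case where a clear-text DefaultPassword was left behind by a .reg-based setup. The function names, the Risk wording and the cleanup helper are this example’s own.

```powershell
# Added example (not from the original post or from Sysinternals).
# Audits HKLM\...\Winlogon for autologon configuration and flags a
# clear-text DefaultPassword. Autologon.exe writes AutoAdminLogon,
# DefaultUserName and DefaultDomainName here but keeps the password
# in the LSA secret "DefaultPassword", so DefaultPassword should be absent.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    param([string]$Path = $WinlogonKey)

    # Missing values simply come back as $null on the property object
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    $enabled = ($p.AutoAdminLogon -eq '1')
    $plain   = -not [string]::IsNullOrEmpty($p.DefaultPassword)

    [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        UserName          = $p.DefaultUserName
        Domain            = $p.DefaultDomainName
        # $true means anyone who can read HKLM (normally every local user) can see the password
        PlainTextPassword = $plain
        # Optional Winlogon value: number of automatic logons before AutoAdminLogon is cleared
        AutoLogonCount    = $p.AutoLogonCount
        Risk              = if ($plain) {
                                'HIGH: clear-text DefaultPassword in registry'
                            } elseif ($enabled) {
                                'MEDIUM: password held as LSA secret, recoverable by local admins'
                            } else {
                                'None: autologon not enabled'
                            }
    }
}

# Removes a clear-text password left behind by an old .reg-based setup.
# Returns $true if a value was removed, $false if there was nothing to do.
function Remove-PlainTextAutoLogonPassword {
    param([string]$Path = $WinlogonKey)

    $existing = Get-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Remove-ItemProperty -Path $Path -Name DefaultPassword
        return $true
    }
    return $false
}

# Usage: run as an administrator on the kiosk after imaging
Get-AutoLogonState | Format-List
```

Run Get-AutoLogonState before and after switching a machine from the .reg method to Autologon.exe; the expected end state is AutoLogonEnabled true and PlainTextPassword false. Remove-PlainTextAutoLogonPassword is there for machines that were imaged with the old task sequence, since Autologon.exe writes its own values and does not clean up a stale DefaultPassword left by somebody else.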
To use Autologon.exe in a task sequence you will need to create a new package with source files but choose not to create a program. Make sure Autologon.exe is in the source path and distribute the package to the distribution points. Open up your task sequence and add a ‘Run Command Line‘ step anywhere after the ‘Setup Windows and Configuration Manager‘ step, and point the step at the package you just created so the executable is in the working directory. I tend to make this one of my last steps just in case reboots cause any odd behavior. The command you want to run is ‘cmd.exe /c .\AutoLogon.exe /accepteula %USERNAME% %DOMAIN% %PASSWORD%‘, where the three variables are task sequence variables you set earlier in the sequence. Make sure to add the ‘/accepteula‘ switch or this step will fail, because the step runs as SYSTEM with nobody there to click through the EULA dialog. One caveat: USERNAME is also a built-in Windows environment variable, so give your task sequence variables names that cannot collide with it (something like KioskUser) to avoid any ambiguity about which value gets expanded. Here is an example of a test TS that I was playing around with.
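The same step written as a script, so the result is verified rather than assumed. This is an added example, not part of the original post or of Sysinternals: it is intended for a ‘Run PowerShell Script‘ step that references the Autologon package, reads the account details from task sequence variables through the Microsoft.SMS.TSEnvironment COM object, runs Autologon.exe with /accepteula, and fails the step if the Winlogon key does not end up in the expected state. The variable names KioskUser, KioskDomain and KioskPassword and the assumption that Autologon.exe sits next to the script in the package are this example’s own.

```powershell
# Added example (not from the original post or from Sysinternals).
# Intended for a "Run PowerShell Script" step after "Setup Windows and
# Configuration Manager". Assumes Autologon.exe is in the same package
# directory as this script and that the variables KioskUser, KioskDomain
# and KioskPassword were set earlier in the task sequence.
$ErrorActionPreference = 'Stop'

# Task sequence variables are exposed through this COM object inside a TS
$tsenv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$user   = $tsenv.Value('KioskUser')
$domain = $tsenv.Value('KioskDomain')
$pass   = $tsenv.Value('KioskPassword')

if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($domain) -or [string]::IsNullOrEmpty($pass)) {
    Write-Error 'KioskUser, KioskDomain and KioskPassword task sequence variables must all be set'
    exit 1
}

# The step runs with the package directory as its working directory;
# $PSScriptRoot resolves to the same place when the script is in the package.
$exe = Join-Path $PSScriptRoot 'Autologon.exe'
if (-not (Test-Path $exe)) {
    Write-Error "Autologon.exe not found at $exe"
    exit 1
}

# /accepteula is required: the step runs as SYSTEM and nobody can click the dialog.
# Argument order is user, domain, password.
& $exe /accepteula $user $domain $pass
$rc = $LASTEXITCODE

# Verify the registry rather than trusting the exit code alone.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ok = ($winlogon.AutoAdminLogon -eq '1') -and
      ($winlogon.DefaultUserName -eq $user) -and
      ($winlogon.DefaultDomainName -eq $domain) -and
      [string]::IsNullOrEmpty($winlogon.DefaultPassword)   # no clear-text copy in the registry

if (-not $ok) {
    Write-Error "Autologon was not configured as expected (Autologon.exe exit code $rc)"
    exit 1
}

Write-Output "Autologon enabled for $domain\$user"
exit 0
```

A non-zero exit code fails the step, so a typo in a variable name or a missing executable shows up during imaging rather than as a kiosk sitting at a logon prompt. The final check on DefaultPassword is the same one you would run by hand: if it is ever non-empty, something other than Autologon.exe put a clear-text password in the registry.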
Once the TS finishes, it will reboot and then log into Windows with the account we specified. It’s always fun to work on new things to see if you can get them working, but I really think SCCM could handle this functionality with some built-in steps. It would be nice if the password were not in plain text in the task sequence editor, but I can live with it as long as the password on the machine is stored encrypted rather than in clear text in the registry. If you agree then toss some votes out at this uservoice and let’s get this integrated into the next build.