There are many blogposts on how to configure Autologon for use when deploying kiosk devices for example. I needed to solve that in a kiosk scenario, more kiosk blogposts will be posted later.
What are the challenges with Autologon then? To start with, the OOBE phase clears out all Autologon registry values, so they need to be configured after OSD is complete. Another challenge is that the username and password are saved in clear text in the registry.
Autologon.exe is a Sysinternals tool that stores the password used by Autologon encrypted instead of in clear text in the registry. Autologon.exe can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
Here is how we solved it in the project.
Run a PowerShell script during OSD that does the following:
-Writes the username to a registry value so we can pick up later (in another blog post)
-Copies Autologon.exe to C:\Windows\Temp
-Creates an Autologon.cmd file in C:\Windows\Temp which we can run as a scheduled task.
-Autologon.cmd includes the username/password for the kiosk user, with permissions set so that only SYSTEM can read it.
-Creates a scheduled task that runs Autologon.cmd.
-Autologon.cmd runs Autologon.exe, then deletes Autologon.cmd and Autologon.exe and reboots.
I use Collection variables to set username and password to be used during OS deployment shown below.
I create a package with Autologon.exe and the .xml file for the schedule task and the PowerShell script which can be downloaded here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Kiosk%20scripts
The PowerShell script is shown below; remember to change $Domain and $RegKeyName to reflect your environment.
# Name: Autologon.ps1
# Authors: Jörgen Nilsson
# ccmexec.com
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$Username,
    [Parameter(Mandatory=$True)]
    [string]$Password
)
# Set values (change $RegKeyName and $Domain to match your environment)
$Version = "1"
$RegKeyName = "CCMEXECOSD"
$FullRegKeyName = "HKLM:\SOFTWARE\" + $RegKeyName
$Domain = "demiranda"
# Create Registry key
New-Item -Path $FullRegKeyName -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
# Set registry values to be used later (only the username is tattooed, never the password)
New-ItemProperty $FullRegKeyName -Name "Kiosk Version" -Value $Version -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty $FullRegKeyName -Name "UserName" -Value $Username -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
# Creates the scheduled task from the autologon.xml file in the package
Register-ScheduledTask -Xml (Get-Content "$PSScriptRoot\autologon.xml" | Out-String) -TaskName "Autologon"
# Copy Autologon.exe
Copy-Item -Path "$PSScriptRoot\autologon.exe" -Destination C:\Windows
# Creates the autologon.cmd file that the scheduled task runs after the first reboot
$AutologonFile = "C:\Windows\Temp\Autologon.cmd"
New-Item $AutologonFile -ItemType File -Force -Value "C:\Windows\Autologon.exe /accepteula $Username $Domain $Password"
Add-Content $AutologonFile ""
Add-Content $AutologonFile "del C:\Windows\Autologon.exe"
Add-Content $AutologonFile "schtasks.exe /delete /tn AutoLogon /f"
Add-Content $AutologonFile "shutdown /r /t 20 /f"
Add-Content $AutologonFile "del %0"
# Sets permissions so only SYSTEM can read the cmd file (remove inherited ACEs, then grant SYSTEM full control)
icacls.exe $AutologonFile /inheritance:r
icacls.exe $AutologonFile /grant "SYSTEM:(F)"
The group in my Task Sequence looks like this, with a condition on the group that the Task Sequence variable “KioskDomain” must be present for it to execute.
The Configure Autologon step looks like this and executes the PowerShell script from the package we created earlier, passing the username and password to the script as variables. A follow-up post will explain how I use that in a Run Script as well.
The step “Move to correct OU” moves the computer to a Kiosk OU using an account that has the needed permissions. The script can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts
The computer will restart once after the OSD completes; the scheduled task will then start and execute the script, and the machine will reboot and log on automatically.
Then we have successfully configured Autologon during OSD without the password in clear text in the registry.
Next post will cover the script I use to configure Windows 10 to run KioskMode with Multiple apps and how to update it as well, stay tuned!
$RegKeyName = $regkeyname
$Username = $username
The same or other?
Just a remark, I tried this in our environment and we have autogenerated complex passwords for our kiosk accounts and the one I tested with errored out on a “)” in the password.
And when it does, it actually does put the kiosk username and password in the smsts.log file as part of the error.
Hi Jörgen,
great solution – the only thing which is missing for me is the last step “Reboot after OSD”.
Do you use here the SMSTSPostAction?
Ah, thanks for the heads-up, will update the post.
I use the following command as the PostAction
cmd /c shutdown /r /t 45 /f
Hi guys, what’s “$RegKeyName to reflect your environment”? What is this key referring to? Can I just leave it as it is?
Hi,
It is a registry key that is used for tagging the registry with username so we can grab it later. I use the same key as I use here https://ccmexec.com/2018/03/script-to-tattoo-the-client-registry-during-osd-ps-version/
/Jörgen
Hi,
How do you get the task seq to reference the variables in the collection?
**I use Collection variables to set username and password to be used during OS deployment shown below**
Hi,
The script reads those variables from the TS environment, where the variables are added for collections that the device is a member of when the TS starts.
/Jörgen
Since Windows gets updated every so often, is there a risk that the autologon.exe will no longer work with newer versions of Windows? Autologon.exe hasn’t been updated since 2016 and I am worried we will invest time and effort to set this up and it will no longer work in versions to come.
Hi,
There is always a risk of course, but you can use PowerShell with a little C# function to achieve the same. So as long as Windows 10 supports LSA Secrets, we can do it without Autologon.exe as well.
Regards,
Jörgen
I have tried your solution in this post, but I can not get it to work.
It does everything as it is supposed to do except from logging on.
I have set the correct domain and user name, but it just ends up at the login screen waiting for a password.
Any suggestions to what can be wrong?
Not sure if this works anymore. I run into the same issue as the user above on 21H1