CCMEXEC.COM – Enterprise Mobility

Configuring Autologon during OSD using Autologon.exe

Posted on June 18, 2020 (updated June 25, 2020) by Jörgen Nilsson

There are many blog posts on how to configure Autologon, for example when deploying kiosk devices. I needed to solve that in a kiosk scenario; more kiosk blog posts will be posted later.
What are the challenges with Autologon, then? To start with, the OOBE phase clears out all Autologon registry values, so they need to be configured after OSD is complete. Another challenge is that the username and password are saved in clear text in the registry.

Autologon.exe is a Sysinternals tool that stores the password used by Autologon encrypted (as an LSA secret) instead of storing it in clear text in the registry. Autologon.exe can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

Here is how we solved it in the project.

Run a PowerShell script during OSD that does the following:

- Writes the username to a registry value so we can pick it up later (in another blog post)
- Copies Autologon.exe to C:\Windows\Temp
- Creates an Autologon.cmd file in C:\Windows\Temp which we can run as a scheduled task
- Autologon.cmd includes the username/password for the kiosk user, so its permissions are set so that only System can access it
- Creates a scheduled task that runs Autologon.cmd
- Autologon.cmd runs Autologon.exe, then deletes Autologon.cmd and Autologon.exe and reboots

I use Collection variables to set username and password to be used during OS deployment shown below.

I create a package with Autologon.exe, the .xml file for the scheduled task and the PowerShell script, which can be downloaded here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Kiosk%20scripts

The PowerShell script is shown below; remember to change $Domain and $RegKeyName to reflect your environment.

# Name: Autologon.ps1
# Authors: Jörgen Nilsson
# ccmexec.com

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$Username,
    [Parameter(Mandatory=$True)]
    [string]$Password
  )
# Set values
$Version="1"
$RegKeyName = "CCMEXECOSD"
$FullRegKeyName = "HKLM:\SOFTWARE\" + $regkeyname 
$Domain="demiranda"

# Create Registry key 
New-Item -Path $FullRegKeyName -type Directory -ErrorAction SilentlyContinue

# Set registry values to be used later
new-itemproperty $FullRegKeyName -Name "Kiosk Version" -Value $Version -Type STRING -Force -ErrorAction SilentlyContinue | Out-Null
new-itemproperty $FullRegKeyName -Name "UserName" -Value $username -Type STRING -Force -ErrorAction SilentlyContinue | Out-Null

# Creates ScheduleTask
Register-ScheduledTask -Xml (get-content $PSScriptRoot\autologon.xml | out-string) -TaskName "Autologon"

# Copy Autologon.exe
Copy-Item -path $PSScriptRoot\autologon.exe -Destination C:\Windows

# Creates the Autologon.cmd file (it holds the password in clear text until the scheduled task has run)
$AutologonFile = "C:\Windows\Temp\Autologon.cmd"
New-Item $AutologonFile -ItemType File -Force -Value "C:\Windows\Autologon.exe /accepteula $Username $Domain $Password"
Add-Content $AutologonFile ""
Add-Content $AutologonFile "del C:\Windows\Autologon.exe"
Add-Content $AutologonFile "schtasks.exe /delete /tn AutoLogon /f"
Add-Content $AutologonFile "shutdown /r /t 20 /f"
Add-Content $AutologonFile "del %0"

# Sets permissions so only System can read the cmd file:
# remove the inherited ACEs, then grant SYSTEM full control
& icacls.exe $AutologonFile /inheritance:r
& icacls.exe $AutologonFile /grant 'SYSTEM:(F)'
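
The script above writes the credentials into Autologon.cmd first and tightens the ACL afterwards. The variant below is an added example, not part of the author's script: it creates the file empty, restricts it to SYSTEM, verifies the ACL and only then writes the content. New-SystemOnlyFile is a hypothetical helper name, and it assumes the script runs as SYSTEM, as a task sequence step does by default.

```powershell
# Added example, not part of Autologon.ps1; New-SystemOnlyFile is a hypothetical helper.
# Assumes the caller is SYSTEM (the default for a task sequence step). Any other
# account loses access after step 2, so the final write would fail.
function New-SystemOnlyFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string[]]$Lines
    )

    # 1. Create the file empty: nothing sensitive exists while the inherited ACL still applies.
    New-Item -Path $Path -ItemType File -Force | Out-Null

    # 2. Drop inherited ACEs and grant LocalSystem full control. *S-1-5-18 is the
    #    well-known SID, so the call does not depend on the display language of Windows.
    & icacls.exe $Path /inheritance:r /grant '*S-1-5-18:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit code $LASTEXITCODE)" }

    # 3. Verify the DACL before writing: exactly one ACE, and it belongs to LocalSystem.
    $aces = @((Get-Acl -Path $Path).Access)
    $sids = @($aces | ForEach-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    })
    if ($sids.Count -ne 1 -or $sids[0] -ne 'S-1-5-18') {
        Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
        throw "Unexpected ACL on ${Path}: $($sids -join ', ')"
    }

    # 4. Only now write the command lines that contain the password.
    Set-Content -Path $Path -Value $Lines
}

# Usage with the lines from Autologon.ps1 ($Username, $Domain, $Password as in that script):
# New-SystemOnlyFile -Path 'C:\Windows\Temp\Autologon.cmd' -Lines @(
#     "C:\Windows\Autologon.exe /accepteula $Username $Domain $Password",
#     'del C:\Windows\Autologon.exe',
#     'schtasks.exe /delete /tn AutoLogon /f',
#     'shutdown /r /t 20 /f',
#     'del %0'
# )
```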

The group in my Task Sequence looks like this, where I have a condition on the group that the Task Sequence variable “KioskDomain” must be present for it to execute.

The Configure Autologon step looks like this and executes the PowerShell script from the package we created earlier, with the username/password passed to the script as variables. A follow-up post on this will explain how I will use that in a Run Script as well.

The step “Move to correct OU” moves the computer to a Kiosk OU using an account that has the needed permissions. The script can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

The computer will restart once after the OSD completes; then the scheduled task will start and execute the script, and the machine will reboot and log on automatically.

Then we have successfully configured autologon during OSD without the password in clear text in the registry.
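
A check to run elevated on a deployed kiosk to confirm that result, and a starting point when a device stops at the logon screen: it reads the Winlogon values used by Autologon, confirms that no clear-text DefaultPassword value exists, and looks for leftovers of the bootstrap files and task. This is an added example, not part of the original post or the author's scripts; the function name and the smsts.log path are assumptions.

```powershell
# Added example, not from the original post; Test-KioskAutologon is a hypothetical name.
# Run elevated on the kiosk after the final reboot.
function Test-KioskAutologon {
    [CmdletBinding()]
    param(
        [string]$RegKeyName = 'CCMEXECOSD',                    # same value as in Autologon.ps1
        [string]$SmstsLog   = 'C:\Windows\CCM\Logs\smsts.log'  # assumed log location
    )

    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $tattoo   = Get-ItemProperty "HKLM:\SOFTWARE\$RegKeyName" -ErrorAction SilentlyContinue
    $user     = $winlogon.DefaultUserName

    # Files and the task that Autologon.cmd is supposed to remove after it has run
    $leftovers = @('C:\Windows\Temp\Autologon.cmd', 'C:\Windows\Autologon.exe' |
        Where-Object { Test-Path -LiteralPath $_ })
    $task = Get-ScheduledTask -TaskName 'Autologon' -ErrorAction SilentlyContinue

    # Log lines naming the kiosk user are where a logged command line would show up
    $logHits = @()
    if ($user -and (Test-Path -LiteralPath $SmstsLog)) {
        $logHits = @(Select-String -LiteralPath $SmstsLog -SimpleMatch -Pattern $user)
    }

    [pscustomobject]@{
        AutoAdminLogonEnabled = ($winlogon.AutoAdminLogon -eq '1')
        DefaultUserName       = $user
        DefaultDomainName     = $winlogon.DefaultDomainName
        MatchesTattooedUser   = ($null -ne $tattoo -and $user -eq $tattoo.UserName)
        # A DefaultPassword value here would be a clear-text password in the registry
        ClearTextPassword     = ($null -ne $winlogon.PSObject.Properties['DefaultPassword'])
        LeftoverFiles         = $leftovers
        ScheduledTaskPresent  = ($null -ne $task)
        SmstsLogLinesToReview = $logHits.Count
    }
}

Test-KioskAutologon | Format-List
```
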
The next post will cover the script I use to configure Windows 10 to run Kiosk Mode with multiple apps and how to update it as well, stay tuned!

14 thoughts on “Configuring Autologon during OSD using Autologon.exe”

    1. SpecT says:
      June 19, 2020 at 1:38 pm

      $RegKeyName = $regkeyname
      $Username = $username

      The same or other ?

    2. Andy D'Hollander says:
      June 24, 2020 at 8:56 pm

      Just a remark, I tried this in our environment and we have autogenerated complex passwords for our kiosk accounts and the one I tested with errored out on a “)” in the password.
      And when it does, it actually does put the kiosk username and password in the smsts.log file as part of the error.

    3. lukas says:
      June 25, 2020 at 9:28 am

      Hi Jörgen,

      Great solution – the only thing which is missing for me is the last step “Reboot after OSD”.
      Do you use the SMSTSPostAction here?

      1. Jörgen Nilsson says:
        June 25, 2020 at 10:08 am

        Ah, thanks for the heads-up, will update the post.
        I use the following command as the PostAction

        cmd /c shutdown /r /t 45 /f

    4. adam says:
      July 10, 2020 at 6:12 am

      Hi guys, what’s “$RegKeyName to reflect your environment”? What is this key referring to? Can I just leave it as it is?

      1. Jörgen Nilsson says:
        August 7, 2020 at 9:15 am

        Hi,
        It is a registry key that is used for tagging the registry with the username so we can grab it later. I use the same key as I use here: https://ccmexec.com/2018/03/script-to-tattoo-the-client-registry-during-osd-ps-version/
        /Jörgen

    5. Pingback: Microsoft Cloud ve Datacenter Management Temmuz 2020 Bülten – Sertaç Topal
    6. Pingback: Windows 10 Secure AutoLogon - PowerShell - CCMEXEC.COM - Enterprise Mobility
    7. Deb says:
      August 18, 2020 at 2:36 am

      Hi,
      How do you get the task seq to reference the variables in the collection?
      **I use Collection variables to set username and password to be used during OS deployment shown below**

      1. Jörgen Nilsson says:
        August 18, 2020 at 9:46 am

        Hi,
        The script reads those variables from the TS environment, where the variables are added for collections that the device is a member of when the TS starts.
        /Jörgen

    8. Mikael says:
      September 17, 2020 at 9:46 am

      Since Windows gets updated every so often, is there a risk that the autologon.exe will no longer work with newer versions of Windows? Autologon.exe hasn’t been updated since 2016 and I am worried we will invest time and effort to set this up and it will no longer work in versions to come.

      1. Jörgen Nilsson says:
        September 22, 2020 at 10:30 am

        Hi,
        There is always a risk of course, but you can use PowerShell with a little C# function to achieve the same, so as long as Windows 10 supports LSA Secrets we can do it without Autologon.exe as well.
        Regards,
        Jörgen

    9. Thomas says:
      September 22, 2020 at 10:54 am

      I have tried your solution in this post, but I cannot get it to work.
      It does everything as it is supposed to do except for logging on.
      It has set the correct domain and user name, but it just ends up at the login screen waiting for a password.
      Any suggestions as to what can be wrong?

    10. DMarv says:
      January 12, 2022 at 2:29 am

      Not sure if this works anymore. I run into the same issue as the user above on 21H1


    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.
