June 18, 2020
HomeConfiguration ManagerConfiguring Autologon during OSD using Autologon.exe

Configuring Autologon during OSD using Autologon.exe

By  Configuration Manager  4 Comments

There are many blogposts on how to configure Autologon for use when deploying kiosk devices for example. I needed to solve that in a kiosk scenario, more kiosk blogposts will be posted later.
What are the challenges with Autologon then? To start with the OOBE phase clears out all Autologon registry values so they need to be configured after OSD is complete. Another challenge is that the username and password is saved in clear test in the registry.

Autologon.exe is a SysInternals tool that encrypts the password used by Autologon in the registry instead of storing it in clear text. Autologon.exe can be downloaded here https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

Here is how we solved it in the project.

Run a PowerShell script during OSD that does the following:

-Writes the username to a registry value so we can pick up later (in another blog post)
-Copies Autologon.exe to C:\Windows\Temp
-Creates an Autologon.cmd file in C:\Windows\Temp which we can run as a scheduled task.
-Autologon.cmd includes username/password for the kiosk user with permissions set to System  
-Creates a schedule task that runs Autologon.cmd
-Autologon.cmd runs Autologon.cmd then deletes Autologon.cmd and AutoLogon.exe and reboots.

I use Collection variables to set username and password to be used during OS deployment shown below.

I create a package with Autologon.exe and the .xml file for the schedule task and the PowerShell script which can be downloaded here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Kiosk%20scripts

The PowerShell script, remember to change the $Domain and the $RegKeyName to reflect your environment.

# Name: Autologon.ps1
# Authors: Jörgen Nilsson
# ccmexec.com

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$Username,
    [Parameter(Mandatory=$True)]
    [string]$Password
  )
# Set values
$Version="1"
$RegKeyName = "CCMEXECOSD"
$FullRegKeyName = "HKLM:\SOFTWARE\" + $regkeyname 
$Domain="demiranda"

# Create Registry key 
New-Item -Path $FullRegKeyName -type Directory -ErrorAction SilentlyContinue

# Set registry values to be used later
new-itemproperty $FullRegKeyName -Name "Kiosk Version" -Value $Version -Type STRING -Force -ErrorAction SilentlyContinue | Out-Null
new-itemproperty $FullRegKeyName -Name "UserName" -Value $username -Type STRING -Force -ErrorAction SilentlyContinue | Out-Null

# Creates ScheduleTask
Register-ScheduledTask -Xml (get-content $PSScriptRoot\autologon.xml | out-string) -TaskName "Autologon"

# Copy Autologon.exe
Copy-Item -path $PSScriptRoot\autologon.exe -Destination C:\Windows

# Creates the autologon.cmd file
$AutologonFile = "C:\Windows\temp\Autologon.cmd"
New-Item $AutologonFile -ItemType File -Value "C:\Windows\Autologon.exe /accepteula $Username $Domain $Password"
Add-Content $AutologonFile ""
Add-Content $AutologonFile "del C:\Windows\Autologon.exe"
Add-Content $AutologonFile "schtasks.exe /delete /tn AutoLogon /f"
Add-Content $AutologonFile "shutdown /r /t 20 /f"
Add-Content $AutologonFile "del %0" 

# Sets permissions so only System can read the cmd file
Invoke-Expression -Command:"icacls C:\Windows\Temp\Autologon.cmd /inheritance:r"
Invoke-Expression -Command:"icacls C:\Windows\Temp\Autologon.cmd /grant SYSTEM:'(F)'"

The group in my Task Sequence looks like this where I have a conditon on the group that the Task Sequence variable “KioskDomain” must be present for it to execute.

The configure Autologon step looks like this and executes the PowerShell script from the package we created earlier. Where I pass the username / password as variables to the script. A follow up post on this will explain how I will use that in a Run script as well.

The step “Move to correct OU” moves the computer to a Kiosk OU using an account that has the needed permissions. The script can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

The computer will restart once after the OSD completes and then the schedule task will start and execute the script and the machine will reboot and logon automatically.

Then we have successfully configured autologon during OSD without the password in clear text in the registry.
Next post will cover the script I use to configure Windows 10 to run KioskMode with Multiple apps and how to update it as well, stay tuned!

Tags:, , ,

Related Posts

About Author

Jörgen Nilsson

4 Comments
  1. SpecT

    $RegKeyName = $regkeyname
    $Username = $username

    The same or other ?

    Reply
  2. Andy D'Hollander

    Just a remark, I tried this in our environment and we have autogenerated complex passwords for our kiosk accounts and the one I tested with errored out on a “)” in the password.
    And when it does, it actually does put the kiosk username and password in the smsts.log file as part of the error.

    Reply
  3. lukas

    Hi Jörgen,

    greate solution – the only Thing which is missing for me is the last step “Reboot after OSD”.
    Do you use here the SMSTSPostAction?

    Reply
    • Jörgen Nilsson

      Ah, thanks for the headsup, will update the post.
      I use the following command as the PostAction

      cmd /c shutdown /r /t 45 /f

      Reply

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.