Do you ever find yourself troubleshooting why autologin has stopped working on Windows?
We have a set of devices that need to autologin: usually kiosks, monitoring boards, TVs and the like.
Out of the blue, all the devices that needed autologin stopped working, at around the same time. We checked the usual suspects: did someone lock the account again? Did we apply a new security policy that blocked it? Did a Windows update break it?
Let's take a step back and remind ourselves how autologin works. The key requirements are:
A working username and password (AD user or local user).
The Winlogon values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: AutoAdminLogon set to 1, DefaultUserName, DefaultDomainName and DefaultPassword (plus ForceAutoLogon = 1 if you want it to log straight back in after a logoff).
Keep in mind that DefaultPassword is stored in the registry in clear text and is readable by any local user, so the autologin account should be a dedicated, low-privilege one.
If we have all of these set, the PC should autologin.
Where is the problem?
The autologins stopped working, and re-adding the keys didn't help: the DefaultPassword value was deleted again and ForceAutoLogon was set back to 0. Something is changing them.
We spun up ProcMon with boot logging enabled and started digging through the results. It looks like LogonUI.exe is deleting the keys during shutdown:
3/23/2023 9:26:35 AM: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon is changed from 1 to 0 by LogonUI.exe
3/23/2023 9:26:35 AM: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword is deleted by LogonUI.exe
3/23/2023 9:26:36 AM: User Logoff Notification for Customer Experience Improvement Program
3/23/2023 9:26:38 AM: The Event Log service was stopped (an indicator that the system is shutting down)
3/23/2023 9:27:38 AM: The Event Log service was started (an indicator that the system has started)
A further check of the event logs shows that an EAS (Exchange ActiveSync) policy is responsible. But why? These accounts don't have mailboxes. On Windows, MDM DeviceLock settings such as a minimum password length are enforced through the same EAS policy engine that Exchange ActiveSync uses, which is why an "EAS policy" can show up on a device that has never seen a mailbox.
We dig and dig, and find there is no mail profile and no reason for these devices to connect to Exchange Online. We delete the policy and it comes back after a few hours.
How does Intune fit into this?
All the devices are managed by SCCM, are AAD hybrid joined and are enrolled in Intune. In testing, we deleted a device from Intune and blocked enrolment. The autologin keys stayed put and the EAS policy was removed, so the policy is coming from Intune.
After checking the configuration profiles applied in Intune, we found no culprits; we already exclude these devices from most of the Intune profiles.
However, when checking the compliance policies, we found we are setting a minimum password length. We have found our problem!
But wait. We aren't applying the compliance policy to any of these devices, and the autologin users usually aren't synced to AAD? Turns out our assumption was wrong. The users were synced to AAD, and the compliance policy was assigned to All users. There's our problem: compliance policies follow the user, not the device.
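The troubleshooting above had to look in three places by hand: the Winlogon values, the DeviceLock policy the MDM client applied, and the EAS policy engine. The following read-only check is an added example, not code from the original post. The registry paths are the ones the post's own fix script touches; the NodeCache value names (NodeUri, ExpectedValue) are assumed.

```powershell
# Added diagnostic (not from the original post). Read-only; changes nothing.
# Assumed: the NodeCache value names NodeUri and ExpectedValue.

function Get-AutologonState {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon
        ForceAutoLogon     = $p.ForceAutoLogon
        DefaultUserName    = $p.DefaultUserName
        DefaultDomainName  = $p.DefaultDomainName
        # Report presence only; never echo the clear-text password into a log.
        DefaultPasswordSet = [bool]($p.PSObject.Properties.Name -contains 'DefaultPassword')
    }
}

function Get-DeviceLockPolicyState {
    $found = @()
    # (a) Policy CSP DeviceLock values the MDM client has applied on the device
    $pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    if (Test-Path $pm) {
        foreach ($prop in (Get-ItemProperty -Path $pm).PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') {
                $found += [pscustomobject]@{ Source = 'PolicyManager'; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
    # (b) EAS policy engine entries: the "EAS policy" the event log blamed, mailbox or not
    $eas = 'HKLM:\SYSTEM\CurrentControlSet\Control\EAS\Policies'
    if (Test-Path $eas) {
        foreach ($k in (Get-ChildItem -Path $eas -Recurse -ErrorAction SilentlyContinue)) {
            $found += [pscustomobject]@{ Source = 'EAS'; Name = $k.PSChildName; Value = $k.Name }
        }
    }
    # (c) NodeCache: what the OMA-DM client believes it has set, and so will keep re-applying
    $nc = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'
    if (Test-Path $nc) {
        $nodes = Get-ChildItem -Path $nc -Recurse -ErrorAction SilentlyContinue | Get-ItemProperty
        foreach ($n in $nodes) {
            if ($n.NodeUri -like '*/DeviceLock/*') {
                $found += [pscustomobject]@{ Source = 'NodeCache'; Name = $n.NodeUri; Value = $n.ExpectedValue }
            }
        }
    }
    $found
}

function Test-AutologonBlockedByPolicy {
    $auto = Get-AutologonState
    $lock = Get-DeviceLockPolicyState
    $auto | Format-List | Out-String | Write-Host
    if ($lock) { $lock | Format-Table -AutoSize | Out-String | Write-Host }
    # Autologon only survives a reboot if the keys are whole AND nothing on the
    # device is still carrying a DeviceLock password policy.
    $keysOk = ($auto.AutoAdminLogon -eq '1') -and $auto.DefaultUserName -and $auto.DefaultPasswordSet
    [pscustomobject]@{
        AutologonKeysIntact   = [bool]$keysOk
        DeviceLockPolicyFound = [bool]$lock
        Verdict = if (-not $keysOk) { 'autologon keys missing or disabled' }
                  elseif ($lock)    { 'keys present but a DeviceLock/EAS policy is still on the device; expect LogonUI to clear them at next shutdown' }
                  else              { 'looks healthy' }
    }
}

Test-AutologonBlockedByPolicy
```

Run it elevated before and after a reboot: a device where the keys are intact but a DeviceLock policy is still cached is the state described above, where the fix appears to work until the next shutdown.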
How can we fix this
First things first: exclude the autologin users from the compliance policy and sync the device. It can take hours or days for the policy to drop out of the device's status.
Then we added the autologin keys back to the device and waited, hoping the problem was solved. Unfortunately it returned shortly after.
Turns out Intune does a very good job of caching settings on the device and keeps them there.
You either need to:
Delete the device from Intune and let it re-enrol.
Set up a new compliance policy that removes the settings.
Intervene manually: find and delete the cached keys, and script the fix.
I chose the third option. There are too many computers to remove them from Intune, and we don't want a compliance policy lying around that could be assigned in the wrong place. I set up the following script to delete the cached keys, add the autologin values back and sync with Intune.
###
# Reset the device autologon after the device is joined to AAD and Intune.
# Ensure the compliance policy is no longer assigned to the device or its user,
# otherwise the problem will come back in a few days.
# Run elevated. DefaultPassword is written to the registry in clear text and is
# readable by any local user, so use a dedicated low-privilege account.
###
param (
    [String] $LoginUser = "AutomationUser",
    [String] $LoginDomain = "timstechblurbs.local",
    [String] $LoginPassword = "ALongAndComplacatePAsswordNoOneCanRemeber"
)

$Winlogon = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# 1. NodeCache entries for DeviceLock settings: what the OMA-DM client believes it has applied.
#    -WhatIf only reports what would be removed; drop it once you are happy with the list.
$NodeCacheKeys = Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\' -Recurse -ErrorAction SilentlyContinue |
    Get-ItemProperty | Where-Object { $_.'NodeUri' -like "*/DeviceLock/*" }
foreach ($key in $NodeCacheKeys) {
    Write-Host $key.PSPath
    Remove-Item -Path $key.PSPath -Recurse -WhatIf
}

# 2. The applied DeviceLock policy values (minimum password length and friends).
$PolicyKeys = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\' -ErrorAction SilentlyContinue
if ($PolicyKeys) {
    Write-Host $PolicyKeys.PSPath
    Remove-Item -Path $PolicyKeys.PSPath -Recurse
}

# 3. The EAS policy that LogonUI acts on at shutdown. Note that PSParentPath removes the
#    whole ...\Control\EAS key (the parent of Policies), not just the Policies subkey.
$EASKeys = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS\Policies' -ErrorAction SilentlyContinue
if ($EASKeys) {
    Write-Host $EASKeys.PSPath
    Remove-Item -Path $EASKeys.PSParentPath -Recurse
}

# 4. Kick off an Intune sync so the device reports the (now unassigned) policy state.
Get-ScheduledTask -TaskName "Schedule to run OMADMClient by server" -ErrorAction Continue | Start-ScheduledTask

# 5. Put the autologon values back.
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName    -Value $LoginDomain
Set-ItemProperty -Path $Winlogon -Name AltDefaultDomainName -Value $LoginDomain
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon       -Value "1"
Set-ItemProperty -Path $Winlogon -Name ForceAutoLogon       -Value "1"
Set-ItemProperty -Path $Winlogon -Name DefaultUserName      -Value $LoginUser
Set-ItemProperty -Path $Winlogon -Name DefaultPassword      -Value $LoginPassword
How much time do we spend chasing users' full C: drives? Especially when Patch Tuesday has come along and we need to get patch KBxxxxx installed yesterday.
Storage Sense to the rescue!
Storage Sense can be split into two handy features:
Dehydrating OneDrive Files On-Demand files.
Cleaning temp, Downloads and old unused files.
Let's start with OneDrive Files On-Demand. Since build 17720 we have been able to save space on the client by only keeping frequently used files local. That's really handy when you have lots of large files but only need to open them once in a while. We can also control when our files are "dehydrated" and converted to cloud-only files.
You need to find the right number of days before dehydrating the files, somewhere between 1 and 365. If you have a lot of users without a regular internet connection, I would aim for a value over 60. If you are pretty much always online, aim for 15 to 30 days. It also depends on the amount of data saved in OneDrive; that includes any data in synced SharePoint folders as well. I decided on 30 days.
Then we choose a cadence. I went with 1 (every day) for testing; I don't normally notice when it runs. It could equally be every week, so when we went live I set it to every 7 days.
What about cleaning up the Downloads folder? It always ends up as a dumping ground for me. Let's set it to 30 days. This is one point worth mentioning to end users. I keep some old programs and handy installers saved in OneDrive, so when I break my computer again I can rebuild it without hunting for all the software again. (I know, I should always take the latest version from the website.)
Now we know what we want to set. Let's set it up in Endpoint Manager.
Log in to Intune and go to Devices -> Configuration profiles -> Create profile.
Select Windows 10 and later, and Custom as the profile type.
Enter a name and description.
Let's start with "Allow Storage Sense Global". Select Add on the next page and enter a name for the setting. In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal. The data type should be Integer. Set the value to 1 (meaning enabled). Press Save.
Repeat until we have covered all of the settings in the table.
Once done, save and deploy it to the test devices. Sync and reboot the test device.
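The same profile can be built as a script rather than clicked through one setting at a time. The example below is added here and is not code from the original post. It assumes the settings the post's table contained are the Policy CSP Storage values the post discusses (global on/off, cadence, temp-file cleanup, OneDrive dehydration threshold, Downloads threshold), uses the values the post settles on, and emits the Microsoft Graph request body for a Windows 10 custom configuration profile. The Graph call itself is left commented out: run it only from a session already connected with Connect-MgGraph and the DeviceManagementConfiguration.ReadWrite.All scope.

```powershell
# Added example (not from the original post). Builds the custom OMA-URI profile above
# and emits the Graph body for it. Setting names and allowed values are those of the
# Policy CSP "Storage" area; the values chosen are the ones the post settles on.

$Base = './Device/Vendor/MSFT/Policy/Config/Storage/'

# Assumed: this is the set of settings the post's table held.
$StorageSenseSettings = @(
    @{ Name = 'AllowStorageSenseGlobal';                           Value = 1;  Allowed = 0..1 }            # 1 = enabled
    @{ Name = 'ConfigStorageSenseGlobalCadence';                   Value = 7;  Allowed = @(0, 1, 7, 30) }  # 0 = low disk space, 1 = daily, 7 = weekly, 30 = monthly
    @{ Name = 'AllowStorageSenseTemporaryFilesCleanup';            Value = 1;  Allowed = 0..1 }
    @{ Name = 'ConfigStorageSenseCloudContentDehydrationThreshold'; Value = 30; Allowed = 0..365 }          # days; 0 = never
    @{ Name = 'ConfigStorageSenseDownloadsCleanupThreshold';       Value = 30; Allowed = 0..365 }          # days; 0 = never
)

function New-OmaSettingList {
    param([array]$Settings)
    foreach ($s in $Settings) {
        # Catch an out-of-range value here rather than with a cryptic error after deployment.
        if ($s.Allowed -notcontains $s.Value) {
            throw "$($s.Name): value $($s.Value) is outside the allowed set ($($s.Allowed -join ','))"
        }
        [ordered]@{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'   # the "Integer" data type in the portal
            displayName   = $s.Name
            description   = "Storage Sense: $($s.Name)"
            omaUri        = $Base + $s.Name
            value         = [int]$s.Value
        }
    }
}

function New-StorageSenseProfileBody {
    param([string]$DisplayName = 'Storage Sense (custom OMA-URI)')
    [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Dehydrate OneDrive files after 30 days, clean Downloads after 30 days, run weekly'
        omaSettings   = @(New-OmaSettingList -Settings $StorageSenseSettings)
    } | ConvertTo-Json -Depth 5
}

$body = New-StorageSenseProfileBody
$body
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $body -ContentType 'application/json'

# After the device has synced, compare what the MDM client wrote with what we intended.
# Assumed: Policy CSP values land under this PolicyManager key on the device.
function Test-StorageSensePolicyApplied {
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    if (-not (Test-Path $key)) { return $false }
    $applied = Get-ItemProperty -Path $key
    $ok = $true
    foreach ($s in $StorageSenseSettings) {
        $actual = $applied.($s.Name)
        if ($actual -ne $s.Value) {
            Write-Warning "$($s.Name): expected $($s.Value), found '$actual'"
            $ok = $false
        }
    }
    $ok
}
```

Keeping the settings in one table means the portal clicks, the Graph payload and the on-device check all come from the same source of truth, so a typo in a threshold shows up before the profile is assigned rather than after the first cleanup run.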
How do I know it is working?
Press Start and search for Storage Sense. You can then see a breakdown of the settings, and how much space you have saved (once it has been running for a few days).
In our testing it saved us about 20-30% of the space on the devices. It has helped us keep the drives clean and ensure we can get updates and software out to the clients.
You can see which files are set to cloud-only. On the left, the first file is cloud-only; the user simply double-clicks and it downloads.
Some very simple and easy settings to get some fresh space.
Should you change the default user rights assignments in Windows 10? That's the question. If you ask my colleague the AD expert, he will tell you to run away and not even think about changing the defaults. (He will back it up with some pretty funny stories about how someone did it and locked out a company, and maybe even a ship.)
If you ask the security team, the answer is yes. We should set them.
Let's take a look. We will start at my favourite site: the Windows 10 version 2004 security baseline. Microsoft recommends quite a few settings to be applied. When we add another baseline from the security team we end up with the table below.
Policy setting name: Windows 10 value
Access Credential Manager as a trusted caller: No One (blank)
Access this computer from the network: Administrators; Remote Desktop Users
Act as part of the operating system: No One (blank)
Allow log on locally: Administrators; Users
Back up files and directories: Administrators
Create a pagefile: Administrators
Create a token object: No One (blank)
Create global objects: Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE
Create permanent shared objects: No One (blank)
Debug programs: Administrators
Deny access to this computer from the network: NT AUTHORITY\Local Account
Deny log on through Remote Desktop Services: NT AUTHORITY\Local Account
Enable computer and user accounts to be trusted for delegation: No One (blank)
Force shutdown from a remote system: Administrators
Impersonate a client after authentication: Administrators; SERVICE; LOCAL SERVICE; NETWORK SERVICE
Load and unload device drivers: Administrators
Lock pages in memory: No One (blank)
Manage auditing and security log: Administrators
Modify firmware environment values: Administrators
Perform volume maintenance tasks: Administrators
Profile single process: Administrators
Restore files and directories: Administrators
Take ownership of files or other objects: Administrators
First things first. Let's check the UserRights CSP and see what we need to do. You can use the friendly name for an account (i.e. Administrators), but we have every language under the sun and the friendly names are localised, so we need a better way to define the accounts. Let's check the well-known SID structures for what we need.
Let's start with the local Administrators group. When you look up the SID, be sure to look for the BUILTIN group (S-1-5-32-544) and not the domain group.
Now we check Local Account and we get S-1-5-113. The rights in the table also reference Users and Remote Desktop Users, so those BUILTIN groups are included below as well.
Account: SID
Administrators: S-1-5-32-544
Users: S-1-5-32-545
Remote Desktop Users: S-1-5-32-555
Local Account: S-1-5-113
Local Service: S-1-5-19
Network Service: S-1-5-20
Service: S-1-5-6
So let's set up a policy. Open Endpoint Manager.
Select "Windows 10 and later" and Custom as the profile type.
Enter a logical name, "Windows 10 User Rights Assignment", and select Next.
Let's start with "Load and unload device drivers". Select Add on the next page and enter a name for the setting; I am prefixing the names with URA (for User Rights Assignment). In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers. The data type should be String. Enter the desired SID for the setting, in this case *S-1-5-32-544 (the leading * marks it as a SID rather than a name). Press Save.
Done. What's next? Let's do "Access Credential Manager as a trusted caller". According to the baseline no one should have this right. But how do we define it so that no one has it? Don't press Save with a blank field: it will fail (I learnt the hard way).
Add a new one with the name URA - Access Credential Manager as a trusted caller. For the OMA-URI enter ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I set the value to </>. If you leave it blank you get an error when saving. It's really annoying if you have added 20 and then realise they have all failed.
Repeat until you have added them all. Where a right has more than one account, join the SIDs with the &#xF000; delimiter (for example *S-1-5-32-544&#xF000;*S-1-5-32-555 for Administrators and Remote Desktop Users). Select Next, then assign the profile to your test group. Sync your device and reboot.
Do the testing on a test machine, just in case you lock yourself out.
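Typing twenty-odd settings into the portal is where the mistakes creep in, so the example below generates them from the table instead. It is an added example, not code from the original post. It assumes the UserRights CSP conventions used above (a leading * for SIDs, the &#xF000; delimiter between accounts, and the </> placeholder the post found works for "No One"). Only LoadUnloadDeviceDrivers and AccessCredentialManagerAsTrustedCaller are confirmed by the post; the other CSP node names are given as I recall them from the UserRights CSP reference and should be checked against it before use.

```powershell
# Added example (not from the original post): generate the custom OMA-URI settings for the
# baseline table from well-known SIDs. Assumed: the "*<SID>" form, the &#xF000; delimiter,
# the "</>" value for "No One", and the CSP node names other than the two the post uses.

$Sid = @{
    'Administrators'       = 'S-1-5-32-544'
    'Users'                = 'S-1-5-32-545'
    'Remote Desktop Users' = 'S-1-5-32-555'
    'Local Account'        = 'S-1-5-113'
    'LOCAL SERVICE'        = 'S-1-5-19'
    'NETWORK SERVICE'      = 'S-1-5-20'
    'SERVICE'              = 'S-1-5-6'
}

# UserRights CSP node name -> accounts from the baseline table (empty = No One).
$Baseline = [ordered]@{
    'AccessCredentialManagerAsTrustedCaller' = @()
    'AccessFromNetwork'                      = @('Administrators', 'Remote Desktop Users')
    'ActAsPartOfTheOperatingSystem'          = @()
    'AllowLocalLogOn'                        = @('Administrators', 'Users')
    'BackupFilesAndDirectories'              = @('Administrators')
    'CreatePageFile'                         = @('Administrators')
    'CreateToken'                            = @()
    'CreateGlobalObjects'                    = @('Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE')
    'CreatePermanentSharedObjects'           = @()
    'DebugPrograms'                          = @('Administrators')
    'DenyAccessFromNetwork'                  = @('Local Account')
    'DenyRemoteDesktopServicesLogOn'         = @('Local Account')
    'EnableDelegation'                       = @()
    'RemoteShutdown'                         = @('Administrators')
    'ImpersonateClient'                      = @('Administrators', 'SERVICE', 'LOCAL SERVICE', 'NETWORK SERVICE')
    'LoadUnloadDeviceDrivers'                = @('Administrators')
    'LockMemory'                             = @()
    'ManageAuditingAndSecurityLog'           = @('Administrators')
    'ModifyFirmwareEnvironment'              = @('Administrators')
    'ManageVolume'                           = @('Administrators')
    'ProfileSingleProcess'                   = @('Administrators')
    'RestoreFilesAndDirectories'             = @('Administrators')
    'TakeOwnership'                          = @('Administrators')
}

function ConvertTo-UserRightsOmaSettings {
    param([System.Collections.IDictionary]$Rights, [hashtable]$SidMap)
    $delim = '&#xF000;'
    foreach ($right in $Rights.Keys) {
        $accounts = @($Rights[$right])
        $value = if ($accounts.Count -eq 0) {
            '</>'                                     # "No One": a blank value fails to save
        } else {
            ($accounts | ForEach-Object {
                if (-not $SidMap.ContainsKey($_)) { throw "No SID mapping for '$_'" }
                '*' + $SidMap[$_]                     # SIDs are prefixed with *
            }) -join $delim
        }
        [pscustomobject]@{
            Name   = "URA - $right"
            OmaUri = "./Device/Vendor/MSFT/Policy/Config/UserRights/$right"
            Type   = 'String'
            Value  = $value
        }
    }
}

$settings = ConvertTo-UserRightsOmaSettings -Rights $Baseline -SidMap $Sid
$settings | Format-Table -AutoSize -Wrap
# $settings | Export-Csv -NoTypeInformation -Path .\ura-settings.csv   # paste from here, or feed to Graph
```

Because the SID map is the only place account names appear, a missing or mistyped account fails the whole generation with a clear error rather than silently producing a setting that Intune accepts and the device rejects.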
How can you check the user rights assignments have worked? Let's ask Mark (Russinovich); he usually knows these things.
Download AccessChk from https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk. It lets you check effective permissions on files, registry keys and so on. We will use it with -a to show the Windows account rights. Let's check SeSystemtimePrivilege (Change the system time). According to the baseline, only Administrators and LOCAL SERVICE should have this right. Run accesschk.exe -a SeSystemtimePrivilege:
C:\Users\tim>accesschk.exe -a SeSystemtimePrivilege
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
SeSystemtimePrivilege (Change the system time):
  BUILTIN\Administrators
  NT AUTHORITY\LOCAL SERVICE
Great, the values are as we expect. What about checking all the permissions? Let's run accesschk.exe -a * to show all of them.
C:\Users\tim>accesschk.exe -a *
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
SeCreateTokenPrivilege (Create a token object):
SeAssignPrimaryTokenPrivilege (Replace a process level token):
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
SeLockMemoryPrivilege (Lock pages in memory):
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process):
  BUILTIN\Administrators
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
SeMachineAccountPrivilege (Add workstations to domain):
SeTcbPrivilege (Act as part of the operating system):
SeSecurityPrivilege (Manage auditing and security log):
  BUILTIN\Administrators
SeTakeOwnershipPrivilege (Take ownership of files or other objects):
  BUILTIN\Administrators
SeLoadDriverPrivilege (Load and unload device drivers):
  BUILTIN\Administrators
SeSystemProfilePrivilege (Profile system performance):
  NT SERVICE\WdiServiceHost
  BUILTIN\Administrators
SeSystemtimePrivilege (Change the system time):
  BUILTIN\Administrators
  NT AUTHORITY\LOCAL SERVICE
SeProfileSingleProcessPrivilege (Profile single process):
  BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege (Increase scheduling priority):
  BUILTIN\Administrators
SeCreatePagefilePrivilege (Create a pagefile):
  BUILTIN\Administrators
SeCreatePermanentPrivilege (Create permanent shared objects):
SeBackupPrivilege (Back up files and directories):
  BUILTIN\Administrators
SeRestorePrivilege (Restore files and directories):
  BUILTIN\Backup Operators
  BUILTIN\Administrators
SeShutdownPrivilege (Shut down the system):
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
SeDebugPrivilege (Debug programs):
  BUILTIN\Administrators
SeAuditPrivilege (Generate security audits):
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
SeSystemEnvironmentPrivilege (Modify firmware environment values):
  BUILTIN\Administrators
SeChangeNotifyPrivilege (Bypass traverse checking):
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
  Everyone
SeRemoteShutdownPrivilege (Force shutdown from a remote system):
  BUILTIN\Administrators
SeUndockPrivilege (Remove computer from docking station):
  BUILTIN\Users
  BUILTIN\Administrators
SeSyncAgentPrivilege (Synchronize directory service data):
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation):
SeManageVolumePrivilege (Perform volume maintenance tasks):
  BUILTIN\Administrators
SeImpersonatePrivilege (Impersonate a client after authentication):
  NT AUTHORITY\SERVICE
  BUILTIN\Administrators
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
SeCreateGlobalPrivilege (Create global objects):
  NT AUTHORITY\SERVICE
  BUILTIN\Administrators
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\LOCAL SERVICE
SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
SeRelabelPrivilege (Modify an object label):
SeIncreaseWorkingSetPrivilege (Increase a process working set):
  BUILTIN\Users
SeTimeZonePrivilege (Change the time zone):
  BUILTIN\Users
  BUILTIN\Administrators
  NT AUTHORITY\LOCAL SERVICE
SeCreateSymbolicLinkPrivilege (Create symbolic links):
SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session):
  BUILTIN\Administrators
SeBatchLogonRight:
  BUILTIN\Performance Log Users
  BUILTIN\Backup Operators
  BUILTIN\Administrators
SeInteractiveLogonRight:
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
  EAUKUKDH0VUMDEN\Guest
SeNetworkLogonRight:
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
  Everyone
SeServiceLogonRight:
  NT SERVICE\ALL SERVICES
SeDenyBatchLogonRight:
  NT AUTHORITY\Local account and member of Administrators group
  NT AUTHORITY\Local account
SeDenyInteractiveLogonRight:
  BUILTIN\Guests
SeDenyNetworkLogonRight:
SeDenyServiceLogonRight:
  NT AUTHORITY\Local account and member of Administrators group
  NT AUTHORITY\Local account
SeRemoteInteractiveLogonRight:
  BUILTIN\Remote Desktop Users
  BUILTIN\Administrators
SeDenyRemoteInteractiveLogonRight:
  BUILTIN\Guests
The privileges now match the table, but read the logon rights against it before rolling out: SeRestorePrivilege still includes Backup Operators, SeInteractiveLogonRight still includes Backup Operators and Guest, SeNetworkLogonRight still includes Backup Operators, Users and Everyone (and lacks Remote Desktop Users), and SeDenyNetworkLogonRight is empty where the table wants NT AUTHORITY\Local account. Once those are sorted out, let's plan the rollout and hope we don't become a funny story for my colleague.
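Reading a hundred lines of accesschk output by eye is how the logon-right discrepancies above get missed, so the following added example (not code from the original post) parses the accesschk -a * output and diffs it against the baseline table. The sample input is constructed from the lines shown above; accesschk indents the account lines, which the blog extract had dropped, and the parser relies on that indentation.

```powershell
# Added example (not from the original post): parse "accesschk.exe -a *" output and report
# every account that is present but should not be, or required but absent.
# $SampleOutput is constructed from the output shown above so this runs offline.

# Expected accounts per right, as accesschk prints them (empty = No One).
$Expected = @{
    'SeTrustedCredManAccessPrivilege' = @()
    'SeDebugPrivilege'                = @('BUILTIN\Administrators')
    'SeSystemtimePrivilege'           = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE')
    'SeBackupPrivilege'               = @('BUILTIN\Administrators')
    'SeRestorePrivilege'              = @('BUILTIN\Administrators')
    'SeInteractiveLogonRight'         = @('BUILTIN\Administrators', 'BUILTIN\Users')
    'SeNetworkLogonRight'             = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
    'SeDenyNetworkLogonRight'         = @('NT AUTHORITY\Local account')
}

$SampleOutput = @'
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
SeDebugPrivilege (Debug programs):
  BUILTIN\Administrators
SeSystemtimePrivilege (Change the system time):
  BUILTIN\Administrators
  NT AUTHORITY\LOCAL SERVICE
SeBackupPrivilege (Back up files and directories):
  BUILTIN\Administrators
SeRestorePrivilege (Restore files and directories):
  BUILTIN\Backup Operators
  BUILTIN\Administrators
SeInteractiveLogonRight:
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
  EAUKUKDH0VUMDEN\Guest
SeNetworkLogonRight:
  BUILTIN\Backup Operators
  BUILTIN\Users
  BUILTIN\Administrators
  Everyone
SeDenyNetworkLogonRight:
'@

function ConvertFrom-AccessChkRights {
    param([string[]]$Lines)
    $rights = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Se\w+)') {                 # header: "SeXxxPrivilege (desc):" or "SeXxxRight:"
            $current = $Matches[1]
            $rights[$current] = @()                    # a header with no following accounts = nobody holds it
        } elseif ($current -and $line -match '^\s+(\S.*?)\s*$') {   # indented account line
            $rights[$current] += $Matches[1]
        }
    }
    $rights
}

function Compare-UserRights {
    param([hashtable]$Expected, [System.Collections.IDictionary]$Actual)
    foreach ($right in ($Expected.Keys | Sort-Object)) {
        if (-not $Actual.Contains($right)) {
            [pscustomobject]@{ Right = $right; Problem = 'not in accesschk output'; Accounts = '' }
            continue
        }
        $extra   = @($Actual[$right]   | Where-Object { $Expected[$right] -notcontains $_ })
        $missing = @($Expected[$right] | Where-Object { $Actual[$right]   -notcontains $_ })
        if ($extra)   { [pscustomobject]@{ Right = $right; Problem = 'unexpected'; Accounts = ($extra   -join ', ') } }
        if ($missing) { [pscustomobject]@{ Right = $right; Problem = 'missing';    Accounts = ($missing -join ', ') } }
    }
}

# Offline run against the constructed sample. On a real box use the tool's output instead:
#   $actual = ConvertFrom-AccessChkRights (& .\accesschk.exe -accepteula -a * 2>$null)
$actual = ConvertFrom-AccessChkRights ($SampleOutput -split "`r?`n")
Compare-UserRights -Expected $Expected -Actual $actual | Format-Table -AutoSize
```

Against the sample this flags Backup Operators on SeRestorePrivilege, Backup Operators and Guest on SeInteractiveLogonRight, Backup Operators, Users and Everyone on SeNetworkLogonRight (with Remote Desktop Users missing), and the empty SeDenyNetworkLogonRight; an empty result is the signal that the profile has fully applied.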