Kiosks can present an interesting challenge: how to keep the account credentials at least somewhat secure. In the past, we’ve typically used group policy to set registry items, but this leaves the credentials in plain text, readable to anyone (unless you go out of your way to restrict it). However, there’s a better way. The Sysinternals Autologon utility can be used to store the credentials encrypted as an LSA secret. These can still be recovered with administrative rights, but (hopefully) your kiosk account(s) do not have such rights.
In order to automate configuring autologon, we need to pass the credentials to the endpoint somehow. Enter a ConfigMgr task sequence and collection variables. Adding the credentials to a device collection as variables (with the password masked) provides a reasonably secure way to store them.
We’ll start by adding three new variables to an existing device collection containing the kiosk(s) we want to configure. In collection properties, click the Collection Variables tab, and add them as shown below.
These variables can also be easily created via PowerShell (replacing the parameter values as necessary):
```powershell
New-CMDeviceCollectionVariable -CollectionName Kiosks -VariableName 'AutologonUsername' -Value 'kiosk' -IsMask $false | Out-Null
New-CMDeviceCollectionVariable -CollectionName Kiosks -VariableName 'AutologonDomain' -Value 'ad.ajf8729.com' -IsMask $false | Out-Null
New-CMDeviceCollectionVariable -CollectionName Kiosks -VariableName 'AutologonPassword' -Value 'fvrw&YAqW@x5vmS!fd56ua8AzX4NB$TR' -IsMask $true | Out-Null
```
Now we need to create a simple package to store the autologon executable and a script to run it. Create a new folder to store the content for this package, and add the following two items: the Autologon64.exe utility and an Autologon.ps1 script.
The Autologon.ps1 script will read the collection variables and run the Autologon64.exe utility, passing in the variables as parameters. Because the arguments are passed as a single string, a password containing spaces or quotation marks would need to be quoted.
```powershell
# Read the collection variables from the running task sequence environment
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment

$AutologonUsername = $TSEnv.Value("AutologonUsername")
$AutologonDomain = $TSEnv.Value("AutologonDomain")
$AutologonPassword = $TSEnv.Value("AutologonPassword")

# Autologon64.exe sits alongside this script in the package content
$ScriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Definition

# -Wait keeps the task sequence step from finishing (and the next step restarting
# the computer) before Autologon has written the LSA secret
Start-Process -FilePath "$($ScriptDirectory)\Autologon64.exe" -ArgumentList "/AcceptEula $AutologonUsername $AutologonDomain $AutologonPassword" -Wait
```
Create a package without a program, specifying the content path you set up above. This can be done via the console, or via PowerShell (replacing the parameter values as necessary):
```powershell
New-CMPackage -Name 'Autologon' -Path '\\ad.ajf8729.com\Shares\SOURCE\PKG\AUTOLOGON' | Out-Null
Start-CMContentDistribution -PackageName 'Autologon' -DistributionPointGroupName ALL
```
Next, we’ll create a very simple task sequence to run the above script and restart the computer. This can also be done via the console, or via PowerShell (replacing the parameter values as necessary):
```powershell
$step1 = New-CMTaskSequenceStepRunPowerShellScript -ExecutionPolicy Bypass -PackageId ((Get-CMPackage -Name Autologon -Fast).PackageID) -ScriptName 'Autologon.ps1' -Name "Run Autologon.ps1"
$step2 = New-CMTaskSequenceStepReboot -Name "Restart Computer" -RunAfterRestart HardDisk -NotificationMessage "Autologon has been configured. The computer must restart to continue."
$ts = New-CMTaskSequence -Name 'Autologon' -CustomTaskSequence
$ts | Add-CMTaskSequenceStep -Step ($step1, $step2)
```
Finally, deploy the task sequence to the collection with the configured variables. You can choose to do an available or required deployment here; it depends on your environment. If there is any setup work that needs to be done before the kiosk is available for use, it may be useful for techs to log in, complete that work, and run the task sequence via Software Center as the last step. If all of your configuration is done via other means, deploy the task sequence as required; after any imaging is complete, it should run automatically and the kiosk will be ready for use. As an example, to deploy it as required and ASAP:
```powershell
New-CMTaskSequenceDeployment -TaskSequence (Get-CMTaskSequence -Name Autologon -Fast) -Collection (Get-CMDeviceCollection -Name Kiosks) -DeployPurpose Required | Out-Null
```
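Once the task sequence has run and the kiosk has restarted, it is worth confirming on the endpoint that the result is what the post set out to achieve: autologon enabled for the right account, with no plain-text DefaultPassword value left behind in the Winlogon registry key (the legacy group policy method leaves one there). The following check is an added example and not part of the original post or the Sysinternals tool; the user and domain values are placeholders matching the collection variables above, and the function name is my own.

```powershell
# Added example (not from the original post). Verifies that Autologon configured
# the kiosk account and that no plain-text password remains in the registry.
# Run as an administrator on the kiosk after the task sequence restart.
function Test-KioskAutologon {
    param(
        [Parameter(Mandatory)] [string] $ExpectedUserName,   # placeholder: 'kiosk'
        [Parameter(Mandatory)] [string] $ExpectedDomain      # placeholder: 'ad.ajf8729.com'
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon

    $findings = [ordered]@{
        # Autologon sets these three values itself
        AutoAdminLogonEnabled   = ($props.AutoAdminLogon -eq '1')
        UserNameMatches         = ($props.DefaultUserName -eq $ExpectedUserName)
        DomainMatches           = ($props.DefaultDomainName -eq $ExpectedDomain)
        # The group policy/registry method leaves the password readable here;
        # with Autologon it lives in an LSA secret and this value should be absent
        PlainTextPasswordAbsent = ($null -eq $props.DefaultPassword)
        # AutoLogonCount, if present, would silently expire the autologon
        NoLogonCountLimit       = ($null -eq $props.AutoLogonCount)
    }

    $result = [pscustomobject]$findings
    $result | Add-Member -NotePropertyName Compliant -NotePropertyValue (
        -not ($findings.Values -contains $false)
    )
    return $result
}

# Usage with the placeholder values from the collection variables
Test-KioskAutologon -ExpectedUserName 'kiosk' -ExpectedDomain 'ad.ajf8729.com'
```

The function returns an object with one boolean per check plus an overall Compliant flag, so it can be run ad hoc on a kiosk or trimmed to output just the Compliant value for use as a ConfigMgr configuration item discovery script. If PlainTextPasswordAbsent comes back false, an earlier registry-based autologon is still in place and the DefaultPassword value should be removed.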