1

I am having an issue getting AutoAdminLogon working with my Windows Server 2008 R2 Image. It is an Amazon Windows Server 2008 R2 CIS Level 2 Benchmark AMI from the Amazon Marketplace.

The issue I am having is that when I set AutoAdminLogon to 1 and do a gpupdate or reboot, it reverts back to 0.

I am using Packer to provision my AMI, so the steps I am going through are: remove PowerShell 3.0, then reboot. AutoAdminLogon is set before the reboot, but gpupdate runs when the system restarts and reverts the setting back to 0.

The AutoAdminLogon is needed because the server needs to reboot several times during the provisioning. The steps are:

1. Remove PowerShell 3.0
2. Reboot
3. AutoAdminLogon
4. Install .Net 4.5.2
5. Install Windows Management Framework 5.1
6. Reboot

At this point, Packer will try to connect using WINRM to finish provisioning the instance to capture as an AMI.

I know it has something to do with the MSS-Legacy settings applied to the AMI. But how do I un-apply them? Or just the AutoAdminLogon setting that is set to Disabled?

I have tried using secedit:

# Export the current local security policy to an .inf template
secedit /export /cfg c:\temp\secpol.cfg
# Flip the Winlogon\AutoAdminLogon line from "0" to "1" (the 1 before the comma is the secedit type code for REG_SZ)
(gc C:\temp\secpol.cfg).replace('AutoAdminLogon=1,"0"','AutoAdminLogon=1,"1"') | Out-File C:\temp\secpol.cfg
# Re-import the edited template into the local security database
secedit /configure /db c:\windows\security\secedit.sdb /cfg c:\temp\secpol.cfg

Reference: Modify Local Security Policy using Powershell

I have tried the steps listed here: https://docs.bmc.com/docs/tssa89/rollback-of-cis-and-pciv2-templates-after-remediation-does-not-work-808908846.html

Here is also a link to the Script I have modified to do the PowerShell Upgrade: https://github.com/jborean93/ansible-windows/blob/master/scripts/Upgrade-PowerShell.ps1

Now if I download the MSS-Legacy GPO templates and use the GUI to set "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to Enabled, it will work and the setting will stick after reboots or gpupdate. But I need a way to do this in a scripted manner because there is no interaction with the instance during the bakery process.

I cannot do the steps using a GUI as this is part of our AMI bakery process.

Thanks so much, I look forward to seeing people's thoughts.

Irenicus

4 Answers

1

I've just come across this "fun"!

I used the PolicyFileEditor PowerShell module and a lot of trial and error, coupled with the information in your question (thanks for that!) to get this working.

My OS is Windows Server 2016, so hopefully it also works for Windows Server 2008 R2 (not that anyone should be using that anymore).

Here's the PowerShell code that I'm using in my Packer build:

# PolicyFileEditor is installed from the PSGallery; -Force suppresses the untrusted-repository prompt in an unattended build
Install-Module PolicyFileEditor -Force
Import-Module PolicyFileEditor
# Change the Autologon GPO setting in the local machine policy file (this is the file gpupdate reapplies)
Set-PolicyFileEntry -Path "$env:windir\system32\GroupPolicy\Machine\registry.pol" -Key "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ValueName "AutoAdminLogon" -Data "1"
# Force the policy update to occur
gpupdate /force

# Configure the auto login user and password so that the next restart has autologin
# (DefaultPassword is stored in clear text in the registry; remove it before the image is captured)
$loginPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $loginPath -Name "DefaultUserName" -Value "<your_admin_user>" -Type String
Set-ItemProperty -Path $loginPath -Name "DefaultPassword" -Value "<your_admin_password>" -Type String
testworks
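As an added example that is not part of the question or of any answer here, the script below combines the pieces from the question and from testworks' and Peter Kay's answers into one build-time lifecycle: override the MSS-Legacy policy entry in the local registry.pol, set the Winlogon values (with AutoLogonCount as REG_DWORD), and then, before Packer captures the AMI, put the benchmark's value back and scrub the stored credentials. The function names, the `$LogonCount` default and the usage lines are my own assumptions; it assumes the PolicyFileEditor module is already installed and that the script runs elevated, as it would in a Packer provisioner.

```powershell
# Added example (not the question's or any answer's code). Function names are hypothetical.
# Assumes: PolicyFileEditor module installed, running elevated inside the Packer build.

$PolFile = "$env:windir\System32\GroupPolicy\Machine\registry.pol"
$PolKey  = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Invoke-ComputerPolicyRefresh {
    # Refresh computer policy without a restart; the piped 'N' answers the restart prompt
    # (same idea as Lenz's "echo N | gpupdate" answer).
    'N' | & gpupdate.exe /target:Computer /force | Out-Null
}

function Enable-BuildAutoLogon {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        [int] $LogonCount = 3   # assumed default: how many more reboots still need autologon
    )
    Import-Module PolicyFileEditor -ErrorAction Stop

    # The MSS-Legacy template writes AutoAdminLogon=0 into registry.pol and gpupdate
    # reapplies it on every refresh. Overwriting the same policy entry with "1" makes
    # the policy engine write the value we want instead of fighting it.
    Set-PolicyFileEntry -Path $PolFile -Key $PolKey -ValueName 'AutoAdminLogon' -Data '1' -Type String

    # Winlogon reads the account details from the live registry, not from the policy file.
    Set-ItemProperty -Path $RegPath -Name 'DefaultUserName' -Value $UserName -Type String
    Set-ItemProperty -Path $RegPath -Name 'DefaultPassword' -Value $Password -Type String  # stored in clear text
    Set-ItemProperty -Path $RegPath -Name 'AutoLogonCount'  -Value $LogonCount -Type DWord # must be REG_DWORD

    Invoke-ComputerPolicyRefresh
}

function Disable-BuildAutoLogon {
    Import-Module PolicyFileEditor -ErrorAction Stop

    # Put the benchmark's own value (0) back into the policy file so the captured image
    # enforces it again, then scrub the credentials so they do not ship inside the AMI.
    Set-PolicyFileEntry -Path $PolFile -Key $PolKey -ValueName 'AutoAdminLogon' -Data '0' -Type String
    foreach ($name in 'DefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $RegPath -Name 'AutoAdminLogon' -Value '0' -Type String

    Invoke-ComputerPolicyRefresh
}

function Test-BuildAutoLogon {
    # Report what the policy file says next to the live value, so a build step can
    # fail loudly if the two disagree or a password was left behind.
    Import-Module PolicyFileEditor -ErrorAction Stop
    $pol  = Get-PolicyFileEntry -Path $PolFile -Key $PolKey -ValueName 'AutoAdminLogon'
    $live = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyValue     = if ($pol) { $pol.Data } else { '<not in registry.pol>' }
        LiveValue       = $live.AutoAdminLogon
        PasswordPresent = $null -ne $live.PSObject.Properties['DefaultPassword']
        LogonCount      = $live.AutoLogonCount
    }
}

# Usage in the Packer provisioners (constructed values):
# Enable-BuildAutoLogon -UserName 'Administrator' -Password $env:BUILD_ADMIN_PASSWORD -LogonCount 3
# ... reboot, remove PowerShell 3.0, install .NET 4.5.2 and WMF 5.1, reboot ...
# Disable-BuildAutoLogon
# Test-BuildAutoLogon   # expect PolicyValue '0', LiveValue '0', PasswordPresent False
```

The override works because the same value name in registry.pol is what the policy engine writes on each refresh, so once it contains "1" a gpupdate reinforces the autologon instead of undoing it. The last step matters for the image: a captured AMI with AutoAdminLogon enabled and DefaultPassword in the registry hands the administrator credentials to anyone who can read the registry hive of the resulting instance.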
1

Note that the Type for AutoLogonCount should be REG_DWORD.

Isaac Vu
0

There's also another registry value that you need to specify which is the AutoLogonCount. AutoAdminLogon is directly correlated to the logon count for how many times the system will automatically logon after a reboot.

If your logon count is not set, this may be the reason why it's resetting to 0.

If you want this to be set infinitely, just set it to 999999 or something ridiculously high.

You can refer to this MSDN for more information: MSGina.dll

Peter Kay
  • Hey Peter, I have set the logon count to 999999. But the AutoAdminLogon still reverts back to 0 after a reboot or gpupdate. – Irenicus Jan 11 '19 at 17:00
  • Does the autologoncount decrement? Also, while you're at it, try to check the system logs if you see any entry for that registry. – Peter Kay Jan 11 '19 at 17:52
  • It stays the same and AutoAdminLogon is set to 0. – Irenicus Jan 11 '19 at 18:39
  • @Irenicus does the autologoncount decrement down from 99999 to 0? – Peter Kay Jan 11 '19 at 19:31
  • No, stays the same. I think it would if the AutoAdminLogon was set at 1 during the reboot process. – Irenicus Jan 11 '19 at 20:47
  • To be clear, setting `AutoLogonCount` is not necessary: *If the AutoAdminLogon key value is present and contains a one, and the AutoLogonCount key value is not present, an automatic logon will occur every time the current user logs off or the system is restarted.* Unless that value is set, Windows should automatically logon indefinitely. – Tyler Montney Mar 20 '23 at 22:24
0

Instead of having to restart the computer, you can try the following command:

# Force the policy update to occur w/o restart
echo N | gpupdate.exe /target:Computer /force
Lenz