Problem with autologin on multi app Kiosk Win 10

Hello guys,

I have a problem with multiple Windows machines. All machines are Dell OptiPlex 7060s and a few Intel NUCs, and all have TPM (or PTT) enabled. They have the latest W10 2004 installed, fully updated.

All machines are deployed through Intune as multi app kiosk, with two apps - Zoom Rooms and Teamviewer.

The setup process is: I import the CSV file from the machine (I manually add the group tag kiosk). It's assigned to a dynamic group, and from there it gets the deployment profile.

Everything worked as expected with Windows 1903 or 1909 until the last update.

Of the already deployed machines, a few (not all) were unable to autologin after the update to 2004.

Initial setup goes perfectly; unfortunately, when it's done I don't get autologin. It asks me for a user, and when I enter .\kioskUser0 it goes in and works as expected.

I’ve accessed devices also with my admin account, updated everything (Windows and drivers), still the same.

I also changed the registry for WinLogon - AutoAdminLogon to 1 (keeps resetting to 0), DefaultPassword (the whole entry keeps getting deleted), DefaultUserName (set to kioskUser0).

Nothing helped.

I've also done several manual syncs through Intune for all devices that have the autologin issue; that also didn't help.

I've also done some further testing with one Dell OptiPlex 7060, and now all new deployments (tried with 1909 and 2004) had the autologin problem.

I've attached a few screenshots of the configuration.

Any ideas how I can solve this issue?

14 Replies

@mivanovic945 

Hello, possibly you have an Exchange Active Sync policy active. Check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational. An EAS policy breaks autologon. See one of the notes: https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows.

At this moment it is unknown where the EAS policy is set for Windows 10.

@JamelEla Yes, you are correct. I've made a screenshot from a freshly installed device and from an "old" one.

On the device where I tried to change the registry for autologin, I have many warnings. On the newly installed one there is only one error, since I didn't make any changes to the registry.

I checked and we haven't configured any EAS policies. Maybe Windows has some default policies.

By googling I found more similar cases, but no resolution.

Any ideas where the EAS policy is located or how I can solve this?

Hey @mivanovic945,

Typically, password policies will break your Autologon scenario. Check if you have configured any password policies in Intune or a compliance policy checking for password complexity etc. They will break your Autologon scenario, the same as the EAS policies.

Best,

Oliver

Hi @Oliver Kieselbach,

I removed all policies and configuration profiles (other than kiosk) in Intune for the kiosk device.

Nothing gets assigned; I have verified that in the Intune portal.

I've also checked on the PC itself which policies are applied, and nothing is applied.

I've attached a screenshot of the XML file that I exported from PowerShell.

Best regards,

Milos

@mivanovic945 Have you tried deleting the EAS reg key as below, re-enabling auto logon, and checking it?

[Attached image: EAS.jpg]

Hi @mivanovic945,

As @ErReddy says when the EAS reg key is present on the device, autologon will be turned off. The problem is that if you delete it manually and then re-enable autologon, the EAS key will be added again and autologon will be turned off once the device syncs with MEM.

To solve this we had to create our own service which searches for this key, if it exists deletes it and re-enables autologon.
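
Added example, not part of any post in this thread: a read-only PowerShell diagnostic that gathers the three things the replies above ask about (the Winlogon autologon values, the EAS policy key, and the Authentication User Interface log) and can poll for the moment the values reset. The EAS key path and the function names are assumptions, since the thread's screenshot of the key is not available.

```powershell
# Read-only autologon diagnostic; run on the kiosk device from an administrator session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: commonly reported EAS policy key location (the thread's screenshot is not available).
$easKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\EAS\Policies'
$logName  = 'Microsoft-Windows-Authentication User Interface/Operational'

function Get-AutologonState {
    $wl = Get-ItemProperty -Path $winlogon
    [pscustomobject]@{
        Time                   = Get-Date
        AutoAdminLogon         = $wl.AutoAdminLogon
        DefaultUserName        = $wl.DefaultUserName
        # Presence only: the stored password is never printed.
        DefaultPasswordPresent = $null -ne $wl.DefaultPassword
        EasPolicyKeyPresent    = Test-Path -Path $easKey
    }
}

# 1. Current Winlogon values and whether the EAS policy key exists.
Get-AutologonState | Format-List

# 2. Whatever values are stored under the EAS key, if it is present.
if (Test-Path -Path $easKey) {
    Get-ItemProperty -Path $easKey |
        Select-Object -Property * -ExcludeProperty PS* | Format-List
}

# 3. Recent errors (level 2) and warnings (level 3) from the log named in the thread.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 4. Poll once a minute and print a line whenever the state changes, so a reset
#    can be matched against the time of a device sync. Stop with Ctrl+C.
function Watch-AutologonState {
    $last = ''
    while ($true) {
        $s   = Get-AutologonState
        $sig = '{0}|{1}|{2}' -f $s.AutoAdminLogon, $s.DefaultPasswordPresent, $s.EasPolicyKeyPresent
        if ($sig -ne $last) {
            '{0:s}  AutoAdminLogon|PasswordPresent|EasKey = {1}' -f $s.Time, $sig
            $last = $sig
        }
        Start-Sleep -Seconds 60
    }
}
# Watch-AutologonState   # uncomment to start polling
```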

Hi - did you ever figure this out? We are facing the same problem. We are about to go the same route and have something check for and delete those keys whenever they exist, but wondering if you got to the bottom of it? We have cases open with MS at the moment, as we are experiencing this issue with Win10 Kiosks and Teams Room Systems as well.

@ErReddy I tried to delete the registry key and it always reappears.

@Josh Hammond We also have an open ticket at MS regarding this. It's almost the same issue.

I've tested various scenarios with MS support and we found out that the issue is with Autopilot.

I created one service user, assigned a proper license, added it to the deployment group and tested whether login from an offline installation would create the proper kiosk user and autologin would work.

After signing in with the service user everything worked perfectly.

The kiosk user was created and I had no problem with autologin.

I've set up 6 mini PCs this way and I didn't have any problems.

Point is - we narrowed it down to an Autopilot problem.

We will investigate further, but that's all for now.

best response confirmed by mivanovic945 (Copper Contributor)
Solution

@Josh Hammond @almennn

I've found out what was causing this issue.

The problem was in the Windows 10 security baseline profile.

It was assigned to all devices and the kiosk group wasn't among the excluded groups.

Check your security baseline profiles, maybe the solution lies there...

We're having this issue now. We haven't got any security baselines deployed, really not sure what the issue is.

@jfarmer, I had the same issue. I excluded the devices from the compliance policy. I have been testing it for 2 days now and autologin still works.

You could try that. Later I will create another compliance policy just for devices with autologin.

Excluding the kiosk devices from the compliance policies worked for me. Thank you!

Seems like it's working also for me. Thanks for the heads-up!