Autologon Domain Account Management (Windows Kiosk Mode)
This article describes the Autologon Domain Account Management feature provided by Imprivata PAM.
Windows Kiosk Mode is used across many organizations to provide a single or multi-application-controlled environment. In retail, this could be used to display digital signs through a PowerPoint presentation or in a hospital setting, for shared workstations at a nursing station or patient exam room. Kiosk mode, native to Windows, is useful for many business applications.
Kiosk mode can be configured using a Windows Autologon account defined on the Kiosk workstation itself. In enterprise-wide deployments it is common for every autologon account to share the same password, which opens the possibility of a security breach or an audit finding.
Using Imprivata PAM (Privileged Access Management), you can manage the domain autologon accounts of Kiosk mode enabled workstations, including the option to perform an on-demand or automated password rotation. Automated password rotation ensures that you can maintain strong, unique passwords across all domain Autologon accounts and periodic password resets to maintain security and risk compliance.
Pre-requisites
Before we begin, there are some prerequisites that are required for this operation to be successful.
- Only Windows 10/11 Kiosk Mode is supported. Windows 7 or any other version is not supported.
- Only unique domain Autologon accounts per workstation are supported by this feature. Local Autologon accounts are not supported.
- The autologon password is stored in the encrypted area of the Windows registry (as configured with Sysinternals Autologon). To be successful in this, we recommend using a Shadow Account that is a member of the local Administrators group on the Windows Kiosk workstation.
- WinRM must be enabled and configured on each Kiosk workstation where the Autologon account is being managed. PAM uses WinRM to remotely execute the script. Use PowerShell to check WinRM:
  - Open PowerShell from any Windows Server
  - Run: Test-WSMan -ComputerName <kioskname>
- PAM must be integrated with the AD (Active Directory) in which the Kiosk Autologon accounts are enabled users.
- After task execution has completed successfully, a restart of the Kiosk workstation may be required, depending on the applications that are running on this workstation. By default, PAM will not restart the Kiosk workstation; however, a small modification can be made manually to the script to enable a restart.
- This feature is tested and verified with the latest Imprivata EAM type 2 agent running on a Windows 10 Kiosk mode enabled workstation to ensure it is not negatively affected. Please note that other agents, applications or hardware on the workstation are not verified, so plan and test the Autologon Domain Account Management accordingly in your environment as required.
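The following PowerShell pre-flight check is an added example, not Imprivata's script: for a list of Kiosk workstations it runs the Test-WSMan check from the prerequisites, confirms as the Shadow Account that the account is a local Administrator, and reports whether the Winlogon key holds a plaintext DefaultPassword value instead of the encrypted (LSA secret) storage that Sysinternals Autologon uses. The hostnames, the account name and the credential prompt are constructed assumptions.

```powershell
# Added pre-flight check for the prerequisites above; this is not Imprivata's script.
# Assumptions: the sample hostnames and account below are constructed, and $Cred is the
# Shadow Account's credential (it must be a local Administrator on each kiosk).
$Kiosks        = @('kiosk01.example.local', 'kiosk02.example.local')   # constructed sample hosts
$ShadowAccount = 'EXAMPLE\svc-pam-shadow'                              # constructed sample account
$Cred          = Get-Credential -UserName $ShadowAccount -Message 'Shadow Account password'
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

foreach ($kiosk in $Kiosks) {
    $row = [ordered]@{ Host = $kiosk; WinRM = $false; ShadowIsAdmin = $false
                       AutoAdminLogon = $null; DefaultUser = $null; PlaintextPassword = $null }

    # 1. WinRM reachable: the same Test-WSMan check listed in the prerequisites.
    try   { Test-WSMan -ComputerName $kiosk -ErrorAction Stop | Out-Null; $row.WinRM = $true }
    catch { [pscustomobject]$row; continue }

    # 2. Run the remaining checks on the kiosk as the Shadow Account. A denied connection
    #    here usually means the account is not a local Administrator on that kiosk.
    try {
        $remote = Invoke-Command -ComputerName $kiosk -Credential $Cred -ErrorAction Stop `
            -ArgumentList $ShadowAccount, $WinlogonKey -ScriptBlock {
            param($account, $key)
            $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
            $wl     = Get-ItemProperty -Path $key
            [pscustomobject]@{
                IsAdmin        = [bool]($admins | Where-Object { $_.Name -eq $account })
                AutoAdminLogon = $wl.AutoAdminLogon
                DefaultUser    = '{0}\{1}' -f $wl.DefaultDomainName, $wl.DefaultUserName
                # A DefaultPassword value under Winlogon is a plaintext password. Sysinternals
                # Autologon keeps the password in the LSA secret instead, so this should be $false.
                PlaintextPassword = $null -ne $wl.PSObject.Properties['DefaultPassword']
            }
        }
        $row.ShadowIsAdmin     = $remote.IsAdmin
        $row.AutoAdminLogon    = $remote.AutoAdminLogon
        $row.DefaultUser       = $remote.DefaultUser
        $row.PlaintextPassword = $remote.PlaintextPassword
    }
    catch { $row.ShadowIsAdmin = "ERROR: $($_.Exception.Message)" }

    [pscustomobject]$row
}
```

A row with WinRM false, ShadowIsAdmin false or PlaintextPassword true identifies a kiosk that should be fixed before it is added to PAM.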
Configuration
To configure this feature, please follow these steps.
Step 1. Create a new Script
- Login to PAM with a System Administrator's account.
- Navigate to Administration > Scripts and click Create, then add the required fields:
  - Script Name: Password Reset for Autologon Account with Shadow Account
  - Description: Optional value of your choosing
  - Job Execution Strategy: Windows Remote
  - Custom Code: echo
- Click Save.
- After the script is saved, click the Factory Default button to load the new script.
- Click Save again to save the new script that was loaded.
Step 2. Create a new Record Type
- Navigate to Administration > Record Types, click New Record Type, add the required fields, and Save this new record:
  - Name: Windows Autologon or a name of your choosing
  - Description: Optional value of your choosing
  - Session Manager: empty
  - Parent Type: empty
  - Hidden: unchecked
  - Personal Vault: unchecked
- After the new Record Type is saved, a new section will appear that is used to create fields.
Step 3. Create new Fields
- Click Add Field to create a new field, the first of three total, and enter the values shown under First Field below. Repeat Add Field for the second and third fields.
First Field:
- Field Type: String
- Name: Host
- Display Name: Host
- Hidden: unchecked
- Secured: unchecked
- Indexed: unchecked
- Order: 100
- Helper: empty
- Default Value: empty
Second Field:
- Field Type: String
- Name: User
- Display Name: User
- Hidden: unchecked
- Secured: unchecked
- Indexed: unchecked
- Order: 200
- Helper: empty
- Default Value: empty
Third Field:
- Field Type: String
- Name: Password
- Display Name: Password
- Hidden: unchecked
- Secured: checked
- Indexed: unchecked
- Order: 300
- Helper: empty
- Default Value: empty
- Click the Save button on this page.
The three needed fields have been created.
Step 4. Set the Password Complexity formula
- Navigate to the Administration > Record Types page and click the Formula button.
- Set the Password Complexity formula in PAM to meet or exceed the requirements of your Domain Password Policy.
- Click the Save button and then return to the Record Type page.
Note: When testing, it is typical to run the password reset task several times in a short amount of time, which may result in errors due to the Minimum Password Age requirement defined in your Domain Password Policy. If the Minimum Password Age is set to 1 (or higher), then you may only run this task once a day, as the domain policy will fail additional attempts.
Step 5. Set the Tasks configuration
- Navigate to the Administration > Record Types page and click the Tasks button.
- On this Tasks page, click the Add Task button and select the following:
  - Script: Password Reset for Autologon Account with Shadow Account
  - Target Record: Record itself
  - Event: On Demand
- Click Save when completed.
We will return to this page later to finalize the Tasks configuration.
Step 6. Create a record
- Navigate to Records > All Records and click Add Container > Add Vault.
- Create a new vault with the Name and Description of your choice.
- Open the created vault, click the Add Record button and select Active Directory User from the dropdown menu.
- For this new record, enter the values:
  - Name: Autologon Shadow Account or a name of your choosing
  - Description: Optional value of your choosing
  - Reference Record: leave empty
  - Type: Active Directory User
  - User: Active Directory login name in the form domain\user
  - Password: Active Directory account password
- Click Save and Return when complete.
Note: This record will contain an Active Directory account that will be used to reset the AD password of your Autologon account(s) and to update the registry on each Kiosk workstation. To accomplish both tasks, this account must have the necessary permission in Active Directory to reset the password of another account and must be a member of the local Administrators group on every Kiosk workstation where the Autologon account is managed. If this AD account lacks these permissions, the task will fail to execute properly.
Step 7. Associate a new Record with the Task as a Shadow Account
- Navigate to Administration > Record Types.
- Locate and Edit your type Windows Autologon.
- Click the Tasks button and, in the Shadow Account field, type the record name of the Active Directory User you previously created to assign it to this field.
- After the Shadow Account field displays your Active Directory User record, click the Save button.
- Navigate to your Vault to continue.
- In the Vault, click the Add Record button and select the Record Type created earlier, named Windows Autologon, from the dropdown. For this new record, enter the values:
  Note: This record will contain the values of a Kiosk workstation and Autologon account that you wish to manage.
  - Name: Kiosk Workstation 1 or a name of your choosing
  - Description: Optional value of your choosing
  - Reference Record: leave empty
  - Host: The hostname of the Kiosk machine, as either a fully qualified domain hostname or an IP address.
  - User: The name of the domain Autologon account in the form domain\user
  - Password: The current, valid password of this domain Autologon account.
- Click Save and Return when complete.
If you wish to manage additional Autologon accounts, then you can repeat the previous Step 6 to create a new record for each individual Kiosk workstation.
Testing
To perform testing, we will execute the Task on the record that was created to manage the Autologon account on a Kiosk Workstation.
- Open or View your Kiosk Autologon account record and click the Execute > Password Reset for Autologon Account with a Shadow Account button.
- On the Schedule Job page, use the automatically generated random password that is provided and click the Schedule Job button. This will place the job into the PAM queue for execution.
- To check the status and results of the task execution, navigate back to the record and click the Job History button. The Job History page displays your current Task and its status. You may use the Refresh button to update the page until it is completed.
Depending on the number of jobs currently in the queue, the task may be executed immediately, or it may take a few minutes to process.
How it Works
This feature is designed to perform two functions:
- To reset the password of the Autologon account in its domain.
- To update the registry, in the encrypted location, on the Host with this new password.
When the Password Reset for Autologon Account with Shadow Account task is executed, the following occurs within the PAM Job Engine:
- PAM connects to the Kiosk workstation to reset the password of the Autologon account contained within your Kiosk Autologon record. The script is executed by the Shadow Account assigned to this task.
  - If the password reset fails, then the task ends and reports Error as the State.
  - If the password reset is successful, then the task continues.
- PAM connects to the Kiosk workstation (as defined by the Host in this record) using WinRM to update the registry with this new password. The registry update is performed by the Shadow Account assigned to this task.
  - If the task execution against the Host fails, then the task ends and reports Error as the State. Depending on the condition of the failure, additional details may be available by clicking the Details button for this task.
  - If the registry update fails, then the task ends as Completed with Failed: Result Code: 1 as the Result. Depending on the condition of the failure, additional details may be available by clicking the Details button for this task.
  - If the registry update is successful, then the task ends as Completed with Success: Result Code: 0 as the Result.
  - If you enabled the Restart command in the script, the Kiosk workstation will be restarted immediately upon this successful completion.
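The two-phase flow above, written out as an added PowerShell example rather than Imprivata's own script: phase 1 resets the account in the domain as the Shadow Account and stops with State Error on any rejection (including the Minimum Password Age rejection noted in Step 4), phase 2 updates the kiosk over WinRM and maps the outcome to Result Code 0 or 1, and the restart only runs after success. It assumes the ActiveDirectory RSAT module, and that Sysinternals Autologon is present on the kiosk at an assumed path and is the tool that writes the encrypted password.

```powershell
# Added illustration of the task's two phases; this is not Imprivata's script.
# Assumes: ActiveDirectory module, $Shadow = Shadow Account credential (AD reset rights and
# local Administrator on the kiosk), and Sysinternals Autologon at $AutologonExe (assumed path).
function Reset-KioskAutologon {
    param(
        [Parameter(Mandatory)] [string]       $KioskHost,      # the record's Host field
        [Parameter(Mandatory)] [string]       $AutologonUser,  # the record's User field, domain\user
        [Parameter(Mandatory)] [securestring] $NewPassword,    # generated by PAM on the Schedule Job page
        [Parameter(Mandatory)] [pscredential] $Shadow,
        [string] $AutologonExe = 'C:\Tools\Autologon64.exe',  # assumed location of Sysinternals Autologon
        [switch] $Restart                                      # equivalent of uncommenting Restart-Computer
    )
    $domain, $sam = $AutologonUser -split '\\', 2

    # Phase 1: reset the Autologon account's password in the domain, acting as the Shadow Account.
    try {
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $NewPassword -Credential $Shadow -ErrorAction Stop
    } catch {
        # Covers the Minimum Password Age rejection from Step 4: report Error and do not touch the host.
        return [pscustomobject]@{ State = 'Error'; ResultCode = $null; Detail = $_.Exception.Message }
    }

    # Phase 2: over WinRM, store the new password where Autologon keeps it (encrypted LSA secret,
    # not a plaintext DefaultPassword value). The SecureString is decrypted only on the kiosk.
    try {
        $code = Invoke-Command -ComputerName $KioskHost -Credential $Shadow -ErrorAction Stop `
            -ArgumentList $AutologonExe, $sam, $domain, $NewPassword -ScriptBlock {
            param($exe, $user, $dom, $secure)
            $plain = [System.Net.NetworkCredential]::new('', $secure).Password
            & $exe /accepteula $user $dom $plain | Out-Null
            return $LASTEXITCODE   # assumption: non-zero means the update failed
        }
    } catch {
        # Connection or execution failure against the Host: State Error, as in the list above.
        return [pscustomobject]@{ State = 'Error'; ResultCode = $null; Detail = $_.Exception.Message }
    }
    if ($code -ne 0) {
        return [pscustomobject]@{ State = 'Completed'; ResultCode = 1; Detail = 'Registry update failed' }
    }
    # Optional restart, performed only as the last step of a successful run.
    if ($Restart) { Restart-Computer -ComputerName $KioskHost -Credential $Shadow -Force }
    return [pscustomobject]@{ State = 'Completed'; ResultCode = 0; Detail = 'Success' }
}
```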
Script configuration to enable the restart command
Enable the PAM script to restart the Kiosk workstation after a successful task execution.
In the script’s default configuration, a Kiosk workstation restart is not performed; however, if it is required in your environment, then a simple modification to the script can be made to enable an automatic restart of the workstation. This restart will only occur if the task is completed successfully, as a last step.
- Navigate to Administration > Scripts, then locate and click Edit for the script named Password Reset for Autologon Account with Shadow Account.
- Within this script, locate the line below using your browser's search and make the modification as noted, removing the # before the line (uncommenting):
  Restart-Computer -Force
- Click the Save button to finish the modification.