Encrypt autologin password on AzureAD

Question

Hi All,

Has someone managed to encrypt the autologin password on Azure AD / workgroup devices?
Yes, we can use the Intune Kiosk profile with autologin with built-in guest users, but it’s not useful for most scenarios we have.
So I was thinking of having Kiosk mode with an Azure AD user and enabling autologin via a script, but that leaves the password in clear text, and I am not sure how to use the LsaStorePrivateData function.
The Autologon tool doesn’t work for Azure AD users. How are you guys doing it? Opening a support case doesn’t lead anywhere.

Posted by Abhas Rastogi in HTMD FB Group

Answer (1)

  1. Replied by Micko Jeremia Castrén

    I am unsure if the LSA encryption is based on individual information gathered from the endpoint, but you could use the encrypted mode to set the registry key in LSA using the SysInternals AutoLogon.exe and then store the encrypted value in your script. Depending on your setup, you could go hardcore and create your own registered app in Azure and create a function app or automation runbook to create a password which is both used to reset the password periodically and with a managed identity and roles allowed to the kiosk computers to retrieve a new password from. However, conditional access and policies on the kiosk computers are key to preventing at least trivially querying the registry value that stores the LSA secret.

    Replied by Abhas Rastogi

    Micko Jeremia Castrén, have you used the Autologon tool for cloud users? In my test, it didn’t work.

    Replied by Micko Jeremia Castrén

    Abhas Rastogi, sorry, this confusion was on me. It should not work with Autologon. Could you tell me a bit about what you’re trying to accomplish by using an AzAD account?
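The question asks how to call LsaStorePrivateData so the autologin password is not left in clear text. The script below is an added example, not code posted by anyone in the thread: it stores the password as the LSA secret `DefaultPassword` (the same secret Autologon.exe writes) and puts only the account name in the Winlogon registry key. The account, UPN and domain values are placeholders; whether Winlogon will actually sign in an Azure AD account with this is the part the thread leaves unresolved.

```powershell
# Added example (not from the thread). Stores the autologon password as the LSA
# secret "DefaultPassword" instead of a clear-text Winlogon\DefaultPassword value.
# Run elevated. Account/UPN/domain below are placeholders.
$lsa = @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class LsaSecret {
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES Attrs, uint DesiredAccess, out IntPtr Handle);
    [DllImport("advapi32.dll")] static extern uint LsaStorePrivateData(IntPtr Handle,
        ref LSA_UNICODE_STRING KeyName, ref LSA_UNICODE_STRING PrivateData);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr Handle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint Status);
    const uint POLICY_CREATE_SECRET = 0x20;
    static LSA_UNICODE_STRING ToLsa(string s) {   // UTF-16; Length is in bytes, no terminator counted
        var u = new LSA_UNICODE_STRING { Buffer = Marshal.StringToHGlobalUni(s) };
        u.Length = (ushort)(s.Length * 2); u.MaximumLength = (ushort)(u.Length + 2); return u;
    }
    public static void Store(string key, string value) {
        var attrs = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
        IntPtr h; uint st = LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_CREATE_SECRET, out h);
        if (st != 0) throw new Win32Exception(LsaNtStatusToWinError(st));
        var k = ToLsa(key); var v = ToLsa(value);
        try {
            st = LsaStorePrivateData(h, ref k, ref v);   // NTSTATUS 0 means success
            if (st != 0) throw new Win32Exception(LsaNtStatusToWinError(st));
        } finally { Marshal.FreeHGlobal(k.Buffer); Marshal.FreeHGlobal(v.Buffer); LsaClose(h); }
    }
}
"@
Add-Type -TypeDefinition $lsa

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$domain   = 'AzureAD'                                                                      # placeholder
$cred     = Get-Credential -UserName 'kiosk@contoso.example' -Message 'Autologon account'  # placeholder UPN

# The password goes only into the LSA secret; the registry gets the account name.
[LsaSecret]::Store('DefaultPassword', $cred.GetNetworkCredential().Password)
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon    -Value '1'
Set-ItemProperty -Path $winlogon -Name DefaultUserName   -Value $cred.UserName
Set-ItemProperty -Path $winlogon -Name DefaultDomainName -Value $domain
# Drop any clear-text copy left behind by an earlier script.
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
```

The secret is still readable by any local administrator (which is the point of the access controls Micko mentions), so this only removes the clear-text registry value, it does not make the password unrecoverable on the device.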
