Windows 10 Provision Package and ghost logins occurring
I work for an MSP that had a software developer create the service team a USB provision tool for setting up a bulk amount of computers, and I believe it's causing some issues. The software developer sorta built this on his side time and no one really knows much about it. It works great, but since we are moving a lot of computer setup to AAD joined, we are not using this method any longer, but it has been leaving some wounds I can't come up with a solution for. These are the steps provided that this provision tool does.
- Insert USB stick, provisioning will begin
  a. Provisioning uses a .cat and .ppkg file created in Windows 10 Imaging and Configuration Designer
  b. Package will
    i. Skip OOBE
    iii. Create MSPADMIN account with password of “blah”
    iv. Auto Login MSPADMIN account with password of “blah”
- PC will Auto Login
  a. Auto Login is set from the Provisioning Package, this is turned off during the end step
- Open USB Run “Start” in that folder
  a. Start is an admin only shortcut that runs powershell in administrator mode that sets the execution policy to allow running scripts and then calls the first script in the USB (once.ps1)
  b. Once.ps1 will copy the deploy folder in USB to the MSPAdmin desktop
- Enter PC Name from Number Sticker when Prompted
  a. Once.ps1 is still running and should be done copying the deploy folder
  b. Once.ps1 will call the Name.ps1 script from the MSPAdmin desktop folder it just copied
    i. Instead of continuing the script from the USB it is now running from the HD
  c. Once.ps1 will create a scheduled task to run for MSPAdmin at logon that will run the Install.ps1 script
  d. Name.ps1 will first eject the USB stick
  e. Name.ps1 turns off UAC and blanks admin password
  f. Name.ps1 will then prompt for the computer name, and the user enters it
If you would like scripts noted above I can share.
To the problem.
These scripts are stuck somewhere, and they try to sign in the MSPadmin account randomly, even after the scripts clear out reg keys during the end cleanup process of this provisioning package. I have looked at the registry and the run or runonce startup items are blank. What I have seen show up is the reg keys that allow the MSPAdmin account to auto sign in, as noted in step 3 above. I have created GPOs to delete these keys, but then the zombie keys come back. This is the stupidest thing I have ever seen in 15+ years of IT work.
I have shut down the computers to clear the memory. I have pulled the power cables and cleared the power capacitors to be sure the system was drained. I am about to rebuild the OS and not use these tools to auto provision them, but they are a time-consuming setup. I have about 20 machines doing this, and this is the only client we have where we have ever seen these auto sign accounts try to sign in again.
The next part of the issue is related to BitLocker policies, with these zombie auto logins trying to sign in and causing the computers to go into Recovery mode.
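An added example, not part of the original post or of the provisioning tool's scripts: a read-only PowerShell audit of the places the post describes (the Winlogon autologon values, logon scheduled tasks, installed provisioning packages and the local account). The account and script names are taken from the post; the Winlogon value names are the standard Windows autologon values and are an assumption about which keys the post means.

```powershell
# Added example: read-only audit, run from an elevated Windows PowerShell 5.1 session.
# Assumption: the local account is the MSPAdmin account named in the post.
$Account = 'MSPAdmin'
$report  = [ordered]@{}

# 1. Winlogon autologon values (assumed to be the auto sign-in keys the post mentions).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$names    = 'AutoAdminLogon','DefaultUserName','DefaultDomainName','AutoLogonCount','DefaultPassword'
$props    = Get-ItemProperty -Path $winlogon
$report.Winlogon = foreach ($n in $names) {
    $present = $props.PSObject.Properties.Name -contains $n
    [pscustomobject]@{
        Name    = $n
        Present = $present
        # Report only that a stored password exists, never its value.
        Value   = if (-not $present) { $null }
                  elseif ($n -eq 'DefaultPassword') { '<redacted>' }
                  else { $props.$n }
    }
}

# 2. Scheduled tasks that run as the account or call the scripts named in the post.
$scriptPattern = 'Once\.ps1|Name\.ps1|Install\.ps1'
$report.Tasks = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -like "*$Account*" -or
    ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $scriptPattern })
} | Select-Object TaskPath, TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

# 3. Provisioning packages (.ppkg) still installed on the machine.
$report.Packages = Get-ProvisioningPackage -AllInstalledPackages -ErrorAction SilentlyContinue

# 4. Whether the local account still exists and when it last logged on.
$report.Account = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled, LastLogon, PasswordRequired

# Print each section; an empty section means nothing was found there.
foreach ($section in $report.GetEnumerator()) {
    "== $($section.Key) =="
    if ($section.Value) { $section.Value | Format-List | Out-String }
    else { "(none found)`n" }
}
```

Saving the output on an affected machine before deleting the keys and again after they return gives a side-by-side record of which of these four items changed.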