
Windows - Configuration - Disable Automatic Logon

Disables automatic logon and enforces Ctrl+Alt+Del requirement on Windows endpoints

Worklet Details

What the automatic logon disabler does

This Automox Worklet™ disables the automatic logon feature on Windows endpoints. Automatic logon allows users to bypass password entry when logging in, creating a significant security vulnerability.

The Worklet removes stored default credentials and enforces the Ctrl+Alt+Del requirement, which activates the secure attention sequence and prevents credential interception attacks. This applies to both workstations and servers.

Risks created by automatic logon

Automatic logon bypasses authentication controls, allowing physical access to become full system access. Threat actors who gain physical access to unattended endpoints immediately access sensitive data, system resources, and network shares without entering credentials. Your security monitoring cannot distinguish legitimate automatic logins from unauthorized physical access.

Stored credentials in registry keys create persistent attack vectors. Malware can harvest default usernames and passwords from registry entries, enabling lateral movement across your network. Without the Ctrl+Alt+Del secure attention sequence, credential capture attacks intercept login credentials before Windows authentication validates them.

How automatic logon disabling works

  1. Evaluation phase: The Worklet checks the Windows registry at HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for three conditions: the presence of DefaultPassword and DefaultUserName values, whether AutoAdminLogon is set to 1, and whether DisableCAD is not set to 0. If any of these conditions indicate automatic logon is enabled, the Worklet flags the endpoint for remediation.

  2. Remediation phase: The Worklet removes any stored DefaultPassword and DefaultUserName registry entries, sets AutoAdminLogon to 0, and sets DisableCAD to 0. These changes enforce that users must authenticate with a password and complete the secure attention sequence before gaining access.
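The two phases above can be sketched in PowerShell as follows. This is an added example, not the Automox Worklet's own script: the function names, the output messages, the exit codes, and the choice to treat a missing DisableCAD value as a finding are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: mirrors the evaluation and remediation phases described on this page.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFindings {
    # Evaluation: emits one string per non-compliant condition (nothing = compliant).
    param([string]$Path = $WinlogonPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = $props.PSObject.Properties.Name
    $findings = @()
    foreach ($cred in 'DefaultPassword', 'DefaultUserName') {
        if ($names -contains $cred) { $findings += "$cred value is present" }
    }
    # AutoAdminLogon is usually stored as REG_SZ, so compare as a string.
    if ($names -contains 'AutoAdminLogon' -and "$($props.AutoAdminLogon)" -eq '1') {
        $findings += 'AutoAdminLogon is 1'
    }
    # Assumption: anything other than an explicit 0, including a missing value, is a finding.
    if ($names -notcontains 'DisableCAD' -or "$($props.DisableCAD)" -ne '0') {
        $findings += 'DisableCAD is not 0'
    }
    $findings
}

function Disable-AutoLogon {
    # Remediation: remove stored credentials, then set both switches to 0.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $WinlogonPath)
    foreach ($cred in 'DefaultPassword', 'DefaultUserName') {
        if ($PSCmdlet.ShouldProcess("$Path\$cred", 'Remove value')) {
            Remove-ItemProperty -Path $Path -Name $cred -ErrorAction SilentlyContinue
        }
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Set AutoAdminLogon=0 and DisableCAD=0')) {
        Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0' -Type String
        Set-ItemProperty -Path $Path -Name DisableCAD -Value 0 -Type DWord
    }
}

$before = @(Get-AutoLogonFindings)
if ($before.Count -eq 0) { Write-Output 'Compliant: automatic logon is disabled.'; exit 0 }
$before | ForEach-Object { Write-Output "Finding: $_" }
Disable-AutoLogon
$after = @(Get-AutoLogonFindings)   # re-run the evaluation to confirm the change took effect
if ($after.Count -gt 0) { Write-Output 'Remediation incomplete.'; exit 1 }
Write-Output 'Remediated: stored credentials removed, AutoAdminLogon=0, DisableCAD=0.'
exit 0
```

Calling Disable-AutoLogon -WhatIf on a pilot endpoint lists the registry changes without applying them.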

Automatic logon disabling requirements

  • Windows Server 2016 or later, or Windows 10 or later

  • Local administrator or System account privileges to modify registry settings

  • PowerShell execution policy must allow script execution

  • No active auto-login sessions required during remediation

Outcomes after enforcing authentication

Your endpoints require credential entry and Ctrl+Alt+Del completion for all logins, eliminating unauthorized access through unattended systems. Physical access no longer grants automatic system access, protecting sensitive data from theft when endpoints are left unsecured. Your security monitoring accurately distinguishes legitimate authenticated access from physical security breaches.

Registry values confirm compliance: AutoAdminLogon equals 0, DisableCAD equals 0, and the DefaultPassword and DefaultUserName values are removed. Your organization meets CIS Benchmarks and NIST 800-53 access control requirements with consistent security posture across all Windows endpoints.

How to validate the disable automatic logon changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as Write-Host, Write-Output, WINDOWS-AUTOLOGIN.

  4. Validate remediation effects from script operations such as Write-Host, Write-Output, WINDOWS-AUTOLOGIN, then rerun evaluation for compliance.

Expected state after the disable automatic logon changes

After remediation, endpoints reflect the target configuration, with automatic logon disabled, and report compliant status in Automox.

You can confirm results by correlating activity logs with evaluation checks (Write-Host, Write-Output, WINDOWS-AUTOLOGIN) and remediation actions (Write-Host, Write-Output, WINDOWS-AUTOLOGIN).

For technical validation, compare endpoint state to this Worklet's evaluation logic and remediation flow. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as Write-Host, Write-Output, WINDOWS-AUTOLOGIN and remediation operations such as Write-Host, Write-Output, WINDOWS-AUTOLOGIN. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
