Windows policy settings

Security policies are often configured to apply each time a device is logged onto the network. Login Agent is used to automatically log devices that host runtime resources onto the network. If security policies that require human intervention are applied to these devices, they can prevent Login Agent from working. These policies must therefore either be disabled on the devices, or a policy must be applied that allows them to be traversed programmatically.

  • For devices on which there are no policies that require human intervention, Login Agent can automatically log in without having to enable and configure the SAS service.
  • For devices on which there are policies that require human intervention, the SAS service can be used to programmatically send Ctrl + Alt + Del and, whilst not a recommended approach, it also provides unsupported functionality that can attempt to temporarily disable some policies.

    The SAS service must be run by a local system or local admin account.

Ctrl + Alt + Del – Secure Attention Sequence

If there is a requirement for users to press Ctrl + Alt + Del (Secure Attention Sequence) as part of the login:

Recommended

Apply Local Security Policy that enables a software SAS to be submitted on all runtime resources.

Configure the Blue Prism automated process to request the SAS service to programmatically send the SAS as part of the Login operation.

Policy setting

Local Group Policy > Administrative Templates > Windows Components > Windows Logon Options >
Disable or enable software Secure Attention Service

Value: Enabled for either Services or Services and Ease of Access applications.

Login Agent install options

  • Install the SAS service and enable the SAS proxy
  • Configure login process to instruct a software SAS to be sent

Alternative

Disable the requirement for users to traverse the SAS as part of the Login operation.

(This only needs to be applied on devices that will be used as runtime resources.)

Policy setting

Local Security Policy > Interactive Login >
Do not require Ctrl + Alt + Del

Value: Enabled

Alternative (unsupported)

Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.

Login Agent install options

  • Install the SAS service and set the local SAS proxy
  • Login process does not need to send a software SAS

Required policy settings

Local group policy security options

  1. On your machine, search for 'local group policy' and click Edit group policy to open the Local Group Policy Editor.
  2. In the Local Group Policy Editor, navigate to Computer Configuration > Windows Settings > Local Policies > Security Options.

    The location path may vary depending on your Windows OS version.

  3. Configure the options listed below as follows:

    • Set Interactive logon: Do not require CTRL+ALT+DEL to Enabled.
    • Set Interactive logon: Don’t display last signed-in to Enabled.
    • Set Interactive logon: Don’t display username at sign-in to Enabled.
    • Leave Interactive logon: Message text for users attempting to log on blank.
    • Leave Interactive logon: Message title for users attempting to log on blank.

Local group policy personalization

  1. In the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Control Panel > Personalization.

    The location path may vary depending on your Windows OS version.

  2. Set Do not display the lock screen to Enabled.
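
The settings from the two procedures above can also be checked from PowerShell. The following read-only audit is an added example, not Blue Prism code; the registry paths and value names are the standard Windows locations for these policies and are assumptions not stated on this page.

```powershell
# Added example: read-only audit of the registry values behind the policies above.
# Registry paths and value names are assumptions (standard Windows policy
# locations); they are not given on this page. Nothing is modified.
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$personal = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$enabled  = { $args[0] -eq 1 }                                 # policy set to Enabled
$blank    = { [string]::IsNullOrWhiteSpace("$($args[0])") }    # unset or empty text

$checks = @(
    @{ Policy = 'Do not require CTRL+ALT+DEL';       Path = $system;   Name = 'DisableCAD';              Test = $enabled }
    @{ Policy = "Don't display last signed-in";      Path = $system;   Name = 'DontDisplayLastUserName'; Test = $enabled }
    @{ Policy = "Don't display username at sign-in"; Path = $system;   Name = 'DontDisplayUserName';     Test = $enabled }
    @{ Policy = 'Message text (must be blank)';      Path = $system;   Name = 'LegalNoticeText';         Test = $blank }
    @{ Policy = 'Message title (must be blank)';     Path = $system;   Name = 'LegalNoticeCaption';      Test = $blank }
    @{ Policy = 'Do not display the lock screen';    Path = $personal; Name = 'NoLockScreen';            Test = $enabled }
    # Software SAS: 1 = Services, 3 = Services and Ease of Access applications.
    @{ Policy = 'Software SAS allowed for Services'; Path = $system;   Name = 'SoftwareSASGeneration';   Test = { $args[0] -in 1, 3 } }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($check in $checks) {
    $value = Get-PolicyValue -Path $check.Path -Name $check.Name
    $test  = $check.Test
    $shown = if ($null -eq $value) { '<not set>' } else { "$value" }
    [pscustomobject]@{
        Policy     = $check.Policy
        RegValue   = $check.Name
        Current    = $shown
        AsRequired = [bool](& $test $value)
    }
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.AsRequired })
Write-Output ("{0} of {1} settings differ from the values listed on this page." -f $failed.Count, $results.Count)
```

A False result on the last row only matters when the login process is configured to send a software SAS.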

Test policy settings

To test that your settings are working correctly, restart your machine. You should see the login screen as shown below.