Winlogon Automatic Restart Sign-On (ARSO)

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

Windows 8 introduced lock screen apps. These are the applications that run and display notifications while the user's session is locked (calendar appointments, email and messages, etc.). Devices that are restarted due to the Windows Update process fail to display these lock screen notifications upon restart. Some users depend on these lock screen applications.

What's changed?

When a user signs in on a Windows 8.1 device, LSA will save the user credentials in encrypted memory accessible only by lsass.exe. When Windows Update initiates an automatic reboot without user presence, these credentials will be used to configure Autologon for the user. Windows Update running as system with TCB privilege will initiate the RPC call to do this.

On rebooting, the user will automatically be signed in via the Autologon mechanism and then additionally locked to protect the user's session. The locking will be initiated via Winlogon whereas the credential management is done by LSA. By automatically signing on and locking the user on the console, the user's lock screen applications will be restarted and available.

Note

After a Windows Update induced reboot, the last interactive user is automatically signed on and the session is locked so the user's lock screen apps can run.

[Screenshot showing the lock screen]

[Screenshot showing lock screen apps]

Quick Overview

  • Windows Update requires restart

  • Is the computer able to restart (no apps running that would lose data)?

    • Restart for you

    • Log back in

    • Lock machine

  • Enabled or disabled by Group Policy

    • Disabled by default in server SKUs

  • Why?

    • Some updates cannot finish until the user logs back in.

    • Better user experience: don't have to wait 15 minutes for updates to finish installing

  • How? AutoLogon

    • Stores password, uses that credential to log you in

    • Saves credential as an LSA secret in paged memory

    • Can only be enabled if BitLocker is enabled

Group Policy: Sign-in last interactive user automatically after a system-initiated restart

In Windows 8.1 / Windows Server 2012 R2, autologon of the lock screen user after a Windows Update restart is opt in for Server SKUs and opt out for Client SKUs.

Policy location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Option

Policy Name: Sign-in last interactive user automatically after a system-initiated restart

Supported on: At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1

Description/Help:

This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.

If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain, and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.

If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The user's lock screen apps are not restarted after the system restarts.

Registry Editor

Value Name                       Type     Data
DisableAutomaticRestartSignOn    DWORD    0

Example:

0 (Enabled)

1 (Disabled)

Policy Registry Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Type: DWORD

Registry Name: DisableAutomaticRestartSignOn

Value: 0 or 1

0 = Enabled

1 = Disabled

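[Screenshot showing the policy setting UI that lets you specify whether a device will automatically sign in the last interactive user after Windows Update restarts the system]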
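The following audit script is an added example, not part of the original article or any Microsoft tooling. It reads the policy value described above and combines it with the SKU default and the BitLocker prerequisite stated in the Quick Overview; the function name Get-ArsoPolicyState and the ArsoExpected field are hypothetical, and the "expected" result is an inference from the rules on this page, not a query of the live LSA state.

```powershell
# Added example (not from the original article): report the ARSO policy state.
function Get-ArsoPolicyState {
    [CmdletBinding()]
    param()

    # Policy location and value name as given in the article.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'DisableAutomaticRestartSignOn'

    # $null here means the value is absent, i.e. the policy is not configured.
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if     ($null -eq $value) { $policy = 'NotConfigured' }
    elseif ($value -eq 0)     { $policy = 'Enabled' }
    elseif ($value -eq 1)     { $policy = 'Disabled' }
    else                      { $policy = "Unexpected value $value" }

    # Win32_OperatingSystem.ProductType: 1 = workstation (client SKU), 2/3 = server.
    $isClient = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1

    # Per the article: opt-out on client SKUs, opt-in on server SKUs.
    $requested = ($policy -eq 'Enabled') -or ($policy -eq 'NotConfigured' -and $isClient)

    # BitLocker is a prerequisite. Get-BitLockerVolume needs elevation and the
    # BitLocker module, so treat any failure as "Unknown" rather than "Off".
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLocker = [string]$vol.ProtectionStatus
    } catch {
        $bitLocker = 'Unknown'
    }

    if     (-not $requested)          { $arso = 'Off (policy)' }
    elseif ($bitLocker -eq 'On')      { $arso = 'On' }
    elseif ($bitLocker -eq 'Unknown') { $arso = 'Unknown (BitLocker state unreadable)' }
    else                              { $arso = 'Off (BitLocker not protecting system drive)' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Sku          = if ($isClient) { 'Client' } else { 'Server' }
        Policy       = $policy
        BitLocker    = $bitLocker
        ArsoExpected = $arso
    }
}

Get-ArsoPolicyState | Format-List
```

Run it from an elevated session so the BitLocker state can be read. On machines where stored sign-in credentials across reboots are not acceptable, the policy should be set to Disabled (value 1) through Group Policy rather than by editing the registry by hand.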

Troubleshooting

When WinLogon automatically locks, WinLogon's state trace will be stored in the WinLogon event log.

The status of an Autologon configuration attempt is logged

  • If it is successful

    • records it as such

  • If it is a failure:

    • records what the failure was

  • When BitLocker's state changes:

    • the removal of credentials will be logged

      • These will be stored in the LSA Operational log.

Reasons why autologon might fail

There are several cases in which a user automatic login cannot be achieved. This section is intended to capture the known scenarios in which this can occur.

User Must Change Password at Next Login

User login can enter a blocked state when password change at next login is required. This can be detected prior to restart in most cases, but not all (for example, password expiry can be reached between shutdown and next login).

User Account Disabled

An existing user session can be maintained even if the account is disabled. Restart for an account that is disabled can be detected locally in advance in most cases; depending on Group Policy, it may not be for domain accounts (some domain cached login scenarios work even if the account is disabled on the DC).

Logon Hours and Parental Controls

The Logon Hours and parental controls can prohibit a new user session from being created. If a restart were to occur during this window, the user would not be permitted to login. There is additional policy that causes lock or logout as a compliance action. This could be problematic for many child cases where account lockdown may occur between bed time and wake-up, particularly if the maintenance window is commonly during this time.

Additional Resources

Table 3: ARSO Glossary

Term         Definition
Autologon    Autologon is a feature that has been present in Windows for several releases. It is a documented feature of Windows that even has tools such as Autologon for Windows v3.01 (http://technet.microsoft.com/sysinternals/bb963905.aspx). It allows a single user of the device to sign in automatically without entering credentials. The credentials are configured and stored in registry as an encrypted LSA secret.