This is a tricky one to solve. Here are my thoughts, observations and a possible working solution, depending on the level of security you require:
There seem to be similar reports to yours, in the comments at the bottom of this winhelponline.com page. As you report, it seems the scheduled task either runs too early — so fails because locking a workstation before the desktop is loaded isn't possible — or runs too late; the user is then able to unlock the desktop without being prompted to enter their password, and potentially kill the lock workstation task/script before it runs.
Currently on my Win 10 1909 system, I'm testing with a scheduled task to run rundll32.exe user32.dll,LockWorkStation only when the user is logged in (according to the task parameters). After restarting my computer, the lock screen is shown and is unlockable without a password. However, after "unlocking", the desktop is briefly shown, and the scheduled task runs almost immediately to lock the computer, so the likelihood someone has the time to fire up Task Manager and kill off Task Scheduler or the task is small. Please feel free to try my scheduled task, which I have made available for you as XML. The behaviour isn't ideal, but it's better than nothing. I'd be interested to know whether this gives you more consistent behaviour than before.
The automatic logon itself was set up with the Sysinternals tool autologon.exe. I am doubtful autologon.exe makes any difference with the unlockable-when-should-be-locked issue compared with other methods of setting up autologon (registry, control userpasswords2), but it might be worth trying anyway. And maybe (or maybe not) it has a security advantage versus manually editing the registry in that it uses LSA Secrets (interestingly, Nirsoft's RegScanner reveals my password is stored in the HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\OOBE\Broker\LocalSystemAuthBuffer and HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\OOBE\Broker\LocalSystemAuthBuffer data anyway, but I digress).
Alternatively, there are third-party solutions that may work for you:
- For a long time, under Windows 7, I used Auto Login & Lock v1.0 by Kurian Abraham. I can vouch for this software as working well under Windows 7, but I haven't tried it under Windows 10. It might be worth trying in a Windows 10 VM if you have one available or can spin one up. (MD5 of Lock.exe: ED4685849BA97E7A45CEBD3684B99709; MD5 of LockCMD.exe: C24DBDEBDE61C60F3DCF37BBDAD73A7B.)
- Logon Expert is paid-for, but free for 10 days. It claims to be able to auto logon and lock, and the trial period would obviously give enough time to see if it works as advertised. Also, it claims to be more secure, using AES 256 encryption to store the password.
EDIT
Just when I thought I had nailed the issue using the scheduled task as linked above, I booted my computer this morning and the unlockable-when-should-be-locked issue is back. I will experiment further, starting with adding a delay to the "At log on" trigger. Note that you do not need to stick to the presets in the "Delay task for:" dropdown list; choose e.g. 30 seconds and then manually edit it to e.g. 10 seconds.
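The delayed "At log on" lock task described in the answer, scripted so it can be recreated without clicking through Task Scheduler. This is an added example and not the answer's own XML; the task name LockAtLogon and the use of the current account as the auto-logon user are assumptions, and the 10-second delay is the value the answer arrives at by editing the preset. Run it from an elevated PowerShell prompt on the machine that auto-logs on.

```powershell
# Added example (not from the original answer): register a logon-triggered
# lock task with a 10-second start delay, scoped to one user's interactive
# session. Assumed values: task name and the current user as the auto-logon account.
$taskName = 'LockAtLogon'                       # assumed task name
$user     = "$env:USERDOMAIN\$env:USERNAME"     # assumed: the auto-logon account

# The lock command the answer uses.
$action = New-ScheduledTaskAction -Execute 'rundll32.exe' `
                                  -Argument 'user32.dll,LockWorkStation'

# "At log on" trigger for this user only. Delay is an ISO 8601 duration string,
# so PT10S is the 10-second value that the GUI preset list does not offer directly.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user
$trigger.Delay = 'PT10S'

# Run in the user's own interactive session only (the "only when the user is
# logged on" option). LockWorkStation needs no elevation, so no RunLevel Highest.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive

# Do not let power state suppress the lock; give the task a short time limit.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                                         -DontStopIfGoingOnBatteries `
                                         -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Verify that the stored trigger carries the delay before the next reboot test.
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object Delay, Enabled
```

If the desktop still flashes before the lock, shorten the Delay string (for example PT5S) rather than removing it; with no delay the task can fire before the desktop exists, which is the too-early failure the answer describes.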