{"id":391028,"date":"2024-12-13T07:54:36","date_gmt":"2024-12-13T07:54:36","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&p=391028"},"modified":"2024-12-13T07:54:36","modified_gmt":"2024-12-13T07:54:36","slug":"script-desactiver-la-connexion-automatique","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/script-desactiver-la-connexion-automatique\/","title":{"rendered":"Renforcer la s\u00e9curit\u00e9 avec PowerShell\u00a0: d\u00e9sactiver la connexion automatique et imposer CTRL+ALT+SUPPR\u00a0"},"content":{"rendered":"

Dans les environnements informatiques, la s\u00e9curit\u00e9 est primordiale et chaque couche de d\u00e9fense est importante. Une mesure de s\u00e9curit\u00e9 souvent n\u00e9glig\u00e9e consiste \u00e0 demander aux utilisateurs d’appuyer sur\u00a0CTRL+ALT+SUPPR<\/strong>\u00a0avant de se connecter. Cette action agit comme une s\u00e9quence d’attention s\u00e9curis\u00e9e (SAS), garantissant que l’\u00e9cran de connexion est authentique et qu’il ne s’agit pas d’une interface usurp\u00e9e cr\u00e9\u00e9e par un malware.<\/p>\n

Pour les professionnels de l’informatique et les fournisseurs de services g\u00e9r\u00e9s (MSP)<\/a>, l’automatisation de ces t\u00e2ches permet de gagner du temps et de renforcer la coh\u00e9rence. C’est pr\u00e9cis\u00e9ment ce que fait le script PowerShell<\/a> fourni : il permet de d\u00e9sactiver la connexion automatique et applique l’exigence CTRL+ALT+SUPPR<\/strong>\u00a0sur les syst\u00e8mes Windows.<\/p>\n

Comprendre la n\u00e9cessit\u00e9 de pratiques de connexion s\u00e9curis\u00e9es<\/h2>\n

L’exigence\u00a0CTRL+ALT+SUPPR<\/strong>\u00a0n’est pas l\u00e0 juste pour emb\u00eater les utilisateurs, elle offre des avantages cruciaux en mati\u00e8re de s\u00e9curit\u00e9. Cette combinaison garantit que les utilisateurs interagissent avec le sous-syst\u00e8me d’authentification s\u00e9curis\u00e9 du syst\u00e8me d’exploitation plut\u00f4t qu’avec des programmes potentiellement malveillants. La d\u00e9sactivation de la connexion automatique emp\u00eache \u00e9galement tout acc\u00e8s non autoris\u00e9 dans les environnements partag\u00e9s ou sensibles. Les professionnels de l’informatique qui g\u00e8rent des flottes d’appareils trouveront ce script tr\u00e8s utile pour impl\u00e9menter rapidement ces param\u00e8tres dans tous les syst\u00e8mes.<\/p>\n

Le script\u00a0:<\/h2>\n
#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n    Disables the automatic login feature and requires 'CTRL', 'ALT', and 'DELETE' to be pressed each time a user signs in. Once 'Interactive logon: Do not require CTRL+ALT+DEL' is apart of the security policy it cannot be removed from the policy. It either has to be enabled or disabled.\r\n.DESCRIPTION\r\n    Disables the automatic login feature and requires 'CTRL', 'ALT', and 'DELETE' to be pressed each time a user signs in. Once 'Interactive logon: Do not require CTRL+ALT+DEL' is apart of the security policy it cannot be removed from the policy. It either has to be enabled or disabled.\r\n\r\n    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n.EXAMPLE\r\n    (No Parameters)\r\n    \r\n    Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon changed from 1 to 0\r\n    Retrieving existing security policy...\r\n                                                                            \r\n    The task has completed successfully.\r\n    See log %windir%\\security\\logs\\scesrv.log for detail info.\r\n    Modifying policy to require Ctrl Alt Del to be pressed on login.\r\n    Applying updated policy...\r\n    Completed 5 percent (0\/18) \tProcess Security Policy area        \r\n    Completed 22 percent (3\/18) \tProcess Security Policy area        \r\n    Completed 44 percent (7\/18) \tProcess Security Policy area        \r\n    Completed 61 percent (10\/18) \tProcess Security Policy area        \r\n    Completed 77 percent (13\/18) \tProcess Security Policy area        \r\n    Completed 100 percent (18\/18) \tProcess Security Policy area        \r\n                                                                            \r\n    The task has completed successfully.\r\n    See log %windir%\\security\\logs\\scesrv.log for detail info.\r\n\r\nPARAMETER: -MicrosoftDefaults\r\n    Reverts all the modified settings to their Microsoft default value.\r\n\r\nPARAMETER: -ForceRestart\r\n    Schedules a restart for 60 seconds from now so that the CTRL+ALT+DEL login requirement may take immediate effect.\r\n\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n    Release Notes: Initial Release\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [Parameter()]\r\n    [Switch]$MicrosoftDefaults = [System.Convert]::ToBoolean($env:revertToMicrosoftDefaults),\r\n    [Parameter()]\r\n    [Switch]$ForceRestart = [System.Convert]::ToBoolean($env:forceRestart)\r\n)\r\n\r\nbegin {\r\n\r\n    function Test-IsDomainJoined {\r\n        if ($PSVersionTable.PSVersion.Major -lt 5) {\r\n            return $(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain\r\n        }\r\n        else {\r\n            return $(Get-CimInstance -Class Win32_ComputerSystem).PartOfDomain\r\n        }\r\n    }\r\n\r\n    function Set-RegKey {\r\n        param (\r\n            $Path,\r\n            $Name,\r\n            $Value,\r\n            [ValidateSet(\"DWord\", \"QWord\", \"String\", \"ExpandedString\", \"Binary\", \"MultiString\", \"Unknown\")]\r\n            $PropertyType = \"DWord\"\r\n        )\r\n\r\n        # Check if the specified path exists, if not, create it.\r\n        if (-not $(Test-Path -Path $Path)) {\r\n            New-Item -Path $Path -Force | Out-Null\r\n        }\r\n\r\n        # Check if the property already exists at the path.\r\n        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {\r\n\r\n            # Retrieve the current value of the registry key.\r\n            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name\r\n            try {\r\n                # Attempt to update the property's value.\r\n                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                # If an error occurs during the update, print an error message and exit.\r\n                Write-Host \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Host \"[Error] $($_.Message)\"\r\n                exit 1\r\n            }\r\n            # Print a confirmation of the change.\r\n            Write-Host \"$Path\\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)\"\r\n        }\r\n        else {\r\n            try {\r\n                # If the property does not exist, create it with the specified value and type.\r\n                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                # If an error occurs during creation, print an error message and exit.\r\n                Write-Host \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Host \"[Error] $($_.Exception.Message)\"\r\n                exit 1\r\n            }\r\n\r\n            # Print a confirmation of the change.\r\n            Write-Host \"Set $Path\\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)\"\r\n        }\r\n    }\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n\r\n    if (!$ExitCode) {\r\n        $ExitCode = 0\r\n    }\r\n}\r\nprocess {\r\n    # Check if the current user session is elevated with administrator privileges. If not, display an error message and exit the script.\r\n    if (!(Test-IsElevated)) {\r\n        Write-Host -Object \"[Error] Access Denied. Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n\r\n    # Retrieve the AutoAdminLogon and DefaultPassword registry values to check for automatic login settings and stored passwords.\r\n    $AutoLogin = Get-ItemProperty -Path \"Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"AutoAdminLogon\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty \"AutoAdminLogon\" -ErrorAction SilentlyContinue\r\n    $DefaultPassword = Get-ItemProperty -Path \"Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"DefaultPassword\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty \"DefaultPassword\" -ErrorAction SilentlyContinue\r\n    $PasswordLessSetting = Get-ItemProperty -Path \"Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PasswordLess\\Device\" -Name \"DevicePasswordLessBuildVersion\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty \"DevicePasswordLessBuildVersion\" -ErrorAction SilentlyContinue\r\n\r\n    # Alert if a password is stored in the registry, which might be insecure if in plain text.\r\n    if ($DefaultPassword) {\r\n        Write-Host \"[Alert] A Password is stored in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword. This password is likely in plain text.\"\r\n    }\r\n\r\n    # Check if the device is part of a domain, and if so, recommend using group policy for login settings.\r\n    if (Test-IsDomainJoined) {\r\n        Write-Host \"[Error] This device is domain joined. CTRL ALT Delete login should be setup using group policy.\"\r\n        Write-Host \"[Info] Group Policy Location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon:(...)\"\r\n        Write-Host \"[Info] https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/security-policy-settings\/interactive-logon-do-not-require-ctrl-alt-del\"\r\n        exit 1\r\n    }\r\n\r\n    # Turn off automatic login if it is enabled.\r\n    if ($AutoLogin -ne 0) {\r\n        Set-RegKey -Path \"Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"AutoAdminLogon\" -Value 0\r\n    }\r\n\r\n    # Disable automatic login if it is enabled\r\n    if ($PasswordLessSetting -eq 0) {\r\n        Set-RegKey -Path \"Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PasswordLess\\Device\" -Name \"DevicePasswordLessBuildVersion\" -Value 2\r\n    }\r\n\r\n    # Announce the start of the security policy retrieval process.\r\n    Write-Host \"Retrieving existing security policy...\"\r\n\r\n    # Export the current security policy and record the output to a temporary file.\r\n    $SecurityPolicyPath = \"$env:TEMP\\enable-ctrlaltdellogin.cfg\"\r\n    $OutputPath = \"$env:TEMP\\enable-ctrlaltdellogin.txt\"\r\n    $ExportPolicy = Start-Process SecEdit.exe -ArgumentList \"\/export \/cfg $SecurityPolicyPath\" -RedirectStandardOutput $OutputPath -NoNewWindow -Wait -PassThru\r\n    $ExportPolicyOutput = Get-Content -Path $OutputPath\r\n\r\n    # Display the output of the policy export and clean up the temporary file.\r\n    if ($ExportPolicyOutput) {\r\n        $ExportPolicyOutput | Write-Host\r\n        Remove-Item $OutputPath\r\n    }\r\n\r\n    # Check the exit code of the export process and display an error message if the export failed.\r\n    if ($ExportPolicy.ExitCode -ne 0) {\r\n        Write-Host -Object \"Exit Code: $($ExportPolicy.ExitCode)\"\r\n        Write-Host -Object \"[Error] Unable to edit security policy.\"\r\n        exit 1\r\n    }\r\n    \r\n    # Check if Microsoft default setting is specifed.\r\n    if ($MicrosoftDefaults) {\r\n        Write-Host \"Removing Ctrl Alt Del requirement from security policy...\"\r\n\r\n        # Initialize a new list to store modified security policy settings.\r\n        $NewSecPolicy = New-Object System.Collections.Generic.List[string]\r\n\r\n        # Read the current security policy and process each line.\r\n        Get-Content $SecurityPolicyPath | ForEach-Object {\r\n\r\n            # If the line contains settings for CTRL ALT DEL, reset the value.\r\n            if ($_ -match \"DisableCAD\") {\r\n                $NewSecPolicy.Add(($_ -replace \",.*\", \",1\"))\r\n            }\r\n            else {\r\n                $NewSecPolicy.Add($_)\r\n            }\r\n        }\r\n\r\n        # Write the modified security policy back to the configuration file.\r\n        $NewSecPolicy | Out-File $SecurityPolicyPath\r\n\r\n        Write-Host \"Applying updated policy...\"\r\n        # Apply the modified security policy using SecEdit.exe.\r\n        $UpdateSecurityPolicy = Start-Process SecEdit.exe -ArgumentList \"\/configure \/db c:\\windows\\security\\local.sdb \/cfg $SecurityPolicyPath\" -RedirectStandardOutput $OutputPath -Wait -NoNewWindow -PassThru\r\n    \r\n        # Capture the output from the policy update and display it.\r\n        $UpdatePolicyOutput = Get-Content -Path $OutputPath\r\n        if ($UpdatePolicyOutput) {\r\n            $UpdatePolicyOutput | Write-Host\r\n            Remove-Item $OutputPath\r\n        }\r\n    \r\n\r\n        # Check the exit code of the policy update process and handle errors.\r\n        if ($UpdateSecurityPolicy.ExitCode -ne 0) {\r\n            Write-Host -Object \"Exit Code: $($UpdateSecurityPolicy.ExitCode)\"\r\n            Write-Host -Object \"[Error] Unable to update security policy.\"\r\n            exit 1\r\n        }\r\n        else {\r\n            if ($ForceRestart) {\r\n                Write-Warning -Message \"Scheduling system restart for 60 seconds from now. $((Get-Date).AddMinutes(60))\"\r\n                Start-Process shutdown.exe -ArgumentList \"\/r \/t 60\" -Wait -NoNewWindow\r\n            }\r\n            else {\r\n                Write-Warning -Message \"A restart may be required for the Ctrl Alt Del requirement to be removed. Please restart at your earliest convenience.\"\r\n            }\r\n            \r\n            exit $ExitCode\r\n        }\r\n    }\r\n\r\n    # Begin modification to require ctrl alt del in the security policy.\r\n    Write-Host \"Modifying policy to require Ctrl Alt Del to be pressed on login.\"\r\n\r\n    # Check if the current policy already includes a ctrl alt del requirement.\r\n    if (Get-Content $SecurityPolicyPath | Where-Object { $_ -like \"*DisableCAD*\" }) {\r\n        # Replace the existing title with a new one, maintaining other parts of the line.\r\n        $Caption = (Get-Content $SecurityPolicyPath | Where-Object { $_ -like \"*DisableCAD*\" }) -replace ',.*', \",0\"\r\n        (Get-Content $SecurityPolicyPath) -replace \".*DisableCAD.*\", \"$Caption\" | Out-File $SecurityPolicyPath\r\n    }\r\n    else {\r\n        # If setting is not present, create a new list for the modified policy settings.\r\n        $NewSecPolicy = New-Object System.Collections.Generic.List[string]\r\n        # Create the new setting.\r\n        $Caption = \"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCAD=4,0\"\r\n\r\n        # Read the current policy and add the new setting where appropriate.\r\n        Get-Content $SecurityPolicyPath | ForEach-Object {\r\n            if ($_ -match \"\\[Registry Values\\]\") {\r\n                $NewSecPolicy.Add($_)\r\n                $NewSecPolicy.Add($Caption)\r\n            }\r\n            else {\r\n                $NewSecPolicy.Add($_)\r\n            }\r\n        }\r\n\r\n        # Write the modified settings back to the configuration file.\r\n        $NewSecPolicy | Out-File $SecurityPolicyPath\r\n    }\r\n\r\n    # Display a message indicating that the updated security policy is being applied.\r\n    Write-Host \"Applying updated policy...\"\r\n    $UpdateSecurityPolicy = Start-Process SecEdit.exe -ArgumentList \"\/configure \/db c:\\windows\\security\\local.sdb \/cfg $SecurityPolicyPath \/areas securitypolicy\" -RedirectStandardOutput $OutputPath -Wait -NoNewWindow -PassThru\r\n    \r\n    $UpdatePolicyOutput = Get-Content -Path $OutputPath\r\n    # If there is any output from the SecEdit process, display it in the console.\r\n    if ($UpdatePolicyOutput) {\r\n        $UpdatePolicyOutput | Write-Host\r\n        Remove-Item $OutputPath\r\n    }\r\n    \r\n\r\n    # Check if the SecEdit process completed successfully by examining the exit code.\r\n    if ($UpdateSecurityPolicy.ExitCode -ne 0) {\r\n        Write-Host -Object \"Exit Code: $($UpdateSecurityPolicy.ExitCode)\"\r\n        Write-Host -Object \"[Error] Unable to update security policy.\"\r\n        exit 1\r\n    }\r\n\r\n    if ($ForceRestart) {\r\n        Write-Warning -Message \"Scheduling system restart for 60 seconds from now. $((Get-Date).AddMinutes(60))\"\r\n        Start-Process shutdown.exe -ArgumentList \"\/r \/t 60\" -Wait -NoNewWindow\r\n    }\r\n    else {\r\n        Write-Warning -Message \"A restart may be required for the Ctrl Alt Del requirement to take effect. Please restart at your earliest convenience.\"\r\n    }\r\n    \r\n    exit $ExitCode\r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n
 <\/p>\n\n
Gagnez du temps gr\u00e2ce \u00e0 plus de 300 scripts du Dojo NinjaOne.<\/p>\n
\u2192 Obtenir l’acc\u00e8s<\/a><\/p>\n<\/div>\n
Comment fonctionne le script<\/h2>\n
1. Contr\u00f4les et fonctions pr\u00e9liminaires<\/h3>\n