Unlock

The Unlock action unlocks a locked computer using a botflow Automated steps that you can design for each bot that will run.. The Nintex RPA LE Unlocker installs a DLL file that allows Nintex RPA LE to use the Unlock action to unlock the machine if it is locked (for example, if a user presses CTL+ALT+DEL to lock their PC for security reasons).

Using the Unlock action, you can:

  • Periodically check a computer to ensure that it is online.
  • Unlock a computer as a troubleshooting step.
  • Unlock a computer at a predetermined time.
  • Unlock an idle computer in preparation for running a botflow.

The Unlock action can only unlock a locked computer, such as a computer that is set to automatically lock after a set period of inactivity. It cannot perform the initial log in to the computer.

The following requirements must be met before an Unlock action can be used on a computer:

  • The Nintex RPA LE Unlocker must be installed on the computer.

  • The user must remain logged into the machine with Nintex Bot installed. The user must also be the same user set up in Nintex RPA Central that is associated with that Nintex Bot. When the Nintex Bot machine is locked, the Unlock action unlocks the active session.

  • If you are using Nintex RPA LE Unlocker 16.5.1 or below with Nintex Bot 17.14.0 or below and Nintex RPA Central 2.13.0 or below, you must also meet these requirements:

    • The user running the Unlock action must have local administrator rights on the computer.

    • Nintex Bot must be set up to run as an administrator.

    • If the User Access Control (UAC) feature in Microsoft Windows is turned on (typical), you must start Nintex Bot with the Run as administrator option when creating the Unlock action. You can also turn the UAC feature off.

You only need to set up Nintex Bot to run as an administrator if you are using the Nintex RPA LE Unlocker 16.5.1 or below with Nintex Bot 17.14.0 or below and Nintex RPA Central 2.13.0 or below.

  1. Find the Foxtrot.exe file in the installation folder: C:\Program Files (x86)\Nintex\RPA\Foxtrot.exe

  2. Right-click on Foxtrot.exe and select Properties.

  3. Click the Compatibility tab.

  4. Select Run this program as an administrator.

  5. Click OK.

You may only need to turn UAC off if you are using the Nintex RPA LE Unlocker 16.5.1 or below with Nintex Bot 17.14.0 or below and Nintex RPA Central 2.13.0 or below.

  1. In the Type here to search text box on the Windows task bar, type UAC and select Change User Account Control settings.​

  2. Select the Never notify me when setting and click OK.

Download the Nintex RPA LE Unlocker from the latest Nintex RPA LE release notes and install it on the Nintex Bot machine. The installation installs DLL files that Nintex Bot uses to unlock the machine while it is on the locked screen (when someone locks the PC, but does not log out of the machine).

Note: 

  • You must have administrator permissions to install the Nintex RPA LE Unlocker.

  • The Nintex Bot service must be installed and running on the Nintex Bot to use the Nintex RPA LE Unlocker.

Unlock Nintex Bot machine using CTL+ALT+DEL

After you install the Nintex RPA LE Unlocker, follow the instructions below to set up the Nintex Bot machine to be unlocked using CTL+ALT+DEL on the lock screen.

  1. In the Type here to search text box on the Windows task bar, type netplwiz and select Run command.

  2. Click the Advanced tab on the User Accounts window.

  3. Select Require users to press Ctrl-Alt-Delete and click OK.

  4. In the Type here to search text box on the Windows task bar, type secpol.msc or Local Security Policy and press Enter.

  5. Open the Local Policies > Security Options > folder.

  6. Double-click Interactive logon: Do not require CTL+ALT+DEL.

  7. Select Disabled and click OK.

Set up the SoftwareSASGeneration registration key

Also after you install the Nintex RPA LE Unlocker, set up the SoftwareSASGeneration registration key on the Nintex Bot machine. Because this setup involves accessing and updating the system registry, exercise caution.

  1. In the Type here to search text box on the Windows task bar, type Regedit and select Registry Editor.

  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key.

  3. If it does not already exist, create a new DWORD (32-bit) Value named SoftwareSASGeneration and set it to a value of 1.

If you are using Remote Desktop or other virtual machine software to connect to a remote computer, closing it will lock the computer and display the login screen. In the locked mode, the computer does not have a user interface, so any currently running or scheduled bots will fail. Consider implementing the best practices in this section to improve your botflow completion success rate on remotely-connected computers.

Note: The screen resolution might change when you are connected to a remote computer. Ensure that you resize all of your windows to appropriate sizes (such as 1000 x 500) to make sure that the windows are always the same size and fit the resolution at all times.

Best practice 1: Create a batch file to run the tscon utility and disconnect

When you are running Nintex Bot on a remotely-connected computer, disconnect from the computer, but do not log out of it. To disconnect, set up the batch file to run the tscon utility to disconnect and Run as Administrator. This allows the keyboard and mouse to be available for Nintex RPA LE to use them.

After you run the batch file, you will be disconnected from the session. Make sure that you have set up Nintex Bot to run as an administrator and that you have turned UAC off. The file will now always run using an administrator access token.

Note: 

  • If you are using a standard account and prompting is disabled, the application will fail to run. the tscon utility returns the control to the original local session on the remote computer and bypasses the login screen. All programs on the remote computer continue running normally, including Nintex Bots.

  • If you properly disconnect from the Remote Desktop or virtual machine session, then you do not need to have an Unlock action in the botflow. If you start a botflow (or schedule a botflow to run at a later time) in Nintex RPA Central, and then disconnect using the batch file for the tscon utility, the botflow will run as normal.

  • You can call the batch file to run the tscon utility at the beginning of your tests (if the Nintex Bot is running as an administrator).

Copy and paste the code below to create the batch file. Because you must run this batch file as an administrator, when you disconnect, right-click on the file and select Run as Administrator.

for /f "skip=1 tokens=3" %%s in ('query user %USERNAME%') do (

%windir%\System32\tscon.exe %%s /dest:console

)

To set up the batch file to always run as an administrator:

Note: You cannot set system applications or processes to always run with administrator privileges. Only non-system applications and processes can be set to always run at this level. If the Run This Program As An Administrator option is not available, it means that the application is blocked from always running at an elevated level, the application does not require administrator credentials to run, or you are not logged on as an administrator.

  1. On the Start menu, locate the file that you want to always run as an administrator.

  2. Right-click on the file and select Create shortcut.

  3. Right-click on the shortcut and select Properties.

  4. Click the Compatibility tab.

  5. Apply one of the following settings:

    • To apply the setting to the currently logged-on user, select Run This Program As An Administrator, and then click OK.

    • To apply the setting to all users on the computer regardless of which shortcut is used to start the application, click Change Setting For All Users, select Run This Program As An Administrator, and then click OK.

Best practice 2: Disable the Windows lock screen

You may need to disable the Windows 10 lock screen prior to running blotflows on remotely-connected computers. After disabling it, you can lock your computer or put it to sleep, and when you unlock or wake it up, you will no longer see the lock screen, and instead you will see the login screen. Disabling the lock screen does not disable the boot-up lock screen; if you shut down your computer, you will still see the lock screen when it first boots up.

  1. Navigate to C:\Windows\SystemApps and locate the LockApp_cw5n1h2txyewy folder.

  2. Rename the folder by adding .bak to the end of it and press Enter. If you cannot rename the folder, follow these instructions to disable the lock screen.

Best practice 3: Disable the Unlock action

If your user session is active and you have disconnected from the remotely-connected computer using the tscon utility batch file, you may not need the Unlock action in your botflow and you can disable it. Test your botflow with the disabled Unlock action to determine if the botflow will continue to run if you are disconnected from the Remote Desktop or virtual machine session, but your user session is still active.

Best practice 4: Turn off services that automatically log off users or simulate user activity

Some cloud-hosted virtual machine environments automatically log users out after a set period of time due to inactivity. Contact your IT staff and consider turning off services that automatically log users off remotely-connected computers. If remote or virtual sessions are automatically terminated due to an idle state, your botflows may also be terminated. Review and modify your IT policies that support auto-log off services; or, create a ‘keep-alive’ botflow or download and install a utility that simulates user activity on the remotely-connected computer so that the timeout doesn’t occur.

Best practice 5: Uninstall or allowlist multi-factor authentication (MFA) tools

Uninstall (do not simply disable) MFA tools such as Duo on remotely-connected computers. If you are unable to uninstall MFA tools, allowlist the credential provider for the system that you need to automate with Nintex RPA LE. If you are unable to uninstall or allowlist MFA tools, set up the computer to only use the MFA tool through RDP.

If you are using Duo, you can read about enabling credential providers in this article and credential provider settings in this article.

Note: The GUID for the Nintex RPA LE Unlocker is {1F78FD39-692A-46af-B6F6-162E1318A3CA}. It is located in this registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\ {1F78FD39-692A-46af-B6F6-162E1318A3CA}

  1. On the Actions List, click Computer and then click Unlock from the Workstation list.
  2. Set the Unlock settings.
    3. Field or button Description
    General
    • Username: The username of the active user logged into Microsoft Windows displays. This cannot be changed because the Unlock action unlocks the computer using the active username.
    • Credential: Create a credential using the username and password required to unlock the computer.
    • Confirm: Type the password required to unlock the computer. You must enter the password each time the Unlock action is opened for an edit.
    • Pause (secs): (Optional) Type the number of seconds to pause the Unlock action or use the Expression Builder to build the action settings using variables or other token values. This allows the computer to fully start after it is unlocked.
    • Test: Click to test the Unlock action. Click OK in the Warning window to continue. The Unlock action locks the computer, pauses for 5 seconds, and then unlocks the computer. If the test fails, manually unlock the computer.
    Credential

    To create a credential:

    1. Click Add Item () on the Botflow Pane.
    2. Select Credential.
    3. Type a Name for the credential.
    4. Type a unique Username.
      Note: 
      • The username cannot match the name of any other credential in the botflow.
      • For email, the username is the email address.
    5. If needed, type the value of the Password and confirm it to ensure that the correct value has been submitted.
      Note: 

      • On May 30, 2022, basic access authentication for Gmail was deprecated and less secure apps are no longer supported. If you are using App Passwords to send or get email from a Gmail inbox, those passwords will continue to work. If you want to use full OAuth authentication for additional security and standardization, you can transition to it with Nintex Bot 17.10.0 or later.

      • On December 31, 2022, basic authentication for Microsoft Exchange Online was deprecated. If you want to use full OAuth authentication for additional security and standardization, you can transition to it with Nintex Bot 17.10.0 or later.

    6. (Optional) Click + (plus sign) in the Additional Fields table header to add optional fields.
      1. Type a Name for the field.
      2. Type the Value to send to the application.
      3. Click OK.
    7. (Optional) Select the Never save protected values with botflow check box.

      8. Note: In compliance with companies that have a policy against saved passwords, when selected, neither the password nor any of the Additional Field values are saved in the botflow. This option is for use in an attended bot situation where the user must first enter the password and/or Additional Field values before botflow runs, either by using the Credential Prompt action or by manually setting those values.

    8. (Optional) Type a Note to document special instructions or functionality.
    9. Click OK to save the credential.
    Timing Settings

    Some actions have timing settings and vary based on the targeted application. The timing settings of a targeted application element are configured and saved with the action. The timing settings are then used to control when the action starts.

    1. Click Wait up to 1 sec.
    1. Open the Time drop-down list and select the required setting:
      • Do not wait: Immediately attempts to execute the action and applies any error settings or rules.
      • Wait up to: Waits up to one (1) second to execute the action per any configured rules. The time specified is the wait time prior to continuing the botflow. In the event of an application being unavailable, the action adheres to the error settings. Time units include numeric settings for seconds, minutes, and hours.
      • Wait forever: Waits until the target application is in a ready state and applies any error settings or rules.
    1. Click X to close the drop-down list and save the setting.
    Run error task
    1. Click Run error task.
    2. Open the On Error drop-down list and select the required setting:
      • Run error task: A botflow containing an error task automatically runs the error task in the event of an error. If the botflow does not contain an error task, the botflow stops in the event of an error.
      • Stop on error: The botflow stops in the event of an error.
      • Ignore errors: The action is skipped in the event of an error and the botflow attempts to execute the next action.
    1. Click X to close the drop-down and save the setting.
    Note

    (Optional) Type a Note to document any special instructions or functionality.    
    Run Switch

    The Run Switch toggle controls how Nintex Bot runs an action when adding or editing an action in a botflow.

    • Run: To run the action automatically when you click OK, switch the toggle to Run.

    • Don't Run: If you do not want to run the action automatically when you click OK, switch the toggle to Don't Run.
  3. Click OK to add the Unlock action to the botflow.