[2023] How to: Setup self-hosted Azure agents to run tests that interact with the?desktop

If you’re looking to run tests that involve interacting with the desktop, you’ll need to make sure your agent is set up to run as a process instead of a service. This is especially important if you want to run coded UI tests remotely or capture a video recording during a test run.?

To configure agents that are assigned to roles involving desktop interaction, you can follow the steps below:

Prepare permissions

Information security for self-hosted agents

To configure the Azure Pipelines agent will need pool admin permissions, but the user who runs the agent does not. It’s important to restrict access to the folders controlled by the agent to as few users as possible, as they may contain sensitive information that could be accessed or stolen.

Since the Azure Pipelines agent executes code from external sources, it could potentially be targeted in a Remote Code Execution attack. To mitigate this risk, it’s crucial to carefully consider the threat model for each specific use case and determine the minimum permissions required for the user running the agent, the machine hosting the agent, the users with write access to the pipeline definition, and the group of users controlling pool access for new pipelines.

One best practice is to have a different identity running the agent than the one with permission to connect the agent to the pool. This minimizes the risk of sensitive files, such as credentials and other agent-related files, being accessed by unauthorized users. It’s also wise to limit access to the agent folder to DevOps administrators and the user identity running the agent process. This way, administrators can investigate file systems to diagnose build failures or retrieve log files to report Azure DevOps issues.

Determine which user you will?use

To use the Azure Pipelines agent, you will need to register it. This is a one-time step that must be completed by someone with permission to administer the agent queue. It’s important to note that the agent will not use this person’s credentials in everyday operations, but they are required to complete the registration process. If you want to learn more about how agents communicate, additional information is available to help you get started. By taking the time to register your agent properly, you can help to ensure its smooth and secure operation.

Authenticate with a personal access token?(PAT)

To get started with the Azure Pipelines agent, you need to register it. To do this it’s necessary to get the Access Token (PAT), check here for more information. This is a one-time process that must be completed by someone who has permission to administer the agent queue. It’s important to note that the credentials of the person who completes the registration will not be used in the agent’s everyday operation, but they are necessary to complete the registration successfully. If you want to learn more about how agents communicate, additional resources are available to help you better understand this process. By taking the time to register your agent properly, you can ensure that it will operate smoothly and securely.

Confirm the user has permission

Make sure the user account that you’re going to use has permission to register the agent. If you want to learn more about how to confirm if the user has permission check here.?

Azure agent to run tests that interact with the?desktop

To run tests that involve interacting with the desktop, it’s necessary to turn on automatic logon in Windows (auto-logon) and run the agent to run interactively mode on startup.

Turn on automatic logon in?Windows

Here, we’ll be exploring how you can make your life easier by automating the logon process on your Windows computer. This involves using the registry editor to turn on automatic logon, so you don’t have to type it in every time you start up your computer. Plus, other users can start your computer and use your account without having to enter your login details. Sounds pretty convenient, right? Let’s dive in and see how it’s done! To get more security details check here.

Use Registry Editor to turn on automatic logon

To use Registry Editor to turn on automatic logon, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type Regedit.exe, and then press Enter.
3. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey in the registry.
4. Double-click the DefaultUserName entry, type your user name, and then click OK.
5. Double-click the DefaultPassword entry, type your password and then click OK.?

If the DefaultPassword value does not exist, it must be added. To add value, follow these steps:

a. On the Edit menu, click New and then point to String Value.

b. Type DefaultPassword, and then press Enter.

c. Double-click DefaultPassword.

d. In the Edit String dialog, type your password and then click OK.

Note

If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.

6. On the Edit menu, click New and then point to String Value.

7. Type AutoAdminLogon, and then press Enter.

8. Double-click AutoAdminLogon.

9. In the Edit String dialog box, type 1 and then click OK.

10. If you have joined the computer to a domain, you should add the DefaultDomainName value, and the data for the value should be set as the fully qualified domain name (FQDN) of the domain, for example, contoso.com...

11. Exit Registry Editor.

12. Click Start, click Shutdown, and then type a reason in the Comment text box.

13. Click OK to turn off your computer.

14. Restart your computer. You can now log on automatically.

Setup Agent as an interactive mode and runs on?startup

Open your terminal (PowerShell or cmd) and into your agent dir, type this command line:

.\config.cmd --url https://dev.azure.com/{your-organization} --auth pat --token {your-access-token} --pool {pool} --agent {agent} --acceptTeeEula --runAsAutoLogon --windowsLogonAccount {your-user} --windowsLogonPassword {your-password}?

To ensure everything is working as intended, go ahead and restart your computer. Once it’s up and running again, the autologon feature and the automatic startup of the agent should kick in and run smoothly in interactive mode. Give it a try and see how it goes!

Conclusion

We have learned how to set up self-hosted Azure agents for running tests that interact with the desktop, it’s important to ensure that the agent is configured to run as a process instead of a service, and that appropriate permissions are in place to restrict access to sensitive information. The user running the agent should be different from the one with permission to connect the agent to the pool to minimize the risk of unauthorized access to sensitive files. It’s also necessary to turn on automatic logon in Windows and run the agent in interactive mode on startup. By following these steps, you can ensure that your agent will operate smoothly and securely. Feel free for any questions. See you there.