fix: create File Explorer.lnk explicitly + autologon for WU rounds

04-default-profile: Create File Explorer.lnk (and PowerShell.lnk for admin profile) in C:\Users\Default\AppData\Roaming\...\Start Menu before writing LayoutModification.xml. On a clean Windows 11 install the System Tools folder is often missing from the Default profile, which causes the taskbar pin to be silently skipped. 12-windows-update: Enable temporary autologon for adminx9 so the machine logs in automatically after each update reboot without operator intervention. AutoLogonCount=10 as safety cap. Autologon is disabled (and DefaultPassword removed) by the scheduled task when no more updates are found. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 16:07:48 +02:00 · 2026-04-16 16:07:48 +02:00 · 3fb65789eb
commit 3fb65789eb
parent 1c7678c51c
2 changed files with 56 additions and 4 deletions
--- a/scripts/04-default-profile.ps1
+++ b/scripts/04-default-profile.ps1
@ -223,6 +223,35 @@ try {
        # Win11 24H2+ may require ProvisionedLayoutModification.xml format instead.
        Write-Log "  Writing taskbar layout (ProfileType=$ProfileType)" -Level INFO

+        # Ensure File Explorer shortcut exists in Default profile's Start Menu.
+        # On a clean Windows 11 install the System Tools folder may be missing
+        # from C:\Users\Default\AppData\Roaming - without it the XML pin is silently skipped.
+        $wsh = New-Object -ComObject WScript.Shell
+        $defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
+
+        $explorerLnkDir = "$defRoaming\System Tools"
+        $explorerLnk    = "$explorerLnkDir\File Explorer.lnk"
+        if (-not (Test-Path $explorerLnk)) {
+            if (-not (Test-Path $explorerLnkDir)) { New-Item -ItemType Directory -Path $explorerLnkDir -Force | Out-Null }
+            $sc = $wsh.CreateShortcut($explorerLnk)
+            $sc.TargetPath = "$env:WINDIR\explorer.exe"
+            $sc.Save()
+            Write-Log "  Created File Explorer.lnk in Default profile Start Menu" -Level OK
+        }
+
+        # Same for PowerShell (admin profile)
+        if ($ProfileType -eq "admin") {
+            $psLnkDir = "$defRoaming\Windows PowerShell"
+            $psLnk    = "$psLnkDir\Windows PowerShell.lnk"
+            if (-not (Test-Path $psLnk)) {
+                if (-not (Test-Path $psLnkDir)) { New-Item -ItemType Directory -Path $psLnkDir -Force | Out-Null }
+                $sc = $wsh.CreateShortcut($psLnk)
+                $sc.TargetPath = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
+                $sc.Save()
+                Write-Log "  Created Windows PowerShell.lnk in Default profile Start Menu" -Level OK
+            }
+        }
+
        $taskbarLayoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell"
        if (-not (Test-Path $taskbarLayoutDir)) {
            New-Item -ItemType Directory -Path $taskbarLayoutDir -Force | Out-Null
--- a/scripts/12-windows-update.ps1
+++ b/scripts/12-windows-update.ps1
@ -73,20 +73,44 @@ try {
 }

 # -----------------------------------------------------------------------
-# 3. Scheduled task for post-reboot update rounds (self-deleting)
+# 3. Enable autologon for adminx9 (temporary - disabled when updates complete)
+# -----------------------------------------------------------------------
+Write-Log "Enabling temporary autologon for adminx9..." -Level INFO
+
+$winlogonPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+try {
+    Set-ItemProperty -Path $winlogonPath -Name "AutoAdminLogon"  -Value "1"  -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultUserName" -Value "adminx9" -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultPassword" -Value "" -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultDomainName" -Value "." -Type String -Force
+    # Safety cap: max 10 automatic logons in case the task fails to clean up
+    Set-ItemProperty -Path $winlogonPath -Name "AutoLogonCount"  -Value 10 -Type DWord -Force
+    Write-Log "  Autologon enabled (adminx9, max 10 rounds)" -Level OK
+} catch {
+    Write-Log "  Failed to enable autologon: $_" -Level WARN
+    Write-Log "  Windows Update rounds will require manual login after each reboot" -Level WARN
+}
+
+# -----------------------------------------------------------------------
+# 4. Scheduled task for post-reboot update rounds (self-deleting)
 # -----------------------------------------------------------------------
 Write-Log "Registering post-reboot update task..." -Level INFO

 $taskName = "X9-WindowsUpdate"

-# PowerShell block that runs on each logon until no more updates found
+# PowerShell block that runs on each logon until no more updates found.
+# When done: disables autologon and removes itself.
 $updateScript = @'
 Import-Module PSWindowsUpdate -Force -ErrorAction Stop
 $updates = Get-WindowsUpdate -AcceptAll -IgnoreReboot
 if ($updates) {
    Install-WindowsUpdate -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Setup\Scripts\wu-pass-$(Get-Date -Format 'yyyyMMdd-HHmmss').log" -Encoding UTF8
 } else {
-    # No more updates - remove this task
+    # No more updates - disable autologon and remove this task
+    $wl = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+    Set-ItemProperty -Path $wl -Name "AutoAdminLogon" -Value "0" -Type String -Force
+    Remove-ItemProperty -Path $wl -Name "DefaultPassword"   -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path $wl -Name "AutoLogonCount"    -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName "X9-WindowsUpdate" -Confirm:$false
 }
 '@
@ -112,4 +136,3 @@ try {
 }

 Write-Log "Step 12 - Windows Update complete" -Level OK
-Write-Log "  ACTION REQUIRED: Reboot the machine to complete remaining update rounds" -Level WARN