diff --git a/scripts/04-default-profile.ps1 b/scripts/04-default-profile.ps1
index b963bb9..6295d82 100644
--- a/scripts/04-default-profile.ps1
+++ b/scripts/04-default-profile.ps1
@@ -223,6 +223,35 @@ try {
         # Win11 24H2+ may require ProvisionedLayoutModification.xml format instead.
         Write-Log "  Writing taskbar layout (ProfileType=$ProfileType)" -Level INFO
 
+        # Ensure File Explorer shortcut exists in Default profile's Start Menu.
+        # On a clean Windows 11 install the System Tools folder may be missing
+        # from C:\Users\Default\AppData\Roaming - without it the XML pin is silently skipped.
+        $wsh = New-Object -ComObject WScript.Shell
+        $defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
+
+        $explorerLnkDir = "$defRoaming\System Tools"
+        $explorerLnk    = "$explorerLnkDir\File Explorer.lnk"
+        if (-not (Test-Path $explorerLnk)) {
+            if (-not (Test-Path $explorerLnkDir)) { New-Item -ItemType Directory -Path $explorerLnkDir -Force | Out-Null }
+            $sc = $wsh.CreateShortcut($explorerLnk)
+            $sc.TargetPath = "$env:WINDIR\explorer.exe"
+            $sc.Save()
+            Write-Log "  Created File Explorer.lnk in Default profile Start Menu" -Level OK
+        }
+
+        # Same for PowerShell (admin profile)
+        if ($ProfileType -eq "admin") {
+            $psLnkDir = "$defRoaming\Windows PowerShell"
+            $psLnk    = "$psLnkDir\Windows PowerShell.lnk"
+            if (-not (Test-Path $psLnk)) {
+                if (-not (Test-Path $psLnkDir)) { New-Item -ItemType Directory -Path $psLnkDir -Force | Out-Null }
+                $sc = $wsh.CreateShortcut($psLnk)
+                $sc.TargetPath = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
+                $sc.Save()
+                Write-Log "  Created Windows PowerShell.lnk in Default profile Start Menu" -Level OK
+            }
+        }
+
         $taskbarLayoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell"
         if (-not (Test-Path $taskbarLayoutDir)) {
             New-Item -ItemType Directory -Path $taskbarLayoutDir -Force | Out-Null
diff --git a/scripts/12-windows-update.ps1 b/scripts/12-windows-update.ps1
index 6752775..4273a98 100644
--- a/scripts/12-windows-update.ps1
+++ b/scripts/12-windows-update.ps1
@@ -73,20 +73,44 @@ try {
 }
 
 # -----------------------------------------------------------------------
-# 3. Scheduled task for post-reboot update rounds (self-deleting)
+# 3. Enable autologon for adminx9 (temporary - disabled when updates complete)
+# -----------------------------------------------------------------------
+Write-Log "Enabling temporary autologon for adminx9..." -Level INFO
+
+$winlogonPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+try {
+    Set-ItemProperty -Path $winlogonPath -Name "AutoAdminLogon"  -Value "1"  -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultUserName" -Value "adminx9" -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultPassword" -Value "" -Type String -Force
+    Set-ItemProperty -Path $winlogonPath -Name "DefaultDomainName" -Value "." -Type String -Force
+    # Safety cap: max 10 automatic logons in case the task fails to clean up
+    Set-ItemProperty -Path $winlogonPath -Name "AutoLogonCount"  -Value 10 -Type DWord -Force
+    Write-Log "  Autologon enabled (adminx9, max 10 rounds)" -Level OK
+} catch {
+    Write-Log "  Failed to enable autologon: $_" -Level WARN
+    Write-Log "  Windows Update rounds will require manual login after each reboot" -Level WARN
+}
+
+# -----------------------------------------------------------------------
+# 4. Scheduled task for post-reboot update rounds (self-deleting)
 # -----------------------------------------------------------------------
 Write-Log "Registering post-reboot update task..." -Level INFO
 
 $taskName = "X9-WindowsUpdate"
 
-# PowerShell block that runs on each logon until no more updates found
+# PowerShell block that runs on each logon until no more updates found.
+# When done: disables autologon and removes itself.
 $updateScript = @'
 Import-Module PSWindowsUpdate -Force -ErrorAction Stop
 $updates = Get-WindowsUpdate -AcceptAll -IgnoreReboot
 if ($updates) {
     Install-WindowsUpdate -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Setup\Scripts\wu-pass-$(Get-Date -Format 'yyyyMMdd-HHmmss').log" -Encoding UTF8
 } else {
-    # No more updates - remove this task
+    # No more updates - disable autologon and remove this task
+    $wl = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+    Set-ItemProperty -Path $wl -Name "AutoAdminLogon" -Value "0" -Type String -Force
+    Remove-ItemProperty -Path $wl -Name "DefaultPassword"   -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path $wl -Name "AutoLogonCount"    -ErrorAction SilentlyContinue
     Unregister-ScheduledTask -TaskName "X9-WindowsUpdate" -Confirm:$false
 }
 '@
@@ -112,4 +136,3 @@ try {
 }
 
 Write-Log "Step 12 - Windows Update complete" -Level OK
-Write-Log "  ACTION REQUIRED: Reboot the machine to complete remaining update rounds" -Level WARN