diff --git a/scripts/12-windows-update.ps1 b/scripts/12-windows-update.ps1
index 4273a98..0a076d0 100644
--- a/scripts/12-windows-update.ps1
+++ b/scripts/12-windows-update.ps1
@@ -106,11 +106,30 @@ $updates = Get-WindowsUpdate -AcceptAll -IgnoreReboot
 if ($updates) {
 Install-WindowsUpdate -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Setup\Scripts\wu-pass-$(Get-Date -Format 'yyyyMMdd-HHmmss').log" -Encoding UTF8
 } else {
- # No more updates - disable autologon and remove this task
+ # No more updates - disable autologon and clean up
 $wl = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
 Set-ItemProperty -Path $wl -Name "AutoAdminLogon" -Value "0" -Type String -Force
 Remove-ItemProperty -Path $wl -Name "DefaultPassword" -ErrorAction SilentlyContinue
 Remove-ItemProperty -Path $wl -Name "AutoLogonCount" -ErrorAction SilentlyContinue
+
+ # Leave a visible marker on the shared Desktop so the operator knows it's done
+ $ts = Get-Date -Format "yyyy-MM-dd HH:mm"
+ $doneMsg = "Windows Update dokoncen: $ts`r`nStroj je plne aktualizovan a pripraven k predani klientovi."
+ [System.IO.File]::WriteAllText(
+ "C:\Users\Public\Desktop\! WU HOTOVO $ts.txt",
+ $doneMsg,
+ [System.Text.Encoding]::UTF8
+ )
+
+ # Lock the workstation - login screen = clear visual signal for the operator.
+ # Runs as adminx9 (interactive session) via a one-shot task, self-deletes after 5 min.
+ $lockAction = New-ScheduledTaskAction -Execute "rundll32.exe" -Argument "user32.dll,LockWorkStation"
+ $lockTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(5)
+ $lockPrincipal = New-ScheduledTaskPrincipal -UserId "adminx9" -LogonType Interactive -RunLevel Limited
+ $lockSettings = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 5)
+ Register-ScheduledTask -TaskName "X9-WUDoneLock" -Action $lockAction -Trigger $lockTrigger `
+ -Principal $lockPrincipal -Settings $lockSettings -Force -ErrorAction SilentlyContinue | Out-Null
+
 Unregister-ScheduledTask -TaskName "X9-WindowsUpdate" -Confirm:$false
 }
 '@
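Review bot: The one-shot lock task at the end of the `else` branch will probably never register, and the failure is hidden. Task Scheduler normally rejects a task whose settings carry `-DeleteExpiredTaskAfter` when the trigger has no end boundary, and `Register-ScheduledTask ... -ErrorAction SilentlyContinue | Out-Null` swallows that error, so the interactive `adminx9` session can stay unlocked after the final pass with nothing in the logs. Set `$lockTrigger.EndBoundary = (Get-Date).AddMinutes(1).ToString('s')` before registering, and write a registration failure to the `C:\Windows\Setup\Scripts` log instead of silencing it. Separately, `$ts` is formatted with `HH:mm` and reused in the marker file name; `:` is not valid in a Windows file name, so `WriteAllText` either throws or writes to an alternate data stream, and a colon-free stamp such as `Get-Date -Format 'yyyy-MM-dd HHmm'` should be used for the path. The here-string this block belongs to opens outside the hunk, so the effective `$ErrorActionPreference` is not visible here.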