This PowerShell script automates the creation of an autologon user and configures Windows for automatic login. After a specified time, it cleans up the autologon settings.
<aside> 🚧
The original intention of this script was to solve a specific need: an endpoint is joined to Entra and enrolled into Intune via Autopilot. Ultimately, however, the customer only wanted the end user to log in to a local account. Joining the PC to Entra defaults the login screen to prompt for a UPN in the joined tenant, which was not desired.
This script will create that new local user, grant it local admin rights, set it up as an autologon user temporarily (this way, the last logged-in user is remembered on the login screen), then remove the autologon setup after 30 minutes.
It’s a sloppy workaround, but it served the need of the customer.
</aside>
<aside> <img src="/icons/hand_orange.svg" alt="/icons/hand_orange.svg" width="40px" /> This script stores credentials in the registry temporarily. The cleanup task removes these sensitive values after 30 minutes for security purposes.
</aside>
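<#
.SYNOPSIS
    Creates a local administrator account, enables Winlogon autologon for it,
    and schedules a SYSTEM task that removes the autologon values later.
.DESCRIPTION
    One-shot setup guarded by a marker file; the machine is restarted at the end
    so the first autologon happens immediately.
    Winlogon's DefaultPassword value is stored in clear text in the registry and is
    readable by any local administrator (or from a registry/disk backup) until the
    cleanup task has run. Supply the password via -PlainPassword instead of editing
    the default below, and treat the account as throwaway.
.PARAMETER LocalUser
    Name of the local account to create and autologon as.
.PARAMETER PlainPassword
    Password for that account. The default only preserves compatibility with the
    original script and is a publicly known value — override it from the caller.
.PARAMETER CleanupDelayMinutes
    Minutes after which the autologon registry values are removed.
#>
#Requires -RunAsAdministrator
param(
    [string]$LocalUser = "localuser",
    [string]$PlainPassword = "P@ssword123",   # TODO: override at call time; see .PARAMETER PlainPassword
    [int]$CleanupDelayMinutes = 30
)

# Step 0: Check if the script has already run
# NOTE(review): the page renders these paths with doubled backslashes ("C:\\ProgramData\\...");
# that looks like a markdown export artifact, so single separators are used here — confirm.
$markerFile = "C:\ProgramData\AutoLogonSetupComplete.txt"
if (Test-Path -Path $markerFile) {
    Write-Output "Setup has already completed. Exiting script."
    exit 0
}

# Step 1: Create the local user account if it doesn't exist
$localPassword = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force
if (-not (Get-LocalUser -Name $localUser -ErrorAction SilentlyContinue)) {
    # -UserMayNotChangePassword replaces the original cmd.exe / "net user /passwordchg:no"
    # round-trip and the Start-Sleep that papered over its race with account creation.
    New-LocalUser -Name $localUser -Password $localPassword -FullName "Local Autologon User" `
        -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword
    Add-LocalGroupMember -Group "Administrators" -Member $localUser
    Write-Output "Local user '$localUser' created, added to Administrators group, and restricted from changing password."
} else {
    Write-Output "Local user '$localUser' already exists."
}

# Step 2: Set autologon values
# DefaultPassword is written in clear text; nothing below prints it to stdout, and the
# cleanup task removes all four values. Do not add logging that echoes $plainPassword.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $regPath -Name "AutoAdminLogon" -Value "1" -Type String
Set-ItemProperty -Path $regPath -Name "DefaultUsername" -Value $localUser -Type String
Set-ItemProperty -Path $regPath -Name "DefaultPassword" -Value $plainPassword -Type String
Set-ItemProperty -Path $regPath -Name "DefaultDomainName" -Value "." -Type String
Write-Output "Autologon values set."

# Step 3: Create the cleanup script content
# The cleanup script also unregisters its own task and deletes itself, so no
# SYSTEM-level task or script is left behind once the secret has been removed.
$cleanupScriptPath = Join-Path -Path $env:ProgramData -ChildPath "CleanupAutoLogon.ps1"
$cleanupScript = @'
param([string]$TaskName)
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$valuesToRemove = @("AutoAdminLogon", "DefaultUsername", "DefaultPassword", "DefaultDomainName")
if (Test-Path -Path $regPath) {
    foreach ($value in $valuesToRemove) {
        # -ErrorAction SilentlyContinue already tolerates a missing value, so no
        # separate Get-ItemProperty probe is needed.
        Remove-ItemProperty -Path $regPath -Name $value -ErrorAction SilentlyContinue
    }
}
if ($TaskName) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
}
Remove-Item -LiteralPath $PSCommandPath -Force -ErrorAction SilentlyContinue
'@
Set-Content -Path $cleanupScriptPath -Value $cleanupScript -Force -Encoding Unicode

# Step 4: Schedule task to run the cleanup script after the delay
$taskName = "AutoLogonCleanupTask"
$taskArgs = "-NoProfile -ExecutionPolicy Bypass -File `"$cleanupScriptPath`" -TaskName `"$taskName`""
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskArgs
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($cleanupDelayMinutes)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
# A -Once trigger that fires while the machine is off or mid-reboot is otherwise missed
# for good, and the default settings set refuses to start on battery — either case would
# leave the clear-text password in the registry indefinitely.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
# -Force lets a re-run after a partial failure (before the marker file exists) replace the task.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
Write-Output "Scheduled task '$taskName' created to run in $cleanupDelayMinutes minutes."

# Step 5: Create the marker file so the script doesn't run again
New-Item -Path $markerFile -ItemType File -Force | Out-Null
Write-Output "Marker file created at '$markerFile'."

# Step 6: Restart the computer
Write-Output "Restarting the computer in 10 seconds..."
Start-Sleep -Seconds 10
Restart-Computer -Force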