vagrant
Provisioning Windows systems might hang forever if auto-logon is disabled by Windows updates
I've come across this multiple times now, apparently because the Windows image fetched Windows updates before provisioning. Some Windows updates (fetched during first startup after a fresh sysprep) seem to disable the auto-logon feature for the vagrant user. Especially update KB5005716 on Windows 10 and another one on Windows 11 which I have not tracked down yet.
Provisioning then simply hangs at:
```
==> default: Running provisioner: shell...
    default: Running: inline PowerShell script
```
Investigation then shows that executing non-elevated powershell commands works:
```
vagrant winrm -s powershell -c "Write foo"
foo
```
But executing an elevated PowerShell command simply hangs:
```
vagrant winrm -e -s powershell -c "Write foo"
```
The reason for this is that elevated powershell commands are executed via task scheduler, but the task scheduler will not start any task until the user has logged in at least once. This can be verified by using a non-elevated command to query the task status:
```
vagrant winrm -s powershell -c "Get-ScheduledTask" | grep WinRM_Elevated_Shell
WinRM_Elevated_Shell_8baef852-... Queued
```
My only workaround was to re-build the images and pull the updates before sysprepping. Maybe it would help if Vagrant would check the task status repeatedly and error out accordingly if the task does not reach a running state after a certain timeout.
This issue has been hitting me with every Windows 11 image I built. After some time something is happening during image bootup that disables the autologon. I've come up with the following workaround:
- Using typed_triggers, I'm uploading a PowerShell file which re-enables auto-logon just after the virtual machine has finished booting.
- Execute the autologon script without elevated rights to re-enable auto-logon for the vagrant user.
- Use the reload provisioner to reload the virtual machine.
- After the reload, autologon works again and I can continue with regular provisioning where the scripts are executed with elevated rights.
```ruby
ENV["VAGRANT_EXPERIMENTAL"] = "typed_triggers"
[..]
config.trigger.before :after_boot, type: :hook do |t|
  config.vm.provision "file", source: "autologon.ps1", destination: "C://autologon.ps1"
  config.vm.provision "shell", inline: "powershell -File C://autologon.ps1", privileged: false
  config.vm.provision :reload
end
```
autologon.ps1 goes by:
```powershell
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AutoAdminLogon' -Value '1' -Type String
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DefaultUsername' -Value 'vagrant' -Type String
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DefaultPassword' -Value 'vagrant' -Type String
```
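The check suggested in the first post (poll the task status and error out if the elevated task never leaves `Queued`), as an added shell example that is not part of the issue or of Vagrant itself. The function names, attempt count and interval are assumptions; only the `vagrant winrm` query comes from the post.

```shell
#!/bin/sh
# Added example: detect the "elevated task stuck in Queued" hang from a second
# terminal while provisioning appears frozen. All names here are hypothetical.

# Non-elevated query, exactly as used in the issue. Redefine to test offline.
query_tasks() {
    vagrant winrm -s powershell -c "Get-ScheduledTask"
}

# Read Get-ScheduledTask output on stdin and print the State (last column) of
# the first WinRM_Elevated_Shell task, or "Missing" if none is listed.
elevated_task_state() {
    awk '/WinRM_Elevated_Shell/ { print $NF; found = 1; exit }
         END { if (!found) print "Missing" }'
}

# Poll up to $1 times, $2 seconds apart. Prints the last observed state.
# Returns 0 once the task is no longer Queued, 1 if it stayed Queued for every
# attempt (the auto-logon symptom), 2 if the WinRM query itself failed.
wait_for_elevated_task() {
    attempts=${1:-12} interval=${2:-5} i=0
    while [ "$i" -lt "$attempts" ]; do
        out=$(query_tasks 2>/dev/null) || { echo "QueryFailed"; return 2; }
        # WinRM output uses CRLF line endings; strip CR before parsing.
        state=$(printf '%s\n' "$out" | tr -d '\r' | elevated_task_state)
        if [ "$state" != "Queued" ]; then
            echo "$state"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "Queued"
    return 1
}
```

Run `wait_for_elevated_task 12 5` from the project directory; a return code of 1 means the task never started, which matches the disabled auto-logon case described in the issue.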