diff --git a/.forgejo/workflows/release.yml b/.forgejo/workflows/release.yml
index 23acd10..cd7ae4d 100644
--- a/.forgejo/workflows/release.yml
+++ b/.forgejo/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
       - name: Setup
         working-directory: /
         run: |
-          apk add --no-cache git curl jq
+          apk add --no-cache git curl jq mingw-w64-gcc
           git clone --depth=1 \
             "http://x9:${{ secrets.FORGEJO_TOKEN }}@xetup-forgejo:3000/${{ github.repository }}.git" \
             /repo
@@ -41,7 +41,8 @@ jobs:
 
       - name: Build xetup.exe
         run: |
-          GOOS=windows GOARCH=amd64 \
+          CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc \
+            GOOS=windows GOARCH=amd64 \
             go build -ldflags="-s -w -H windowsgui" -o xetup.exe ./cmd/xetup/
           echo "Built: $(ls -lh xetup.exe | awk '{print $5}')"
 
diff --git a/assets/Atera/.gitkeep b/assets/Atera/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/internal/prereboot/prereboot_windows.go b/internal/prereboot/prereboot_windows.go
index b84570e..5f44fd9 100644
--- a/internal/prereboot/prereboot_windows.go
+++ b/internal/prereboot/prereboot_windows.go
@@ -158,8 +158,9 @@ func disableAutologon() error {
 }
 
 func registerResumeTask() error {
+	// No arguments needed - xetup detects resume mode via state file presence.
 	ps := fmt.Sprintf(`
-$action    = New-ScheduledTaskAction -Execute '%s' -Argument '--resume'
+$action    = New-ScheduledTaskAction -Execute '%s'
 $trigger   = New-ScheduledTaskTrigger -AtLogOn -User '%s'
 $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -MultipleInstances IgnoreNew
 $principal = New-ScheduledTaskPrincipal -UserId '%s' -LogonType Interactive -RunLevel Highest
diff --git a/scripts/02-software.ps1 b/scripts/02-software.ps1
index 20f52b8..6b10ee6 100644
--- a/scripts/02-software.ps1
+++ b/scripts/02-software.ps1
@@ -185,40 +185,46 @@ if (Get-Feature $Config "software" "pdfDefault") {
 
 # -----------------------------------------------------------------------
 # Install Atera RMM Agent
+# The MSI is bundled in assets/Atera/ (downloaded once from the Atera
+# dashboard). The download URL requires MFA in a browser session, so
+# Invoke-WebRequest gets an HTML login page instead of the MSI binary.
+# Bundling avoids this entirely - no network dependency for Atera.
+# To update: download fresh MSI from Atera dashboard, replace in assets/.
 # -----------------------------------------------------------------------
 if (Get-Feature $Config "software" "ateraAgent") {
     Write-Log "Installing Atera RMM Agent" -Level INFO
 
-    $ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337"
-    $ateraMsi = "$env:TEMP\AteraAgent.msi"
+    # Look for bundled MSI in assets/Atera/
+    $ateraAssetsDir = Join-Path $PSScriptRoot "..\assets\Atera"
+    $ateraMsi = Get-ChildItem -Path $ateraAssetsDir -Filter "*.msi" -ErrorAction SilentlyContinue |
+                Select-Object -First 1
 
-    try {
-        Write-Log "  Downloading Atera agent..." -Level INFO
-        Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop
-        Write-Log "  Download complete" -Level OK
+    if (-not $ateraMsi) {
+        Write-Log "  No Atera MSI found in assets/Atera/ - skipping" -Level WARN
+        Write-Log "  Download MSI from Atera dashboard and place in assets/Atera/" -Level WARN
+    } else {
+        Write-Log "  Using bundled MSI: $($ateraMsi.Name)" -Level INFO
+        try {
+            $msiProc = Start-Process msiexec -ArgumentList "/i `"$($ateraMsi.FullName)`" /qn" -Wait -PassThru
+            if ($msiProc.ExitCode -eq 0) {
+                Write-Log "  Atera agent installed (msiexec exit 0)" -Level OK
+            } else {
+                Write-Log "  Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN
+            }
 
-        $msiProc = Start-Process msiexec -ArgumentList "/i `"$ateraMsi`" /qn" -Wait -PassThru
-        if ($msiProc.ExitCode -eq 0) {
-            Write-Log "  Atera agent installed (msiexec exit 0)" -Level OK
-        } else {
-            Write-Log "  Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN
+            # Verify binary exists
+            $ateraExe = "$env:ProgramFiles\ATERA Networks\AteraAgent\AteraAgent.exe"
+            $ateraExe86 = "${env:ProgramFiles(x86)}\ATERA Networks\AteraAgent\AteraAgent.exe"
+            if ((Test-Path $ateraExe) -or (Test-Path $ateraExe86)) {
+                Write-Log "  Atera agent binary verified" -Level OK
+            } else {
+                Write-Log "  Atera agent binary not found at expected paths" -Level WARN
+            }
         }
-
-        # Verify binary exists
-        $ateraExe = "$env:ProgramFiles\ATERA Networks\AteraAgent\AteraAgent.exe"
-        $ateraExe86 = "${env:ProgramFiles(x86)}\ATERA Networks\AteraAgent\AteraAgent.exe"
-        if ((Test-Path $ateraExe) -or (Test-Path $ateraExe86)) {
-            Write-Log "  Atera agent binary verified" -Level OK
-        } else {
-            Write-Log "  Atera agent binary not found at expected paths" -Level WARN
+        catch {
+            Write-Log "  Atera agent install failed: $_" -Level ERROR
         }
     }
-    catch {
-        Write-Log "  Atera agent download/install failed: $_" -Level ERROR
-    }
-    finally {
-        Remove-Item $ateraMsi -Force -ErrorAction SilentlyContinue
-    }
 } else {
     Write-Log "ateraAgent feature disabled - skipping" -Level INFO
 }