From 133fc1e408796f71e4662b8810856cca0fdf44e4 Mon Sep 17 00:00:00 2001
From: X9 Dev
Date: Fri, 29 May 2026 15:00:20 +0200
Subject: [PATCH] docs(web): reflect field fixes + code signing

- spec: document --source winget (msstore cert bypass), Atera service detection, UCPD stop -> WARN on Win11 24H2, CZ+US keyboard layout, Network Discovery resource string, clean Windows Update log output, and the Trusted Signing step in the architecture section.
- descriptions.json: update 02-software (winget source, Atera) and 10-network (Network Discovery resource string); add the keyboard layout item to 04-default-profile.
- navod + index: note that xetup.exe is now digitally signed (publisher X9.cz s.r.o.), so SmartScreen/UAC show a verified publisher.

Co-Authored-By: Claude Opus 4.8
---
 web/data/descriptions.json | 11 ++++++-----
 web/index.html | 2 +-
 web/navod/index.html | 3 ++-
 web/spec/index.html | 12 ++++++++----
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/web/data/descriptions.json b/web/data/descriptions.json
index 7346a78..2decffe 100644
--- a/web/data/descriptions.json
+++ b/web/data/descriptions.json
@@ -23,12 +23,12 @@ }, "02-software": { "synopsis": "Installs standard business software via winget, sets Adobe PDF default, and installs Atera RMM agent.", - "description": "Uses winget to install the standard X9.cz MSP software bundle. Checks winget\navailability before running. Each install is logged. After Adobe Acrobat Reader,\ntemporarily stops the UCPD driver (User Choice Protection Driver, present since\nWin11 23H2 / Win10 22H2 update) to allow the HKCR file association write, sets\n.pdf -> AcroRd32, then restarts UCPD. Atera RMM agent is installed for MSP\nmonitoring, remote access, and ticketing integration.", + "description": "Uses winget to install the standard X9.cz MSP software bundle. Checks winget\navailability before running. Each install is logged. After Adobe Acrobat Reader,\ntemporarily stops the UCPD driver (User Choice Protection Driver, present since\nWin11 23H2 / Win10 22H2 update) to allow the HKCR file association write, sets\n.pdf -> AcroRd32, then restarts UCPD. Atera RMM agent is installed for MSP\nmonitoring, remote access, and ticketing integration.\n\nEvery winget install uses --source winget to bypass the msstore source: on fresh Win11 ISOs the bundled App Installer ships a stale pinned certificate and msstore fails with 0x8a15005e (server certificate did not match), which aborts the install. The same flag is applied in step 11 (Dell Command Update).", "items": { "7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.", "adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.", "openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. 
Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.", - "atera-agent-install": "Downloads Atera MSI from x9.servicedesk.atera.com and installs via msiexec /qn. During install the Atera MSI shows an interactive MFA window - the technician enters the 2FA code to complete agent registration. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.", + "atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.", "adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.", "ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script." } 
@@ -71,7 +71,8 @@ "accent-barva-na-titulnich-listech-colorp": "ColorPrevalence = 1 in Personalize key. Shows the X9.cz accent color (#223B47) on window title bars and borders. Gives all windows a consistent branded appearance.", "onedrive-runonce-klic-je-tady-smazat": "REMOVED. The RunOnce key deletion and Explorer namespace CLSID removal were deleted - those registry tweaks prevented a freshly installed OneDrive (e.g. for M365) from launching. OneDrive AppX uninstall in step 01 is intentional; blocking re-launch is not.", "explorer-showrecent-0-showfrequent-0": "ShowRecent=0 and ShowFrequent=0 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer. Hides Recent files and Frequent folders from Quick Access. Privacy improvement and cleaner File Explorer on fresh deployments.", - "explorer-fullpath-1-cabinetstate": "FullPath=1 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState. Displays the full directory path (e.g. C:\\Users\\jan\\Documents\\Projekty) in the File Explorer title bar instead of just the folder name." + "explorer-fullpath-1-cabinetstate": "FullPath=1 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState. Displays the full directory path (e.g. C:\\Users\\jan\\Documents\\Projekty) in the File Explorer title bar instead of just the folder name.", + "klavesnice-cz-primarni-us-sekundarni": "Sets the keyboard/input layout to Czech primary + US English secondary. Applied via Set-WinUserLanguageList (cs-CZ + en-US) for the current user, plus the Preload key (1=00000405 Czech, 2=00000409 US) written into both the Default profile hive (so every new user inherits it) and HKU\\.DEFAULT (welcome screen and system/service accounts). Applied unconditionally - the US secondary layout is harmless and CZ stays primary." } }, "07-backinfo": { 
@@ -123,7 +124,7 @@ "items": { "nastavit-sitovy-profil-private": "Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.", "povolit-ping-icmp-firewall": "Enables \"File and Printer Sharing (Echo Request)\" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.", - "zapnout-network-discovery": "Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines." + "zapnout-network-discovery": "Enables the Network Discovery firewall rule group via Set-NetFirewallRule -Group \"@FirewallAPI.dll,-32752\" (a language-independent resource string) for Private/Any profiles, with a netsh fallback. The resource string is used instead of -DisplayGroup \"Network Discovery\" because the display name is localized (e.g. \"Zjistovani site\" on Czech Windows), which made the old DisplayGroup match fail on non-English installs." } }, "11-dell-update": { @@ -136,4 +137,4 @@ "bios-firmware-staging-reboot": "BIOS and firmware updates are staged by DCU and finalize on the next system restart. The deployment already ends with a restart (step 09 - computer rename), so no extra reboot is needed." } } -} \ No newline at end of file +} diff --git a/web/index.html b/web/index.html index 345bd51..7f2fcf1 100644 --- a/web/index.html +++ b/web/index.html @@ -192,7 +192,7 @@

- Pokud ve stazeni brani antivirus, pouzijte curl – staci bezny prikazovy radek, neni potreba administrator. + Binarka je digitalne podepsana (vydavatel X9.cz s.r.o.). Pokud ve stazeni presto brani antivirus, pouzijte curl – staci bezny prikazovy radek, neni potreba administrator.

diff --git a/web/navod/index.html b/web/navod/index.html index 7b88ba0..7570e70 100644 --- a/web/navod/index.html +++ b/web/navod/index.html @@ -137,7 +137,8 @@

Stahni xetup.exe

Stahni xetup.x9.cz/dl na cilovy pocitac.

-

Antivirus (hlavne Windows Defender) xetup.exe casto smazne nebo zablokuje. V tom pripade otevri prikazovy radek (cmd) a stahni pres curl:

+

xetup.exe je digitalne podepsany (Azure Trusted Signing, vydavatel X9.cz s.r.o.) – SmartScreen i UAC ukazuji overeneho vydavatele a Defender by mel blokovat min nez drive.

+

Pokud ho antivirus presto smazne nebo zablokuje, otevri prikazovy radek (cmd) a stahni pres curl:

curl -Lo xetup.exe https://xetup.x9.cz/dl

Curl soubor jenom stahne – pak je treba spustit rucne:

xetup + Enter

diff --git a/web/spec/index.html b/web/spec/index.html index 8cc0b8c..32c4b36 100644 --- a/web/spec/index.html +++ b/web/spec/index.html @@ -601,9 +601,11 @@ OpenVPN Connect (OpenVPNTechnologies.OpenVPNConnect)OK Atera Agent installInvoke-WebRequest + msiexec /i /qb – /qb umozni zobrazeni MFA okna Adobe PDF default: .pdf -> AcroRd32 po instalaciOK – UCPD stop/start kolem zapisu asociace - UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoiceStop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem + UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoiceStop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze – logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak. Winget parallel joby: timeout 600s + kill zavislychWait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu Winget cesta explicitne predavana do parallel jobuOpraveno – Start-Job nezdedi PATH; winget.exe fullpath preda jako argument. Exit 3010 (success+reboot) nyni vyhodnocen jako OK. + Winget: --source winget u kazde instalaceField fix – fresh Win11 ISO ma App Installer se starym pinned certem, msstore source padá na 0x8a15005e a instalaci prerusi. --source winget msstore obejde. Plati i pro krok 11 (Dell). + Atera: detekce pres sluzbu Get-Service AteraAgentField fix – agent se obcas instaluje do C:\ProgramData\; existence sluzby je spolehlivejsi nez kontrola souboru. Fallback na cesty vc. ProgramData.
Atera Agent URL:
@@ -668,6 +670,7 @@ Start menu: zakaz Bing vyhledavaniDisableSearchBoxSuggestions = 1 Copilot: zakaz (TurnOffWindowsCopilot = 1)OK NumLock zapnout pri startu (InitialKeyboardIndicators = 2)OK + Klavesnice: CZ primarni + US sekundarniField fix – Set-WinUserLanguageList (cs-CZ + en-US) pro aktualniho uzivatele; Preload (1=00000405 CZ, 2=00000409 US) do Default hive i HKU\.DEFAULT (welcome screen + systemove ucty). Aplikuje se vzdy automaticky. System tema (taskbar, Start): DarkOK Aplikacni tema: LightOK Accent barva: #223B47 (tmave modroseda)AccentColor DWORD = 0xFF473B22 (ABGR) @@ -776,7 +779,7 @@ - +
Nastavit sitovy profil jako Private (ne Public)Set-NetConnectionProfile pro vsechny pripojene adaptery
Povolit ping (ICMP) pro diagnostikuEnable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In
Zapnout Network Discovery pro Private profilSet-NetFirewallRule + netsh advfirewall jako fallback
Zapnout Network Discovery pro Private profilSet-NetFirewallRule -Group "@FirewallAPI.dll,-32752" (resource string, nezavisly na jazyku) + netsh fallback. Field fix: drivejsi -DisplayGroup "Network Discovery" selhalo na ceske lokalizaci Win11.
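Review bot: in web/data/descriptions.json, hunk @@ -23,12 +23,12 @@, the unchanged items "adobe-pdf-default-pdf-acrord32-po-instal" and "ucpd-sys-kernel-driver-od-feb-2024-bloku", and the first part of the 02-software description, still say UCPD is stopped before the HKCR write and restarted after, while the spec row changed in this same patch says the stop fails on Win11 24H2 and is only logged as WARN. Please carry the 24H2 behaviour into these strings so the two pages agree. Separately, the new "atera-agent-install" text describes how the install is detected but not whether the MSI downloaded from x9.servicedesk.atera.com is checked (signature or hash) before msiexec runs; if it is, say so here, and if it is not, that is worth a follow-up. The phrase "bypass the msstore source" (and "msstore cert bypass" in the commit message) would read better as "restrict winget to the winget source", so nobody takes it to mean certificate validation is switched off.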
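Review bot: in web/data/descriptions.json, hunk @@ -71,7 +71,8 @@, "Applied unconditionally - the US secondary layout is harmless and CZ stays primary" only justifies adding the US layout; it does not say what happens to Preload values 1 and 2 that already exist in the Default profile hive or HKU\.DEFAULT, which this step overwrites for every new user, the welcome screen and system accounts. Document that existing values are replaced and whether there is any way to skip the step for a machine that is not meant to be Czech-primary. The matching spec row in web/spec/index.html, hunk @@ -668,6 +670,7 @@ ("Aplikuje se vzdy automaticky"), needs the same sentence.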
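Review bot: in web/data/descriptions.json, hunk @@ -123,7 +124,7 @@, the profile scope of "zapnout-network-discovery" changes from "Private and Domain profiles" to "Private/Any profiles" without explanation, and "Any" would include Public. That conflicts with the neighbouring "nastavit-sitovy-profil-private" item, which relies on Public blocking LAN features, and with the spec row in web/spec/index.html, hunk @@ -776,7 +779,7 @@, which is still titled "Zapnout Network Discovery pro Private profil". Please state exactly which profiles the rule group is enabled for, and if the script really enables it for Any, either narrow it to Private (and Domain, as before) or explain why discovery on Public networks is intended. The localization reasoning for using "@FirewallAPI.dll,-32752" instead of -DisplayGroup is clear and can stay as written.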
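Review bot: in web/navod/index.html, hunk @@ -137,7 +137,8 @@, the curl fallback ("Pokud ho antivirus presto smazne nebo zablokuje ... stahni pres curl") is kept right after the new sentence about the signature, but the technician is never told to check that signature before running the file. Since the page now promises a verified publisher, add one step after the curl command: confirm that the downloaded xetup.exe carries a valid digital signature with publisher X9.cz s.r.o., and do not run it otherwise. The same applies to the one-line version in web/index.html, hunk @@ -192,7 +192,7 @@. I would also drop or soften "Defender by mel blokovat min nez drive", which is a prediction rather than something the docs can guarantee.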
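Review bot: in web/spec/index.html, hunk @@ -601,9 +601,11 @@, the UCPD row now says the stop fails on Win11 24H2, is logged as WARN, and "HKCR zapis (system-wide) projde i tak", but nothing says the .pdf association is read back after the write, so a WARN could hide a run where the association did not stick. Document the post-write check (or add one) and, if the HKCR write succeeds without stopping UCPD, say why the stop is still attempted on older builds; the row above it ("OK – UCPD stop/start kolem zapisu asociace") should then be reworded to match. On the new Atera row, "existence sluzby" only shows the service is registered; since the install depends on the technician completing the MFA window, consider documenting that the service state is checked as well, not just its presence.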