fix: taskbar Explorer pin + Atera install under SYSTEM
- 04 profile: pin File Explorer via its AppUserModelID (DesktopApplicationID="Microsoft.Windows.Explorer") instead of a hand-made File Explorer.lnk to explorer.exe. The custom shortcut pinned as a separate app - clicking it launched a second Explorer that did not group with the running window, and the icon could not be unpinned normally. Stop creating that .lnk.
- 02 software: install the Atera MSI under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn), then remove the task. Under SYSTEM the agent registers silently with no interactive MFA window, so no technician input is needed. MSI staged in C:\Windows\Temp (readable by SYSTEM).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent 7becac7a8b
commit 451b9e221c
2 changed files with 41 additions and 23 deletions
|
|
@ -14,7 +14,7 @@
|
||||||
7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
|
7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
|
||||||
adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
|
adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
|
||||||
openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
|
openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
|
||||||
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Agent enables MSP monitoring, remote access, and ticketing integration.
|
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Agent enables MSP monitoring, remote access, and ticketing integration.
|
||||||
adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
|
adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
|
||||||
ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
|
ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
|
||||||
#>
|
#>
|
||||||
|
|
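Review bot: the revised atera-agent-install entry should also record that the download (Invoke-WebRequest) still runs in the calling user's context and only msiexec runs as SYSTEM, and that the one-shot task is unregistered and the staged MSI deleted afterwards; those are the details an operator needs when an install stalls. The entry also does not say what happens when the scheduled task exceeds the script's wait deadline (the install code logs a WARN and continues rather than failing), so document that outcome here alongside the "no technician input is needed" claim.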
@ -208,27 +208,48 @@ if (Get-Feature $Config "software" "pdfDefault") {
|
||||||
|
|
||||||
# -----------------------------------------------------------------------
|
# -----------------------------------------------------------------------
|
||||||
# Install Atera RMM Agent
|
# Install Atera RMM Agent
|
||||||
# Download MSI from Atera dashboard API, install via msiexec /qb.
|
# Download the MSI from the Atera dashboard API, then install it under the
|
||||||
# During install, the Atera MSI shows an interactive MFA window -
|
# SYSTEM account via a one-shot scheduled task. Under SYSTEM the Atera
|
||||||
# the technician enters the code to complete agent registration.
|
# installer registers silently and does NOT show the interactive MFA window
|
||||||
|
# that appears when installing in a user context - so no technician input
|
||||||
|
# is needed.
|
||||||
# -----------------------------------------------------------------------
|
# -----------------------------------------------------------------------
|
||||||
if (Get-Feature $Config "software" "ateraAgent") {
|
if (Get-Feature $Config "software" "ateraAgent") {
|
||||||
Write-Log "Installing Atera RMM Agent" -Level INFO
|
Write-Log "Installing Atera RMM Agent (under SYSTEM)" -Level INFO
|
||||||
|
|
||||||
$ateraMsi = "$env:TEMP\AteraAgent.msi"
|
# Machine-wide temp dir readable by SYSTEM (a per-user TEMP may not be)
|
||||||
$ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337"
|
$ateraMsi = "$env:WINDIR\Temp\AteraAgent.msi"
|
||||||
|
$ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337"
|
||||||
|
$ateraTask = "X9-AteraInstall"
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Write-Log " Downloading Atera MSI..." -Level INFO
|
Write-Log " Downloading Atera MSI..." -Level INFO
|
||||||
Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop
|
Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop
|
||||||
Write-Log " Download complete" -Level OK
|
Write-Log " Download complete" -Level OK
|
||||||
|
|
||||||
Write-Log " Running installer (MFA window will appear)..." -Level INFO
|
# Run msiexec as NT AUTHORITY\SYSTEM via a temporary scheduled task.
|
||||||
$msiProc = Start-Process msiexec -ArgumentList "/i `"$ateraMsi`" /qb" -Wait -PassThru
|
# SYSTEM runs in non-interactive session 0, hence /qn (no UI) and no MFA.
|
||||||
if ($msiProc.ExitCode -eq 0) {
|
Write-Log " Installing as SYSTEM via scheduled task (no MFA)..." -Level INFO
|
||||||
Write-Log " Atera agent installed (msiexec exit 0)" -Level OK
|
$action = New-ScheduledTaskAction -Execute "msiexec.exe" -Argument "/i `"$ateraMsi`" /qn /norestart"
|
||||||
|
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
|
||||||
|
$stTask = New-ScheduledTask -Action $action -Principal $principal
|
||||||
|
Register-ScheduledTask -TaskName $ateraTask -InputObject $stTask -Force | Out-Null
|
||||||
|
Start-ScheduledTask -TaskName $ateraTask
|
||||||
|
|
||||||
|
# Wait for the task to finish (msiexec install can take a few minutes)
|
||||||
|
$deadline = (Get-Date).AddMinutes(10)
|
||||||
|
do {
|
||||||
|
Start-Sleep -Seconds 3
|
||||||
|
$state = (Get-ScheduledTask -TaskName $ateraTask -ErrorAction SilentlyContinue).State
|
||||||
|
} while ($state -eq "Running" -and (Get-Date) -lt $deadline)
|
||||||
|
|
||||||
|
$result = (Get-ScheduledTaskInfo -TaskName $ateraTask -ErrorAction SilentlyContinue).LastTaskResult
|
||||||
|
if ($state -eq "Running") {
|
||||||
|
Write-Log " Atera install timed out after 10 min" -Level WARN
|
||||||
|
} elseif ($result -eq 0) {
|
||||||
|
Write-Log " Atera installer finished (SYSTEM, exit 0)" -Level OK
|
||||||
} else {
|
} else {
|
||||||
Write-Log " Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN
|
Write-Log " Atera installer exit code: $result" -Level WARN
|
||||||
}
|
}
|
||||||
|
|
||||||
# Verify install. The AteraAgent service is the most reliable signal -
|
# Verify install. The AteraAgent service is the most reliable signal -
|
||||||
|
|
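Review bot: between `$ateraMsi = "$env:WINDIR\Temp\AteraAgent.msi"` and `Start-ScheduledTask`, the MSI is staged in C:\Windows\Temp and then executed as NT AUTHORITY\SYSTEM with no check on the file in between. Non-administrators can create files in that directory, so the script should not trust a file there to be the one it just downloaded: stage it in a directory only administrators can write (for example a subfolder the script creates with inheritance disabled) and verify the download with Get-AuthenticodeSignature before registering the task. Two smaller points in the same hunk: Register-ScheduledTask and Start-ScheduledTask lack -ErrorAction Stop, so a failure there is non-terminating and execution continues into the poll loop; and if Get-ScheduledTask returns nothing, $state is $null, the do/while exits on the first pass and the code falls through to the WARN branch with an empty exit code, so handle a $null state/result explicitly. Finally, the install URL hard-codes the account's enrollment key (the aeid query value); consider sourcing it from $Config like the other per-client values rather than committing it to the script.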
@ -255,6 +276,7 @@ if (Get-Feature $Config "software" "ateraAgent") {
|
||||||
Write-Log " Atera agent install failed: $_" -Level ERROR
|
Write-Log " Atera agent install failed: $_" -Level ERROR
|
||||||
}
|
}
|
||||||
finally {
|
finally {
|
||||||
|
Unregister-ScheduledTask -TaskName $ateraTask -Confirm:$false -ErrorAction SilentlyContinue
|
||||||
Remove-Item $ateraMsi -ErrorAction SilentlyContinue
|
Remove-Item $ateraMsi -ErrorAction SilentlyContinue
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
|
|
||||||
|
|
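Review bot: the new Unregister-ScheduledTask in the finally block also runs on the timeout path, where msiexec may still be executing as SYSTEM; the following Remove-Item $ateraMsi can then fail silently on the open file, leaving the MSI in C:\Windows\Temp, and the installer's eventual exit code is never logged because the catch branch's "install failed" message does not fire for a timeout. Either Stop-ScheduledTask -TaskName $ateraTask before unregistering when $state is still "Running" (accepting an aborted install) or skip the cleanup on that path and log that the task and MSI were left in place for follow-up.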
@ -176,15 +176,11 @@ try {
|
||||||
$wsh = New-Object -ComObject WScript.Shell
|
$wsh = New-Object -ComObject WScript.Shell
|
||||||
$defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
|
$defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
|
||||||
|
|
||||||
$explorerLnkDir = "$defRoaming\System Tools"
|
# File Explorer is pinned via its AppUserModelID (see pin list below),
|
||||||
$explorerLnk = "$explorerLnkDir\File Explorer.lnk"
|
# not a custom .lnk. A hand-made shortcut to explorer.exe pins as a
|
||||||
if (-not (Test-Path $explorerLnk)) {
|
# separate app: clicking it launches a second Explorer that does not
|
||||||
if (-not (Test-Path $explorerLnkDir)) { New-Item -ItemType Directory -Path $explorerLnkDir -Force | Out-Null }
|
# group with the running window, and the icon cannot be unpinned
|
||||||
$sc = $wsh.CreateShortcut($explorerLnk)
|
# normally. The AUMID pin behaves like the built-in Explorer button.
|
||||||
$sc.TargetPath = "$env:WINDIR\explorer.exe"
|
|
||||||
$sc.Save()
|
|
||||||
Write-Log " Created File Explorer.lnk in Default profile Start Menu" -Level OK
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($ProfileType -eq "admin") {
|
if ($ProfileType -eq "admin") {
|
||||||
$psLnkDir = "$defRoaming\Windows PowerShell"
|
$psLnkDir = "$defRoaming\Windows PowerShell"
|
||||||
|
|
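Review bot: with the File Explorer.lnk creation removed, check whether `$wsh = New-Object -ComObject WScript.Shell` (still in context at the top of this hunk) is used by the remaining shortcut code in the admin-only Windows PowerShell branch; if only the Explorer shortcut used it, drop the object. Also, earlier runs of the previous version wrote `$defRoaming\System Tools\File Explorer.lnk` into the Default profile; this change only stops creating it, so consider a Remove-Item on that path with -ErrorAction SilentlyContinue so machines provisioned with the old script do not keep the stale shortcut next to the AUMID pin.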
@ -206,14 +202,14 @@ try {
|
||||||
$pinList = switch ($ProfileType) {
|
$pinList = switch ($ProfileType) {
|
||||||
"admin" {
|
"admin" {
|
||||||
@'
|
@'
|
||||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
|
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
|
||||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
|
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
|
||||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
||||||
'@
|
'@
|
||||||
}
|
}
|
||||||
default {
|
default {
|
||||||
@'
|
@'
|
||||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
|
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
|
||||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
||||||
'@
|
'@
|
||||||
}
|
}
|
||||||
|
|
|
||||||
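Review bot: the "admin" and default here-strings now differ only in the Windows PowerShell entry; building one base list (the Explorer AUMID and Edge lines) and appending the PowerShell line for the admin profile would keep the two branches from drifting again. The DesktopApplicationID pin is the right fix for the grouping problem and, unlike the LinkPath entries, does not depend on a file under the Default profile; the Edge and PowerShell entries still require their .lnk to exist when the layout is applied, so keep that dependency in mind if the shortcut-creation code above changes further.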