From 5ace2154a8f9445a8eb4a361c7b9f8e596c6609e Mon Sep 17 00:00:00 2001 From: X9 Dev Date: Fri, 17 Apr 2026 13:43:12 +0200 Subject: [PATCH] fix: revert Atera to download approach, remove bundled MSI MSI downloads fine via Invoke-WebRequest; MFA is an interactive window shown by the installer itself during registration - accepted as normal workflow. Bundled approach removed: assets/Atera/ dropped, no binary maintenance needed. Also closes CLAUDE.md open questions #2 (MFA resolved) and #3 (--resume already removed from prereboot task). Co-Authored-By: Claude Sonnet 4.6 --- CLAUDE.md | 9 ++++-- assets/Atera/.gitkeep | 0 scripts/02-software.ps1 | 62 ++++++++++++++++++++--------------------- 3 files changed, 37 insertions(+), 34 deletions(-) delete mode 100644 assets/Atera/.gitkeep diff --git a/CLAUDE.md b/CLAUDE.md index 0c6ab36..8c23c27 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -163,6 +163,13 @@ xetup.exe start --- +## Workflow + +- Do NOT start coding until explicitly approved - discuss the plan first +- Propose changes, wait for confirmation, then implement + +--- + ## DO NOT - Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure @@ -183,5 +190,3 @@ xetup.exe start | # | Question | Status | |---|---|---| | 1 | Complete SW list for winget | TODO - list may be incomplete | -| 2 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? | -| 3 | `--resume` flag | Passed by prereboot task but not parsed - resume detected via state file | diff --git a/assets/Atera/.gitkeep b/assets/Atera/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/scripts/02-software.ps1 b/scripts/02-software.ps1 index 6b10ee6..b8b942f 100644 --- a/scripts/02-software.ps1 +++ b/scripts/02-software.ps1 
@@ -14,7 +14,7 @@
 7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
 adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
 openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
- atera-agent-install: Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.
+ atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qn. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Agent enables MSP monitoring, remote access, and ticketing integration.
 adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
 ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
 #>
@@ -185,46 +185,44 @@ if (Get-Feature $Config "software" "pdfDefault") { # ----------------------------------------------------------------------- # Install Atera RMM Agent -# The MSI is bundled in assets/Atera/ (downloaded once from the Atera -# dashboard). The download URL requires MFA in a browser session, so -# Invoke-WebRequest gets an HTML login page instead of the MSI binary. -# Bundling avoids this entirely - no network dependency for Atera. -# To update: download fresh MSI from Atera dashboard, replace in assets/. +# Download MSI from Atera dashboard API, install via msiexec /qn. +# During install, the Atera MSI shows an interactive MFA window - +# the technician enters the code to complete agent registration. # ----------------------------------------------------------------------- if (Get-Feature $Config "software" "ateraAgent") { Write-Log "Installing Atera RMM Agent" -Level INFO - # Look for bundled MSI in assets/Atera/ - $ateraAssetsDir = Join-Path $PSScriptRoot "..\assets\Atera" - $ateraMsi = Get-ChildItem -Path $ateraAssetsDir -Filter "*.msi" -ErrorAction SilentlyContinue | - Select-Object -First 1 + $ateraMsi = "$env:TEMP\AteraAgent.msi" + $ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337" - if (-not $ateraMsi) { - Write-Log " No Atera MSI found in assets/Atera/ - skipping" -Level WARN - Write-Log " Download MSI from Atera dashboard and place in assets/Atera/" -Level WARN - } else { - Write-Log " Using bundled MSI: $($ateraMsi.Name)" -Level INFO - try { - $msiProc = Start-Process msiexec -ArgumentList "/i `"$($ateraMsi.FullName)`" /qn" -Wait -PassThru - if ($msiProc.ExitCode -eq 0) { - Write-Log " Atera agent installed (msiexec exit 0)" -Level OK - } else { - Write-Log " Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN - } + try { + Write-Log " Downloading Atera MSI..." 
-Level INFO + Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop + Write-Log " Download complete" -Level OK - # Verify binary exists - $ateraExe = "$env:ProgramFiles\ATERA Networks\AteraAgent\AteraAgent.exe" - $ateraExe86 = "${env:ProgramFiles(x86)}\ATERA Networks\AteraAgent\AteraAgent.exe" - if ((Test-Path $ateraExe) -or (Test-Path $ateraExe86)) { - Write-Log " Atera agent binary verified" -Level OK - } else { - Write-Log " Atera agent binary not found at expected paths" -Level WARN - } + Write-Log " Running installer (MFA window will appear)..." -Level INFO + $msiProc = Start-Process msiexec -ArgumentList "/i `"$ateraMsi`" /qn" -Wait -PassThru + if ($msiProc.ExitCode -eq 0) { + Write-Log " Atera agent installed (msiexec exit 0)" -Level OK + } else { + Write-Log " Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN } - catch { - Write-Log " Atera agent install failed: $_" -Level ERROR + + # Verify binary exists + $ateraExe = "$env:ProgramFiles\ATERA Networks\AteraAgent\AteraAgent.exe" + $ateraExe86 = "${env:ProgramFiles(x86)}\ATERA Networks\AteraAgent\AteraAgent.exe" + if ((Test-Path $ateraExe) -or (Test-Path $ateraExe86)) { + Write-Log " Atera agent binary verified" -Level OK + } else { + Write-Log " Atera agent binary not found at expected paths" -Level WARN } } + catch { + Write-Log " Atera agent install failed: $_" -Level ERROR + } + finally { + Remove-Item $ateraMsi -ErrorAction SilentlyContinue + } } else { Write-Log "ateraAgent feature disabled - skipping" -Level INFO }
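Review bot: The MSI fetched by `Invoke-WebRequest` is handed to `msiexec /i ... /qn` with no check that it is the vendor's signed installer, and the comment this hunk removes records that the same endpoint has returned an HTML login page instead of the binary. Between the download and the `Start-Process msiexec` line I would verify the Authenticode signature against a pinned signer and `throw` on mismatch, so the existing `catch`/`finally` log the failure and delete the file. The fixed name `$env:TEMP\AteraAgent.msi` is also predictable; if the script runs elevated while that directory is writable by unelevated processes, the file could be replaced before install, so a random per-run name (or an admin-only directory) is safer. The `cid`/`aeid` values in `$ateraUrl` look like tenant enrolment identifiers; if they are, reading the URL from `$Config` would keep them out of the repository.

```powershell
# … unchanged: feature check and "Installing Atera RMM Agent" log line …
$ateraMsi = Join-Path $env:TEMP ("AteraAgent-{0}.msi" -f [guid]::NewGuid())
# … unchanged: $ateraUrl assignment, download log, Invoke-WebRequest, "Download complete" log …

    # Refuse anything that is not a validly signed installer from the expected publisher
    # (also catches an HTML login page saved under the .msi name).
    $expectedSigner = '<PINNED_SIGNER_SUBJECT>'   # placeholder: pin the publisher's certificate subject
    $sig = Get-AuthenticodeSignature -FilePath $ateraMsi
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $expectedSigner) {
        throw "Atera MSI signature check failed: $($sig.Status)"
    }

# … unchanged: msiexec call, exit-code logging, binary verification, catch/finally …
```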