From 603fba53727f116f90f7a284966b2982fde0aeac Mon Sep 17 00:00:00 2001
From: X9 Dev <dev@x9.cz>
Date: Mon, 1 Jun 2026 14:26:08 +0200
Subject: [PATCH] docs(web): reflect Explorer AUMID pin + Atera-under-SYSTEM

- spec: Atera row now SYSTEM + /qn + no MFA; taskbar row notes Explorer is
  pinned via AUMID to avoid the duplicate-instance / unpinnable bug.
- descriptions.json: update 02 Atera item and 04 taskbar item accordingly.
- navod: drop the obsolete "confirm Atera MFA" warning - it installs silently
  under SYSTEM now.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 web/data/descriptions.json | 4 ++--
 web/navod/index.html       | 2 +-
 web/spec/index.html        | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/web/data/descriptions.json b/web/data/descriptions.json
index 2decffe..4b387dc 100644
--- a/web/data/descriptions.json
+++ b/web/data/descriptions.json
@@ -28,7 +28,7 @@
       "7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
       "adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
       "openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
-      "atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
+      "atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
       "adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
       "ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
     }
@@ -61,7 +61,7 @@
       "taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.",
       "taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.",
       "taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.",
-      "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
+      "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. File Explorer is pinned via its AppUserModelID (DesktopApplicationID=\"Microsoft.Windows.Explorer\"), not a hand-made .lnk to explorer.exe - the custom shortcut pinned as a separate app, launching a second Explorer that did not group with the running window and could not be unpinned normally. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
       "explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.",
       "explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.",
       "start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.",
diff --git a/web/navod/index.html b/web/navod/index.html
index 7570e70..27d8e0d 100644
--- a/web/navod/index.html
+++ b/web/navod/index.html
@@ -184,7 +184,7 @@
     <p>Aplikace prochazi kroky automaticky a zobrazuje zive logy. <strong>Nech to bezet, nic nezavirej.</strong></p>
     <p>Nektere kroky (prejmenovani PC, Windows Update) vyzaduji restart. Xetup v tom pripade <strong>sam restartuje pocitac</strong>, po restartu se <strong>sam znovu spusti</strong> a pokracuje od mista kde skoncil. Tohle se muze opakovat vicekrat &ndash; je to ocekavane chovani.</p>
     <p>Pro automaticky restart xetup vytvori skryty ucet <code>adminx9</code> (bez hesla, clen Administrators) a nastavi na nej autologon. Po dokonceni deploymetu se autologon vypne a ucet zustane pro budouci spravu.</p>
-    <p><strong>Pozor na Atera:</strong> behem instalace SW se muze objevit prihlasovaci/MFA okno Atera &ndash; je treba ho potvrdit, jinak instalace ceka.</p>
+    <p><strong>Atera:</strong> agent se instaluje tise pod uctem SYSTEM, takze se uz neobjevuje zadne prihlasovaci/MFA okno &ndash; neni potreba nic potvrzovat.</p>
   </div>
 
   <div class="phase">
diff --git a/web/spec/index.html b/web/spec/index.html
index 32c4b36..94753b5 100644
--- a/web/spec/index.html
+++ b/web/spec/index.html
@@ -599,7 +599,7 @@
           <tr class="flag-done"><td>7-Zip (<code>7zip.7zip</code>)</td><td>OK</td></tr>
           <tr class="flag-done"><td>Adobe Acrobat Reader 64-bit (<code>Adobe.Acrobat.Reader.64-bit</code>)</td><td>OK</td></tr>
           <tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
-          <tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qb</code> &ndash; /qb umozni zobrazeni MFA okna</td></tr>
+          <tr class="flag-done"><td>Atera Agent install (pod SYSTEM)</td><td>Invoke-WebRequest + <code>msiexec /i /qn</code> spustene jako <code>NT AUTHORITY\SYSTEM</code> pres docasny scheduled task. Pod SYSTEM se agent registruje tise <strong>bez MFA okna</strong> &ndash; bez zasahu technika.</td></tr>
           <tr class="flag-done"><td>Adobe PDF default: .pdf -&gt; AcroRd32 po instalaci</td><td>OK &ndash; UCPD stop/start kolem zapisu asociace</td></tr>
           <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze &ndash; logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
           <tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
@@ -661,7 +661,7 @@
           <tr class="flag-done"><td>Taskbar: zarovnat vlevo (TaskbarAl = 0)</td><td>Win11 default je center</td></tr>
           <tr class="flag-done"><td>Taskbar: skryt Search, Copilot, Task View, Widgets, Chat</td><td>OK</td></tr>
           <tr class="flag-done"><td>Taskbar: zobrazit vsechny ikonky v tray (EnableAutoTray = 0)</td><td>Win11 periodicky znovu skryva tray ikony po updatu</td></tr>
-          <tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> &ndash; prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi.</td></tr>
+          <tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> &ndash; prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi. Pruzkumnik se pinuje pres AUMID <code>DesktopApplicationID="Microsoft.Windows.Explorer"</code>, ne vlastni .lnk &ndash; ten by spoustel druhy Explorer a slo by ho spatne odepnout.</td></tr>
           <tr class="flag-done"><td>Explorer: zobrazovat pripony souboru (HideFileExt = 0)</td><td>OK</td></tr>
           <tr class="flag-done"><td>Explorer: otevrit na This PC (LaunchTo = 1)</td><td>OK</td></tr>
           <tr class="flag-done"><td>Explorer: ShowRecent = 0, ShowFrequent = 0</td><td>Skryt nedavne a caste soubory v Quick Access</td></tr>