BackInfo paints a centered bitmap; when it is smaller than the screen the area
around it shows HKCU\Control Panel\Colors\Background, which was black in profiles
step 04 had not touched. Set the solid background (#223B47) in HKU\.DEFAULT and in
every existing user profile (loading each hive as needed), on top of the Default
hive and current user, so the border around the bitmap blends into the background.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- 04 profile: write AccentPalette (REG_BINARY, 8 shades derived from #223B47)
alongside AccentColor/AccentColorMenu. Without AccentPalette, Win11 ignores
the custom accent on Start/taskbar and falls back to the default - the cause
of "colors not applied everywhere". Also mirror the full theme + accent into
HKU\.DEFAULT (lock/welcome screen, system context) on top of the Default hive
and current user, so all profiles match. Mode stays Custom (dark system,
light apps); ColorPrevalence on for Start/taskbar and title bars/borders.
- BackInfo.ini: BackgroundColor 4668194 -> 2243399. BackInfo reads the value as
0xRRGGBB (RGB), not COLORREF/BGR, so #223B47 = 0x223B47 = 2243399; the BGR
value rendered with red/blue swapped.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- 04 profile: pin File Explorer via its AppUserModelID
(DesktopApplicationID="Microsoft.Windows.Explorer") instead of a hand-made
File Explorer.lnk to explorer.exe. The custom shortcut pinned as a separate
app - clicking it launched a second Explorer that did not group with the
running window, and the icon could not be unpinned normally. Stop creating
that .lnk.
- 02 software: install the Atera MSI under NT AUTHORITY\SYSTEM via a one-shot
scheduled task (msiexec /qn), then remove the task. Under SYSTEM the agent
registers silently with no interactive MFA window, so no technician input is
needed. MSI staged in C:\Windows\Temp (readable by SYSTEM).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- 02/11 winget: add --source winget to every install; fresh Win11 ISOs
ship an App Installer with a stale pinned cert, so the msstore source
fails with 0x8a15005e and aborts the install. Forcing the winget source
bypasses msstore entirely.
- 10 network: enable Network Discovery by -Group "@FirewallAPI.dll,-32752"
(resource string) instead of -DisplayGroup "Network Discovery", which is
localized and failed on Czech Windows.
- 04 profile: set keyboard layout CZ primary + US secondary via
Set-WinUserLanguageList (current user) and Preload in the Default hive
and HKU\.DEFAULT (welcome screen / system accounts). Always applied.
- 02 software: verify Atera via the AteraAgent service (Get-Service) with a
path fallback incl. C:\ProgramData, since Atera no longer installs to a
fixed location.
- 12 windows-update: format Install-WindowsUpdate output via $_.Result/$_.Title
instead of logging the raw object (was spamming "System.__ComObject").
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Critical fixes:
- Fix resume mode: StepsByIDs returned Enabled=false, all resume steps
would be SKIPPED (deployment could never resume after reboot)
- Add reboot loop protection: per-step retry counter (max 5) prevents
infinite reboot cycles when a step always exits with code 9
- Block reboot when state.Save() fails in resumePhase (prevents state
loss leading to full restart from scratch)
- Atomic state file write (write-to-tmp + rename) prevents JSON
corruption on BSOD/power loss mid-write
- Script watchdog: kills scripts after 30 min of no output (resets on
each line, so active long-running scripts are never killed)
- Fix copyFile: check Close() error explicitly instead of deferred
close that silently drops flush errors (e.g. disk full)
High severity:
- Cleanup() now logs errors instead of silently ignoring them
- Email report: 3 retries with backoff + always saves C:\X9\report.html
- Winget parallel jobs: 10 min timeout, kill hung jobs
- UCPD stop verification: 2s wait + state check before PDF association
- Atera installer: /qn -> /qb so MFA window can appear
- GVLK activation: match by EditionID (registry, not localized) instead
of fragile OS caption string matching
Medium severity:
- Default profile hive unload: retry loop (5 attempts, increasing delay)
- LayoutModification.xml: UTF-8 without BOM (PS 5.1 Set-Content adds BOM)
- Set-Reg SYSTEM task: try/finally ensures temp file + task cleanup
- Windows Update: @($available).Count for PS 5.1 single-result edge case
- config.json: add missing kmsServer field in activation section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
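
The atomic state write, the explicit Close() check and the per-step reboot cap listed under the critical fixes above, as an added Go example. It is not the project's own code: the `State` type, its JSON shape, the method names and the demo file path are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

const maxRetries = 5 // per-step cap from the commit message

// State is a hypothetical resume record (assumed shape, not the project's).
type State struct {
	Retries map[string]int `json:"retries"`
}

// Save writes a temp file beside the target, syncs and closes it, then renames.
func (s *State) Save(path string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), "state-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // harmless once the rename has succeeded
	if err = json.NewEncoder(tmp).Encode(s); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr // a deferred Close would have dropped this error
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// BeforeReboot counts an exit-code-9 retry; a non-nil result means do not reboot.
func (s *State) BeforeReboot(step, path string) error {
	if s.Retries == nil {
		s.Retries = map[string]int{}
	}
	if s.Retries[step]++; s.Retries[step] > maxRetries {
		return fmt.Errorf("%s: retry cap %d exceeded", step, maxRetries)
	}
	return s.Save(path) // a failed save also blocks the reboot
}

func main() {
	fmt.Println(new(State).BeforeReboot("12-windows-update", filepath.Join(os.TempDir(), "state-demo.json")))
}
```

The temp file is created in the same directory as the target so the rename stays on one volume, which is what makes the replacement a single step.
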
Root cause fix: runner.go passed config as unevaluated PS expression
via -File mode - scripts received a literal string instead of parsed
object. Changed to -ConfigPath; scripts load JSON themselves via
shared common.ps1 (Write-Log, Get-Feature, Load-Config).
GUI now regenerates runtime config before run so user selections
actually reach the scripts.
Merged 04-default-profile + 05-personalization into single script
(one hive load/unload, no Explorer restart, no hive contention).
Deleted Deploy-Windows.ps1 (xetup.exe is sole entry point),
06-scheduled-tasks.ps1 (tasks caused more harm than good),
07-desktop-info.ps1 (replaced by BackInfo long ago).
Step ordering: activation moved early, pcIdentity before WU
(exit 9 on rename only when rename actually happened).
Edge policies split into mandatory (telemetry, first-run) vs
recommended (UI preferences user can override).
Atera install uses Start-Process -Wait instead of fragile sleep.
Updated config.json, tests, DefaultConfig to match current state.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

04-default-profile: Create File Explorer.lnk (and PowerShell.lnk for
admin profile) in C:\Users\Default\AppData\Roaming\...\Start Menu
before writing LayoutModification.xml. On a clean Windows 11 install
the System Tools folder is often missing from the Default profile,
which causes the taskbar pin to be silently skipped.
12-windows-update: Enable temporary autologon for adminx9 so the
machine logs in automatically after each update reboot without
operator intervention. AutoLogonCount=10 as safety cap.
Autologon is disabled (and DefaultPassword removed) by the
scheduled task when no more updates are found.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- 04-default-profile: default profile now pins Explorer+Edge (was empty),
preventing MS Store and other defaults from appearing in taskbar
- 03-system-registry: disable Edge new tab page quick links, background,
content feed (NewTabPageQuickLinksEnabled/BackgroundEnabled/AllowedBackgroundTypes)
- 05-personalization: set Wallpaper="" in default hive so new user accounts
get solid-color background instead of black fallback
- runner: add onStepStart callback, fires before each script launch
- gui: step progress strip in run phase — color-coded labels per step
(pending gray · / running blue ► / ok green ✓ / error red ✗ / skipped gray –)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>