Commit graph

19 commits

Author SHA1 Message Date
X9 Dev
d20b0b439e fix(backinfo): set desktop background color in all profiles (no black border)
All checks were successful
release / build-and-release (push) Successful in 32s
BackInfo paints a centered bitmap; when it is smaller than the screen the area
around it shows HKCU\Control Panel\Colors\Background, which was black in profiles
step 04 had not touched. Set the solid background (#223B47) in HKU\.DEFAULT and in
every existing user profile (loading each hive as needed), on top of the Default
hive and current user, so the border around the bitmap blends into the background.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 14:35:22 +02:00
X9 Dev
4d08d0cd46 fix: reliable accent color in all profiles + BackInfo background
- 04 profile: write AccentPalette (REG_BINARY, 8 shades derived from #223B47)
  alongside AccentColor/AccentColorMenu. Without AccentPalette, Win11 ignores
  the custom accent on Start/taskbar and falls back to the default - the cause
  of "colors not applied everywhere". Also mirror the full theme + accent into
  HKU\.DEFAULT (lock/welcome screen, system context) on top of the Default hive
  and current user, so all profiles match. Mode stays Custom (dark system,
  light apps); ColorPrevalence on for Start/taskbar and title bars/borders.
- BackInfo.ini: BackgroundColor 4668194 -> 2243399. BackInfo reads the value as
  0xRRGGBB (RGB), not COLORREF/BGR, so #223B47 = 0x223B47 = 2243399; the BGR
  value rendered with red/blue swapped.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 10:39:57 +02:00
X9 Dev
451b9e221c fix: taskbar Explorer pin + Atera install under SYSTEM
- 04 profile: pin File Explorer via its AppUserModelID
  (DesktopApplicationID="Microsoft.Windows.Explorer") instead of a hand-made
  File Explorer.lnk to explorer.exe. The custom shortcut pinned as a separate
  app - clicking it launched a second Explorer that did not group with the
  running window, and the icon could not be unpinned normally. Stop creating
  that .lnk.
- 02 software: install the Atera MSI under NT AUTHORITY\SYSTEM via a one-shot
  scheduled task (msiexec /qn), then remove the task. Under SYSTEM the agent
  registers silently with no interactive MFA window, so no technician input is
  needed. MSI staged in C:\Windows\Temp (readable by SYSTEM).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 14:26:08 +02:00
X9 Dev
94b7786aa8 fix: field fixes from fresh Win11 deployment (Dell Latitude / GLBNTB63)
- 02/11 winget: add --source winget to every install; fresh Win11 ISOs
  ship an App Installer with a stale pinned cert, so the msstore source
  fails with 0x8a15005e and aborts the install. Forcing the winget source
  bypasses msstore entirely.
- 10 network: enable Network Discovery by -Group "@FirewallAPI.dll,-32752"
  (resource string) instead of -DisplayGroup "Network Discovery", which is
  localized and failed on Czech Windows.
- 04 profile: set keyboard layout CZ primary + US secondary via
  Set-WinUserLanguageList (current user) and Preload in the Default hive
  and HKU\.DEFAULT (welcome screen / system accounts). Always applied.
- 02 software: verify Atera via the AteraAgent service (Get-Service) with a
  path fallback incl. C:\ProgramData, since Atera no longer installs to a
  fixed location.
- 12 windows-update: format Install-WindowsUpdate output via $_.Result/$_.Title
  instead of logging the raw object (was spamming "System.__ComObject").

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-29 15:00:05 +02:00
X9 Dev
d30767ef8b fix: comprehensive reliability and robustness improvements
Some checks failed
release / build-and-release (push) Failing after 32s
Critical fixes:
- Fix resume mode: StepsByIDs returned Enabled=false, all resume steps
  would be SKIPPED (deployment could never resume after reboot)
- Add reboot loop protection: per-step retry counter (max 5) prevents
  infinite reboot cycles when a step always exits with code 9
- Block reboot when state.Save() fails in resumePhase (prevents state
  loss leading to full restart from scratch)
- Atomic state file write (write-to-tmp + rename) prevents JSON
  corruption on BSOD/power loss mid-write
- Script watchdog: kills scripts after 30 min of no output (resets on
  each line, so active long-running scripts are never killed)
- Fix copyFile: check Close() error explicitly instead of deferred
  close that silently drops flush errors (e.g. disk full)

High severity:
- Cleanup() now logs errors instead of silently ignoring them
- Email report: 3 retries with backoff + always saves C:\X9\report.html
- Winget parallel jobs: 10 min timeout, kill hung jobs
- UCPD stop verification: 2s wait + state check before PDF association
- Atera installer: /qn -> /qb so MFA window can appear
- GVLK activation: match by EditionID (registry, not localized) instead
  of fragile OS caption string matching

Medium severity:
- Default profile hive unload: retry loop (5 attempts, increasing delay)
- LayoutModification.xml: UTF-8 without BOM (PS 5.1 Set-Content adds BOM)
- Set-Reg SYSTEM task: try/finally ensures temp file + task cleanup
- Windows Update: @($available).Count for PS 5.1 single-result edge case
- config.json: add missing kmsServer field in activation section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 11:49:43 +02:00
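The atomic state write, the explicit Close() check and the per-step reboot cap listed in commit d30767ef8b, sketched in Go as an added example; this is not the xetup source. The State layout, the Save and MarkReboot names and the temp-file naming are assumptions; only the cap of 5 and the write-to-tmp + rename approach come from the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)
const MaxRetries = 5 // per-step cap named in the commit message

type State struct { // hypothetical layout; the real state schema is not on the page
	Pending []string       `json:"pending"`
	Retries map[string]int `json:"retries"`
}

// Save writes a temp file beside path, syncs it, then renames it over path.
func (s *State) Save(path string) error {
	data, err := json.Marshal(s)
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), "state-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync() // flush to disk before the rename
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr // Close error is checked, not dropped by a defer
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path) // the old file stays whole until this call
}

// MarkReboot counts one exit-9 round for step; nil means the reboot may proceed.
func (s *State) MarkReboot(step, path string) error {
	if s.Retries == nil {
		s.Retries = map[string]int{}
	}
	if s.Retries[step]++; s.Retries[step] > MaxRetries {
		return fmt.Errorf("step %s exceeded %d reboot rounds", step, MaxRetries)
	}
	return s.Save(path) // a failed save is returned so the caller blocks the reboot
}

func main() { fmt.Println((&State{}).MarkReboot("12-windows-update", filepath.Join(os.TempDir(), "state.json"))) }
```

The temp file is created in the same directory as the target so the rename never crosses volumes, which is what keeps the replacement a single step.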
X9 Dev
0cfe7510aa feat(03): disable hibernation, Smart App Control; rework Edge config
Some checks failed
release / build-and-release (push) Failing after 32s
- powercfg /hibernate off added to powercfg block
- Smart App Control: VerifiedAndReputablePolicyState=0 (Win11, permanent)
- Edge: replaced non-working Recommended policies with two-tier approach:
  - Mandatory: only HideFirstRunExperience, DefaultBrowserSettingEnabled,
    DiagnosticData, FeedbackSurveysEnabled (privacy/first-run, locked)
  - initial_preferences JSON written to Edge Application dir: sets UI
    defaults (favorites bar, no home button, clean NTP, no shopping/rewards)
    that users can freely override in Edge settings
- Removed invalid PerformanceButtonEnabled policy key
- SPEC.md and web/spec/index.html updated accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 17:53:07 +02:00
X9 Dev
562f394137 fix(software): pass winget exe path into background jobs, add exit 3010 as OK
All checks were successful
release / build-and-release (push) Successful in 29s
Background jobs do not reliably inherit PATH from the parent session,
causing winget calls to fail silently. Now the resolved executable path
is passed explicitly as an argument into each Start-Job scriptblock.
Also treats exit code 3010 (success + reboot required) as OK.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 09:20:29 +02:00
X9 Dev
5ace2154a8 fix: revert Atera to download approach, remove bundled MSI
All checks were successful
release / build-and-release (push) Successful in 31s
MSI downloads fine via Invoke-WebRequest; MFA is an interactive window
shown by the installer itself during registration - accepted as normal
workflow. Bundled approach removed: assets/Atera/ dropped, no binary
maintenance needed.

Also closes CLAUDE.md open questions #2 (MFA resolved) and #3 (--resume
already removed from prereboot task).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 13:43:12 +02:00
X9 Dev
0d46b0dc4b fix: Atera bundled MSI, remove --resume flag, CI CGo+MinGW
All checks were successful
release / build-and-release (push) Successful in 30s
Atera agent: download URL requires MFA in browser session, so
Invoke-WebRequest gets HTML instead of MSI. Changed to bundled
MSI from assets/Atera/ - download once from dashboard, no network
dependency. Graceful skip with log message when MSI not present.

Removed unused --resume argument from X9-Resume scheduled task
registration. Resume is detected via state file, not CLI flag.

CI pipeline: added mingw-w64-gcc and CGO_ENABLED=1 for Walk
cross-compilation (required since Walk migration from Fyne).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 13:31:59 +02:00
X9 Dev
64646f1b7f feat: email report, pre-flight checks, parallel winget installs
Email report: HTML summary sent via SMTP2Go (mail-eu.smtp2go.com)
at the end of every deployment. Subject "xetup report HOSTNAME",
body contains per-step status table with timestamps. Non-blocking
(goroutine) so it doesn't delay the summary screen.

Pre-flight checks: admin rights, winget availability, network
connectivity (DNS resolve), and disk space verified before the
config form. Results shown as colored status lines at the top
of the GUI - red warnings tell the technician what's wrong
before starting a 30-minute deployment.

Parallel winget: 02-software.ps1 now launches all winget installs
as background jobs (Start-Job) and waits for all to complete.
7-Zip, Acrobat, OpenVPN run simultaneously instead of sequentially,
saving 3-5 minutes per deployment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 12:26:22 +02:00
X9 Dev
af41dde33c fix: workflow audit - config parsing, step ordering, cleanup
Root cause fix: runner.go passed config as unevaluated PS expression
via -File mode - scripts received a literal string instead of parsed
object. Changed to -ConfigPath; scripts load JSON themselves via
shared common.ps1 (Write-Log, Get-Feature, Load-Config).

GUI now regenerates runtime config before run so user selections
actually reach the scripts.

Merged 04-default-profile + 05-personalization into single script
(one hive load/unload, no Explorer restart, no hive contention).

Deleted Deploy-Windows.ps1 (xetup.exe is sole entry point),
06-scheduled-tasks.ps1 (tasks caused more harm than good),
07-desktop-info.ps1 (replaced by BackInfo long ago).

Step ordering: activation moved early, pcIdentity before WU
(exit 9 on rename only when rename actually happened).

Edge policies split into mandatory (telemetry, first-run) vs
recommended (UI preferences user can override).

Atera install uses Start-Process -Wait instead of fragile sleep.
Updated config.json, tests, DefaultConfig to match current state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 12:21:41 +02:00
X9 Dev
5e01826a49 feat: state machine for reboot-resume across Windows Update cycles
All checks were successful
release / build-and-release (push) Successful in 24s
xetup.exe now acts as an orchestrator across system reboots:
- PS scripts exit 9 to signal "reboot needed, re-run me" (WU) or
  "done but reboot needed to finalize" (Dell BIOS)
- On exit 9: xetup saves state.json, ensures adminx9 account,
  copies itself to stable path, enables autologon, registers
  X9-Resume scheduled task (AtLogOn adminx9, RunLevel Highest)
- On resume: loads pending steps from state, continues seamlessly
  with "Pokracuji po restartu..." label in the run window
- On completion: disables autologon, removes X9-Resume task,
  deletes state file, shows summary with accumulated results
  across all reboot rounds

New packages: internal/state, internal/prereboot
Script 12: simplified to exit 0 (done) or exit 9 (reboot needed)
Script 11: exit 9 when DCU exit code 1 (BIOS staged, reboot needed)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 17:09:53 +02:00
X9 Dev
9feb7ba4e1 feat: WU completion indicators - lock screen + desktop file
All checks were successful
release / build-and-release (push) Successful in 21s
When X9-WindowsUpdate finds no more updates:
- Creates "! WU HOTOVO yyyy-MM-dd HH:mm.txt" on C:\Users\Public\Desktop
- Locks the workstation via one-shot task running as adminx9
  (login screen = unambiguous visual signal for the operator)
- One-shot lock task self-deletes after 5 minutes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 16:12:54 +02:00
X9 Dev
3fb65789eb fix: create File Explorer.lnk explicitly + autologon for WU rounds
All checks were successful
release / build-and-release (push) Successful in 23s
04-default-profile: Create File Explorer.lnk (and PowerShell.lnk for
admin profile) in C:\Users\Default\AppData\Roaming\...\Start Menu
before writing LayoutModification.xml. On a clean Windows 11 install
the System Tools folder is often missing from the Default profile,
which causes the taskbar pin to be silently skipped.

12-windows-update: Enable temporary autologon for adminx9 so the
machine logs in automatically after each update reboot without
operator intervention. AutoLogonCount=10 as safety cap.
Autologon is disabled (and DefaultPassword removed) by the
scheduled task when no more updates are found.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 16:07:48 +02:00
X9 Dev
b58441d6b7 fix: black BackInfo bg + wrong taskbar accent color
All checks were successful
release / build-and-release (push) Successful in 22s
BackInfo.ini:
- AutoBackground=0: don't read live desktop color during deployment;
  Windows hasn't propagated the registry background color to the
  live session yet, so AutoBackground reads black
- BackgroundColor=4668194: explicit COLORREF for #223B47
  (was 2097152 = 0x200000 = RGB(0,0,32), near-black)

05-personalization.ps1:
- Add Explorer\Accent\AccentColorMenu = 0xFF473B22
- Add Explorer\Accent\StartColorMenu = 0xFF473B22
  Windows taskbar reads AccentColorMenu for its color when
  ColorPrevalence=1; DWM\AccentColor only controls title bars.
  Without these keys the taskbar shows Windows default blue
  (RGB 130, 232, 253 = Windows 11 "Steel" default accent).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 15:58:53 +02:00
X9 Dev
0462881980 fix: taskbar pins, Edge NTP, black bg, step progress strip
All checks were successful
release / build-and-release (push) Successful in 22s
- 04-default-profile: default profile now pins Explorer+Edge (was empty),
  preventing MS Store and other defaults from appearing in taskbar
- 03-system-registry: disable Edge new tab page quick links, background,
  content feed (NewTabPageQuickLinksEnabled/BackgroundEnabled/AllowedBackgroundTypes)
- 05-personalization: set Wallpaper="" in default hive so new user accounts
  get solid-color background instead of black fallback
- runner: add onStepStart callback, fires before each script launch
- gui: step progress strip in run phase — color-coded labels per step
  (pending gray · / running blue ► / ok green ✓ / error red ✗ / skipped gray –)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 15:28:38 +02:00
X9 Dev
3991e7a6d0 fix: mount HKCR PSDrive before PDF association writes
All checks were successful
release / build-and-release (push) Successful in 25s
HKCR: is not available by default in PS sessions - must be explicitly
mounted via New-PSDrive before any registry operations on it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 15:13:11 +02:00
7e6095d1bd Fixes, Windows Update (step 12), auto-reboot, PS window hide
- Write-Log creates C:\Windows\Setup\Scripts\ automatically (was failing on fresh install)
- Step 12: PSWindowsUpdate first pass + X9-WindowsUpdate scheduled task for post-reboot rounds
  (handles typical 2-3 reboot cycles on fresh Windows, task self-deletes when up to date)
- GUI summary: 60s countdown auto-reboot with "Restartovat ted" / "Zrusit restart" buttons
- runner: HideWindow=true prevents PS console from appearing over GUI
- runner: skipPSNoiseLine filters PS error metadata (CategoryInfo, FullyQualifiedErrorId etc.)
- web: fix curl command to include https:// prefix
2026-04-16 14:49:41 +02:00
c42943cfa8 PS scripts, web platform, Forgejo CI, xetup.exe launcher
Initial deployment suite for X9.cz MSP Windows 10/11 deployment:
- PowerShell scripts 00-11: admin account, bloatware removal, software (winget+Atera),
  system registry tweaks, default profile, personalization, scheduled tasks,
  BackInfo desktop info, Windows activation, PC identity/rename, network, Dell Update
- Web platform: xetup.x9.cz (nginx), spec/annotation page, /dl shortlink, GitHub mirror
- Forgejo Actions CI: auto-build xetup.exe on push, publish to releases/latest
- Go xetup.exe: embeds all scripts/assets, per-feature checkboxes, load/save config
2026-04-16 14:49:41 +02:00