Compare commits
No commits in common. "603fba53727f116f90f7a284966b2982fde0aeac" and "7becac7a8bf05796dfce145374b2b36c93d6f4c9" have entirely different histories.
603fba5372
...
7becac7a8b
5 changed files with 28 additions and 46 deletions
|
|
@ -14,7 +14,7 @@
|
|||
7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
|
||||
adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
|
||||
openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
|
||||
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Agent enables MSP monitoring, remote access, and ticketing integration.
|
||||
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Agent enables MSP monitoring, remote access, and ticketing integration.
|
||||
adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
|
||||
ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
|
||||
#>
|
||||
|
|
@ -208,48 +208,27 @@ if (Get-Feature $Config "software" "pdfDefault") {
|
|||
|
||||
# -----------------------------------------------------------------------
|
||||
# Install Atera RMM Agent
|
||||
# Download the MSI from the Atera dashboard API, then install it under the
|
||||
# SYSTEM account via a one-shot scheduled task. Under SYSTEM the Atera
|
||||
# installer registers silently and does NOT show the interactive MFA window
|
||||
# that appears when installing in a user context - so no technician input
|
||||
# is needed.
|
||||
# Download MSI from Atera dashboard API, install via msiexec /qb.
|
||||
# During install, the Atera MSI shows an interactive MFA window -
|
||||
# the technician enters the code to complete agent registration.
|
||||
# -----------------------------------------------------------------------
|
||||
if (Get-Feature $Config "software" "ateraAgent") {
|
||||
Write-Log "Installing Atera RMM Agent (under SYSTEM)" -Level INFO
|
||||
Write-Log "Installing Atera RMM Agent" -Level INFO
|
||||
|
||||
# Machine-wide temp dir readable by SYSTEM (a per-user TEMP may not be)
|
||||
$ateraMsi = "$env:WINDIR\Temp\AteraAgent.msi"
|
||||
$ateraMsi = "$env:TEMP\AteraAgent.msi"
|
||||
$ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337"
|
||||
$ateraTask = "X9-AteraInstall"
|
||||
|
||||
try {
|
||||
Write-Log " Downloading Atera MSI..." -Level INFO
|
||||
Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop
|
||||
Write-Log " Download complete" -Level OK
|
||||
|
||||
# Run msiexec as NT AUTHORITY\SYSTEM via a temporary scheduled task.
|
||||
# SYSTEM runs in non-interactive session 0, hence /qn (no UI) and no MFA.
|
||||
Write-Log " Installing as SYSTEM via scheduled task (no MFA)..." -Level INFO
|
||||
$action = New-ScheduledTaskAction -Execute "msiexec.exe" -Argument "/i `"$ateraMsi`" /qn /norestart"
|
||||
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
|
||||
$stTask = New-ScheduledTask -Action $action -Principal $principal
|
||||
Register-ScheduledTask -TaskName $ateraTask -InputObject $stTask -Force | Out-Null
|
||||
Start-ScheduledTask -TaskName $ateraTask
|
||||
|
||||
# Wait for the task to finish (msiexec install can take a few minutes)
|
||||
$deadline = (Get-Date).AddMinutes(10)
|
||||
do {
|
||||
Start-Sleep -Seconds 3
|
||||
$state = (Get-ScheduledTask -TaskName $ateraTask -ErrorAction SilentlyContinue).State
|
||||
} while ($state -eq "Running" -and (Get-Date) -lt $deadline)
|
||||
|
||||
$result = (Get-ScheduledTaskInfo -TaskName $ateraTask -ErrorAction SilentlyContinue).LastTaskResult
|
||||
if ($state -eq "Running") {
|
||||
Write-Log " Atera install timed out after 10 min" -Level WARN
|
||||
} elseif ($result -eq 0) {
|
||||
Write-Log " Atera installer finished (SYSTEM, exit 0)" -Level OK
|
||||
Write-Log " Running installer (MFA window will appear)..." -Level INFO
|
||||
$msiProc = Start-Process msiexec -ArgumentList "/i `"$ateraMsi`" /qb" -Wait -PassThru
|
||||
if ($msiProc.ExitCode -eq 0) {
|
||||
Write-Log " Atera agent installed (msiexec exit 0)" -Level OK
|
||||
} else {
|
||||
Write-Log " Atera installer exit code: $result" -Level WARN
|
||||
Write-Log " Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN
|
||||
}
|
||||
|
||||
# Verify install. The AteraAgent service is the most reliable signal -
|
||||
|
|
@ -276,7 +255,6 @@ if (Get-Feature $Config "software" "ateraAgent") {
|
|||
Write-Log " Atera agent install failed: $_" -Level ERROR
|
||||
}
|
||||
finally {
|
||||
Unregister-ScheduledTask -TaskName $ateraTask -Confirm:$false -ErrorAction SilentlyContinue
|
||||
Remove-Item $ateraMsi -ErrorAction SilentlyContinue
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -176,11 +176,15 @@ try {
|
|||
$wsh = New-Object -ComObject WScript.Shell
|
||||
$defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
|
||||
|
||||
# File Explorer is pinned via its AppUserModelID (see pin list below),
|
||||
# not a custom .lnk. A hand-made shortcut to explorer.exe pins as a
|
||||
# separate app: clicking it launches a second Explorer that does not
|
||||
# group with the running window, and the icon cannot be unpinned
|
||||
# normally. The AUMID pin behaves like the built-in Explorer button.
|
||||
$explorerLnkDir = "$defRoaming\System Tools"
|
||||
$explorerLnk = "$explorerLnkDir\File Explorer.lnk"
|
||||
if (-not (Test-Path $explorerLnk)) {
|
||||
if (-not (Test-Path $explorerLnkDir)) { New-Item -ItemType Directory -Path $explorerLnkDir -Force | Out-Null }
|
||||
$sc = $wsh.CreateShortcut($explorerLnk)
|
||||
$sc.TargetPath = "$env:WINDIR\explorer.exe"
|
||||
$sc.Save()
|
||||
Write-Log " Created File Explorer.lnk in Default profile Start Menu" -Level OK
|
||||
}
|
||||
|
||||
if ($ProfileType -eq "admin") {
|
||||
$psLnkDir = "$defRoaming\Windows PowerShell"
|
||||
|
|
@ -202,14 +206,14 @@ try {
|
|||
$pinList = switch ($ProfileType) {
|
||||
"admin" {
|
||||
@'
|
||||
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
|
||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
|
||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
|
||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
||||
'@
|
||||
}
|
||||
default {
|
||||
@'
|
||||
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
|
||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
|
||||
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
|
||||
'@
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@
|
|||
"7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
|
||||
"adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
|
||||
"openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
|
||||
"atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
|
||||
"atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
|
||||
"adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
|
||||
"ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
|
||||
}
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
"taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.",
|
||||
"taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.",
|
||||
"taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.",
|
||||
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. File Explorer is pinned via its AppUserModelID (DesktopApplicationID=\"Microsoft.Windows.Explorer\"), not a hand-made .lnk to explorer.exe - the custom shortcut pinned as a separate app, launching a second Explorer that did not group with the running window and could not be unpinned normally. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
|
||||
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
|
||||
"explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.",
|
||||
"explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.",
|
||||
"start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.",
|
||||
|
|
|
|||
|
|
@ -184,7 +184,7 @@
|
|||
<p>Aplikace prochazi kroky automaticky a zobrazuje zive logy. <strong>Nech to bezet, nic nezavirej.</strong></p>
|
||||
<p>Nektere kroky (prejmenovani PC, Windows Update) vyzaduji restart. Xetup v tom pripade <strong>sam restartuje pocitac</strong>, po restartu se <strong>sam znovu spusti</strong> a pokracuje od mista kde skoncil. Tohle se muze opakovat vicekrat – je to ocekavane chovani.</p>
|
||||
<p>Pro automaticky restart xetup vytvori skryty ucet <code>adminx9</code> (bez hesla, clen Administrators) a nastavi na nej autologon. Po dokonceni deploymetu se autologon vypne a ucet zustane pro budouci spravu.</p>
|
||||
<p><strong>Atera:</strong> agent se instaluje tise pod uctem SYSTEM, takze se uz neobjevuje zadne prihlasovaci/MFA okno – neni potreba nic potvrzovat.</p>
|
||||
<p><strong>Pozor na Atera:</strong> behem instalace SW se muze objevit prihlasovaci/MFA okno Atera – je treba ho potvrdit, jinak instalace ceka.</p>
|
||||
</div>
|
||||
|
||||
<div class="phase">
|
||||
|
|
|
|||
|
|
@ -599,7 +599,7 @@
|
|||
<tr class="flag-done"><td>7-Zip (<code>7zip.7zip</code>)</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>Adobe Acrobat Reader 64-bit (<code>Adobe.Acrobat.Reader.64-bit</code>)</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>Atera Agent install (pod SYSTEM)</td><td>Invoke-WebRequest + <code>msiexec /i /qn</code> spustene jako <code>NT AUTHORITY\SYSTEM</code> pres docasny scheduled task. Pod SYSTEM se agent registruje tise <strong>bez MFA okna</strong> – bez zasahu technika.</td></tr>
|
||||
<tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qb</code> – /qb umozni zobrazeni MFA okna</td></tr>
|
||||
<tr class="flag-done"><td>Adobe PDF default: .pdf -> AcroRd32 po instalaci</td><td>OK – UCPD stop/start kolem zapisu asociace</td></tr>
|
||||
<tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze – logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
|
||||
<tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
|
||||
|
|
@ -661,7 +661,7 @@
|
|||
<tr class="flag-done"><td>Taskbar: zarovnat vlevo (TaskbarAl = 0)</td><td>Win11 default je center</td></tr>
|
||||
<tr class="flag-done"><td>Taskbar: skryt Search, Copilot, Task View, Widgets, Chat</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>Taskbar: zobrazit vsechny ikonky v tray (EnableAutoTray = 0)</td><td>Win11 periodicky znovu skryva tray ikony po updatu</td></tr>
|
||||
<tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> – prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi. Pruzkumnik se pinuje pres AUMID <code>DesktopApplicationID="Microsoft.Windows.Explorer"</code>, ne vlastni .lnk – ten by spoustel druhy Explorer a slo by ho spatne odepnout.</td></tr>
|
||||
<tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> – prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi.</td></tr>
|
||||
<tr class="flag-done"><td>Explorer: zobrazovat pripony souboru (HideFileExt = 0)</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>Explorer: otevrit na This PC (LaunchTo = 1)</td><td>OK</td></tr>
|
||||
<tr class="flag-done"><td>Explorer: ShowRecent = 0, ShowFrequent = 0</td><td>Skryt nedavne a caste soubory v Quick Access</td></tr>
|
||||
|
|
|
|||
Loading…
Reference in a new issue