x9/xetup
1
0
Fork 0
Code Issues 17 Pull requests Projects Releases 5 Packages Wiki Activity Actions

Compare commits

base: x9:7becac7a8bf05796dfce145374b2b36c93d6f4c9
Branches Tags
x9:main
x9:latest
x9:v0.9
x9:v0.8
x9:v0.7
x9:v0.1.0
...
compare: x9:603fba53727f116f90f7a284966b2982fde0aeac
Branches Tags
x9:main
x9:latest
x9:v0.9
x9:v0.8
x9:v0.7
x9:v0.1.0

2 commits
7becac7a8b ... 603fba5372

Author SHA1 Message Date
X9 Dev
603fba5372 docs(web): reflect Explorer AUMID pin + Atera-under-SYSTEM
All checks were successful
release / build-and-release (push) Successful in 34s
Details 
- spec: Atera row now SYSTEM + /qn + no MFA; taskbar row notes Explorer is
  pinned via AUMID to avoid the duplicate-instance / unpinnable bug.
- descriptions.json: update 02 Atera item and 04 taskbar item accordingly.
- navod: drop the obsolete "confirm Atera MFA" warning - it installs silently
  under SYSTEM now.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-01 14:26:08 +02:00
X9 Dev
451b9e221c fix: taskbar Explorer pin + Atera install under SYSTEM 
- 04 profile: pin File Explorer via its AppUserModelID
  (DesktopApplicationID="Microsoft.Windows.Explorer") instead of a hand-made
  File Explorer.lnk to explorer.exe. The custom shortcut pinned as a separate
  app - clicking it launched a second Explorer that did not group with the
  running window, and the icon could not be unpinned normally. Stop creating
  that .lnk.
- 02 software: install the Atera MSI under NT AUTHORITY\SYSTEM via a one-shot
  scheduled task (msiexec /qn), then remove the task. Under SYSTEM the agent
  registers silently with no interactive MFA window, so no technician input is
  needed. MSI staged in C:\Windows\Temp (readable by SYSTEM).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-01 14:26:08 +02:00
5 changed files with 46 additions and 28 deletions
Show stats Expand all files Collapse all files

44
scripts/02-software.ps1
View file

@ -14,7 +14,7 @@
7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Agent enables MSP monitoring, remote access, and ticketing integration.
atera-agent-install: Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Agent enables MSP monitoring, remote access, and ticketing integration.
adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
#>
@ -208,27 +208,48 @@ if (Get-Feature $Config "software" "pdfDefault") {
# -----------------------------------------------------------------------
# Install Atera RMM Agent
# Download MSI from Atera dashboard API, install via msiexec /qb.
# During install, the Atera MSI shows an interactive MFA window -
# the technician enters the code to complete agent registration.
# Download the MSI from the Atera dashboard API, then install it under the
# SYSTEM account via a one-shot scheduled task. Under SYSTEM the Atera
# installer registers silently and does NOT show the interactive MFA window
# that appears when installing in a user context - so no technician input
# is needed.
# -----------------------------------------------------------------------
if (Get-Feature $Config "software" "ateraAgent") {
Write-Log "Installing Atera RMM Agent" -Level INFO
Write-Log "Installing Atera RMM Agent (under SYSTEM)" -Level INFO
$ateraMsi = "$env:TEMP\AteraAgent.msi"
# Machine-wide temp dir readable by SYSTEM (a per-user TEMP may not be)
$ateraMsi = "$env:WINDIR\Temp\AteraAgent.msi"
$ateraUrl = "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337"
$ateraTask = "X9-AteraInstall"
try {
Write-Log " Downloading Atera MSI..." -Level INFO
Invoke-WebRequest -Uri $ateraUrl -OutFile $ateraMsi -UseBasicParsing -ErrorAction Stop
Write-Log " Download complete" -Level OK
Write-Log " Running installer (MFA window will appear)..." -Level INFO
$msiProc = Start-Process msiexec -ArgumentList "/i `"$ateraMsi`" /qb" -Wait -PassThru
if ($msiProc.ExitCode -eq 0) {
Write-Log " Atera agent installed (msiexec exit 0)" -Level OK
# Run msiexec as NT AUTHORITY\SYSTEM via a temporary scheduled task.
# SYSTEM runs in non-interactive session 0, hence /qn (no UI) and no MFA.
Write-Log " Installing as SYSTEM via scheduled task (no MFA)..." -Level INFO
$action = New-ScheduledTaskAction -Execute "msiexec.exe" -Argument "/i `"$ateraMsi`" /qn /norestart"
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$stTask = New-ScheduledTask -Action $action -Principal $principal
Register-ScheduledTask -TaskName $ateraTask -InputObject $stTask -Force | Out-Null
Start-ScheduledTask -TaskName $ateraTask
# Wait for the task to finish (msiexec install can take a few minutes)
$deadline = (Get-Date).AddMinutes(10)
do {
Start-Sleep -Seconds 3
$state = (Get-ScheduledTask -TaskName $ateraTask -ErrorAction SilentlyContinue).State
} while ($state -eq "Running" -and (Get-Date) -lt $deadline)
$result = (Get-ScheduledTaskInfo -TaskName $ateraTask -ErrorAction SilentlyContinue).LastTaskResult
if ($state -eq "Running") {
Write-Log " Atera install timed out after 10 min" -Level WARN
} elseif ($result -eq 0) {
Write-Log " Atera installer finished (SYSTEM, exit 0)" -Level OK
} else {
Write-Log " Atera agent install exit code: $($msiProc.ExitCode)" -Level WARN
Write-Log " Atera installer exit code: $result" -Level WARN
}
# Verify install. The AteraAgent service is the most reliable signal -
@ -255,6 +276,7 @@ if (Get-Feature $Config "software" "ateraAgent") {
Write-Log " Atera agent install failed: $_" -Level ERROR
}
finally {
Unregister-ScheduledTask -TaskName $ateraTask -Confirm:$false -ErrorAction SilentlyContinue
Remove-Item $ateraMsi -ErrorAction SilentlyContinue
}
} else {

18
scripts/04-default-profile.ps1
View file

@ -176,15 +176,11 @@ try {
$wsh = New-Object -ComObject WScript.Shell
$defRoaming = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
$explorerLnkDir = "$defRoaming\System Tools"
$explorerLnk = "$explorerLnkDir\File Explorer.lnk"
if (-not (Test-Path $explorerLnk)) {
if (-not (Test-Path $explorerLnkDir)) { New-Item -ItemType Directory -Path $explorerLnkDir -Force | Out-Null }
$sc = $wsh.CreateShortcut($explorerLnk)
$sc.TargetPath = "$env:WINDIR\explorer.exe"
$sc.Save()
Write-Log " Created File Explorer.lnk in Default profile Start Menu" -Level OK
}
# File Explorer is pinned via its AppUserModelID (see pin list below),
# not a custom .lnk. A hand-made shortcut to explorer.exe pins as a
# separate app: clicking it launches a second Explorer that does not
# group with the running window, and the icon cannot be unpinned
# normally. The AUMID pin behaves like the built-in Explorer button.
if ($ProfileType -eq "admin") {
$psLnkDir = "$defRoaming\Windows PowerShell"
@ -206,14 +202,14 @@ try {
$pinList = switch ($ProfileType) {
"admin" {
@'
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
'@
}
default {
@'
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
'@
}

4
web/data/descriptions.json
View file

@ -28,7 +28,7 @@
"7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
"adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
"openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
"atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
"atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed under NT AUTHORITY\\SYSTEM via a one-shot scheduled task (msiexec /qn). Running as SYSTEM registers the agent silently with no interactive MFA window, so no technician input is needed. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
"adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
"ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
}
@ -61,7 +61,7 @@
"taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.",
"taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.",
"taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.",
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. File Explorer is pinned via its AppUserModelID (DesktopApplicationID=\"Microsoft.Windows.Explorer\"), not a hand-made .lnk to explorer.exe - the custom shortcut pinned as a separate app, launching a second Explorer that did not group with the running window and could not be unpinned normally. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
"explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.",
"explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.",
"start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.",

2
web/navod/index.html
View file

@ -184,7 +184,7 @@
<p>Aplikace prochazi kroky automaticky a zobrazuje zive logy. <strong>Nech to bezet, nic nezavirej.</strong></p>
<p>Nektere kroky (prejmenovani PC, Windows Update) vyzaduji restart. Xetup v tom pripade <strong>sam restartuje pocitac</strong>, po restartu se <strong>sam znovu spusti</strong> a pokracuje od mista kde skoncil. Tohle se muze opakovat vicekrat &ndash; je to ocekavane chovani.</p>
<p>Pro automaticky restart xetup vytvori skryty ucet <code>adminx9</code> (bez hesla, clen Administrators) a nastavi na nej autologon. Po dokonceni deploymetu se autologon vypne a ucet zustane pro budouci spravu.</p>
<p><strong>Pozor na Atera:</strong> behem instalace SW se muze objevit prihlasovaci/MFA okno Atera &ndash; je treba ho potvrdit, jinak instalace ceka.</p>
<p><strong>Atera:</strong> agent se instaluje tise pod uctem SYSTEM, takze se uz neobjevuje zadne prihlasovaci/MFA okno &ndash; neni potreba nic potvrzovat.</p>
</div>
<div class="phase">

4
web/spec/index.html
View file

@ -599,7 +599,7 @@
<tr class="flag-done"><td>7-Zip (<code>7zip.7zip</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>Adobe Acrobat Reader 64-bit (<code>Adobe.Acrobat.Reader.64-bit</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qb</code> &ndash; /qb umozni zobrazeni MFA okna</td></tr>
<tr class="flag-done"><td>Atera Agent install (pod SYSTEM)</td><td>Invoke-WebRequest + <code>msiexec /i /qn</code> spustene jako <code>NT AUTHORITY\SYSTEM</code> pres docasny scheduled task. Pod SYSTEM se agent registruje tise <strong>bez MFA okna</strong> &ndash; bez zasahu technika.</td></tr>
<tr class="flag-done"><td>Adobe PDF default: .pdf -&gt; AcroRd32 po instalaci</td><td>OK &ndash; UCPD stop/start kolem zapisu asociace</td></tr>
<tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze &ndash; logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
<tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
@ -661,7 +661,7 @@
<tr class="flag-done"><td>Taskbar: zarovnat vlevo (TaskbarAl = 0)</td><td>Win11 default je center</td></tr>
<tr class="flag-done"><td>Taskbar: skryt Search, Copilot, Task View, Widgets, Chat</td><td>OK</td></tr>
<tr class="flag-done"><td>Taskbar: zobrazit vsechny ikonky v tray (EnableAutoTray = 0)</td><td>Win11 periodicky znovu skryva tray ikony po updatu</td></tr>
<tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> &ndash; prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi.</td></tr>
<tr class="flag-done"><td>Taskbar: explicitni pinlist (TaskbarLayoutModification.xml)</td><td>default/user: Pruzkumnik + Edge; admin: Pruzkumnik + Edge + PowerShell. <code>PinListPlacement="Replace"</code> &ndash; prazdny seznam by dovoloval Windows pridat Store a dalsi vychozi. Pruzkumnik se pinuje pres AUMID <code>DesktopApplicationID="Microsoft.Windows.Explorer"</code>, ne vlastni .lnk &ndash; ten by spoustel druhy Explorer a slo by ho spatne odepnout.</td></tr>
<tr class="flag-done"><td>Explorer: zobrazovat pripony souboru (HideFileExt = 0)</td><td>OK</td></tr>
<tr class="flag-done"><td>Explorer: otevrit na This PC (LaunchTo = 1)</td><td>OK</td></tr>
<tr class="flag-done"><td>Explorer: ShowRecent = 0, ShowFrequent = 0</td><td>Skryt nedavne a caste soubory v Quick Access</td></tr>