feat(bloatware): keep Microsoft.Windows.Photos

Add Photos to the always-keep list (KeepPackages) like Calculator - the
default image viewer should not be removed. It stays in the removal list
but the keep-guard skips it and logs KEEP. Updates script header,
CLAUDE.md DO-NOT, web spec table, descriptions.json and CHANGELOG.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.claude/memory/MEMORY.md

@@ -7,7 +7,8 @@
 - [Communication preferences](feedback_preferences.md) - Czech, discussion first, interactive reviews, phased approach
 
 ## Project
-- [Xetup project state](project_xetup_state.md) - Current state, architecture decisions, what's next (as of 2026-04-15)
+- [Xetup v0.9 release and CI/ops findings](project_v0.9_release.md) - bloatware toggles, release-via-dispatch, Forgejo UI, pwsh (as of 2026-06-03)
+- [Xetup project state](project_xetup_state.md) - Current high-level snapshot: what it is, architecture, scripts, infra, status (as of 2026-06-03)
 - [Technical findings](project_technical_findings.md) - Deep code analysis, UCPD issue, Win11 compatibility, tools research
 
 ## Reference

.claude/memory/project_v0.9_release.md

@@ -0,0 +1,62 @@
+---
+name: Xetup v0.9 release and CI/ops findings as of 2026-06-03
+description: What shipped in v0.9 (bloatware toggles), how releases really trigger, Forgejo UI customization, dev tooling
+type: project
+---
+
+## v0.9 shipped (2026-06-03)
+
+Tag `v0.9`, named non-prerelease, signed `xetup.exe` published. Also on rolling `latest`.
+
+### Bloatware feature toggles (step 01)
+The bloatware step now has three independent GUI checkboxes (in `runner.StepFeatures()`
+under `bloatware`, defaults in `config.go` + `config.json`):
+- `standardBloatware` (default on) - the bulk AppX/capability/feature list.
+- `removeNewOutlook` (default on) - the new Outlook for Windows app
+  (`Microsoft.OutlookForWindows`). Classic Outlook from M365 is a Win32 app, never
+  touched - only the bundled UWP new Outlook is.
+- `removeSnippingTool` (default OFF) - **Snipping Tool is now KEPT by default**.
+  Spans three list entries: `Microsoft.ScreenSketch` (the modern app), the legacy
+  capability `Microsoft.Windows.SnippingTool`, and the optional feature
+  `Microsoft-SnippingTool`. Kept like Calculator (common productivity tool).
+
+Gating logic is `Test-RemovalAllowed` in `scripts/01-bloatware.ps1`: each item is
+governed by its own flag, so toggles are independent (a single feature off does not
+disable the whole step).
+
+### Latent bug fixed
+The Go `Config` struct had no `Bloatware` field, so the GUI's runtime-config
+regeneration silently dropped `bloatware.keepPackages` - the script's keep-list merge
+was effectively dead when run via xetup.exe. Added the field.
+
+## CI / release mechanics (important)
+- `release.yml` triggers on push to `main` ONLY for paths `**.go`, `scripts/**`,
+  `assets/**`, `embed.go`, `app.manifest`, `release.yml`. Docs-only / `web/**` pushes
+  do NOT trigger a build.
+- **Version tags release via `workflow_dispatch` on the tag ref, NOT a plain tag push.**
+  A `vX.Y` tag usually points at a docs-only "release X.Y" commit, which the `paths`
+  filter blocks - so `git push <tag>` does nothing. Dispatch instead:
+  `POST /api/v1/repos/x9/xetup/actions/workflows/release.yml/dispatches {"ref":"vX.Y"}`.
+  This is how v0.8 and v0.9 were built. `github.ref = refs/tags/vX.Y` -> named release.
+- Release notes come from the matching `## [X.Y]` section in `CHANGELOG.md`. Move the
+  `[Unreleased]` content into a dated `## [X.Y] - DATE` section before tagging.
+
+## Forgejo UI customization
+- Top-left Forgejo brand logo (`#navbar-logo`) is replaced with a back-link to
+  `xetup.x9.cz` via `templates/custom/header.tmpl` (CSS + small JS retargeting href).
+- Forgejo custom path is `GITEA_CUSTOM=/data/gitea` inside the `xetup-forgejo`
+  container; templates live in the `xetup_forgejo-data` volume (NOT git by itself).
+- Source is versioned in the repo at `deploy/forgejo/` (mirror + README). Deploy =
+  `docker cp` into the container + `docker restart xetup-forgejo` (templates load at
+  startup). Runner reconnects on its own.
+
+## Dev tooling
+- `pwsh` (PowerShell 7.6.2) is installed on the dev box (Debian 12) via the Microsoft
+  apt repo. Use it for PS syntax/parse checks:
+  `[System.Management.Automation.Language.Parser]::ParseFile(...)`. Note: Windows-only
+  cmdlets (Remove-AppxPackage, Get-WindowsCapability...) cannot run here.
+
+## Still open
+- v0.9 / `latest` are NOT smoke-tested on real Windows yet. Recommend VM test
+  (snapshot -> run -> revert) before a technician deploys to a client. Revert path:
+  `git revert <sha>` + push (CI rebuilds `latest`).

.claude/memory/project_xetup_state.md

@@ -1,73 +1,72 @@
 ---
-name: Xetup project state as of 2026-04-15
+name: Xetup project state as of 2026-06-03
-description: Current state of the xetup Windows deployment project - architecture decisions, what exists, what's planned
+description: Current state of the xetup Windows deployment project - what it is, architecture, status, what is shipped vs open
 type: project
 ---
 
 ## What xetup is
-Automated Windows 10/11 setup for X9.cz MSP clients. Replaces ~3 hours of manual work with a single script/tool.
+Automated Windows 10/11 setup for X9.cz MSP clients - replaces hours of manual
+prep on a new machine with a single signed binary the technician runs on-site as
+Administrator. ~20 machines/month, various clients. `xetup.exe` is the SOLE entry
+point (no CLI script entry point - do NOT create Deploy-Windows.ps1).
 
-## Current repo structure (cleaned 2026-04-15)
+Detailed architecture, conventions and per-step notes live in `CLAUDE.md` and
+`SPEC.md` - this file is the high-level current-state snapshot.
+
+## Architecture (as built)
+- **Go GUI launcher** (`xetup.exe`) - single binary, embeds `scripts/` + `assets/`
+  via `embed.go`. Extracts to temp, loads config, runs PS scripts sequentially,
+  handles reboot-resume cycles, sends an HTML email report (SMTP2Go) at the end.
+- **GUI is Walk** (Windows-only, CGO required) - NOT a charmbracelet TUI (that was
+  an early-planning idea that did not ship). Cross-compiled with mingw:
+  `CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64`.
+- Three GUI phases: config form -> live log -> summary with reboot countdown.
+- **Steps with sub-features**: GUI checkboxes map to `config.features[step][feature]`
+  (missing key defaults to true). Step is enabled if >=1 of its features is checked.
+- **Reboot-resume**: steps exit code 9 = "reboot required"; runner persists state,
+  sets autologon for `adminx9` + an `X9-Resume` scheduled task, reboots, resumes.
+  Steps 09 (pcIdentity on rename) and 12 (windowsUpdate) can trigger it.
+
+## Current scripts (step order)
 ```
-xetup/
+00 admin-account     (adminx9, no password, hidden, FullName "X9.cz s.r.o.")
-├── review.html                  ← interactive review page v2 (with colleague comments)
+08 activation         (OA3 -> config key -> GVLK)
-├── xetup-review.md             ← exported review v1 results from colleague
+01 bloatware          (AppX + Capabilities + Optional Features; feature-gated)
-├── xetup-win-setup-spec.md     ← original spec from colleague
+02 software           (parallel winget + Adobe PDF default + Atera under SYSTEM)
-├── xetup-win-setup-novinky.md  ← v2 additions from colleague (taskbar pins, explorer, network, admin desc)
+03 system-registry    (HKLM tweaks, Edge policies, OneDrive, powercfg)
-├── W11.pdf                      ← reference PDF
+04 default-profile    (NTUSER.DAT + HKCU + personalization, merged into one hive load)
-└── windows-deployment-new/      ← the active codebase
+07 backinfo           (BackInfo.exe + startup shortcut)
-    ├── Deploy-Windows.ps1       ← master script
+10 network            (Private profile, ping, Network Discovery)
-    ├── CLAUDE.md / SPEC.md
+11 dell-update        (Dell Command | Update, auto-skip on non-Dell)
-    ├── config/config.json
+09 pc-identity        (rename PC + C:\X9 folder, exit 9 on rename)
-    ├── assets/
+12 windows-update     (PSWindowsUpdate reboot cycle, exit 9)
-    │   ├── Backinfo/            ← BackInfo.exe + ini + ps1 (ready to use)
-    │   └── Logo/                ← X9 ico + jpeg (moved here 2026-04-15)
-    └── scripts/
-        ├── 00-admin-account.ps1
-        ├── 01-bloatware.ps1
-        ├── 02-software.ps1
-        ├── 03-system-registry.ps1
-        ├── 04-default-profile.ps1
-        ├── 05-personalization.ps1
-        ├── 06-scheduled-tasks.ps1
-        ├── 07-desktop-info.ps1  ← TO BE REPLACED by BackInfo
-        └── 08-activation.ps1
 ```
+Note: old 05-personalization / 06-scheduled-tasks / 07-desktop-info no longer
+exist (personalization merged into 04; DesktopInfo replaced by BackInfo).
 
-## Key decisions made (2026-04-15 session)
+## Infra / web (live)
-1. **BackInfo wins over custom DesktopInfo** - colleague prefers it (INI config, auto-update, centered text). Our 07-desktop-info.ps1 will be deleted.
+- **Forgejo** at git.xetup.x9.cz (container `xetup-forgejo`, v9.0.3) - git + issues +
-2. **OneDrive must NOT be removed** - current code aggressively deletes it, breaks M365. Must fix 03-system-registry.ps1 and 04-default-profile.ps1.
+  Actions CI. Runner: `xetup-runner`. Navbar logo customized to a xetup.x9.cz
-3. **RDP must NOT be removed** - was in SPEC but never implemented (good). Remove from SPEC entirely.
+  back-link (see `deploy/forgejo/`).
-4. **Colleague's spec has priority** over our implementation when they overlap.
+- **Static site** at xetup.x9.cz (container `xetup-web`, nginx) - bind-mounts
-5. **adminx9 account: no password** (changed from config-driven password), FullName = "X9.cz s.r.o."
+  `/opt/xetup/web` directly, so editing `web/**` is LIVE immediately (no deploy step).
-6. **Nextcloud not needed** - assets are in repo, only Atera MSI downloads from web.
+  Pages: landing, spec (from `web/data/descriptions.json`), changelog (renders
-7. **Flash2 not integrated** - it's the old version of this tool, just for inspiration.
+  `CHANGELOG.md` via Forgejo raw API).
-8. **Atera Agent**: curl from `https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337` then `msiexec /i setup.msi /qn`
+- **CI release** (`.forgejo/workflows/release.yml`): builds, signs (Azure Trusted
+  Signing), publishes `xetup.exe`. Push to `main` touching code/scripts -> rolling
+  `latest`. Version `vX.Y` releases are triggered by `workflow_dispatch` on the tag
+  ref (the `paths` filter blocks docs-only tag pushes). Signing SP is shared across
+  X9 projects - do NOT rotate.
 
-## Architecture direction (decided 2026-04-15)
+## Status (2026-06-03)
-- **Go TUI launcher** (xetup.exe) - single binary, embeds PS scripts + assets
+- **Released: v0.9** - bloatware feature toggles (Outlook/Snipping/standard now
-- Charmbracelet stack: bubbletea, huh, lipgloss
+  independently toggleable; Snipping kept by default), `keepPackages` runtime bug
-- Self-update from web (version.json check)
+  fixed. See `project_v0.9_release.md` for detail.
-- **Web platform** at xetup.x9.cz:
+- CI, signing, web, changelog page all working.
-  - Forgejo for git hosting + issues + CI
-  - Auto-generated documentation from spec.yaml
-  - Comments via Forgejo Issues API
-  - Landing page + download + changelog
-  - Deployment reporting dashboard (later)
-- **spec.yaml** as single source of truth for both exe and docs
 
-## What needs to happen next
+## Open / next
-1. Create spec.yaml from all gathered specs + review
+- v0.9 + `latest` NOT yet smoke-tested on real Windows - recommend VM test
-2. Initialize Go project structure
+  (snapshot -> run -> revert) before client deployment.
-3. Fix PS scripts (OneDrive removal, admin password, BackInfo integration)
+- Complete winget SW list still TODO (config list may be incomplete).
-4. Set up repo (GitHub initially, Forgejo later)
+- Hard rules (from CLAUDE.md): keep Calculator; do not remove OneDrive policy-block;
-5. First Go build with TUI form
+  do not remove RDP/RDS; no diacritics anywhere; no `$ErrorActionPreference=Stop`.
-6. CI pipeline (GitHub Actions)
-7. Web landing page
-
-## Technical findings from deep analysis
-- UCPD kernel driver (since Feb 2024) blocks PDF default association via UserChoice - need to disable UCPD during deployment
-- System tray "show all icons" broken in Win11 24H2 - EnableAutoTray=0 ignored
-- Edge needs ~15 more policy keys than we currently set
-- ConfigureStartPins has new applyOnce property in 24H2
-- Current code quality is solid: 3-level registry fallback, proper hive handling with GC+finally

CHANGELOG.md

@@ -8,7 +8,10 @@ Builds are continuous: every push to `main` produces a signed `xetup.exe` publis
 
 ## [Unreleased]
 
-_Nothing yet._
+### Changed
+- **Photos now kept** (01): `Microsoft.Windows.Photos` is added to the always-keep list
+  (`KeepPackages`), so the default image viewer is no longer removed - like Calculator. It stays
+  in the removal list but the keep-guard skips it and logs `KEEP Microsoft.Windows.Photos`.
 
 ## [0.9] - 2026-06-03
 

CLAUDE.md

@@ -200,6 +200,7 @@ git push "http://x9:${TOKEN}@localhost:3100/x9/xetup.git" main
 
 - Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure
 - Do not remove Calculator (Microsoft.WindowsCalculator)
+- Do not remove Photos (Microsoft.Windows.Photos)
 - Do not use ARM VM for testing
 - Do not write scripts depending on specific username
 - Do not use hardcoded paths that do not exist on clean Windows

deploy/forgejo/README.md

@@ -0,0 +1,34 @@
+# Forgejo customizations
+
+Custom UI tweaks for the `xetup-forgejo` instance (git.xetup.x9.cz). These live
+in the Forgejo data volume (`xetup_forgejo-data`), which is NOT under git, so the
+source of truth is kept here and deployed into the container.
+
+## Files
+
+- `templates/custom/header.tmpl` - injected into `<head>` on every page. Replaces
+  the meaningless Forgejo brand logo (top-left navbar) with a back-link to
+  `xetup.x9.cz`. Pure CSS for the look; a small inline script retargets the
+  `#navbar-logo` href.
+
+## Deploy
+
+Custom templates are read at startup, so a restart is required after any change.
+
+```bash
+# Path inside the container: GITEA_CUSTOM=/data/gitea
+docker exec xetup-forgejo sh -c 'mkdir -p /data/gitea/templates/custom'
+docker cp deploy/forgejo/templates/custom/header.tmpl \
+  xetup-forgejo:/data/gitea/templates/custom/header.tmpl
+docker exec xetup-forgejo sh -c 'chown -R git:git /data/gitea/templates'
+docker restart xetup-forgejo
+```
+
+The runner (`xetup-runner`) reconnects on its own after the restart.
+
+## Verify
+
+```bash
+curl -s http://localhost:3100/x9/xetup/releases | grep -q 'content: "xetup.x9.cz"' \
+  && echo "header.tmpl injected" || echo "NOT injected"
+```

deploy/forgejo/templates/custom/header.tmpl

@@ -0,0 +1,33 @@
+<style>
+	/* The Forgejo brand in the top-left has no meaning for us; turn it into a
+	   back-link to the main site (xetup.x9.cz). Pure CSS for the look, a tiny
+	   script below retargets the href. */
+	#navbar-logo img { display: none !important; }
+	#navbar-logo {
+		display: inline-flex !important;
+		align-items: center;
+		gap: .35rem;
+		padding: .35rem .7rem !important;
+		border: 1px solid var(--color-secondary, #d4d7dc);
+		border-radius: 6px;
+		font-weight: 600;
+		line-height: 1;
+		white-space: nowrap;
+	}
+	#navbar-logo::before { content: "\2190"; font-size: 1.05em; }
+	#navbar-logo::after  { content: "xetup.x9.cz"; }
+	#navbar-logo:hover {
+		background: var(--color-hover, rgba(0,0,0,.05));
+		border-color: var(--color-primary, #4078c0);
+	}
+</style>
+<script>
+	document.addEventListener('DOMContentLoaded', function () {
+		var logo = document.getElementById('navbar-logo');
+		if (logo) {
+			logo.setAttribute('href', 'https://xetup.x9.cz');
+			logo.setAttribute('aria-label', 'Zpet na xetup.x9.cz');
+			logo.setAttribute('title', 'Zpet na xetup.x9.cz');
+		}
+	});
+</script>

scripts/01-bloatware.ps1

@@ -5,11 +5,12 @@
 .DESCRIPTION
     Removes Microsoft-bundled apps and features not needed in a business MSP deployment.
     Removal is done for all users (-AllUsers) and from the provisioning store so new
-    users do not get them either. Calculator is intentionally kept.
+    users do not get them either. Calculator and Photos are intentionally kept.
 
 .ITEMS
     appx-balicky-odstraneni-pro-vsechny-uziv: Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.
     zachovano-microsoft-windowscalculator: Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.
+    zachovano-microsoft-windows-photos: Photos is explicitly excluded via KeepPackages. Default image viewer expected by end users; removing it leaves no built-in viewer and would require manual reinstall from Store.
     windows-capabilities-fax-ie-openssh-wmp-: Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.
     windows-optional-features-ps-2-0-mediapl: Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.
     feature-toggles: Three GUI feature flags gate removal. standardBloatware (default on) covers the bulk list. removeNewOutlook (default on) controls Microsoft.OutlookForWindows; classic Outlook from M365 is a Win32 app and is never touched. removeSnippingTool (default OFF) controls Snipping Tool across all three lists (ScreenSketch app + legacy capability + legacy feature) - kept by default as a common productivity tool, like Calculator.
@@ -104,7 +105,7 @@ $AppxToRemove = @(
 )
 
 # Packages to always keep
-$KeepPackages = @("Microsoft.WindowsCalculator")
+$KeepPackages = @("Microsoft.WindowsCalculator", "Microsoft.Windows.Photos")
 if ($Config -and $Config.bloatware -and $Config.bloatware.keepPackages) {
     $KeepPackages += $Config.bloatware.keepPackages
 }

web/data/descriptions.json

@@ -13,10 +13,11 @@
   },
   "01-bloatware": {
     "synopsis": "Removes pre-installed bloatware: AppX packages, Capabilities, and Optional Features.",
-    "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept.",
+    "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator and Photos are intentionally kept.",
     "items": {
       "appx-balicky-odstraneni-pro-vsechny-uziv": "Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.",
       "zachovano-microsoft-windowscalculator": "Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.",
+      "zachovano-microsoft-windows-photos": "Photos is explicitly excluded via KeepPackages. Default image viewer expected by end users; removing it leaves no built-in viewer and would require manual reinstall from Store.",
       "windows-capabilities-fax-ie-openssh-wmp-": "Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.",
       "windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.",
       "feature-toggles": "Three GUI feature flags gate removal. standardBloatware (default on) covers the bulk list. removeNewOutlook (default on) controls Microsoft.OutlookForWindows; classic Outlook from M365 is a Win32 app and is never touched. removeSnippingTool (default OFF) controls Snipping Tool across all three lists (ScreenSketch app + legacy capability + legacy feature) - kept by default as a common productivity tool, like Calculator."

web/spec/index.html

@@ -578,6 +578,7 @@
         <table class="items">
           <tr class="flag-done"><td>AppX balicky &ndash; odstraneni pro vsechny uzivatele a provisioned</td><td>Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage</td></tr>
           <tr class="flag-done"><td>Zachovano: Microsoft.WindowsCalculator</td><td>Zamerny vyjimek</td></tr>
+          <tr class="flag-done"><td>Zachovano: Microsoft.Windows.Photos</td><td>Zamerny vyjimek (vychozi prohlizec obrazku)</td></tr>
           <tr class="flag-done"><td>Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)</td><td>Remove-WindowsCapability</td></tr>
           <tr class="flag-done"><td>Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)</td><td>Disable-WindowsOptionalFeature</td></tr>
           <tr class="flag-done"><td>GUI prepinace: standardBloatware, removeNewOutlook, removeSnippingTool</td><td>Kazdy krok lze v GUI samostatne zaskrtnout/odskrtnout</td></tr>
@@ -608,7 +609,7 @@
           <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze &ndash; logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
           <tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
           <tr class="flag-done"><td>Winget cesta explicitne predavana do parallel jobu</td><td>Opraveno &ndash; Start-Job nezdedi PATH; winget.exe fullpath preda jako argument. Exit 3010 (success+reboot) nyni vyhodnocen jako OK.</td></tr>
-          <tr class="flag-done"><td>Winget: <code>--source winget</code> u kazde instalace</td><td>Field fix &ndash; fresh Win11 ISO ma App Installer se starym pinned certem, msstore source padá na <code>0x8a15005e</code> a instalaci prerusi. <code>--source winget</code> msstore obejde. Plati i pro krok 11 (Dell).</td></tr>
+          <tr class="flag-done"><td>Winget: <code>--source winget</code> u kazde instalace</td><td>Field fix &ndash; fresh Win11 ISO ma App Installer se starym pinned certem, msstore source pada na <code>0x8a15005e</code> a instalaci prerusi. <code>--source winget</code> msstore obejde. Plati i pro krok 11 (Dell).</td></tr>
           <tr class="flag-done"><td>Atera: detekce pres sluzbu <code>Get-Service AteraAgent</code></td><td>Field fix &ndash; agent se obcas instaluje do <code>C:\ProgramData\</code>; existence sluzby je spolehlivejsi nez kontrola souboru. Fallback na cesty vc. ProgramData.</td></tr>
         </table>
         <div class="note">