sync: auto-sync from HOWARD-HOME at 2026-06-21 12:58:42

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-21 12:58:42

.claude/memory/feedback_bitdefender_unattended_install.md

@@ -0,0 +1,25 @@
+---
+name: feedback_bitdefender_unattended_install
+description: Bitdefender unattended RMM install must use the FULL KIT as SYSTEM (silent, no UAC) — the downloader stub fails headless and triggers UAC
+metadata:
+  type: feedback
+---
+
+Deploying Bitdefender (GravityZone) via an RMM/automation MUST be fully silent
+with NO UAC prompt and NO end-user interaction. Howard hard-stopped a deploy
+when a UAC prompt appeared on the user's screen (2026-06-21).
+
+**Why:** the lightweight **setupdownloader stub** (`setupdownloader_[hash].exe`,
+the `installLinkWindows` URL) is the WRONG tool for unattended deploy:
+- Run as SYSTEM (no UAC) it exits **3** and never installs (0-byte installer.xml;
+  needs an interactive/elevated session).
+- Run in `context: user_session` it triggers a **UAC prompt** (WTS-impersonated
+  admin token isn't auto-elevated) — unacceptable for end users.
+
+**How to apply:** use the **FULL KIT** (`fullKitWindowsX64`, ~696MB
+`epskit_x64_*.zip`; downloads with the GZ API key as HTTP Basic auth) and run its
+installer as SYSTEM with `/bdparams /silent`. SYSTEM is already elevated (no UAC)
+and the kit is self-contained (no CDN fetch → no exit 3). This is how Syncro /
+proper RMM BD deployments work. To avoid the API key on the endpoint, stage the
+kit on an internal HTTP host (e.g. GuruRMM downloads server) for anonymous pull.
+See [[reference_gravityzone_support]] and the `bitdefender` skill.