Fix Communications key ACL and Adobe path detection

- 03-system-registry.ps1: Set-Reg now has 3-tier retry: direct write,
  ACL manipulation, fallback to scheduled task running as SYSTEM (which
  has unrestricted registry access - handles TrustedInstaller-owned keys)
- 02-software.ps1: add Acrobat DC path (Acrobat.exe) before legacy
  AcroRd32.exe paths - winget installs Acrobat DC not Reader DC
- 06-scheduled-tasks.ps1: same Adobe path fix in PDF-DefaultApp script
- tests/Test-Deployment.ps1: Adobe check covers both Acrobat DC and
  Reader DC install paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/02-software.ps1

@@ -78,8 +78,10 @@ if ($Config -and $Config.pdfDefault) {
 if ($forcePdf) {
     Write-Log "Setting Adobe Reader as default PDF app" -Level INFO
 
-    # Find AcroRd32.exe
+    # Find Adobe PDF viewer executable (Acrobat DC or Reader DC)
     $acroPaths = @(
+        "$env:ProgramFiles\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
+        "${env:ProgramFiles(x86)}\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
         "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
         "$env:ProgramFiles\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
         "${env:ProgramFiles(x86)}\Adobe\Reader\Reader\AcroRd32.exe"
@@ -87,7 +89,7 @@ if ($forcePdf) {
     $acroExe = $acroPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
 
     if (-not $acroExe) {
-        Write-Log "  AcroRd32.exe not found - PDF default not set" -Level WARN
+        Write-Log "  Adobe PDF viewer not found - PDF default not set" -Level WARN
     } else {
         Write-Log "  Found: $acroExe" -Level INFO
 

scripts/03-system-registry.ps1

@@ -68,7 +68,7 @@ function Set-Reg {
         Write-Log "  SET $Path\$Name = $Value" -Level OK
     }
     catch {
-        # Retry after granting write access
+        # Retry 1: grant write access via ACL manipulation
         try {
             Grant-RegWriteAccess -Path $Path
             if (-not (Test-Path $Path)) {
@@ -76,6 +76,49 @@ function Set-Reg {
             }
             Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
             Write-Log "  SET $Path\$Name = $Value (after ACL fix)" -Level OK
+            return
+        }
+        catch { }
+
+        # Retry 2: write via scheduled task running as SYSTEM
+        # SYSTEM has full registry access regardless of key ACL
+        try {
+            $regType = switch ($Type) {
+                "DWord"       { "REG_DWORD" }
+                "String"      { "REG_SZ" }
+                "ExpandString"{ "REG_EXPAND_SZ" }
+                "MultiString" { "REG_MULTI_SZ" }
+                "QWord"       { "REG_QWORD" }
+                default       { "REG_DWORD" }
+            }
+            # Convert registry PS path to reg.exe path
+            $regPath = $Path -replace '^HKLM:\\', 'HKLM\' `
+                             -replace '^HKCU:\\', 'HKCU\' `
+                             -replace '^HKCR:\\', 'HKCR\'
+            $tempScript = "$env:TEMP\set-reg-system-$([System.IO.Path]::GetRandomFileName()).ps1"
+            "reg add `"$regPath`" /v `"$Name`" /t $regType /d $Value /f" |
+                Set-Content -Path $tempScript -Encoding UTF8
+
+            $taskName  = "TempRegFix-$([System.IO.Path]::GetRandomFileName())"
+            $action    = New-ScheduledTaskAction -Execute "cmd.exe" `
+                            -Argument "/c reg add `"$regPath`" /v `"$Name`" /t $regType /d $Value /f"
+            $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
+            $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 30)
+            $task      = New-ScheduledTask -Action $action -Principal $principal -Settings $settings
+
+            Register-ScheduledTask -TaskName $taskName -InputObject $task -Force | Out-Null
+            Start-ScheduledTask -TaskName $taskName
+            Start-Sleep -Seconds 2
+            Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
+            Remove-Item $tempScript -Force -ErrorAction SilentlyContinue
+
+            # Verify it was written
+            $written = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
+            if ($null -ne $written) {
+                Write-Log "  SET $Path\$Name = $Value (via SYSTEM task)" -Level OK
+            } else {
+                Write-Log "  FAILED $Path\$Name - SYSTEM task ran but value not found" -Level ERROR
+            }
         }
         catch {
             Write-Log "  FAILED $Path\$Name - $_" -Level ERROR

scripts/06-scheduled-tasks.ps1

@@ -86,6 +86,8 @@ $pdfScript = "$ScriptDir\PDF-DefaultApp.ps1"
 @'
 # Restore .pdf -> Adobe Reader association
 $acroPaths = @(
+    "$env:ProgramFiles\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
+    "${env:ProgramFiles(x86)}\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
     "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
     "$env:ProgramFiles\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
     "${env:ProgramFiles(x86)}\Adobe\Reader\Reader\AcroRd32.exe"

tests/Test-Deployment.ps1

@@ -104,7 +104,9 @@ Test-Check "7-Zip installed" {
     (Test-Path "${env:ProgramFiles(x86)}\7-Zip\7z.exe")
 }
 
-Test-Check "Adobe Acrobat Reader installed" {
+Test-Check "Adobe Acrobat installed" {
+    (Test-Path "$env:ProgramFiles\Adobe\Acrobat DC\Acrobat\Acrobat.exe") -or
+    (Test-Path "${env:ProgramFiles(x86)}\Adobe\Acrobat DC\Acrobat\Acrobat.exe") -or
     (Test-Path "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe") -or
     (Test-Path "$env:ProgramFiles\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe")
 }