diff --git a/SPEC.md b/SPEC.md index c306d58..dfab7e1 100644 --- a/SPEC.md +++ b/SPEC.md @@ -86,10 +86,14 @@ Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec Always applied: password max age unlimited, timezone (Central Europe Standard Time). Feature-toggled sections: -- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search -- **edgePolicies**: mandatory (first-run, telemetry) + recommended (UI defaults user can change) +- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search, + Smart App Control (VerifiedAndReputablePolicyState=0, permanent) +- **edgePolicies**: mandatory only (HideFirstRunExperience, DefaultBrowserSettingEnabled, + DiagnosticData, FeedbackSurveysEnabled) + initial_preferences file for UI defaults + (favorites bar, no home button, no search suggestions, clean NTP, no rewards/shopping/collections). + initial_preferences is read by Edge once on first profile creation - user can override freely. - **oneDriveUninstall**: removes consumer OneDrive (no policy block - M365 can reinstall) -- **powercfg**: standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15 +- **powercfg**: hibernate off; standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15 - **proxyDisable**: WPAD auto-detect off --- diff --git a/scripts/03-system-registry.ps1 b/scripts/03-system-registry.ps1 index 036623f..01df908 100644 --- a/scripts/03-system-registry.ps1 +++ b/scripts/03-system-registry.ps1 
@@ -18,11 +18,11 @@ hesla-bez-expirace-net-accounts-maxpwage: net accounts /maxpwage:UNLIMITED. Sets the local password expiration policy to never. MSP-managed machines handle password rotation via other means (Atera, domain policy, manual). casova-zona-central-europe-standard-time: Set-TimeZone -Id "Central Europe Standard Time". UTC+1 (UTC+2 in summer DST). Applied system-wide. Critical for correct log timestamps, scheduled task timing, and calendar sync. zakaz-gamedvr: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR\AppCaptureEnabled = 0. Disables Xbox Game Bar screen capture overlay. Reduces background resource usage and eliminates unintended capture prompts on business machines. - edge-skryt-first-run-experience: HideFirstRunExperience=1 + DefaultBrowserSettingEnabled=0. Suppresses Edge welcome wizard and default browser prompts on first launch. - edge-policies-panel-oblibeny-vyhledavac: FavoritesBarEnabled=1 (always show), DefaultSearchProviderEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines removes other providers. - edge-policies-tlacitka-zobrazit: DownloadsButtonEnabled=1, HistoryButtonEnabled=1. - edge-policies-tlacitka-skryt: HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0. - edge-policies-obsah-a-telemetrie: NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0. + zakaz-smart-app-control: HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState = 0. Disables Windows 11 Smart App Control (Intelligent App Control). Prevents SAC from blocking unrecognized business software during deployment. 0=Off, 1=Evaluation, 2=Enforcing. Setting to 0 is permanent - cannot be re-enabled without OS reset. 
+ zakaz-hibernace-powercfg-h-off: powercfg /hibernate off. Disables hibernation entirely. Removes hiberfil.sys, prevents hibernate-related power state issues, and ensures clean shutdown behavior on business machines. + edge-skryt-first-run-experience: HideFirstRunExperience=1 + DefaultBrowserSettingEnabled=0 (Mandatory). Suppresses Edge welcome wizard and default browser prompts on first launch. + edge-telemetrie-mandatory: DiagnosticData=0, FeedbackSurveysEnabled=0 (Mandatory). Telemetry and feedback always off - user cannot change. + edge-initial-preferences: Writes C:\Program Files (x86)\Microsoft\Edge\Application\initial_preferences. Sets Edge UI defaults (clean NTP, favorites bar visible, home button hidden, search suggestions off) that the user can freely override in Edge settings. Read by Edge once on first profile creation. onedrive-uninstall-intentional: Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed. powercfg-nastaveni-spotreba-energie: powercfg /change: standby-timeout-ac 0 (never sleep on AC), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). Applied to active power plan. proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents MITM via rogue WPAD on untrusted networks. 
@@ -283,69 +283,99 @@ if (Get-Feature $Config "systemRegistry" "systemTweaks") { # Start menu - hide Recommended section (Win11) Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` -Name "HideRecommendedSection" -Value 1 + + # Disable Smart App Control (Intelligent App Control) - Win11 only key, safe to set on Win10 + # 0=Off, 1=Evaluation, 2=Enforcing. Protected key - Set-Reg SYSTEM task fallback handles ACL. + Set-Reg -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" ` + -Name "VerifiedAndReputablePolicyState" -Value 0 } else { Write-Log "systemTweaks feature disabled - skipping" -Level INFO } # ----------------------------------------------------------------------- -# Microsoft Edge policies +# Microsoft Edge policies + initial_preferences +# +# Strategy (two-tier): +# Mandatory GPO - only privacy/first-run items (user cannot change) +# initial_preferences - all UI defaults (user CAN change freely in Edge settings) +# +# initial_preferences is read by Edge ONCE when a new user profile is created. +# It has no effect on profiles that already exist (i.e. Edge was already launched). +# For a clean deployment where xetup runs before any user opens Edge this is reliable. 
# ----------------------------------------------------------------------- if (Get-Feature $Config "systemRegistry" "edgePolicies") { Write-Log " Applying Edge policies" -Level INFO - $edgeMandatory = "HKLM:\SOFTWARE\Policies\Microsoft\Edge" - $edgeRecommended = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended" + $edgeMandatory = "HKLM:\SOFTWARE\Policies\Microsoft\Edge" - # --- Mandatory (user cannot override, locked in Edge UI) --- - # First run / default browser nag + # --- Mandatory: privacy and first-run suppression only --- Set-Reg -Path $edgeMandatory -Name "HideFirstRunExperience" -Value 1 Set-Reg -Path $edgeMandatory -Name "DefaultBrowserSettingEnabled" -Value 0 + Set-Reg -Path $edgeMandatory -Name "DiagnosticData" -Value 0 + Set-Reg -Path $edgeMandatory -Name "FeedbackSurveysEnabled" -Value 0 - # Telemetry / feedback - always off - Set-Reg -Path $edgeMandatory -Name "DiagnosticData" -Value 0 - Set-Reg -Path $edgeMandatory -Name "FeedbackSurveysEnabled" -Value 0 - - # Disable desktop shortcut on install/update + # Suppress desktop shortcut creation on Edge install/update (EdgeUpdate key) Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate" ` -Name "CreateDesktopShortcutDefault" -Value 0 - # --- Recommended (sets default, user can change in Edge settings) --- - # New tab page - clean defaults - Set-Reg -Path $edgeRecommended -Name "NewTabPageContentEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "NewTabPageQuickLinksEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "NewTabPageBackgroundEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "NewTabPageAllowedBackgroundTypes" -Value 3 - Set-Reg -Path $edgeRecommended -Name "ShowRecommendationsEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "SpotlightExperiencesAndRecommendationsEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "PersonalizationReportingEnabled" -Value 0 + # --- initial_preferences: UI defaults the user can override --- + # Path: Edge Application dir 
(stable channel on x64 Windows) + $edgeAppDir = "C:\Program Files (x86)\Microsoft\Edge\Application" + $edgeInitPrefPath = "$edgeAppDir\initial_preferences" - # Shopping / rewards / sidebar - Set-Reg -Path $edgeRecommended -Name "EdgeShoppingAssistantEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "ShowMicrosoftRewards" -Value 0 - Set-Reg -Path $edgeRecommended -Name "HubsSidebarEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "EdgeCollectionsEnabled" -Value 0 + if (Test-Path $edgeAppDir) { + # Build JSON as hashtable - ConvertTo-Json handles serialization + $prefs = [ordered]@{ + # Favorites bar always visible + bookmark_bar = [ordered]@{ show_on_all_tabs = $true } - # Search suggestions / import - Set-Reg -Path $edgeRecommended -Name "SearchSuggestEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "ImportOnEachLaunch" -Value 0 + browser = [ordered]@{ + show_home_button = $false # hide home button + } - # Toolbar buttons - show - Set-Reg -Path $edgeRecommended -Name "FavoritesBarEnabled" -Value 1 - Set-Reg -Path $edgeRecommended -Name "DownloadsButtonEnabled" -Value 1 - Set-Reg -Path $edgeRecommended -Name "HistoryButtonEnabled" -Value 1 - Set-Reg -Path $edgeRecommended -Name "PerformanceButtonEnabled" -Value 1 + # Disable search-as-you-type suggestions (privacy + less noise) + search = [ordered]@{ suggest_enabled = $false } - # Toolbar buttons - hide - Set-Reg -Path $edgeRecommended -Name "HomeButtonEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "SplitScreenEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "EdgeEDropEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "WebCaptureEnabled" -Value 0 - Set-Reg -Path $edgeRecommended -Name "ShareAllowed" -Value 0 + # First-run / import suppression (belt-and-suspenders alongside Mandatory policy) + distribution = [ordered]@{ + suppress_first_run_default_browser_prompt = $true + skip_first_run_ui = $true + do_not_create_desktop_shortcut = $true + make_chrome_default = $false + 
import_bookmarks = $false + import_history = $false + import_home_page = $false + import_search_engine = $false + show_welcome_page = $false + } - # Default search engine: Google - Set-Reg -Path $edgeRecommended -Name "DefaultSearchProviderEnabled" -Value 1 -Type "DWord" - Set-Reg -Path $edgeRecommended -Name "DefaultSearchProviderName" -Value "Google" -Type "String" - Set-Reg -Path $edgeRecommended -Name "DefaultSearchProviderSearchURL" ` - -Value "https://www.google.com/search?q={searchTerms}" -Type "String" + # No first-run tabs (e.g. Edge welcome page) + first_run_tabs = @() + + # Edge-specific defaults (best-effort: key names are internal/semi-documented) + # These set sane defaults; if Edge ignores an unknown key it is a no-op. + edge = [ordered]@{ + newTabPageContentEnabled = $false # clean new tab page + newTabPageQuickLinksEnabled = $false # no quick links on NTP + newTabPageBackgroundEnabled = $false # no background image on NTP + showMicrosoftRewards = $false # no rewards badge + collections_enabled = $false # no Collections + shopping_list_enabled = $false # no shopping assistant + share_experience_enabled = $false # no Share button + } + } + + try { + $json = $prefs | ConvertTo-Json -Depth 6 + $utf8 = New-Object System.Text.UTF8Encoding $false # no BOM + [System.IO.File]::WriteAllText($edgeInitPrefPath, $json, $utf8) + Write-Log " Edge initial_preferences written: $edgeInitPrefPath" -Level OK + } + catch { + Write-Log " Failed to write Edge initial_preferences: $_" -Level WARN + } + } else { + Write-Log " Edge application dir not found - initial_preferences skipped" -Level WARN + } } else { Write-Log "edgePolicies feature disabled - skipping" -Level INFO } 
@@ -390,6 +420,14 @@ if (Get-Feature $Config "systemRegistry" "oneDriveUninstall") { if (Get-Feature $Config "systemRegistry" "powercfg") { Write-Log " Applying power configuration" -Level INFO + # Disable hibernation (removes hiberfil.sys, prevents hibernate-related power issues) + $hibResult = & powercfg /hibernate off 2>&1 + if ($LASTEXITCODE -eq 0) { + Write-Log " powercfg /hibernate off" -Level OK + } else { + Write-Log " powercfg /hibernate off failed: $hibResult" -Level WARN + } + $powercfgArgs = @( @("/change", "standby-timeout-ac", "0"), # never sleep on AC @("/change", "monitor-timeout-ac", "60"), # screen off after 60 min on AC diff --git a/web/spec/index.html b/web/spec/index.html index 59b5865..eb4cef9 100644 --- a/web/spec/index.html +++ b/web/spec/index.html 
@@ -631,17 +631,13 @@ Hesla bez expirace (net accounts /maxpwage:UNLIMITED)OK Casova zona: Central Europe Standard TimeOK Zakaz GameDVROK - Edge – skryt First Run Experience + zakaz default browser promptHideFirstRunExperience=1, DefaultBrowserSettingEnabled=0 - Edge policies – panel oblibeny, vyhledavac GoogleFavoritesBarEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines - Edge policies – tlacitka zobrazit (Historie, Stahnout)DownloadsButtonEnabled=1, HistoryButtonEnabled=1 - Edge policies – tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0 - Edge policies – obsah a telemetrieNewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, … + Zakaz Smart App Control (Intelligent App Control)HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState = 0. Permanentni – bez reset OS nelze zapnout zpet. + Zakaz hibernace (powercfg /hibernate off)Odstrani hiberfil.sys, predchazi problemum s power stavy pri deployi + Edge – Mandatory: zakaz First Run, telemetrieHideFirstRunExperience=1, DefaultBrowserSettingEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0. Uzivatel nemuze zmenit. + Edge – initial_preferences: UI defaults (uzivatel muze zmenit)Zapise C:\Program Files (x86)\Microsoft\Edge\Application\initial_preferences. Edge precte jednou pri prvnim vytvoreni profilu. Nastavuje: oblibene vzdy viditelne, skryt Home, zakaz navrhu vyhledavani, cisty NTP, zakaz nakupniho asistenta, odmen a kolekci. OneDrive uninstall (intentional)OneDriveSetup.exe /uninstall – odstrani pre-installed verzi. M365 si nainstaluje vlastni. 
- Powercfg nastaveni (spotreba energie)standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15 + Powercfg nastaveni (spotreba energie)hibernate off; standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15 Proxy auto-detect zakaz (AutoDetect = 0)HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - Edge nova karta – zakaz rychlych odkazuNewTabPageQuickLinksEnabled = 0 - Edge nova karta – zakaz pozadiNewTabPageBackgroundEnabled = 0 - Edge nova karta – zakaz obsahu / feeduNewTabPageAllowedBackgroundTypes = 3 (pouze plna barva)
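Review bot: In the SPEC.md hunk, the permanent Smart App Control disable is listed under **systemTweaks** next to cosmetic items (Widgets, GameDVR, Copilot search), so anyone enabling the toggle for the cosmetic cleanup also gets an irreversible downgrade of application control. Give it its own feature flag (for example a dedicated `smartAppControl` section, off by default) and state in the SPEC line that it removes SAC's blocking of unsigned or low-reputation executables for the life of the install, not just that it is "permanent".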
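Review bot: The `edge-initial-preferences` doc entry in the `@@ -18,11 +18,11 @@` hunk hardcodes `C:\Program Files (x86)\Microsoft\Edge\Application` but does not say what happens when Edge is not there (per-user or non-standard installs), nor that the file only takes effect if no user has launched Edge before the script runs; both conditions are handled in the code (WARN and skip, "read once on first profile creation") but a technician reading only this header will assume the UI defaults always land. Add one sentence covering the ordering requirement and the skip-with-warning behaviour, and for `zakaz-smart-app-control` add that the "0=Off" value also disables the protection SAC provides, so the entry reads as a documented trade-off rather than a tweak.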
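Review bot: In the `@@ -283,69 +283,99 @@` hunk, the `edge = [ordered]@{ ... }` section of `$prefs` is built from keys the comment itself calls "internal/semi-documented" (`newTabPageContentEnabled`, `showMicrosoftRewards`, `collections_enabled`, ...), and the mixed camelCase/snake_case naming suggests they were not taken from a single reference; an unknown key is a silent no-op, so the "clean NTP, no rewards/shopping/collections" defaults promised in SPEC.md may never be applied and nothing will log it. Either cite the Edge initial_preferences documentation for each key, or drop the unverified ones and keep the `distribution`, `bookmark_bar`, `browser` and `search` blocks, which are standard Chromium master-preferences keys. Secondary: the header comment says "where xetup runs before any user opens Edge"; if that is not the project name it is a typo for "setup".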
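Review bot: In the `@@ -390,6 +420,14 @@` hunk, `$hibResult = & powercfg /hibernate off 2>&1` relies on `$LASTEXITCODE` alone; if the script runs with `$ErrorActionPreference = 'Stop'`, Windows PowerShell 5.1 can turn any stderr output captured through `2>&1` into a terminating NativeCommandError before the `if` is reached, and a missing executable throws as well. Wrap the call in `try { ... } catch { Write-Log ... -Level WARN }` the same way the initial_preferences write is handled a few lines earlier. Also worth a comment here (and in SPEC.md): `powercfg /hibernate off` removes hiberfil.sys and therefore also disables Fast Startup, which is a behaviour change some users will notice at boot.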
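Review bot: In the `web/spec/index.html` hunk, hibernation is now documented twice: once as its own row ("Zakaz hibernace (powercfg /hibernate off)") and again inside the "Powercfg nastaveni (spotreba energie)" row ("hibernate off; standby-ac 0, ..."). Keep one of them so the table does not drift when the setting changes; the dedicated row is the better candidate since it carries the rationale. The Smart App Control row states only that the change is permanent ("bez reset OS nelze zapnout zpet"); add the reason from the script doc (prevents SAC blocking unrecognized business software) so the table and the `zakaz-smart-app-control` entry in `03-system-registry.ps1` say the same thing.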