Fix all remaining mustfix items + Edge policies

00-admin-account: empty password (SecureString), FullName via ADSI SetInfo()
07-backinfo: new script replacing 07-desktop-info - copies assets, sets
  registry OSName, creates Startup shortcut, launches BackInfo immediately
Deploy-Windows.ps1: step 7 now calls 07-backinfo.ps1 (desktopInfo->backinfo)
03-system-registry: full Edge policy set - favorites bar, Google search,
  show/hide toolbar buttons per spec, telemetry/content policies, removed
  old Edge policies TODO note
web/spec: step-00 OK, step-07 OK, step-03 Edge rows updated

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
X9 Dev 2026-04-16 09:45:49 +02:00
parent f5a5de943a
commit 108a22e7cb
7 changed files with 244 additions and 47 deletions


@ -107,7 +107,7 @@ $stepsEnabled = @{
defaultProfile = $true defaultProfile = $true
personalization = $true personalization = $true
scheduledTasks = $true scheduledTasks = $true
desktopInfo = $true backinfo = $true
activation = $true activation = $true
} }
if ($Config -and $Config.steps) { if ($Config -and $Config.steps) {
@ -200,13 +200,13 @@ if ($stepsEnabled['scheduledTasks']) {
} else { Skip-Step "Step 6 - Scheduled tasks" } } else { Skip-Step "Step 6 - Scheduled tasks" }
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Step 7 - DesktopInfo # Step 7 - BackInfo
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
if ($stepsEnabled['desktopInfo']) { if ($stepsEnabled['backinfo']) {
Invoke-Step -Name "Step 7 - DesktopInfo" -Action { Invoke-Step -Name "Step 7 - BackInfo" -Action {
& "$ScriptRoot\scripts\07-desktop-info.ps1" -Config $Config -LogFile $LogFile & "$ScriptRoot\scripts\07-backinfo.ps1" -Config $Config -LogFile $LogFile
} }
} else { Skip-Step "Step 7 - DesktopInfo" } } else { Skip-Step "Step 7 - BackInfo" }
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Summary # Summary


@ -31,21 +31,20 @@ function Write-Log {
} }
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Read account config # Account config - no password by design
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
$accountName = "adminx9" $accountName = "adminx9"
$accountPass = "AdminX9.AdminX9"
$accountDesc = "X9 MSP admin account" $accountDesc = "X9 MSP admin account"
$accountFullName = "X9.cz s.r.o."
if ($Config -and $Config.adminAccount) { if ($Config -and $Config.adminAccount) {
if ($Config.adminAccount.username) { $accountName = $Config.adminAccount.username } if ($Config.adminAccount.username) { $accountName = $Config.adminAccount.username }
if ($Config.adminAccount.password) { $accountPass = $Config.adminAccount.password }
if ($Config.adminAccount.description) { $accountDesc = $Config.adminAccount.description }
} }
Write-Log "Creating admin account: $accountName" -Level INFO Write-Log "Creating admin account: $accountName" -Level INFO
$securePass = ConvertTo-SecureString $accountPass -AsPlainText -Force # Empty password - account is hidden from login screen, no password needed
$emptyPass = [System.Security.SecureString]::new()
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Create or update account # Create or update account
@ -53,9 +52,9 @@ $securePass = ConvertTo-SecureString $accountPass -AsPlainText -Force
$existing = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue $existing = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue
if ($existing) { if ($existing) {
Write-Log " Account already exists - updating password" -Level INFO Write-Log " Account already exists - clearing password" -Level INFO
try { try {
Set-LocalUser -Name $accountName -Password $securePass -PasswordNeverExpires $true Set-LocalUser -Name $accountName -Password $emptyPass -PasswordNeverExpires $true
Enable-LocalUser -Name $accountName Enable-LocalUser -Name $accountName
Write-Log " Account updated: $accountName" -Level OK Write-Log " Account updated: $accountName" -Level OK
} }
@ -65,7 +64,7 @@ if ($existing) {
} else { } else {
try { try {
New-LocalUser -Name $accountName ` New-LocalUser -Name $accountName `
-Password $securePass ` -Password $emptyPass `
-Description $accountDesc ` -Description $accountDesc `
-PasswordNeverExpires ` -PasswordNeverExpires `
-UserMayNotChangePassword ` -UserMayNotChangePassword `
@ -77,6 +76,19 @@ if ($existing) {
} }
} }
# -----------------------------------------------------------------------
# Set FullName via ADSI
# -----------------------------------------------------------------------
try {
$adsiUser = [ADSI]"WinNT://./$accountName,user"
$adsiUser.FullName = $accountFullName
$adsiUser.SetInfo()
Write-Log " FullName set to: $accountFullName" -Level OK
}
catch {
Write-Log " Failed to set FullName: $_" -Level ERROR
}
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Add to Administrators group # Add to Administrators group
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
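Review bot: The new side enables `$accountName` with an empty `SecureString` (`$emptyPass`, passed to both `Set-LocalUser` and `New-LocalUser`), and the next block adds it to Administrators, so every deployed machine carries a passwordless local administrator under a predictable name. The added comment treats hiding the account from the sign-in screen as the control, but that only changes what the screen lists, not whether the account can authenticate. Protection then rests on the OS policy that limits blank-password accounts to console logon, which this script neither sets nor verifies. `Set-LocalUser -Password $emptyPass` is also likely to fail wherever a minimum password length or complexity policy is in force. Consider a random per-machine password escrowed by the management tooling (for example Windows LAPS), or keep the account disabled until it is needed, e.g. `Disable-LocalUser -Name $accountName` in place of `Enable-LocalUser -Name $accountName`; the create/update block starts and ends outside these hunks.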


@ -18,9 +18,12 @@
hesla-bez-expirace-net-accounts-maxpwage: net accounts /maxpwage:UNLIMITED. Sets the local password expiration policy to never. MSP-managed machines handle password rotation via other means (Atera, domain policy, manual). hesla-bez-expirace-net-accounts-maxpwage: net accounts /maxpwage:UNLIMITED. Sets the local password expiration policy to never. MSP-managed machines handle password rotation via other means (Atera, domain policy, manual).
casova-zona-central-europe-standard-time: Set-TimeZone -Id "Central Europe Standard Time". UTC+1 (UTC+2 in summer DST). Applied system-wide. Critical for correct log timestamps, scheduled task timing, and calendar sync. casova-zona-central-europe-standard-time: Set-TimeZone -Id "Central Europe Standard Time". UTC+1 (UTC+2 in summer DST). Applied system-wide. Critical for correct log timestamps, scheduled task timing, and calendar sync.
zakaz-gamedvr: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR\AppCaptureEnabled = 0. Disables Xbox Game Bar screen capture overlay. Reduces background resource usage and eliminates unintended capture prompts on business machines. zakaz-gamedvr: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR\AppCaptureEnabled = 0. Disables Xbox Game Bar screen capture overlay. Reduces background resource usage and eliminates unintended capture prompts on business machines.
edge-skryt-first-run-experience: HKLM\SOFTWARE\Policies\Microsoft\Edge\HideFirstRunExperience = 1. Suppresses the Edge welcome wizard (import from other browser, default browser prompt, etc.) for every user on first launch. edge-skryt-first-run-experience: HideFirstRunExperience=1 + DefaultBrowserSettingEnabled=0. Suppresses Edge welcome wizard and default browser prompts on first launch.
edge-policies-panel-oblibeny-vyhledavac: FavoritesBarEnabled=1 (always show), DefaultSearchProviderEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines removes other providers.
edge-policies-tlacitka-zobrazit: DownloadsButtonEnabled=1, HistoryButtonEnabled=1.
edge-policies-tlacitka-skryt: HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0.
edge-policies-obsah-a-telemetrie: NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0.
onedrive-uninstall-intentional: Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed. onedrive-uninstall-intentional: Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.
edge-policies-doplnit-15-dalsich-klicu: Missing Edge policies to add under HKLM\SOFTWARE\Policies\Microsoft\Edge: DefaultBrowserSettingEnabled=0, NewTabPageContentEnabled=0, ImportOnEachLaunch=0, ShowRecommendationsEnabled=0, PersonalizationReportingEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, HubsSidebarEnabled=0, ShowMicrosoftRewards=0, SearchSuggestEnabled=0, DiagnosticData=0.
powercfg-nastaveni-spotreba-energie: powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). powercfg-nastaveni-spotreba-energie: powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).
proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks. proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks.
#> #>
@ -230,12 +233,59 @@ Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Dsh" `
-Name "AllowNewsAndInterests" -Value 0 -Name "AllowNewsAndInterests" -Value 0
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Microsoft Edge - hide First Run Experience # Microsoft Edge policies
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" ` $edgePath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
-Name "HideFirstRunExperience" -Value 1
# Also disable Edge desktop shortcut creation after install # UI / first run
Set-Reg -Path $edgePath -Name "HideFirstRunExperience" -Value 1
Set-Reg -Path $edgePath -Name "DefaultBrowserSettingEnabled" -Value 0
# New tab page / recommendations
Set-Reg -Path $edgePath -Name "NewTabPageContentEnabled" -Value 0
Set-Reg -Path $edgePath -Name "ShowRecommendationsEnabled" -Value 0
Set-Reg -Path $edgePath -Name "SpotlightExperiencesAndRecommendationsEnabled" -Value 0
Set-Reg -Path $edgePath -Name "PersonalizationReportingEnabled" -Value 0
# Shopping / rewards / sidebar
Set-Reg -Path $edgePath -Name "EdgeShoppingAssistantEnabled" -Value 0
Set-Reg -Path $edgePath -Name "ShowMicrosoftRewards" -Value 0
Set-Reg -Path $edgePath -Name "HubsSidebarEnabled" -Value 0
# Search suggestions
Set-Reg -Path $edgePath -Name "SearchSuggestEnabled" -Value 0
Set-Reg -Path $edgePath -Name "ImportOnEachLaunch" -Value 0
# Telemetry / feedback
Set-Reg -Path $edgePath -Name "DiagnosticData" -Value 0
Set-Reg -Path $edgePath -Name "FeedbackSurveysEnabled" -Value 0
Set-Reg -Path $edgePath -Name "EdgeCollectionsEnabled" -Value 0
# Toolbar buttons - show
Set-Reg -Path $edgePath -Name "FavoritesBarEnabled" -Value 1 # Favorites bar always visible
Set-Reg -Path $edgePath -Name "DownloadsButtonEnabled" -Value 1
Set-Reg -Path $edgePath -Name "HistoryButtonEnabled" -Value 1
Set-Reg -Path $edgePath -Name "PerformanceButtonEnabled" -Value 1 # Sleeping Tabs / Performance
# Toolbar buttons - hide
Set-Reg -Path $edgePath -Name "HomeButtonEnabled" -Value 0
Set-Reg -Path $edgePath -Name "SplitScreenEnabled" -Value 0
Set-Reg -Path $edgePath -Name "EdgeEDropEnabled" -Value 0 # Drop
Set-Reg -Path $edgePath -Name "WebCaptureEnabled" -Value 0 # Screenshot
Set-Reg -Path $edgePath -Name "ShareAllowed" -Value 0 # Share
# Default search engine: Google
# SearchProviderEnabled must be 1, SearchProviderName + URL set the provider
Set-Reg -Path $edgePath -Name "DefaultSearchProviderEnabled" -Value 1 -Type "DWord"
Set-Reg -Path $edgePath -Name "DefaultSearchProviderName" -Value "Google" -Type "String"
Set-Reg -Path $edgePath -Name "DefaultSearchProviderSearchURL" `
-Value "https://www.google.com/search?q={searchTerms}" -Type "String"
# Remove other search engines (empty list = no other providers besides default)
Set-Reg -Path $edgePath -Name "ManagedSearchEngines" `
-Value '[{"is_default":true,"name":"Google","search_url":"https://www.google.com/search?q={searchTerms}","keyword":"google.com"}]' `
-Type "String"
# Disable desktop shortcut on install/update
Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate" ` Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate" `
-Name "CreateDesktopShortcutDefault" -Value 0 -Name "CreateDesktopShortcutDefault" -Value 0
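Review bot: Two added comments in the search-provider block do not match the code beneath them. `# SearchProviderEnabled must be 1` names a policy that is not written anywhere here (the value set is `DefaultSearchProviderEnabled`), and `# Remove other search engines (empty list = ...)` sits above a `ManagedSearchEngines` value that is a one-entry list, not an empty one. Suggested wording: `# DefaultSearchProviderEnabled must be 1; Name + SearchURL define the provider` and `# Managed list contains only Google, marked is_default`. `ImportOnEachLaunch` is also filed under `# Search suggestions`, and `PerformanceButtonEnabled` and `DefaultSearchProviderSearchURL` are set but missing from the `.ITEMS` header. As far as I recall, Microsoft's Edge policy reference restricts the default-search-provider policies to domain-joined or MDM-enrolled Windows devices, so on a workgroup machine it is worth confirming in `edge://policy` that they take effect.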

126
scripts/07-backinfo.ps1 Normal file

@ -0,0 +1,126 @@
<#
.SYNOPSIS
Deploys BackInfo.exe to C:\Program Files\Backinfo\ and configures auto-start.
.DESCRIPTION
Copies the BackInfo folder from assets to Program Files, writes the OS name
to the registry (HKLM\SOFTWARE\BackInfo\OSName) so BackInfo can display it,
and creates a Startup shortcut so BackInfo launches on every user logon.
BackInfo renders a BMP wallpaper overlay with hostname, username, OS, HW info,
and network info - configured via BackInfo.ini.
.ITEMS
kopirovat-assets-backinfo-do-program-fil: Copies all files from assets\Backinfo\ to C:\Program Files\Backinfo\. Includes BackInfo.exe, BackInfo.ini, and backinfo_W11.ps1. Creates the target directory if it does not exist.
registry-osname-hklm-software-backinfo: Detects Windows build number and edition, writes OSName string to HKLM\SOFTWARE\BackInfo\OSName (and WOW6432Node). BackInfo.ini references %OSName% to display the correct OS on the wallpaper.
startup-shortcut-backinfo-exe: Creates a shortcut at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\BackInfo.lnk pointing to C:\Program Files\Backinfo\BackInfo.exe. Ensures BackInfo starts for every user on logon.
07-desktop-info-ps1-smazat-nahrazeno: 07-desktop-info.ps1 is superseded by this script. BackInfo.exe is the preferred approach - stable on Win10 and Win11, configurable via INI, already present in assets.
#>
param(
[object]$Config,
[string]$LogFile
)
$ErrorActionPreference = "Continue"
function Write-Log {
param([string]$Message, [string]$Level = "INFO")
$line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
Add-Content -Path $LogFile -Value $line -Encoding UTF8
}
# -----------------------------------------------------------------------
# Copy BackInfo assets to Program Files
# -----------------------------------------------------------------------
$assetsBackinfo = Join-Path $PSScriptRoot "..\assets\Backinfo"
$destBackinfo = "C:\Program Files\Backinfo"
Write-Log "Deploying BackInfo to $destBackinfo" -Level INFO
if (-not (Test-Path $assetsBackinfo)) {
Write-Log " Assets not found: $assetsBackinfo" -Level ERROR
exit 1
}
try {
if (-not (Test-Path $destBackinfo)) {
New-Item -ItemType Directory -Path $destBackinfo -Force | Out-Null
}
Copy-Item -Path "$assetsBackinfo\*" -Destination $destBackinfo -Recurse -Force
Write-Log " Copied BackInfo assets to $destBackinfo" -Level OK
}
catch {
Write-Log " Failed to copy BackInfo assets: $_" -Level ERROR
exit 1
}
# -----------------------------------------------------------------------
# Detect OS name and write to registry (BackInfo reads this via %OSName%)
# -----------------------------------------------------------------------
Write-Log "Detecting OS for BackInfo registry" -Level INFO
try {
$cvPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$cv = Get-ItemProperty -Path $cvPath
$build = [int]$cv.CurrentBuild
$osBase = if ($build -ge 22000) { "Windows 11" } else { "Windows 10" }
$edition = switch ($cv.EditionID) {
"Professional" { "Pro" }
"ProfessionalN" { "Pro N" }
"Core" { "Home" }
"CoreN" { "Home N" }
"Enterprise" { "Enterprise" }
"Education" { "Education" }
default { $cv.EditionID }
}
$osName = "$osBase $edition"
foreach ($regPath in @("HKLM:\SOFTWARE\BackInfo", "HKLM:\SOFTWARE\WOW6432Node\BackInfo")) {
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name "OSName" -Value $osName -Type String -Force
}
Write-Log " OSName set to: $osName" -Level OK
}
catch {
Write-Log " Failed to set BackInfo registry: $_" -Level ERROR
}
# -----------------------------------------------------------------------
# Create Startup shortcut for all users
# -----------------------------------------------------------------------
Write-Log "Creating BackInfo startup shortcut" -Level INFO
try {
$backInfoExe = "$destBackinfo\BackInfo.exe"
$shortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\BackInfo.lnk"
$wsh = New-Object -ComObject WScript.Shell
$shortcut = $wsh.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $backInfoExe
$shortcut.WorkingDirectory = $destBackinfo
$shortcut.Description = "BackInfo system info wallpaper"
$shortcut.Save()
Write-Log " Startup shortcut created: $shortcutPath" -Level OK
}
catch {
Write-Log " Failed to create startup shortcut: $_" -Level ERROR
}
# -----------------------------------------------------------------------
# Launch BackInfo now to render initial wallpaper
# -----------------------------------------------------------------------
Write-Log "Launching BackInfo for initial render" -Level INFO
try {
Start-Process -FilePath "$destBackinfo\BackInfo.exe" -ErrorAction Stop
Write-Log " BackInfo launched" -Level OK
}
catch {
Write-Log " BackInfo launch failed (non-fatal): $_" -Level WARN
}
Write-Log "Step 7 complete" -Level OK
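Review bot: `BackInfo.exe` is copied into Program Files, registered in the all-users Startup folder and launched from the deployment session with no check that the binary in `assets\Backinfo` is the build that was vetted. Because it will then run at every logon, administrator sessions included, the copy should be gated on a pinned SHA-256, or on an Authenticode check if the file is signed. Separately, with `$ErrorActionPreference = "Continue"` a non-terminating `Copy-Item` error never reaches the `catch`, so the script can log `Copied BackInfo assets` and go on to create a shortcut to a missing or stale file; `-ErrorAction Stop` on the copy closes that gap. The hash in the sketch below is a placeholder to be filled in from the approved build.

```powershell
try {
    # Placeholder - replace with the SHA-256 of the approved BackInfo.exe build
    $expectedSha256 = '<SHA256-OF-APPROVED-BACKINFO-EXE>'
    $srcExe = Join-Path $assetsBackinfo 'BackInfo.exe'
    $actualSha256 = (Get-FileHash -Path $srcExe -Algorithm SHA256 -ErrorAction Stop).Hash
    if ($actualSha256 -ne $expectedSha256) {
        Write-Log "  BackInfo.exe hash mismatch (got $actualSha256)" -Level ERROR
        exit 1
    }
    # ... unchanged: create $destBackinfo if it does not exist ...
    Copy-Item -Path "$assetsBackinfo\*" -Destination $destBackinfo -Recurse -Force -ErrorAction Stop
    # ... unchanged: success log line and catch block ...
```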


@ -47,9 +47,12 @@
"hesla-bez-expirace-net-accounts-maxpwage": "net accounts /maxpwage:UNLIMITED. Sets the local password expiration policy to never. MSP-managed machines handle password rotation via other means (Atera, domain policy, manual).", "hesla-bez-expirace-net-accounts-maxpwage": "net accounts /maxpwage:UNLIMITED. Sets the local password expiration policy to never. MSP-managed machines handle password rotation via other means (Atera, domain policy, manual).",
"casova-zona-central-europe-standard-time": "Set-TimeZone -Id \"Central Europe Standard Time\". UTC+1 (UTC+2 in summer DST). Applied system-wide. Critical for correct log timestamps, scheduled task timing, and calendar sync.", "casova-zona-central-europe-standard-time": "Set-TimeZone -Id \"Central Europe Standard Time\". UTC+1 (UTC+2 in summer DST). Applied system-wide. Critical for correct log timestamps, scheduled task timing, and calendar sync.",
"zakaz-gamedvr": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR\\AppCaptureEnabled = 0. Disables Xbox Game Bar screen capture overlay. Reduces background resource usage and eliminates unintended capture prompts on business machines.", "zakaz-gamedvr": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR\\AppCaptureEnabled = 0. Disables Xbox Game Bar screen capture overlay. Reduces background resource usage and eliminates unintended capture prompts on business machines.",
"edge-skryt-first-run-experience": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\HideFirstRunExperience = 1. Suppresses the Edge welcome wizard (import from other browser, default browser prompt, etc.) for every user on first launch.", "edge-skryt-first-run-experience": "HideFirstRunExperience=1 + DefaultBrowserSettingEnabled=0. Suppresses Edge welcome wizard and default browser prompts on first launch.",
"edge-policies-panel-oblibeny-vyhledavac": "FavoritesBarEnabled=1 (always show), DefaultSearchProviderEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines removes other providers.",
"edge-policies-tlacitka-zobrazit": "DownloadsButtonEnabled=1, HistoryButtonEnabled=1.",
"edge-policies-tlacitka-skryt": "HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0.",
"edge-policies-obsah-a-telemetrie": "NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0.",
"onedrive-uninstall-intentional": "Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.", "onedrive-uninstall-intentional": "Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.",
"edge-policies-doplnit-15-dalsich-klicu": "Missing Edge policies to add under HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge: DefaultBrowserSettingEnabled=0, NewTabPageContentEnabled=0, ImportOnEachLaunch=0, ShowRecommendationsEnabled=0, PersonalizationReportingEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, HubsSidebarEnabled=0, ShowMicrosoftRewards=0, SearchSuggestEnabled=0, DiagnosticData=0.",
"powercfg-nastaveni-spotreba-energie": "powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).", "powercfg-nastaveni-spotreba-energie": "powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).",
"proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks." "proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks."
} }
@ -95,6 +98,16 @@
"pdf-defaultapp-pri-kazdem-logonu": "REMOVED. PDF default is set once during deployment (step 02) with UCPD service stopped. The scheduled task is no longer needed." "pdf-defaultapp-pri-kazdem-logonu": "REMOVED. PDF default is set once during deployment (step 02) with UCPD service stopped. The scheduled task is no longer needed."
} }
}, },
"07-backinfo": {
"synopsis": "Deploys BackInfo.exe to C:\\Program Files\\Backinfo\\ and configures auto-start.",
"description": "Copies the BackInfo folder from assets to Program Files, writes the OS name\nto the registry (HKLM\\SOFTWARE\\BackInfo\\OSName) so BackInfo can display it,\nand creates a Startup shortcut so BackInfo launches on every user logon.\nBackInfo renders a BMP wallpaper overlay with hostname, username, OS, HW info,\nand network info - configured via BackInfo.ini.",
"items": {
"kopirovat-assets-backinfo-do-program-fil": "Copies all files from assets\\Backinfo\\ to C:\\Program Files\\Backinfo\\. Includes BackInfo.exe, BackInfo.ini, and backinfo_W11.ps1. Creates the target directory if it does not exist.",
"registry-osname-hklm-software-backinfo": "Detects Windows build number and edition, writes OSName string to HKLM\\SOFTWARE\\BackInfo\\OSName (and WOW6432Node). BackInfo.ini references %OSName% to display the correct OS on the wallpaper.",
"startup-shortcut-backinfo-exe": "Creates a shortcut at C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\BackInfo.lnk pointing to C:\\Program Files\\Backinfo\\BackInfo.exe. Ensures BackInfo starts for every user on logon.",
"07-desktop-info-ps1-smazat-nahrazeno": "07-desktop-info.ps1 is superseded by this script. BackInfo.exe is the preferred approach - stable on Win10 and Win11, configurable via INI, already present in assets."
}
},
"07-desktop-info": { "07-desktop-info": {
"synopsis": "DEPRECATED - delete this script. Replaced by BackInfo.exe.", "synopsis": "DEPRECATED - delete this script. Replaced by BackInfo.exe.",
"description": "Original custom PowerShell approach to render system info onto the desktop wallpaper\nusing WPF (System.Windows.Media / System.Drawing). Superseded by BackInfo.exe which\nis already present in assets/Backinfo/ and handles Win10/Win11 natively.\nACTION REQUIRED: Delete this file. Add a BackInfo deployment step to the master script.", "description": "Original custom PowerShell approach to render system info onto the desktop wallpaper\nusing WPF (System.Windows.Media / System.Drawing). Superseded by BackInfo.exe which\nis already present in assets/Backinfo/ and handles Win10/Win11 natively.\nACTION REQUIRED: Delete this file. Add a BackInfo deployment step to the master script.",


@ -7,11 +7,12 @@ server {
location / { location / {
try_files $uri $uri/ $uri.html =404; try_files $uri $uri/ $uri.html =404;
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate" always;
add_header Pragma "no-cache" always;
add_header Expires "0" always;
add_header X-Content-Type-Options nosniff always;
} }
error_page 404 /404.html; error_page 404 /404.html;
# Disable caching during development
add_header Cache-Control "no-store";
add_header X-Content-Type-Options nosniff;
} }
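Review bot: Moving the `add_header` lines from `server` level into `location /` means any other `location` in this server block no longer sends `X-Content-Type-Options: nosniff` or the cache headers, because nginx inherits `add_header` from the enclosing level only when the current level defines none. No other location is visible in the hunk, and the server block starts outside it. Keeping the directives at server level and adding `always` there, e.g. `add_header X-Content-Type-Options nosniff always;`, would cover the 404 responses too without tying the headers to one location. The removed `# Disable caching during development` comment was the only explanation for `no-store`; if the no-cache policy is now meant to be permanent, a one-line comment saying so would help.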


@ -506,7 +506,7 @@
<div class="step-header"> <div class="step-header">
<span class="step-num">00</span> <span class="step-num">00</span>
<span class="step-title">Admin ucet (adminx9)</span> <span class="step-title">Admin ucet (adminx9)</span>
<span class="badge badge-mustfix">Must fix</span> <span class="badge badge-ok">OK</span>
</div> </div>
<div class="step-body"> <div class="step-body">
<table class="items"> <table class="items">
@ -514,8 +514,8 @@
<tr class="flag-done"><td>Pridat do skupiny Administrators</td><td>Hotovo</td></tr> <tr class="flag-done"><td>Pridat do skupiny Administrators</td><td>Hotovo</td></tr>
<tr class="flag-done"><td>Skryt z login obrazovky (SpecialAccounts\UserList = 0)</td><td>Hotovo</td></tr> <tr class="flag-done"><td>Skryt z login obrazovky (SpecialAccounts\UserList = 0)</td><td>Hotovo</td></tr>
<tr class="flag-done"><td>Heslo nevypirsi, uzivatel nesmeni heslo</td><td>Hotovo</td></tr> <tr class="flag-done"><td>Heslo nevypirsi, uzivatel nesmeni heslo</td><td>Hotovo</td></tr>
<tr class="flag-mustfix"><td>Zadne heslo (aktualne nastavovano z config.json)</td><td>Zmenit: ucet BEZ hesla (rozhodnuti)</td></tr> <tr class="flag-done"><td>Zadne heslo (aktualne nastavovano z config.json)</td><td>Opraveno &ndash; prazdny SecureString, config.json heslo odstranen</td></tr>
<tr class="flag-mustfix"><td>FullName = "X9.cz s.r.o." (via ADSI)</td><td>Chybi, doplnit</td></tr> <tr class="flag-done"><td>FullName = "X9.cz s.r.o." (via ADSI)</td><td>Opraveno &ndash; ADSI SetInfo() po vytvoreni uctu</td></tr>
</table> </table>
<div class="note"> <div class="note">
<strong>Proc bez hesla:</strong> Ucet je skryty pred uzivateli, slouzi pouze MSP adminstraci. <strong>Proc bez hesla:</strong> Ucet je skryty pred uzivateli, slouzi pouze MSP adminstraci.
@ -595,20 +595,15 @@
<tr class="flag-done"><td>Hesla bez expirace (<code>net accounts /maxpwage:UNLIMITED</code>)</td><td>OK</td></tr> <tr class="flag-done"><td>Hesla bez expirace (<code>net accounts /maxpwage:UNLIMITED</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>Casova zona: Central Europe Standard Time</td><td>OK</td></tr> <tr class="flag-done"><td>Casova zona: Central Europe Standard Time</td><td>OK</td></tr>
<tr class="flag-done"><td>Zakaz GameDVR</td><td>OK</td></tr> <tr class="flag-done"><td>Zakaz GameDVR</td><td>OK</td></tr>
<tr class="flag-done"><td>Edge &ndash; skryt First Run Experience</td><td>HKLM\Policies\Edge\HideFirstRunExperience = 1</td></tr> <tr class="flag-done"><td>Edge &ndash; skryt First Run Experience + zakaz default browser prompt</td><td>HideFirstRunExperience=1, DefaultBrowserSettingEnabled=0</td></tr>
<tr class="flag-done"><td>Edge policies &ndash; panel oblibeny, vyhledavac Google</td><td>FavoritesBarEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines</td></tr>
<tr class="flag-done"><td>Edge policies &ndash; tlacitka zobrazit (Historie, Stahnout)</td><td>DownloadsButtonEnabled=1, HistoryButtonEnabled=1</td></tr>
<tr class="flag-done"><td>Edge policies &ndash; tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)</td><td>HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0</td></tr>
<tr class="flag-done"><td>Edge policies &ndash; obsah a telemetrie</td><td>NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, &hellip;</td></tr>
<tr class="flag-done"><td>OneDrive uninstall (intentional)</td><td>OneDriveSetup.exe /uninstall &ndash; odstrani pre-installed verzi. M365 si nainstaluje vlastni.</td></tr> <tr class="flag-done"><td>OneDrive uninstall (intentional)</td><td>OneDriveSetup.exe /uninstall &ndash; odstrani pre-installed verzi. M365 si nainstaluje vlastni.</td></tr>
<tr class="flag-todo"><td>Edge policies &ndash; doplnit ~15 dalsich klicu</td><td>Viz seznam nize</td></tr>
<tr class="flag-todo"><td>Powercfg nastaveni (spotreba energie)</td><td>Pridat: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15</td></tr> <tr class="flag-todo"><td>Powercfg nastaveni (spotreba energie)</td><td>Pridat: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15</td></tr>
<tr class="flag-todo"><td>Proxy auto-detect zakaz (AutoDetect = 0)</td><td>HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</td></tr> <tr class="flag-todo"><td>Proxy auto-detect zakaz (AutoDetect = 0)</td><td>HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</td></tr>
</table> </table>
<div class="note">
<strong>Edge policies k doplneni:</strong>
DefaultBrowserSettingEnabled = 0, NewTabPageContentEnabled = 0,
ImportOnEachLaunch = 0, ShowRecommendationsEnabled = 0,
PersonalizationReportingEnabled = 0, SpotlightExperiencesAndRecommendationsEnabled = 0,
DiagnosticData = 0, EdgeShoppingAssistantEnabled = 0, EdgeCollectionsEnabled = 0,
HubsSidebarEnabled = 0, ShowMicrosoftRewards = 0, SearchSuggestEnabled = 0 a dalsi.
</div>
<div class="note"> <div class="note">
<strong>Powercfg prikazy:</strong><br> <strong>Powercfg prikazy:</strong><br>
<code>powercfg /change standby-timeout-ac 0</code> (neusne na nabijeni)<br> <code>powercfg /change standby-timeout-ac 0</code> (neusne na nabijeni)<br>
@ -712,15 +707,15 @@
<div class="step-header"> <div class="step-header">
<span class="step-num">07</span> <span class="step-num">07</span>
<span class="step-title">BackInfo (systemovy info na tapete)</span> <span class="step-title">BackInfo (systemovy info na tapete)</span>
<span class="badge badge-mustfix">Must fix</span> <span class="badge badge-ok">OK</span>
</div> </div>
<div class="step-body"> <div class="step-body">
<table class="items"> <table class="items">
<tr class="flag-mustfix"><td><code>07-desktop-info.ps1</code> SMAZAT &ndash; stary pristup</td><td>Nahradit deploym. krokem pro BackInfo.exe</td></tr> <tr class="flag-done"><td><code>07-desktop-info.ps1</code> SMAZAT &ndash; stary pristup</td><td>Nahrazeno novym <code>07-backinfo.ps1</code></td></tr>
<tr class="flag-mustfix"><td>Zkopirovat <code>assets/Backinfo/</code> do <code>C:\Program Files\Backinfo\</code></td><td>Pridat do master scriptu</td></tr> <tr class="flag-done"><td>Zkopirovat <code>assets/Backinfo/</code> do <code>C:\Program Files\Backinfo\</code></td><td>Implementovano v 07-backinfo.ps1</td></tr>
<tr class="flag-mustfix"><td>Spustit <code>backinfo_W11.ps1</code> (detekce OS, registry, Startup)</td><td>Pridat do master scriptu</td></tr> <tr class="flag-done"><td>Spustit <code>backinfo_W11.ps1</code> (detekce OS, registry, Startup)</td><td>Logika inlinovana v 07-backinfo.ps1</td></tr>
<tr class="flag-done"><td>BackInfo.exe v assets/Backinfo/ k dispozici</td><td>Hotovo &ndash; jen deploy krok chybi</td></tr> <tr class="flag-done"><td>BackInfo.exe v assets/Backinfo/ k dispozici</td><td>Hotovo</td></tr>
<tr class="flag-done"><td>BackInfo auto-start pri kazdem logonu via Startup shortcut</td><td>Zaridi backinfo_W11.ps1</td></tr> <tr class="flag-done"><td>BackInfo auto-start pri kazdem logonu via Startup shortcut</td><td>Shortcut do ProgramData\StartUp vytvori 07-backinfo.ps1</td></tr>
</table> </table>
<div class="note"> <div class="note">
<strong>BackInfo.ini konfiguruje:</strong> hostname (velky, centrovan), uzivatelske jmeno, <strong>BackInfo.ini konfiguruje:</strong> hostname (velky, centrovan), uzivatelske jmeno,
@ -730,7 +725,7 @@
</div> </div>
</div> </div>
<div class="step-footer"> <div class="step-footer">
<span class="step-status">Script: <code>07-desktop-info.ps1</code> (ke smazani) &rarr; novy inline krok v Deploy-Windows.ps1</span> <span class="step-status">Script: <code>07-backinfo.ps1</code></span>
<div class="comment-widget" data-issue="8"></div> <div class="comment-widget" data-issue="8"></div>
</div> </div>
</div> </div>
@ -1052,7 +1047,7 @@
'step-04': '04-default-profile', 'step-04': '04-default-profile',
'step-05': '05-personalization', 'step-05': '05-personalization',
'step-06': '06-scheduled-tasks', 'step-06': '06-scheduled-tasks',
'step-07': '07-desktop-info', 'step-07': '07-backinfo',
'step-08': '08-activation', 'step-08': '08-activation',
}; };