From 2f0e176e820c4be07b902c4321fbec5d118ec52e Mon Sep 17 00:00:00 2001 From: X9 Dev Date: Fri, 17 Apr 2026 12:36:12 +0200 Subject: [PATCH] docs: rewrite CLAUDE.md and SPEC.md to reflect current state Both files were significantly outdated - referencing deleted scripts (Deploy-Windows.ps1, 05-personalization, 06-scheduled-tasks, 07-desktop-info), wrong step ordering, completed TODOs listed as planned, and missing new features (email report, pre-flight checks, parallel winget, common.ps1). Rewritten from scratch based on actual current code state. No historical cruft, no "planned changes" that are already done. Co-Authored-By: Claude Sonnet 4.6 --- CLAUDE.md | 242 +++++++++++++++++++++-------------------- SPEC.md | 319 +++++++++++++++++------------------------------------- 2 files changed, 226 insertions(+), 335 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 51535cd..0c6ab36 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -2,14 +2,16 @@ ## Project context -MSP deployment script for X9.cz - automated preparation of new Windows 10/11 computers for clients. -Replaces ~3 hours of manual setup with a single PowerShell script (evolving toward Go TUI launcher). +MSP deployment tool for X9.cz - automated preparation of new Windows 10/11 computers. +Go GUI launcher (xetup.exe) embeds PowerShell scripts, runs them sequentially, handles +reboot cycles for Windows Update, and sends an email report when done. **Key parameters:** - Target OS: Windows 10 and Windows 11 (x64), including unsupported HW -- Execution: as Administrator on already-installed Windows (not WinPE/autounattend) +- Execution: as Administrator on already-installed Windows (not WinPE/autounattend, not OOBE) - Volume: ~20 machines per month, various clients - Operator: MSP technician on-site at client +- Entry point: xetup.exe only (no CLI script entry point) --- 
@@ -23,27 +25,76 @@ Replaces ~3 hours of manual setup with a single PowerShell script (evolving towa ## Repo structure ``` -windows-deployment-new/ +xetup/ ├── CLAUDE.md <- this file ├── SPEC.md <- technical specification -├── Deploy-Windows.ps1 <- master script (entry point) +├── embed.go <- embeds scripts/ and assets/ into binary +├── cmd/xetup/ +│ ├── main.go <- entry point: extract, load config, launch GUI +│ └── app.manifest <- Windows manifest (requireAdministrator) +├── internal/ +│ ├── config/config.go <- Config struct, Load/Save, DefaultConfig +│ ├── gui/gui.go <- Walk GUI: form → run → summary (3 phases) +│ ├── runner/runner.go <- sequential PS script executor with log streaming +│ ├── state/state.go <- JSON state file for reboot-resume persistence +│ ├── prereboot/ <- autologon + X9-Resume scheduled task for reboot cycle +│ ├── preflight/ <- pre-run checks (admin, winget, network, disk) +│ └── report/report.go <- HTML email report via SMTP2Go ├── scripts/ -│ ├── 00-admin-account.ps1 <- create hidden admin account +│ ├── common.ps1 <- shared functions (Write-Log, Get-Feature, Load-Config) +│ ├── 00-admin-account.ps1 <- create hidden admin account (adminx9, no password) │ ├── 01-bloatware.ps1 <- remove AppX, Capabilities, Features -│ ├── 02-software.ps1 <- winget installs + Adobe PDF default -│ ├── 03-system-registry.ps1 <- HKLM tweaks -│ ├── 04-default-profile.ps1 <- C:\Users\Default\NTUSER.DAT changes -│ ├── 05-personalization.ps1 <- colors, wallpaper, theme -│ ├── 06-scheduled-tasks.ps1 <- register scheduled tasks -│ ├── 07-desktop-info.ps1 <- TO BE DELETED (replaced by BackInfo) -│ └── 08-activation.ps1 <- Windows activation via slmgr +│ ├── 02-software.ps1 <- parallel winget installs + Adobe PDF default + Atera +│ ├── 03-system-registry.ps1 <- HKLM tweaks, Edge policies, OneDrive, powercfg +│ ├── 04-default-profile.ps1 <- NTUSER.DAT + HKCU + personalization (merged) +│ ├── 07-backinfo.ps1 <- deploy BackInfo.exe + startup shortcut +│ ├── 
08-activation.ps1 <- Windows activation (OA3 → config key → GVLK) +│ ├── 09-pc-identity.ps1 <- rename PC + C:\X9 folder (exit 9 on rename) +│ ├── 10-network.ps1 <- Private profile, ping, Network Discovery +│ ├── 11-dell-update.ps1 <- Dell Command | Update (auto-skip on non-Dell) +│ └── 12-windows-update.ps1 <- PSWindowsUpdate reboot cycle (exit 9) ├── config/ -│ └── config.json <- per-client config +│ └── config.json <- default config template ├── assets/ -│ ├── Backinfo/ <- BackInfo.exe + .ini + backinfo_W11.ps1 +│ ├── Backinfo/ <- BackInfo.exe + .ini │ └── Logo/ <- X9-ikona.ico, X9-logo.jpeg -└── tests/ - └── Test-Deployment.ps1 <- post-deployment verification +├── tests/ +│ └── Test-Deployment.ps1 <- post-deployment verification +└── web/ <- xetup.x9.cz static site +``` + +--- + +## Execution flow + +``` +xetup.exe start + → extract scripts/ and assets/ to temp dir + → state file exists? → resume mode (skip form, run pending steps) + → normal mode: + 1. Pre-flight checks (admin, winget, network, disk) shown in GUI + 2. Config form (PC name, key, profile, step checkboxes) + 3. Write runtime config JSON (reflects GUI selections) + 4. Run steps sequentially via powershell.exe -File -ConfigPath -LogFile + 5. Step exits 9? → save state, setup autologon + X9-Resume task, reboot + 6. After reboot → xetup resumes, runs remaining steps + 7. All done → cleanup autologon, send email report, show summary +``` + +## Step execution order + +``` +00 Admin account (adminx9) +08 Windows activation +01 Bloatware removal +02 Software (parallel winget + Atera + PDF default) +03 System Registry (HKLM + Edge policies) +04 Default Profile + Personalization (single hive load) +07 BackInfo +10 Network discovery +11 Dell Command | Update +09 PC identity (rename triggers reboot via exit 9) +12 Windows Update (reboot cycle via exit 9) ``` --- 
@@ -51,115 +102,79 @@ windows-deployment-new/ ## Conventions and rules ### PowerShell -- Always `#Requires -RunAsAdministrator` in master script -- `$ErrorActionPreference = "Continue"` - script must survive partial failures -- Log every step to `C:\Windows\Setup\Scripts\Deploy.log` -- Logging via `Write-Log` function defined in master script -- `Invoke-Step` function wraps every step - catches errors, logs, continues -- Comments in English, code in English -- NO diacritics - no accented characters anywhere: not in comments, not in user messages, not in log output -- NO emoticons - not in comments, not in output messages -- Reason: encoding issues across systems, log readability, compatibility +- All scripts use `common.ps1` (dot-sourced): Write-Log, Get-Feature, Load-Config +- Scripts receive `-ConfigPath` (path to JSON) and `-LogFile` params +- Scripts parse config themselves via `Load-Config $ConfigPath` +- `$ErrorActionPreference = "Continue"` - scripts survive partial failures +- Exit code 9 = "reboot required" - runner saves state and triggers restart +- Log to `C:\Windows\Setup\Scripts\Deploy.log` +- NO diacritics anywhere (encoding issues across systems) +- NO emoticons -### Master script structure -```powershell -# 1. Load config.json -# 2. Run individual scripts in order -# 3. 
Print summary report at end (OK/ERROR counts) -``` +### Go / GUI +- Walk-based GUI (Windows only, CGO required) +- Cross-compile: `CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64` +- Three phases: config form → live log → summary with reboot countdown +- Features system: steps can have sub-features (checkboxes in GUI), controlled via config.features -### Master script switches -| Switch | Behavior | -|---|---| -| `-SkipBloatware` | Skip step 1 | -| `-SkipSoftware` | Skip step 2 | -| `-SkipDefaultProfile` | Skip step 4 | -| `-DryRun` | Run without changes, log only | +### Config +- `config.json` is the template, `config-runtime.json` is written to temp at runtime +- GUI regenerates runtime config before starting the run +- `DefaultConfig()` in config.go provides sensible defaults when config.json is absent +- Features default to `true` when missing from config ### Testing -- Test VM: Windows 10/11 x64 on VMware ESXi (X9.cz internal infrastructure) -- Before each test: take snapshot -- After test: revert snapshot -- Dev environment: x64 VM only - NOT ARM (no Parallels/Apple Silicon for testing) +- Test VM: Windows 10/11 x64 on VMware ESXi +- Before each test: take snapshot, after test: revert +- Dev environment: x64 VM only (not ARM) --- -## Important notes - -### BackInfo (replaces custom DesktopInfo) -BackInfo.exe IS used. Located in assets/Backinfo/. Deployment: -1. Copy assets/Backinfo/ to C:\Program Files\Backinfo\ -2. Run backinfo_W11.ps1 (detects OS, writes registry, creates Startup shortcut) -3. 
BackInfo.exe auto-starts on every logon, reads INI, renders BMP with system info -- Configurable via BackInfo.ini (fonts, positions, data sources) -- Displays: hostname (centered, large), username, OS, HW info, network info -- DELETE 07-desktop-info.ps1 - no longer needed - -### Adobe Reader as default PDF app -- After install: set .pdf -> AcroRd32 association -- Scheduled task PDF-DefaultApp restores association on every logon (guard against Edge overwriting it) -- NOTE: UCPD.sys (kernel driver since Feb 2024) blocks UserChoice writes. Consider disabling UCPD during deployment. - -### Default Profile -- Changes to C:\Users\Default\NTUSER.DAT via reg load / reg unload -- Applies to all new users - critical for MSP deployment -- Currently logged-in user gets changes via direct write to HKCU - -### Winget -- Always use --accept-package-agreements --accept-source-agreements -- Check winget availability before running installs -- Log result of every install - -### Atera Agent -- Download: `Invoke-WebRequest -Uri "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337" -OutFile setup.msi` -- Install: `msiexec /i setup.msi /qn` +## Key implementation details ### Admin account (adminx9) -- NO PASSWORD (changed from previous version) +- No password (empty), hidden from login screen, Administrators group - FullName = "X9.cz s.r.o." 
(via ADSI) -- Hidden from login screen -- Added to Administrators group +- Also used by prereboot for autologon during reboot cycles + +### Edge policies +- Mandatory (`Policies\Microsoft\Edge`): HideFirstRunExperience, DefaultBrowserSettingEnabled, DiagnosticData, FeedbackSurveysEnabled +- Recommended (`Policies\Microsoft\Edge\Recommended`): everything else (user can override) + +### PDF default +- Adobe Reader set via HKCR\.pdf after install +- UCPD driver stopped during association write, restarted after + +### Reboot-resume cycle +- `prereboot_windows.go`: copies xetup.exe to stable path, sets autologon for adminx9, registers X9-Resume scheduled task +- `state.go`: persists pending steps + accumulated results across reboots +- Steps 09 (pcIdentity on rename) and 12 (windowsUpdate) can trigger exit 9 +- Cleanup: disables autologon, removes X9-Resume task + +### Email report +- Sent via SMTP2Go (mail-eu.smtp2go.com:2525) at end of deployment +- 
From: xetup@x9.cz, To: net@x9.cz +- Subject: "xetup report HOSTNAME" +- HTML body with per-step status table + +### Parallel winget +- 02-software.ps1 launches all winget installs as background jobs (Start-Job) +- Jobs run simultaneously, results collected after all complete --- ## DO NOT -- Do not use $ErrorActionPreference = "Stop" - script must survive partial failure -- Do not remove Calculator (Microsoft.WindowsCalculator) - intentionally kept +- Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure +- Do not remove Calculator (Microsoft.WindowsCalculator) - Do not use ARM VM for testing -- Do not write scripts depending on specific username - script is universal +- Do not write scripts depending on specific username - Do not use hardcoded paths that do not exist on clean Windows -- NO diacritics - no accented characters in any part of any script -- NO emoticons - none in comments, log messages or output -- Do not remove OneDrive - must remain installable for M365 -- Do not remove RDP/RDS - must remain functional -- Do not remove Microsoft-RemoteDesktopConnection from Optional Features - ---- - -## Planned changes (from review v2, 2026-04-15) - -### Must fix -- [ ] Remove OneDrive uninstall from 03-system-registry.ps1 and 04-default-profile.ps1 -- [ ] Remove password from admin account, add FullName = "X9.cz s.r.o." -- [ ] Delete 07-desktop-info.ps1, replace with BackInfo deployment step -- [ ] Add powercfg settings (standby-timeout-ac 0, monitor-timeout-ac 60, etc.) 
-- [ ] Add proxy auto-detect disable (AutoDetect = 0) -- [ ] Add Atera Agent install step -- [ ] Extend Edge policies (~15 more keys) - -### New features (from colleague spec v2) -- [ ] Taskbar pinned apps: admin vs user variants via XML layout + -ProfileType parameter -- [ ] Explorer: ShowRecent=0, ShowFrequent=0, FullPath=1 in CabinetState -- [ ] Network discovery: enable ping, set private network profile (post-restart step) -- [ ] PC rename: Rename-Computer as final step before restart -- [ ] C:\X9 directory structure with custom folder icon - -### Architecture evolution -- [ ] Go TUI launcher (xetup.exe) embedding PS scripts -- [ ] spec.yaml as single source of truth -- [ ] Web platform at xetup.x9.cz (Forgejo + docs + comments) -- [ ] Self-update mechanism in xetup.exe +- NO diacritics in any file +- NO emoticons +- Do not remove OneDrive policy-block-free (M365 must be able to reinstall it) +- Do not remove RDP/RDS or Microsoft-RemoteDesktopConnection +- Do not create Deploy-Windows.ps1 or other CLI entry points (xetup.exe is sole entry point) --- @@ -167,9 +182,6 @@ BackInfo.exe IS used. Located in assets/Backinfo/. Deployment: | # | Question | Status | |---|---|---| -| 1 | BackInfo replacement | DONE - using BackInfo.exe from assets/ | -| 2 | Complete SW list for winget | TODO - list incomplete | -| 3 | Per-client variability via config.json | FUTURE | -| 4 | Admin account adminx9 | DECIDED - no password, FullName "X9.cz s.r.o." | -| 5 | UCPD driver workaround for PDF default | TODO - disable during deployment | -| 6 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? | +| 1 | Complete SW list for winget | TODO - list may be incomplete | +| 2 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? | +| 3 | `--resume` flag | Passed by prereboot task but not parsed - resume detected via state file | diff --git a/SPEC.md b/SPEC.md index 1c94f37..c306d58 100644 --- a/SPEC.md +++ b/SPEC.md 
@@ -1,16 +1,14 @@ -# MSP Windows Deployment - Specification (SPEC.md) +# MSP Windows Deployment - Specification -> Version: 0.2 (draft) -> Author: X9.cz -> Purpose: Automated preparation of new Windows 10/11 computers for clients +> Purpose: Automated preparation of new Windows 10/11 computers for X9.cz clients --- ## Overview -Script replaces ~3 hours of manual computer setup. Run once as Administrator on -already-installed Windows, performs everything automatically, saves result to Default -Profile so settings apply to every subsequent user. +xetup.exe replaces ~3 hours of manual computer setup. GUI launcher embeds PowerShell +scripts, runs them sequentially, handles reboot cycles, sends email report when done. +Settings are applied to Default Profile (NTUSER.DAT) so every new user inherits them. --- 
@@ -18,276 +16,157 @@ Profile so settings apply to every subsequent user. - Windows 10 or Windows 11 (x64) - Run as Administrator -- Internet connection (for winget installs) -- Computer received either as clean OEM install or with manufacturer pre-installed Windows +- Internet connection (for winget installs, Atera agent, Windows Update) +- Post-OOBE (fully installed Windows with at least one user account) --- -## What the script does NOT do +## Step execution order -- Does not install Windows (not an autounattend.xml for clean install) -- Does not create images -- Does not manage the computer ongoing (one-time deployment) +| # | Step | Script | Notes | +|---|---|---|---| +| 00 | Admin account | 00-admin-account.ps1 | adminx9, no password, hidden | +| 08 | Windows activation | 08-activation.ps1 | OA3 → config key → GVLK fallback | +| 01 | Bloatware removal | 01-bloatware.ps1 | AppX + Capabilities + Features | +| 02 | Software install | 02-software.ps1 | Parallel winget + Atera + PDF default | +| 03 | System registry | 03-system-registry.ps1 | HKLM tweaks, Edge, powercfg, WPAD | +| 04 | Profile + personalization | 04-default-profile.ps1 | NTUSER.DAT + HKCU + theme | +| 07 | BackInfo | 07-backinfo.ps1 | System info wallpaper overlay | +| 10 | Network | 10-network.ps1 | Private profile, ping, discovery | +| 11 | Dell Update | 11-dell-update.ps1 | Auto-skip on non-Dell HW | +| 09 | PC identity | 09-pc-identity.ps1 | Rename + C:\X9 (reboot on rename) | +| 12 | Windows Update | 12-windows-update.ps1 | Multi-round reboot cycle | --- -## Script structure - -Script is divided into steps. Each step logs its result. Steps can be skipped with switches. - ---- - -## STEP 0a - Admin account +## Step 00 - Admin account Creates local admin account `adminx9`: -- Password from `config.json` (`adminAccount.password`) +- No password (empty) - account is hidden, only accessible to technicians +- FullName = "X9.cz s.r.o." 
(via ADSI) - Added to Administrators group -- Password never expires, user cannot change password -- Hidden from Windows login screen (SpecialAccounts\UserList = 0) +- Hidden from login screen (SpecialAccounts\UserList = 0) +- Password never expires --- -## STEP 0b - Windows activation +## Step 08 - Windows activation -Activates Windows using product key from config: -- Key from `config.json` (`activation.productKey`) - set to real MAK/retail key for production -- Falls back to GVLK (KMS client key) matched by detected OS edition -- Optional KMS server via `activation.kmsServer` -- If already activated, skips silently +Priority: OA3 embedded key (BIOS/UEFI) → config.json productKey → GVLK by edition. +Optional KMS server via config.json. Skips if already activated (LicenseStatus = 1). --- -## STEP 1 - Bloatware removal +## Step 01 - Bloatware removal -### 1a - AppX packages (UWP apps) +Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.), +~14 Windows Capabilities (Fax, IE, WordPad, etc.), and Optional Features +(PowerShell 2.0, Recall). Calculator intentionally kept. -Removed for all users (-AllUsers) and from provisioned packages (so they do not return for new users). 
+--- -| Package | Description | +## Step 02 - Software installation + +Parallel winget installs (Start-Job): + +| Software | Winget ID | |---|---| -| Microsoft.Microsoft3DViewer | 3D Viewer | -| Microsoft.BingSearch | Bing Search | -| Microsoft.WindowsCamera | Camera | -| Clipchamp.Clipchamp | Clipchamp video editor | -| Microsoft.WindowsAlarms | Clock / Alarm | -| Microsoft.Copilot | Copilot AI | -| Microsoft.549981C3F5F10 | Cortana | -| Microsoft.Windows.DevHome | Dev Home | -| MicrosoftCorporationII.MicrosoftFamily | Family Safety | -| Microsoft.WindowsFeedbackHub | Feedback Hub | -| Microsoft.Edge.GameAssist | Game Assist | -| Microsoft.GetHelp | Help | -| Microsoft.Getstarted | Tips / Get Started | -| microsoft.windowscommunicationsapps | Mail and Calendar | -| Microsoft.WindowsMaps | Maps | -| Microsoft.MixedReality.Portal | Mixed Reality | -| Microsoft.BingNews | News | -| Microsoft.MicrosoftOfficeHub | Office Hub | -| Microsoft.Office.OneNote | OneNote | -| Microsoft.OutlookForWindows | Outlook (new) | -| Microsoft.Paint | Paint (new UWP) | -| Microsoft.MSPaint | Paint (legacy) | -| Microsoft.People | People | -| Microsoft.Windows.Photos | Photos | -| Microsoft.PowerAutomateDesktop | Power Automate | -| MicrosoftCorporationII.QuickAssist | Quick Assist | -| Microsoft.SkypeApp | Skype | -| Microsoft.ScreenSketch | Snipping Tool | -| Microsoft.MicrosoftSolitaireCollection | Solitaire | -| Microsoft.MicrosoftStickyNotes | Sticky Notes | -| MicrosoftTeams / MSTeams | Teams (personal) | -| Microsoft.Todos | To Do | -| Microsoft.WindowsSoundRecorder | Voice Recorder | -| Microsoft.Wallet | Wallet | -| Microsoft.BingWeather | Weather | -| Microsoft.WindowsTerminal | Windows Terminal | -| Microsoft.Xbox.TCUI | Xbox UI | -| Microsoft.XboxApp | Xbox | -| Microsoft.XboxGameOverlay | Xbox Game Overlay | -| Microsoft.XboxGamingOverlay | Xbox Gaming Overlay | -| Microsoft.XboxIdentityProvider | Xbox Identity | -| Microsoft.XboxSpeechToTextOverlay | Xbox Speech | -| 
Microsoft.GamingApp | Gaming App | -| Microsoft.YourPhone | Phone Link | -| Microsoft.ZuneMusic | Music | -| Microsoft.ZuneVideo | Movies and TV | +| 7-Zip | 7zip.7zip | +| Adobe Acrobat Reader 64-bit | Adobe.Acrobat.Reader.64-bit | +| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect | -NOTE: Microsoft.WindowsCalculator is intentionally KEPT. +After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted. -### 1b - Windows Capabilities - -| Capability | Description | -|---|---| -| Print.Fax.Scan | Fax and Scan | -| Language.Handwriting | Handwriting | -| Browser.InternetExplorer | Internet Explorer | -| MathRecognizer | Math Input | -| OneCoreUAP.OneSync | OneSync | -| OpenSSH.Client | OpenSSH client | -| Microsoft.Windows.MSPaint | Paint (Win32) | -| Microsoft.Windows.PowerShell.ISE | PowerShell ISE | -| App.Support.QuickAssist | Quick Assist | -| Microsoft.Windows.SnippingTool | Snipping Tool | -| App.StepsRecorder | Steps Recorder | -| Hello.Face.* | Windows Hello face | -| Media.WindowsMediaPlayer | Windows Media Player | -| Microsoft.Windows.WordPad | WordPad | - -### 1c - Windows Optional Features - -| Feature | Description | -|---|---| -| MediaPlayback | Media playback | -| MicrosoftWindowsPowerShellV2Root | PowerShell 2.0 | -| Microsoft-RemoteDesktopConnection | RDP client | -| Recall | Windows Recall (AI) | -| Microsoft-SnippingTool | Snipping Tool (feature) | +Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait. --- -## STEP 2 - Software installation (winget) +## Step 03 - System registry (HKLM) -| Software | Winget ID | Notes | -|---|---|---| -| 7-Zip | `7zip.7zip` | OK | -| Adobe Acrobat Reader | `Adobe.Acrobat.Reader.64-bit` | OK, see note | -| OpenVPN Connect | `OpenVPNTechnologies.OpenVPNConnect` | OK | -| ... | ... | TODO: complete list | +Always applied: password max age unlimited, timezone (Central Europe Standard Time). 
-> Adobe Acrobat Reader: After install, script sets .pdf -> AcroRd32 as default. -> Scheduled task PDF-DefaultApp restores this association on every logon as a guard -> against Edge overwriting it. - -> BackInfo: NOT used. Replaced by custom PowerShell scheduled task DesktopInfo. -> See STEP 7. +Feature-toggled sections: +- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search +- **edgePolicies**: mandatory (first-run, telemetry) + recommended (UI defaults user can change) +- **oneDriveUninstall**: removes consumer OneDrive (no policy block - M365 can reinstall) +- **powercfg**: standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15 +- **proxyDisable**: WPAD auto-detect off --- -## STEP 3 - System settings (HKLM - applies to whole system) +## Step 04 - Default Profile + Personalization -| Setting | Value | Notes | -|---|---|---| -| Disable NRO (bypass network check) | HKLM\...\OOBE\BypassNRO = 1 | | -| Disable auto-install of Teams | ConfigureChatAutoInstall = 0 | | -| Disable Cloud Optimized Content | DisableCloudOptimizedContent = 1 | | -| Disable Widgets (News and Interests) | HKLM\...\Dsh\AllowNewsAndInterests = 0 | | -| Edge - hide First Run Experience | HKLM\Policies\Edge\HideFirstRunExperience = 1 | | -| Passwords - no expiration | net accounts /maxpwage:UNLIMITED | | -| Time zone | Central Europe Standard Time | | -| OneDrive - remove | Delete OneDriveSetup.exe + Start Menu lnk | | -| Outlook (new) - disable auto-install | Delete UScheduler registry key | | -| Disable GameDVR | AppCaptureEnabled = 0 | | +Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Default +hive and current HKCU. 
Feature-toggled sections: + +- **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all + tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on +- **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR +- **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path + +Personalization (always): dark shell / light apps, accent #223B47, transparency off, +solid wallpaper #223B47 (BackInfo overwrites on logon). --- -## STEP 4 - Default Profile (NTUSER.DAT) +## Step 07 - BackInfo -Settings applied to C:\Users\Default\NTUSER.DAT - inherited by every new user on first logon. - -Method: script loads Default hive (reg load), makes changes, unloads (reg unload). - -| Setting | Key / Value | Description | -|---|---|---| -| Taskbar - align left | TaskbarAl = 0 | Win11 default is center | -| Taskbar - hide Search box | SearchboxTaskbarMode = 0 | | -| Taskbar - hide Copilot button | ShowCopilotButton = 0 | | -| Taskbar - hide Task View button | ShowTaskViewButton = 0 | | -| Taskbar - hide Widgets | TaskbarDa = 0 | | -| Taskbar - hide Chat/Teams button | TaskbarMn = 0 | | -| Taskbar - show all tray icons | Scheduled task ShowAllTrayIcons | Runs on every logon | -| Taskbar - empty pinlist | TaskbarLayoutModification.xml | Removes default pinned apps | -| Explorer - show file extensions | HideFileExt = 0 | | -| Explorer - open to This PC | LaunchTo = 1 | Instead of Quick Access | -| Start menu - empty pins | ConfigureStartPins = {"pinnedList":[]} | Win11 | -| Start menu - disable Bing results | DisableSearchBoxSuggestions = 1 | | -| Copilot - disable | TurnOffWindowsCopilot = 1 | | -| GameDVR - disable | AppCaptureEnabled = 0 | | -| OneDrive - remove RunOnce key | Delete OneDriveSetup from Run | | -| Num Lock on startup - enable | InitialKeyboardIndicators = 2 | | -| Accent color on title bars | ColorPrevalence = 1 | | +Copies BackInfo.exe + INI to C:\Program 
Files\Backinfo\. Detects OS, writes OSName to +registry. Creates startup shortcut for all users. BackInfo renders system info BMP as +desktop wallpaper on every logon. --- -## STEP 5 - Personalization (colors, wallpaper) +## Step 10 - Network -Applied to both Default Profile and currently logged-in user. - -| Setting | Value | -|---|---| -| System theme (taskbar, Start) | Dark | -| App theme | Light | -| Accent color | #223B47 (dark blue-gray) | -| Accent color on Start and taskbar | Yes | -| Accent color on title bars | Yes | -| Transparency | Disabled | -| Wallpaper | Solid color #223B47 (no image) | - -NOTE: DesktopInfo scheduled task (STEP 7) will overwrite the wallpaper with a system -info BMP. The solid color here is only a fallback if DesktopInfo is not running. +Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network +Discovery firewall rules. --- -## STEP 6 - Scheduled Tasks +## Step 11 - Dell Command | Update -| Task | Trigger | Purpose | -|---|---|---| -| ShowAllTrayIcons | Every logon, every 1 min | Show all icons in system tray (Win11) | -| UnlockStartLayout | Once after layout is applied | Unlock Start menu layout | -| PDF-DefaultApp | Every logon | Restore .pdf -> Adobe Reader if Edge overwrote it | -| DesktopInfo | Every logon | Render system info onto desktop wallpaper | +Detects Dell hardware via Win32_ComputerSystem.Manufacturer. On non-Dell: skips silently. +On Dell: installs DCU Universal via winget, runs dcu-cli.exe /applyUpdates with +-reboot=disable. Feature-toggled: drivers/firmware and BIOS separately. Exit 9 when +BIOS/firmware updates are staged (finalize on next restart). --- -## STEP 7 - DesktopInfo (BackInfo replacement) +## Step 09 - PC identity -Custom PowerShell scheduled task. No external dependencies. - -**What it displays:** -- Computer name (hostname) -- IP address -- Windows version and build -- Logged-in username -- Deployment date - -**How it works:** -1. PS script collects system info -2. 
Renders text onto bitmap via WPF / System.Drawing -3. Saves BMP to C:\Windows\Setup\Scripts\desktopinfo.bmp -4. Sets BMP as desktop wallpaper via SystemParametersInfo -5. Runs on every user logon via Scheduled Task - -**Why not BackInfo:** -- BackInfo has Win11 rendering issues requiring registry hacks -- External EXE dependency is hard to distribute -- Custom PS solution = full control, no dependencies, works on Win10 and Win11 +Creates C:\X9\ directory (Logs, Scripts, Assets) with custom folder icon. +Sets computer description. Renames computer if config.json pcName is set and differs +from current. Exit 9 only when rename actually happened (restart required). --- -## STEP 8 - Logging and output +## Step 12 - Windows Update -- Every step writes to C:\Windows\Setup\Scripts\Deploy.log -- Format: [HH:mm:ss] Step description - OK / ERROR: ... -- At end: summary report (how many steps OK, how many failed) -- Log stays on disk for diagnostics +Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed +(reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles +the reboot cycle automatically. --- -## Script switches +## Config structure -| Switch | Behavior | -|---|---| -| `-SkipBloatware` | Skip step 1 | -| `-SkipSoftware` | Skip step 2 | -| `-SkipDefaultProfile` | Skip step 4 | -| `-DryRun` | Run through steps without changes, log only | +```json +{ + "deployment": { "pcName": "", "pcDescription": "", "timezone": "...", "profileType": "default" }, + "adminAccount": { "username": "adminx9" }, + "activation": { "productKey": "", "kmsServer": "" }, + "software": { "install": [{ "name": "...", "wingetId": "..." }] }, + "steps": { "adminAccount": true, ... }, + "features": { "software": { "wingetInstalls": true, "pdfDefault": true, "ateraAgent": true }, ... 
}, + "bloatware": { "keepPackages": ["Microsoft.WindowsCalculator"] } +} +``` --- -## Open questions +## Email report -| # | Question | Status | -|---|---|---| -| 1 | BackInfo replacement | DONE - custom PS scheduled task DesktopInfo | -| 2 | Complete SW list for winget | TODO | -| 3 | Per-client variability via config.json | FUTURE | -| 4 | Admin account adminx9 - script or manual? | DONE - script (00-admin-account.ps1) | +Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps, +OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME". +From: xetup@x9.cz, To: net@x9.cz.
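Review bot: In the CLAUDE.md "Execution flow" block (hunk `@@ -23,27 +25,76 @@`), the line "extract scripts/ and assets/ to temp dir" does not say which directory is used or who may write to it, yet step 4 runs those extracted files through `powershell.exe -File` as Administrator. Please add a line stating that the extraction directory is created with an Administrators-only ACL and removed in step 7. The same applies to the "runtime config JSON" from step 3, which per the SPEC.md config structure can carry `activation.productKey`. If the code does not do this today, the doc should list it as a known gap rather than stay silent.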
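Review bot: In the CLAUDE.md "Admin account (adminx9)" section (hunk `@@ -51,115 +102,79 @@`), "No password (empty), hidden from login screen, Administrators group" presents hiding the account as if it limited access, but `SpecialAccounts\UserList = 0` only removes the tile. What actually keeps a blank-password admin off the network is the Windows policy "Accounts: Limit local account use of blank passwords to console logon only" (`LimitBlankPasswordUse`), which the docs never mention, while the DO NOT list requires RDP to stay functional. Please document that step 00 verifies that policy is enabled, or state the compensating control. The "Reboot-resume cycle" bullet "Cleanup: disables autologon, removes X9-Resume task" should also say what happens when a run is abandoned mid-cycle, because otherwise the machine keeps booting straight into an administrator session. Separately, the "Email report" section names the SMTP2Go host and port but not where the SMTP credentials live or whether the session uses TLS; given that `embed.go` packs files into the binary, that is worth one line.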
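Review bot: In the CLAUDE.md open-questions table (hunk `@@ -167,9 +182,6 @@`), row 3 records that `--resume` is "Passed by prereboot task but not parsed - resume detected via state file", which means the mere presence of the state file switches xetup.exe into resume mode and, per the execution flow, skips the form. Neither file documents where the state file is stored or who can write to it. Please add the path and its ACL to the "Reboot-resume cycle" section, and either parse the flag and require both signals or drop the flag from the X9-Resume task so the docs and the task definition agree.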
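Review bot: In SPEC.md "Step 02 - Software installation" (hunk `@@ -18,276 +16,157 @@`), "Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait" describes fetching an installer and running it silently as Administrator with no verification step documented. Please state that the MSI's Authenticode signer is checked before `msiexec` runs, or note that it is not. The same gap applies to "Installs PSWindowsUpdate module" in Step 12, where neither the module source nor a pinned version is given. Note also that this patch removes the full agent install URL (with its `cid` and `aeid` parameters) from CLAUDE.md while it stays in repository history; since the open question about `aeid` and MFA is still unresolved, the docs should say where that value is now kept and whether it needs rotating.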