docs: rewrite CLAUDE.md and SPEC.md to reflect current state

Both files were significantly outdated - referencing deleted scripts (Deploy-Windows.ps1, 05-personalization, 06-scheduled-tasks, 07-desktop-info), wrong step ordering, completed TODOs listed as planned, and missing new features (email report, pre-flight checks, parallel winget, common.ps1). Rewritten from scratch based on actual current code state. No historical cruft, no "planned changes" that are already done. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 12:36:12 +02:00 · 2026-04-17 12:36:12 +02:00 · 2f0e176e82
commit 2f0e176e82
parent 64646f1b7f
2 changed files with 226 additions and 335 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -2,14 +2,16 @@
 ## Project context
-MSP deployment script for X9.cz - automated preparation of new Windows 10/11 computers for clients.
+MSP deployment tool for X9.cz - automated preparation of new Windows 10/11 computers.
-Replaces ~3 hours of manual setup with a single PowerShell script (evolving toward Go TUI launcher).
+Go GUI launcher (xetup.exe) embeds PowerShell scripts, runs them sequentially, handles
 reboot cycles for Windows Update, and sends an email report when done.
 **Key parameters:**
 - Target OS: Windows 10 and Windows 11 (x64), including unsupported HW
- Execution: as Administrator on already-installed Windows (not WinPE/autounattend)
+- Execution: as Administrator on already-installed Windows (not WinPE/autounattend, not OOBE)
 - Volume: ~20 machines per month, various clients
 - Operator: MSP technician on-site at client
 - Entry point: xetup.exe only (no CLI script entry point)
 ---
@ -23,27 +25,76 @@ Replaces ~3 hours of manual setup with a single PowerShell script (evolving towa
 ## Repo structure
 ```
-windows-deployment-new/
+xetup/
 ├── CLAUDE.md                     <- this file
 ├── SPEC.md                       <- technical specification
-├── Deploy-Windows.ps1            <- master script (entry point)
+├── embed.go                      <- embeds scripts/ and assets/ into binary
 ├── cmd/xetup/
 │   ├── main.go                   <- entry point: extract, load config, launch GUI
 │   └── app.manifest              <- Windows manifest (requireAdministrator)
 ├── internal/
 │   ├── config/config.go          <- Config struct, Load/Save, DefaultConfig
 │   ├── gui/gui.go                <- Walk GUI: form → run → summary (3 phases)
 │   ├── runner/runner.go          <- sequential PS script executor with log streaming
 │   ├── state/state.go            <- JSON state file for reboot-resume persistence
 │   ├── prereboot/                <- autologon + X9-Resume scheduled task for reboot cycle
 │   ├── preflight/                <- pre-run checks (admin, winget, network, disk)
 │   └── report/report.go          <- HTML email report via SMTP2Go
 ├── scripts/
-│   ├── 00-admin-account.ps1      <- create hidden admin account
+│   ├── common.ps1                <- shared functions (Write-Log, Get-Feature, Load-Config)
 │   ├── 00-admin-account.ps1      <- create hidden admin account (adminx9, no password)
 │   ├── 01-bloatware.ps1          <- remove AppX, Capabilities, Features
-│   ├── 02-software.ps1           <- winget installs + Adobe PDF default
+│   ├── 02-software.ps1           <- parallel winget installs + Adobe PDF default + Atera
-│   ├── 03-system-registry.ps1    <- HKLM tweaks
+│   ├── 03-system-registry.ps1    <- HKLM tweaks, Edge policies, OneDrive, powercfg
-│   ├── 04-default-profile.ps1    <- C:\Users\Default\NTUSER.DAT changes
+│   ├── 04-default-profile.ps1    <- NTUSER.DAT + HKCU + personalization (merged)
-│   ├── 05-personalization.ps1    <- colors, wallpaper, theme
+│   ├── 07-backinfo.ps1           <- deploy BackInfo.exe + startup shortcut
-│   ├── 06-scheduled-tasks.ps1    <- register scheduled tasks
+│   ├── 08-activation.ps1         <- Windows activation (OA3 → config key → GVLK)
-│   ├── 07-desktop-info.ps1       <- TO BE DELETED (replaced by BackInfo)
+│   ├── 09-pc-identity.ps1        <- rename PC + C:\X9 folder (exit 9 on rename)
-│   └── 08-activation.ps1         <- Windows activation via slmgr
+│   ├── 10-network.ps1            <- Private profile, ping, Network Discovery
 │   ├── 11-dell-update.ps1        <- Dell Command | Update (auto-skip on non-Dell)
 │   └── 12-windows-update.ps1     <- PSWindowsUpdate reboot cycle (exit 9)
 ├── config/
-│   └── config.json               <- per-client config
+│   └── config.json               <- default config template
 ├── assets/
-│   ├── Backinfo/                  <- BackInfo.exe + .ini + backinfo_W11.ps1
+│   ├── Backinfo/                  <- BackInfo.exe + .ini
 │   └── Logo/                      <- X9-ikona.ico, X9-logo.jpeg
-└── tests/
+├── tests/
-    └── Test-Deployment.ps1       <- post-deployment verification
+│   └── Test-Deployment.ps1       <- post-deployment verification
 └── web/                           <- xetup.x9.cz static site
 ```
 ---
 ## Execution flow
 ```
 xetup.exe start
  → extract scripts/ and assets/ to temp dir
  → state file exists? → resume mode (skip form, run pending steps)
  → normal mode:
      1. Pre-flight checks (admin, winget, network, disk) shown in GUI
      2. Config form (PC name, key, profile, step checkboxes)
      3. Write runtime config JSON (reflects GUI selections)
      4. Run steps sequentially via powershell.exe -File -ConfigPath -LogFile
      5. Step exits 9? → save state, setup autologon + X9-Resume task, reboot
      6. After reboot → xetup resumes, runs remaining steps
      7. All done → cleanup autologon, send email report, show summary
 ```
 ## Step execution order
 ```
 00 Admin account (adminx9)
 08 Windows activation
 01 Bloatware removal
 02 Software (parallel winget + Atera + PDF default)
 03 System Registry (HKLM + Edge policies)
 04 Default Profile + Personalization (single hive load)
 07 BackInfo
 10 Network discovery
 11 Dell Command | Update
 09 PC identity (rename triggers reboot via exit 9)
 12 Windows Update (reboot cycle via exit 9)
 ```
 ---
@ -51,115 +102,79 @@ windows-deployment-new/
 ## Conventions and rules
 ### PowerShell
- Always `#Requires -RunAsAdministrator` in master script
+- All scripts use `common.ps1` (dot-sourced): Write-Log, Get-Feature, Load-Config
- `$ErrorActionPreference = "Continue"` - script must survive partial failures
+- Scripts receive `-ConfigPath` (path to JSON) and `-LogFile` params
- Log every step to `C:\Windows\Setup\Scripts\Deploy.log`
+- Scripts parse config themselves via `Load-Config $ConfigPath`
- Logging via `Write-Log` function defined in master script
+- `$ErrorActionPreference = "Continue"` - scripts survive partial failures
- `Invoke-Step` function wraps every step - catches errors, logs, continues
+- Exit code 9 = "reboot required" - runner saves state and triggers restart
- Comments in English, code in English
+- Log to `C:\Windows\Setup\Scripts\Deploy.log`
- NO diacritics - no accented characters anywhere: not in comments, not in user messages, not in log output
+- NO diacritics anywhere (encoding issues across systems)
- NO emoticons - not in comments, not in output messages
+- NO emoticons
 - Reason: encoding issues across systems, log readability, compatibility
-### Master script structure
+### Go / GUI
-```powershell
+- Walk-based GUI (Windows only, CGO required)
-# 1. Load config.json
+- Cross-compile: `CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64`
-# 2. Run individual scripts in order
+- Three phases: config form → live log → summary with reboot countdown
-# 3. Print summary report at end (OK/ERROR counts)
+- Features system: steps can have sub-features (checkboxes in GUI), controlled via config.features
 ```
-### Master script switches
+### Config
-| Switch | Behavior |
+- `config.json` is the template, `config-runtime.json` is written to temp at runtime
-|---|---|
+- GUI regenerates runtime config before starting the run
-| `-SkipBloatware` | Skip step 1 |
+- `DefaultConfig()` in config.go provides sensible defaults when config.json is absent
-| `-SkipSoftware` | Skip step 2 |
+- Features default to `true` when missing from config
 | `-SkipDefaultProfile` | Skip step 4 |
 | `-DryRun` | Run without changes, log only |
 ### Testing
- Test VM: Windows 10/11 x64 on VMware ESXi (X9.cz internal infrastructure)
+- Test VM: Windows 10/11 x64 on VMware ESXi
- Before each test: take snapshot
+- Before each test: take snapshot, after test: revert
- After test: revert snapshot
+- Dev environment: x64 VM only (not ARM)
 - Dev environment: x64 VM only - NOT ARM (no Parallels/Apple Silicon for testing)
 ---
-## Important notes
+## Key implementation details
 ### BackInfo (replaces custom DesktopInfo)
 BackInfo.exe IS used. Located in assets/Backinfo/. Deployment:
 1. Copy assets/Backinfo/ to C:\Program Files\Backinfo\
 2. Run backinfo_W11.ps1 (detects OS, writes registry, creates Startup shortcut)
 3. BackInfo.exe auto-starts on every logon, reads INI, renders BMP with system info
 - Configurable via BackInfo.ini (fonts, positions, data sources)
 - Displays: hostname (centered, large), username, OS, HW info, network info
 - DELETE 07-desktop-info.ps1 - no longer needed
 ### Adobe Reader as default PDF app
 - After install: set .pdf -> AcroRd32 association
 - Scheduled task PDF-DefaultApp restores association on every logon (guard against Edge overwriting it)
 - NOTE: UCPD.sys (kernel driver since Feb 2024) blocks UserChoice writes. Consider disabling UCPD during deployment.
 ### Default Profile
 - Changes to C:\Users\Default\NTUSER.DAT via reg load / reg unload
 - Applies to all new users - critical for MSP deployment
 - Currently logged-in user gets changes via direct write to HKCU
 ### Winget
 - Always use --accept-package-agreements --accept-source-agreements
 - Check winget availability before running installs
 - Log result of every install
 ### Atera Agent
 - Download: `Invoke-WebRequest -Uri "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337" -OutFile setup.msi`
 - Install: `msiexec /i setup.msi /qn`
 ### Admin account (adminx9)
- NO PASSWORD (changed from previous version)
+- No password (empty), hidden from login screen, Administrators group
 - FullName = "X9.cz s.r.o." (via ADSI)
- Hidden from login screen
+- Also used by prereboot for autologon during reboot cycles
- Added to Administrators group
+
 ### Edge policies
 - Mandatory (`Policies\Microsoft\Edge`): HideFirstRunExperience, DefaultBrowserSettingEnabled, DiagnosticData, FeedbackSurveysEnabled
 - Recommended (`Policies\Microsoft\Edge\Recommended`): everything else (user can override)
 ### PDF default
 - Adobe Reader set via HKCR\.pdf after install
 - UCPD driver stopped during association write, restarted after
 ### Reboot-resume cycle
 - `prereboot_windows.go`: copies xetup.exe to stable path, sets autologon for adminx9, registers X9-Resume scheduled task
 - `state.go`: persists pending steps + accumulated results across reboots
 - Steps 09 (pcIdentity on rename) and 12 (windowsUpdate) can trigger exit 9
 - Cleanup: disables autologon, removes X9-Resume task
 ### Email report
 - Sent via SMTP2Go (mail-eu.smtp2go.com:2525) at end of deployment
 - From: xetup@x9.cz, To: net@x9.cz
 - Subject: "xetup report HOSTNAME"
 - HTML body with per-step status table
 ### Parallel winget
 - 02-software.ps1 launches all winget installs as background jobs (Start-Job)
 - Jobs run simultaneously, results collected after all complete
 ---
 ## DO NOT
- Do not use $ErrorActionPreference = "Stop" - script must survive partial failure
+- Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure
- Do not remove Calculator (Microsoft.WindowsCalculator) - intentionally kept
+- Do not remove Calculator (Microsoft.WindowsCalculator)
 - Do not use ARM VM for testing
- Do not write scripts depending on specific username - script is universal
+- Do not write scripts depending on specific username
 - Do not use hardcoded paths that do not exist on clean Windows
- NO diacritics - no accented characters in any part of any script
+- NO diacritics in any file
- NO emoticons - none in comments, log messages or output
+- NO emoticons
- Do not remove OneDrive - must remain installable for M365
+- Do not remove OneDrive policy-block-free (M365 must be able to reinstall it)
- Do not remove RDP/RDS - must remain functional
+- Do not remove RDP/RDS or Microsoft-RemoteDesktopConnection
- Do not remove Microsoft-RemoteDesktopConnection from Optional Features
+- Do not create Deploy-Windows.ps1 or other CLI entry points (xetup.exe is sole entry point)
 ---
 ## Planned changes (from review v2, 2026-04-15)
 ### Must fix
 - [ ] Remove OneDrive uninstall from 03-system-registry.ps1 and 04-default-profile.ps1
 - [ ] Remove password from admin account, add FullName = "X9.cz s.r.o."
 - [ ] Delete 07-desktop-info.ps1, replace with BackInfo deployment step
 - [ ] Add powercfg settings (standby-timeout-ac 0, monitor-timeout-ac 60, etc.)
 - [ ] Add proxy auto-detect disable (AutoDetect = 0)
 - [ ] Add Atera Agent install step
 - [ ] Extend Edge policies (~15 more keys)
 ### New features (from colleague spec v2)
 - [ ] Taskbar pinned apps: admin vs user variants via XML layout + -ProfileType parameter
 - [ ] Explorer: ShowRecent=0, ShowFrequent=0, FullPath=1 in CabinetState
 - [ ] Network discovery: enable ping, set private network profile (post-restart step)
 - [ ] PC rename: Rename-Computer as final step before restart
 - [ ] C:\X9 directory structure with custom folder icon
 ### Architecture evolution
 - [ ] Go TUI launcher (xetup.exe) embedding PS scripts
 - [ ] spec.yaml as single source of truth
 - [ ] Web platform at xetup.x9.cz (Forgejo + docs + comments)
 - [ ] Self-update mechanism in xetup.exe
 ---
@ -167,9 +182,6 @@ BackInfo.exe IS used. Located in assets/Backinfo/. Deployment:
 | # | Question | Status |
 |---|---|---|
-| 1 | BackInfo replacement | DONE - using BackInfo.exe from assets/ |
+| 1 | Complete SW list for winget | TODO - list may be incomplete |
-| 2 | Complete SW list for winget | TODO - list incomplete |
+| 2 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? |
-| 3 | Per-client variability via config.json | FUTURE |
+| 3 | `--resume` flag | Passed by prereboot task but not parsed - resume detected via state file |
 | 4 | Admin account adminx9 | DECIDED - no password, FullName "X9.cz s.r.o." |
 | 5 | UCPD driver workaround for PDF default | TODO - disable during deployment |
 | 6 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? |
--- a/SPEC.md
+++ b/SPEC.md
@ -1,16 +1,14 @@
-# MSP Windows Deployment - Specification (SPEC.md)
+# MSP Windows Deployment - Specification
-> Version: 0.2 (draft)
+> Purpose: Automated preparation of new Windows 10/11 computers for X9.cz clients
 > Author: X9.cz
 > Purpose: Automated preparation of new Windows 10/11 computers for clients
 ---
 ## Overview
-Script replaces ~3 hours of manual computer setup. Run once as Administrator on
+xetup.exe replaces ~3 hours of manual computer setup. GUI launcher embeds PowerShell
-already-installed Windows, performs everything automatically, saves result to Default
+scripts, runs them sequentially, handles reboot cycles, sends email report when done.
-Profile so settings apply to every subsequent user.
+Settings are applied to Default Profile (NTUSER.DAT) so every new user inherits them.
 ---
@ -18,276 +16,157 @@ Profile so settings apply to every subsequent user.
 - Windows 10 or Windows 11 (x64)
 - Run as Administrator
- Internet connection (for winget installs)
+- Internet connection (for winget installs, Atera agent, Windows Update)
- Computer received either as clean OEM install or with manufacturer pre-installed Windows
+- Post-OOBE (fully installed Windows with at least one user account)
 ---
-## What the script does NOT do
+## Step execution order
- Does not install Windows (not an autounattend.xml for clean install)
+| # | Step | Script | Notes |
- Does not create images
+|---|---|---|---|
- Does not manage the computer ongoing (one-time deployment)
+| 00 | Admin account | 00-admin-account.ps1 | adminx9, no password, hidden |
 | 08 | Windows activation | 08-activation.ps1 | OA3 → config key → GVLK fallback |
 | 01 | Bloatware removal | 01-bloatware.ps1 | AppX + Capabilities + Features |
 | 02 | Software install | 02-software.ps1 | Parallel winget + Atera + PDF default |
 | 03 | System registry | 03-system-registry.ps1 | HKLM tweaks, Edge, powercfg, WPAD |
 | 04 | Profile + personalization | 04-default-profile.ps1 | NTUSER.DAT + HKCU + theme |
 | 07 | BackInfo | 07-backinfo.ps1 | System info wallpaper overlay |
 | 10 | Network | 10-network.ps1 | Private profile, ping, discovery |
 | 11 | Dell Update | 11-dell-update.ps1 | Auto-skip on non-Dell HW |
 | 09 | PC identity | 09-pc-identity.ps1 | Rename + C:\X9 (reboot on rename) |
 | 12 | Windows Update | 12-windows-update.ps1 | Multi-round reboot cycle |
 ---
-## Script structure
+## Step 00 - Admin account
 Script is divided into steps. Each step logs its result. Steps can be skipped with switches.
 ---
 ## STEP 0a - Admin account
 Creates local admin account `adminx9`:
- Password from `config.json` (`adminAccount.password`)
+- No password (empty) - account is hidden, only accessible to technicians
 - FullName = "X9.cz s.r.o." (via ADSI)
 - Added to Administrators group
- Password never expires, user cannot change password
+- Hidden from login screen (SpecialAccounts\UserList = 0)
- Hidden from Windows login screen (SpecialAccounts\UserList = 0)
+- Password never expires
 ---
-## STEP 0b - Windows activation
+## Step 08 - Windows activation
-Activates Windows using product key from config:
+Priority: OA3 embedded key (BIOS/UEFI) → config.json productKey → GVLK by edition.
- Key from `config.json` (`activation.productKey`) - set to real MAK/retail key for production
+Optional KMS server via config.json. Skips if already activated (LicenseStatus = 1).
 - Falls back to GVLK (KMS client key) matched by detected OS edition
 - Optional KMS server via `activation.kmsServer`
 - If already activated, skips silently
 ---
-## STEP 1 - Bloatware removal
+## Step 01 - Bloatware removal
-### 1a - AppX packages (UWP apps)
+Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.),
 ~14 Windows Capabilities (Fax, IE, WordPad, etc.), and Optional Features
 (PowerShell 2.0, Recall). Calculator intentionally kept.
-Removed for all users (-AllUsers) and from provisioned packages (so they do not return for new users).
+---
-| Package | Description |
+## Step 02 - Software installation
 Parallel winget installs (Start-Job):
 | Software | Winget ID |
 |---|---|
-| Microsoft.Microsoft3DViewer | 3D Viewer |
+| 7-Zip | 7zip.7zip |
-| Microsoft.BingSearch | Bing Search |
+| Adobe Acrobat Reader 64-bit | Adobe.Acrobat.Reader.64-bit |
-| Microsoft.WindowsCamera | Camera |
+| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect |
 | Clipchamp.Clipchamp | Clipchamp video editor |
 | Microsoft.WindowsAlarms | Clock / Alarm |
 | Microsoft.Copilot | Copilot AI |
 | Microsoft.549981C3F5F10 | Cortana |
 | Microsoft.Windows.DevHome | Dev Home |
 | MicrosoftCorporationII.MicrosoftFamily | Family Safety |
 | Microsoft.WindowsFeedbackHub | Feedback Hub |
 | Microsoft.Edge.GameAssist | Game Assist |
 | Microsoft.GetHelp | Help |
 | Microsoft.Getstarted | Tips / Get Started |
 | microsoft.windowscommunicationsapps | Mail and Calendar |
 | Microsoft.WindowsMaps | Maps |
 | Microsoft.MixedReality.Portal | Mixed Reality |
 | Microsoft.BingNews | News |
 | Microsoft.MicrosoftOfficeHub | Office Hub |
 | Microsoft.Office.OneNote | OneNote |
 | Microsoft.OutlookForWindows | Outlook (new) |
 | Microsoft.Paint | Paint (new UWP) |
 | Microsoft.MSPaint | Paint (legacy) |
 | Microsoft.People | People |
 | Microsoft.Windows.Photos | Photos |
 | Microsoft.PowerAutomateDesktop | Power Automate |
 | MicrosoftCorporationII.QuickAssist | Quick Assist |
 | Microsoft.SkypeApp | Skype |
 | Microsoft.ScreenSketch | Snipping Tool |
 | Microsoft.MicrosoftSolitaireCollection | Solitaire |
 | Microsoft.MicrosoftStickyNotes | Sticky Notes |
 | MicrosoftTeams / MSTeams | Teams (personal) |
 | Microsoft.Todos | To Do |
 | Microsoft.WindowsSoundRecorder | Voice Recorder |
 | Microsoft.Wallet | Wallet |
 | Microsoft.BingWeather | Weather |
 | Microsoft.WindowsTerminal | Windows Terminal |
 | Microsoft.Xbox.TCUI | Xbox UI |
 | Microsoft.XboxApp | Xbox |
 | Microsoft.XboxGameOverlay | Xbox Game Overlay |
 | Microsoft.XboxGamingOverlay | Xbox Gaming Overlay |
 | Microsoft.XboxIdentityProvider | Xbox Identity |
 | Microsoft.XboxSpeechToTextOverlay | Xbox Speech |
 | Microsoft.GamingApp | Gaming App |
 | Microsoft.YourPhone | Phone Link |
 | Microsoft.ZuneMusic | Music |
 | Microsoft.ZuneVideo | Movies and TV |
-NOTE: Microsoft.WindowsCalculator is intentionally KEPT.
+After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted.
-### 1b - Windows Capabilities
+Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait.
 | Capability | Description |
 |---|---|
 | Print.Fax.Scan | Fax and Scan |
 | Language.Handwriting | Handwriting |
 | Browser.InternetExplorer | Internet Explorer |
 | MathRecognizer | Math Input |
 | OneCoreUAP.OneSync | OneSync |
 | OpenSSH.Client | OpenSSH client |
 | Microsoft.Windows.MSPaint | Paint (Win32) |
 | Microsoft.Windows.PowerShell.ISE | PowerShell ISE |
 | App.Support.QuickAssist | Quick Assist |
 | Microsoft.Windows.SnippingTool | Snipping Tool |
 | App.StepsRecorder | Steps Recorder |
 | Hello.Face.* | Windows Hello face |
 | Media.WindowsMediaPlayer | Windows Media Player |
 | Microsoft.Windows.WordPad | WordPad |
 ### 1c - Windows Optional Features
 | Feature | Description |
 |---|---|
 | MediaPlayback | Media playback |
 | MicrosoftWindowsPowerShellV2Root | PowerShell 2.0 |
 | Microsoft-RemoteDesktopConnection | RDP client |
 | Recall | Windows Recall (AI) |
 | Microsoft-SnippingTool | Snipping Tool (feature) |
 ---
-## STEP 2 - Software installation (winget)
+## Step 03 - System registry (HKLM)
-| Software | Winget ID | Notes |
+Always applied: password max age unlimited, timezone (Central Europe Standard Time).
 |---|---|---|
 | 7-Zip | `7zip.7zip` | OK |
 | Adobe Acrobat Reader | `Adobe.Acrobat.Reader.64-bit` | OK, see note |
 | OpenVPN Connect | `OpenVPNTechnologies.OpenVPNConnect` | OK |
 | ... | ... | TODO: complete list |
-> Adobe Acrobat Reader: After install, script sets .pdf -> AcroRd32 as default.
+Feature-toggled sections:
-> Scheduled task PDF-DefaultApp restores this association on every logon as a guard
+- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search
-> against Edge overwriting it.
+- **edgePolicies**: mandatory (first-run, telemetry) + recommended (UI defaults user can change)
-
+- **oneDriveUninstall**: removes consumer OneDrive (no policy block - M365 can reinstall)
-> BackInfo: NOT used. Replaced by custom PowerShell scheduled task DesktopInfo.
+- **powercfg**: standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15
-> See STEP 7.
+- **proxyDisable**: WPAD auto-detect off
 ---
-## STEP 3 - System settings (HKLM - applies to whole system)
+## Step 04 - Default Profile + Personalization
-| Setting | Value | Notes |
+Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Default
-|---|---|---|
+hive and current HKCU. Feature-toggled sections:
-| Disable NRO (bypass network check) | HKLM\...\OOBE\BypassNRO = 1 | |
+
-| Disable auto-install of Teams | ConfigureChatAutoInstall = 0 | |
+- **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all
-| Disable Cloud Optimized Content | DisableCloudOptimizedContent = 1 | |
+  tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on
-| Disable Widgets (News and Interests) | HKLM\...\Dsh\AllowNewsAndInterests = 0 | |
+- **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR
-| Edge - hide First Run Experience | HKLM\Policies\Edge\HideFirstRunExperience = 1 | |
+- **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path
-| Passwords - no expiration | net accounts /maxpwage:UNLIMITED | |
+
-| Time zone | Central Europe Standard Time | |
+Personalization (always): dark shell / light apps, accent #223B47, transparency off,
-| OneDrive - remove | Delete OneDriveSetup.exe + Start Menu lnk | |
+solid wallpaper #223B47 (BackInfo overwrites on logon).
 | Outlook (new) - disable auto-install | Delete UScheduler registry key | |
 | Disable GameDVR | AppCaptureEnabled = 0 | |
 ---
-## STEP 4 - Default Profile (NTUSER.DAT)
+## Step 07 - BackInfo
-Settings applied to C:\Users\Default\NTUSER.DAT - inherited by every new user on first logon.
+Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to
-
+registry. Creates startup shortcut for all users. BackInfo renders system info BMP as
-Method: script loads Default hive (reg load), makes changes, unloads (reg unload).
+desktop wallpaper on every logon.
 | Setting | Key / Value | Description |
 |---|---|---|
 | Taskbar - align left | TaskbarAl = 0 | Win11 default is center |
 | Taskbar - hide Search box | SearchboxTaskbarMode = 0 | |
 | Taskbar - hide Copilot button | ShowCopilotButton = 0 | |
 | Taskbar - hide Task View button | ShowTaskViewButton = 0 | |
 | Taskbar - hide Widgets | TaskbarDa = 0 | |
 | Taskbar - hide Chat/Teams button | TaskbarMn = 0 | |
 | Taskbar - show all tray icons | Scheduled task ShowAllTrayIcons | Runs on every logon |
 | Taskbar - empty pinlist | TaskbarLayoutModification.xml | Removes default pinned apps |
 | Explorer - show file extensions | HideFileExt = 0 | |
 | Explorer - open to This PC | LaunchTo = 1 | Instead of Quick Access |
 | Start menu - empty pins | ConfigureStartPins = {"pinnedList":[]} | Win11 |
 | Start menu - disable Bing results | DisableSearchBoxSuggestions = 1 | |
 | Copilot - disable | TurnOffWindowsCopilot = 1 | |
 | GameDVR - disable | AppCaptureEnabled = 0 | |
 | OneDrive - remove RunOnce key | Delete OneDriveSetup from Run | |
 | Num Lock on startup - enable | InitialKeyboardIndicators = 2 | |
 | Accent color on title bars | ColorPrevalence = 1 | |
 ---
-## STEP 5 - Personalization (colors, wallpaper)
+## Step 10 - Network
-Applied to both Default Profile and currently logged-in user.
+Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network
-
+Discovery firewall rules.
 | Setting | Value |
 |---|---|
 | System theme (taskbar, Start) | Dark |
 | App theme | Light |
 | Accent color | #223B47 (dark blue-gray) |
 | Accent color on Start and taskbar | Yes |
 | Accent color on title bars | Yes |
 | Transparency | Disabled |
 | Wallpaper | Solid color #223B47 (no image) |
 NOTE: DesktopInfo scheduled task (STEP 7) will overwrite the wallpaper with a system
 info BMP. The solid color here is only a fallback if DesktopInfo is not running.
 ---
-## STEP 6 - Scheduled Tasks
+## Step 11 - Dell Command | Update
-| Task | Trigger | Purpose |
+Detects Dell hardware via Win32_ComputerSystem.Manufacturer. On non-Dell: skips silently.
-|---|---|---|
+On Dell: installs DCU Universal via winget, runs dcu-cli.exe /applyUpdates with
-| ShowAllTrayIcons | Every logon, every 1 min | Show all icons in system tray (Win11) |
+-reboot=disable. Feature-toggled: drivers/firmware and BIOS separately. Exit 9 when
-| UnlockStartLayout | Once after layout is applied | Unlock Start menu layout |
+BIOS/firmware updates are staged (finalize on next restart).
 | PDF-DefaultApp | Every logon | Restore .pdf -> Adobe Reader if Edge overwrote it |
 | DesktopInfo | Every logon | Render system info onto desktop wallpaper |
 ---
-## STEP 7 - DesktopInfo (BackInfo replacement)
+## Step 09 - PC identity
-Custom PowerShell scheduled task. No external dependencies.
+Creates C:\X9\ directory (Logs, Scripts, Assets) with custom folder icon.
-
+Sets computer description. Renames computer if config.json pcName is set and differs
-**What it displays:**
+from current. Exit 9 only when rename actually happened (restart required).
 - Computer name (hostname)
 - IP address
 - Windows version and build
 - Logged-in username
 - Deployment date
 **How it works:**
 1. PS script collects system info
 2. Renders text onto bitmap via WPF / System.Drawing
 3. Saves BMP to C:\Windows\Setup\Scripts\desktopinfo.bmp
 4. Sets BMP as desktop wallpaper via SystemParametersInfo
 5. Runs on every user logon via Scheduled Task
 **Why not BackInfo:**
 - BackInfo has Win11 rendering issues requiring registry hacks
 - External EXE dependency is hard to distribute
 - Custom PS solution = full control, no dependencies, works on Win10 and Win11
 ---
-## STEP 8 - Logging and output
+## Step 12 - Windows Update
- Every step writes to C:\Windows\Setup\Scripts\Deploy.log
+Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed
- Format: [HH:mm:ss] Step description - OK / ERROR: ...
+(reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles
- At end: summary report (how many steps OK, how many failed)
+the reboot cycle automatically.
 - Log stays on disk for diagnostics
 ---
-## Script switches
+## Config structure
-| Switch | Behavior |
+```json
-|---|---|
+{
-| `-SkipBloatware` | Skip step 1 |
+  "deployment": { "pcName": "", "pcDescription": "", "timezone": "...", "profileType": "default" },
-| `-SkipSoftware` | Skip step 2 |
+  "adminAccount": { "username": "adminx9" },
-| `-SkipDefaultProfile` | Skip step 4 |
+  "activation": { "productKey": "", "kmsServer": "" },
-| `-DryRun` | Run through steps without changes, log only |
+  "software": { "install": [{ "name": "...", "wingetId": "..." }] },
  "steps": { "adminAccount": true, ... },
  "features": { "software": { "wingetInstalls": true, "pdfDefault": true, "ateraAgent": true }, ... },
  "bloatware": { "keepPackages": ["Microsoft.WindowsCalculator"] }
 }
 ```
 ---
-## Open questions
+## Email report
-| # | Question | Status |
+Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps,
-|---|---|---|
+OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME".
-| 1 | BackInfo replacement | DONE - custom PS scheduled task DesktopInfo |
+From: xetup@x9.cz, To: net@x9.cz.
 | 2 | Complete SW list for winget | TODO |
 | 3 | Per-client variability via config.json | FUTURE |
 | 4 | Admin account adminx9 - script or manual? | DONE - script (00-admin-account.ps1) |