docs: rewrite CLAUDE.md and SPEC.md to reflect current state

Both files were significantly outdated - referencing deleted scripts
(Deploy-Windows.ps1, 05-personalization, 06-scheduled-tasks,
07-desktop-info), wrong step ordering, completed TODOs listed as
planned, and missing new features (email report, pre-flight checks,
parallel winget, common.ps1).

Rewritten from scratch based on actual current code state.
No historical cruft, no "planned changes" that are already done.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
X9 Dev 2026-04-17 12:36:12 +02:00
parent 64646f1b7f
commit 2f0e176e82
2 changed files with 226 additions and 335 deletions

242
CLAUDE.md

@ -2,14 +2,16 @@
## Project context
MSP deployment script for X9.cz - automated preparation of new Windows 10/11 computers for clients.
Replaces ~3 hours of manual setup with a single PowerShell script (evolving toward Go TUI launcher).
MSP deployment tool for X9.cz - automated preparation of new Windows 10/11 computers.
Go GUI launcher (xetup.exe) embeds PowerShell scripts, runs them sequentially, handles
reboot cycles for Windows Update, and sends an email report when done.
**Key parameters:**
- Target OS: Windows 10 and Windows 11 (x64), including unsupported HW
- Execution: as Administrator on already-installed Windows (not WinPE/autounattend)
- Execution: as Administrator on already-installed Windows (not WinPE/autounattend, not OOBE)
- Volume: ~20 machines per month, various clients
- Operator: MSP technician on-site at client
- Entry point: xetup.exe only (no CLI script entry point)
---
@ -23,27 +25,76 @@ Replaces ~3 hours of manual setup with a single PowerShell script (evolving towa
## Repo structure
```
windows-deployment-new/
xetup/
├── CLAUDE.md <- this file
├── SPEC.md <- technical specification
├── Deploy-Windows.ps1 <- master script (entry point)
├── embed.go <- embeds scripts/ and assets/ into binary
├── cmd/xetup/
│ ├── main.go <- entry point: extract, load config, launch GUI
│ └── app.manifest <- Windows manifest (requireAdministrator)
├── internal/
│ ├── config/config.go <- Config struct, Load/Save, DefaultConfig
│ ├── gui/gui.go <- Walk GUI: form run summary (3 phases)
│ ├── runner/runner.go <- sequential PS script executor with log streaming
│ ├── state/state.go <- JSON state file for reboot-resume persistence
│ ├── prereboot/ <- autologon + X9-Resume scheduled task for reboot cycle
│ ├── preflight/ <- pre-run checks (admin, winget, network, disk)
│ └── report/report.go <- HTML email report via SMTP2Go
├── scripts/
│ ├── 00-admin-account.ps1 <- create hidden admin account
│ ├── common.ps1 <- shared functions (Write-Log, Get-Feature, Load-Config)
│ ├── 00-admin-account.ps1 <- create hidden admin account (adminx9, no password)
│ ├── 01-bloatware.ps1 <- remove AppX, Capabilities, Features
│ ├── 02-software.ps1 <- winget installs + Adobe PDF default
│ ├── 03-system-registry.ps1 <- HKLM tweaks
│ ├── 04-default-profile.ps1 <- C:\Users\Default\NTUSER.DAT changes
│ ├── 05-personalization.ps1 <- colors, wallpaper, theme
│ ├── 06-scheduled-tasks.ps1 <- register scheduled tasks
│ ├── 07-desktop-info.ps1 <- TO BE DELETED (replaced by BackInfo)
│ └── 08-activation.ps1 <- Windows activation via slmgr
│ ├── 02-software.ps1 <- parallel winget installs + Adobe PDF default + Atera
│ ├── 03-system-registry.ps1 <- HKLM tweaks, Edge policies, OneDrive, powercfg
│ ├── 04-default-profile.ps1 <- NTUSER.DAT + HKCU + personalization (merged)
│ ├── 07-backinfo.ps1 <- deploy BackInfo.exe + startup shortcut
│ ├── 08-activation.ps1 <- Windows activation (OA3 config key GVLK)
│ ├── 09-pc-identity.ps1 <- rename PC + C:\X9 folder (exit 9 on rename)
│ ├── 10-network.ps1 <- Private profile, ping, Network Discovery
│ ├── 11-dell-update.ps1 <- Dell Command | Update (auto-skip on non-Dell)
│ └── 12-windows-update.ps1 <- PSWindowsUpdate reboot cycle (exit 9)
├── config/
│ └── config.json <- per-client config
│ └── config.json <- default config template
├── assets/
│ ├── Backinfo/ <- BackInfo.exe + .ini + backinfo_W11.ps1
│ ├── Backinfo/ <- BackInfo.exe + .ini
│ └── Logo/ <- X9-ikona.ico, X9-logo.jpeg
└── tests/
└── Test-Deployment.ps1 <- post-deployment verification
├── tests/
│ └── Test-Deployment.ps1 <- post-deployment verification
└── web/ <- xetup.x9.cz static site
```
---
## Execution flow
```
xetup.exe start
→ extract scripts/ and assets/ to temp dir
→ state file exists? → resume mode (skip form, run pending steps)
→ normal mode:
1. Pre-flight checks (admin, winget, network, disk) shown in GUI
2. Config form (PC name, key, profile, step checkboxes)
3. Write runtime config JSON (reflects GUI selections)
4. Run steps sequentially via powershell.exe -File -ConfigPath -LogFile
5. Step exits 9? → save state, setup autologon + X9-Resume task, reboot
6. After reboot → xetup resumes, runs remaining steps
7. All done → cleanup autologon, send email report, show summary
```
## Step execution order
```
00 Admin account (adminx9)
08 Windows activation
01 Bloatware removal
02 Software (parallel winget + Atera + PDF default)
03 System Registry (HKLM + Edge policies)
04 Default Profile + Personalization (single hive load)
07 BackInfo
10 Network discovery
11 Dell Command | Update
09 PC identity (rename triggers reboot via exit 9)
12 Windows Update (reboot cycle via exit 9)
```
---
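Review bot: In the "Execution flow" block, "extract scripts/ and assets/ to temp dir" followed by step 4 (run via powershell.exe from a process that requires Administrator) leaves the extraction location unspecified. Please state which directory is used and that it is writable only by administrators, or that the extracted scripts are checked against the embedded copies before each run. The same applies to the state file tested in "state file exists?": the doc should say where it lives, since its presence alone switches the launcher into resume mode and skips the form.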
@ -51,115 +102,79 @@ windows-deployment-new/
## Conventions and rules
### PowerShell
- Always `#Requires -RunAsAdministrator` in master script
- `$ErrorActionPreference = "Continue"` - script must survive partial failures
- Log every step to `C:\Windows\Setup\Scripts\Deploy.log`
- Logging via `Write-Log` function defined in master script
- `Invoke-Step` function wraps every step - catches errors, logs, continues
- Comments in English, code in English
- NO diacritics - no accented characters anywhere: not in comments, not in user messages, not in log output
- NO emoticons - not in comments, not in output messages
- Reason: encoding issues across systems, log readability, compatibility
- All scripts use `common.ps1` (dot-sourced): Write-Log, Get-Feature, Load-Config
- Scripts receive `-ConfigPath` (path to JSON) and `-LogFile` params
- Scripts parse config themselves via `Load-Config $ConfigPath`
- `$ErrorActionPreference = "Continue"` - scripts survive partial failures
- Exit code 9 = "reboot required" - runner saves state and triggers restart
- Log to `C:\Windows\Setup\Scripts\Deploy.log`
- NO diacritics anywhere (encoding issues across systems)
- NO emoticons
### Master script structure
```powershell
# 1. Load config.json
# 2. Run individual scripts in order
# 3. Print summary report at end (OK/ERROR counts)
```
### Go / GUI
- Walk-based GUI (Windows only, CGO required)
- Cross-compile: `CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64`
- Three phases: config form → live log → summary with reboot countdown
- Features system: steps can have sub-features (checkboxes in GUI), controlled via config.features
### Master script switches
| Switch | Behavior |
|---|---|
| `-SkipBloatware` | Skip step 1 |
| `-SkipSoftware` | Skip step 2 |
| `-SkipDefaultProfile` | Skip step 4 |
| `-DryRun` | Run without changes, log only |
### Config
- `config.json` is the template, `config-runtime.json` is written to temp at runtime
- GUI regenerates runtime config before starting the run
- `DefaultConfig()` in config.go provides sensible defaults when config.json is absent
- Features default to `true` when missing from config
### Testing
- Test VM: Windows 10/11 x64 on VMware ESXi (X9.cz internal infrastructure)
- Before each test: take snapshot
- After test: revert snapshot
- Dev environment: x64 VM only - NOT ARM (no Parallels/Apple Silicon for testing)
- Test VM: Windows 10/11 x64 on VMware ESXi
- Before each test: take snapshot, after test: revert
- Dev environment: x64 VM only (not ARM)
---
## Important notes
### BackInfo (replaces custom DesktopInfo)
BackInfo.exe IS used. Located in assets/Backinfo/. Deployment:
1. Copy assets/Backinfo/ to C:\Program Files\Backinfo\
2. Run backinfo_W11.ps1 (detects OS, writes registry, creates Startup shortcut)
3. BackInfo.exe auto-starts on every logon, reads INI, renders BMP with system info
- Configurable via BackInfo.ini (fonts, positions, data sources)
- Displays: hostname (centered, large), username, OS, HW info, network info
- DELETE 07-desktop-info.ps1 - no longer needed
### Adobe Reader as default PDF app
- After install: set .pdf -> AcroRd32 association
- Scheduled task PDF-DefaultApp restores association on every logon (guard against Edge overwriting it)
- NOTE: UCPD.sys (kernel driver since Feb 2024) blocks UserChoice writes. Consider disabling UCPD during deployment.
### Default Profile
- Changes to C:\Users\Default\NTUSER.DAT via reg load / reg unload
- Applies to all new users - critical for MSP deployment
- Currently logged-in user gets changes via direct write to HKCU
### Winget
- Always use --accept-package-agreements --accept-source-agreements
- Check winget availability before running installs
- Log result of every install
### Atera Agent
- Download: `Invoke-WebRequest -Uri "https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337" -OutFile setup.msi`
- Install: `msiexec /i setup.msi /qn`
## Key implementation details
### Admin account (adminx9)
- NO PASSWORD (changed from previous version)
- No password (empty), hidden from login screen, Administrators group
- FullName = "X9.cz s.r.o." (via ADSI)
- Hidden from login screen
- Added to Administrators group
- Also used by prereboot for autologon during reboot cycles
### Edge policies
- Mandatory (`Policies\Microsoft\Edge`): HideFirstRunExperience, DefaultBrowserSettingEnabled, DiagnosticData, FeedbackSurveysEnabled
- Recommended (`Policies\Microsoft\Edge\Recommended`): everything else (user can override)
### PDF default
- Adobe Reader set via HKCR\.pdf after install
- UCPD driver stopped during association write, restarted after
### Reboot-resume cycle
- `prereboot_windows.go`: copies xetup.exe to stable path, sets autologon for adminx9, registers X9-Resume scheduled task
- `state.go`: persists pending steps + accumulated results across reboots
- Steps 09 (pcIdentity on rename) and 12 (windowsUpdate) can trigger exit 9
- Cleanup: disables autologon, removes X9-Resume task
### Email report
- Sent via SMTP2Go (mail-eu.smtp2go.com:2525) at end of deployment
- From: xetup@x9.cz, To: net@x9.cz
- Subject: "xetup report HOSTNAME"
- HTML body with per-step status table
### Parallel winget
- 02-software.ps1 launches all winget installs as background jobs (Start-Job)
- Jobs run simultaneously, results collected after all complete
---
## DO NOT
- Do not use $ErrorActionPreference = "Stop" - script must survive partial failure
- Do not remove Calculator (Microsoft.WindowsCalculator) - intentionally kept
- Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure
- Do not remove Calculator (Microsoft.WindowsCalculator)
- Do not use ARM VM for testing
- Do not write scripts depending on specific username - script is universal
- Do not write scripts depending on specific username
- Do not use hardcoded paths that do not exist on clean Windows
- NO diacritics - no accented characters in any part of any script
- NO emoticons - none in comments, log messages or output
- Do not remove OneDrive - must remain installable for M365
- Do not remove RDP/RDS - must remain functional
- Do not remove Microsoft-RemoteDesktopConnection from Optional Features
---
## Planned changes (from review v2, 2026-04-15)
### Must fix
- [ ] Remove OneDrive uninstall from 03-system-registry.ps1 and 04-default-profile.ps1
- [ ] Remove password from admin account, add FullName = "X9.cz s.r.o."
- [ ] Delete 07-desktop-info.ps1, replace with BackInfo deployment step
- [ ] Add powercfg settings (standby-timeout-ac 0, monitor-timeout-ac 60, etc.)
- [ ] Add proxy auto-detect disable (AutoDetect = 0)
- [ ] Add Atera Agent install step
- [ ] Extend Edge policies (~15 more keys)
### New features (from colleague spec v2)
- [ ] Taskbar pinned apps: admin vs user variants via XML layout + -ProfileType parameter
- [ ] Explorer: ShowRecent=0, ShowFrequent=0, FullPath=1 in CabinetState
- [ ] Network discovery: enable ping, set private network profile (post-restart step)
- [ ] PC rename: Rename-Computer as final step before restart
- [ ] C:\X9 directory structure with custom folder icon
### Architecture evolution
- [ ] Go TUI launcher (xetup.exe) embedding PS scripts
- [ ] spec.yaml as single source of truth
- [ ] Web platform at xetup.x9.cz (Forgejo + docs + comments)
- [ ] Self-update mechanism in xetup.exe
- NO diacritics in any file
- NO emoticons
- Do not remove OneDrive policy-block-free (M365 must be able to reinstall it)
- Do not remove RDP/RDS or Microsoft-RemoteDesktopConnection
- Do not create Deploy-Windows.ps1 or other CLI entry points (xetup.exe is sole entry point)
---
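Review bot: Under "Reboot-resume cycle", the Cleanup bullet lists only "disables autologon, removes X9-Resume task", while the first bullet says prereboot also copies xetup.exe to a stable path and state.go persists a state file. Document whether cleanup deletes the copied binary and the state file, and whether it clears the stored autologon settings for adminx9 rather than only disabling them; if it does not, add that to the cleanup step. Separately, the DO NOT entry "Do not remove OneDrive policy-block-free" is hard to parse; the removed wording ("must remain installable for M365") stated the rule more clearly.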
@ -167,9 +182,6 @@ BackInfo.exe IS used. Located in assets/Backinfo/. Deployment:
| # | Question | Status |
|---|---|---|
| 1 | BackInfo replacement | DONE - using BackInfo.exe from assets/ |
| 2 | Complete SW list for winget | TODO - list incomplete |
| 3 | Per-client variability via config.json | FUTURE |
| 4 | Admin account adminx9 | DECIDED - no password, FullName "X9.cz s.r.o." |
| 5 | UCPD driver workaround for PDF default | TODO - disable during deployment |
| 6 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? |
| 1 | Complete SW list for winget | TODO - list may be incomplete |
| 2 | Atera MFA bypass | OPEN - does aeid parameter avoid MFA? |
| 3 | `--resume` flag | Passed by prereboot task but not parsed - resume detected via state file |
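Review bot: Row 3 of the open-questions table (`--resume` flag) has a description in the Status column instead of a status such as OPEN or DECIDED, so it is unclear whether the unparsed flag is intended. Either mark it DECIDED and drop the flag from the X9-Resume task, or record it as TODO to parse it. With resume keyed only on the state file existing, this row is also a good place to point to where that file is stored.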

319
SPEC.md

@ -1,16 +1,14 @@
# MSP Windows Deployment - Specification (SPEC.md)
# MSP Windows Deployment - Specification
> Version: 0.2 (draft)
> Author: X9.cz
> Purpose: Automated preparation of new Windows 10/11 computers for clients
> Purpose: Automated preparation of new Windows 10/11 computers for X9.cz clients
---
## Overview
Script replaces ~3 hours of manual computer setup. Run once as Administrator on
already-installed Windows, performs everything automatically, saves result to Default
Profile so settings apply to every subsequent user.
xetup.exe replaces ~3 hours of manual computer setup. GUI launcher embeds PowerShell
scripts, runs them sequentially, handles reboot cycles, sends email report when done.
Settings are applied to Default Profile (NTUSER.DAT) so every new user inherits them.
---
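Review bot: The header still reads "Version: 0.2 (draft)" although the commit message says both files were rewritten from scratch. Bump the version or add a revision date so a reader can tell this SPEC apart from the pre-rewrite one.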
@ -18,276 +16,157 @@ Profile so settings apply to every subsequent user.
- Windows 10 or Windows 11 (x64)
- Run as Administrator
- Internet connection (for winget installs)
- Computer received either as clean OEM install or with manufacturer pre-installed Windows
- Internet connection (for winget installs, Atera agent, Windows Update)
- Post-OOBE (fully installed Windows with at least one user account)
---
## What the script does NOT do
## Step execution order
- Does not install Windows (not an autounattend.xml for clean install)
- Does not create images
- Does not manage the computer ongoing (one-time deployment)
| # | Step | Script | Notes |
|---|---|---|---|
| 00 | Admin account | 00-admin-account.ps1 | adminx9, no password, hidden |
| 08 | Windows activation | 08-activation.ps1 | OA3 → config key → GVLK fallback |
| 01 | Bloatware removal | 01-bloatware.ps1 | AppX + Capabilities + Features |
| 02 | Software install | 02-software.ps1 | Parallel winget + Atera + PDF default |
| 03 | System registry | 03-system-registry.ps1 | HKLM tweaks, Edge, powercfg, WPAD |
| 04 | Profile + personalization | 04-default-profile.ps1 | NTUSER.DAT + HKCU + theme |
| 07 | BackInfo | 07-backinfo.ps1 | System info wallpaper overlay |
| 10 | Network | 10-network.ps1 | Private profile, ping, discovery |
| 11 | Dell Update | 11-dell-update.ps1 | Auto-skip on non-Dell HW |
| 09 | PC identity | 09-pc-identity.ps1 | Rename + C:\X9 (reboot on rename) |
| 12 | Windows Update | 12-windows-update.ps1 | Multi-round reboot cycle |
---
## Script structure
Script is divided into steps. Each step logs its result. Steps can be skipped with switches.
---
## STEP 0a - Admin account
## Step 00 - Admin account
Creates local admin account `adminx9`:
- Password from `config.json` (`adminAccount.password`)
- No password (empty) - account is hidden, only accessible to technicians
- FullName = "X9.cz s.r.o." (via ADSI)
- Added to Administrators group
- Password never expires, user cannot change password
- Hidden from Windows login screen (SpecialAccounts\UserList = 0)
- Hidden from login screen (SpecialAccounts\UserList = 0)
- Password never expires
---
## STEP 0b - Windows activation
## Step 08 - Windows activation
Activates Windows using product key from config:
- Key from `config.json` (`activation.productKey`) - set to real MAK/retail key for production
- Falls back to GVLK (KMS client key) matched by detected OS edition
- Optional KMS server via `activation.kmsServer`
- If already activated, skips silently
Priority: OA3 embedded key (BIOS/UEFI) → config.json productKey → GVLK by edition.
Optional KMS server via config.json. Skips if already activated (LicenseStatus = 1).
---
## STEP 1 - Bloatware removal
## Step 01 - Bloatware removal
### 1a - AppX packages (UWP apps)
Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.),
~14 Windows Capabilities (Fax, IE, WordPad, etc.), and Optional Features
(PowerShell 2.0, Recall). Calculator intentionally kept.
Removed for all users (-AllUsers) and from provisioned packages (so they do not return for new users).
---
| Package | Description |
## Step 02 - Software installation
Parallel winget installs (Start-Job):
| Software | Winget ID |
|---|---|
| Microsoft.Microsoft3DViewer | 3D Viewer |
| Microsoft.BingSearch | Bing Search |
| Microsoft.WindowsCamera | Camera |
| Clipchamp.Clipchamp | Clipchamp video editor |
| Microsoft.WindowsAlarms | Clock / Alarm |
| Microsoft.Copilot | Copilot AI |
| Microsoft.549981C3F5F10 | Cortana |
| Microsoft.Windows.DevHome | Dev Home |
| MicrosoftCorporationII.MicrosoftFamily | Family Safety |
| Microsoft.WindowsFeedbackHub | Feedback Hub |
| Microsoft.Edge.GameAssist | Game Assist |
| Microsoft.GetHelp | Help |
| Microsoft.Getstarted | Tips / Get Started |
| microsoft.windowscommunicationsapps | Mail and Calendar |
| Microsoft.WindowsMaps | Maps |
| Microsoft.MixedReality.Portal | Mixed Reality |
| Microsoft.BingNews | News |
| Microsoft.MicrosoftOfficeHub | Office Hub |
| Microsoft.Office.OneNote | OneNote |
| Microsoft.OutlookForWindows | Outlook (new) |
| Microsoft.Paint | Paint (new UWP) |
| Microsoft.MSPaint | Paint (legacy) |
| Microsoft.People | People |
| Microsoft.Windows.Photos | Photos |
| Microsoft.PowerAutomateDesktop | Power Automate |
| MicrosoftCorporationII.QuickAssist | Quick Assist |
| Microsoft.SkypeApp | Skype |
| Microsoft.ScreenSketch | Snipping Tool |
| Microsoft.MicrosoftSolitaireCollection | Solitaire |
| Microsoft.MicrosoftStickyNotes | Sticky Notes |
| MicrosoftTeams / MSTeams | Teams (personal) |
| Microsoft.Todos | To Do |
| Microsoft.WindowsSoundRecorder | Voice Recorder |
| Microsoft.Wallet | Wallet |
| Microsoft.BingWeather | Weather |
| Microsoft.WindowsTerminal | Windows Terminal |
| Microsoft.Xbox.TCUI | Xbox UI |
| Microsoft.XboxApp | Xbox |
| Microsoft.XboxGameOverlay | Xbox Game Overlay |
| Microsoft.XboxGamingOverlay | Xbox Gaming Overlay |
| Microsoft.XboxIdentityProvider | Xbox Identity |
| Microsoft.XboxSpeechToTextOverlay | Xbox Speech |
| Microsoft.GamingApp | Gaming App |
| Microsoft.YourPhone | Phone Link |
| Microsoft.ZuneMusic | Music |
| Microsoft.ZuneVideo | Movies and TV |
| 7-Zip | 7zip.7zip |
| Adobe Acrobat Reader 64-bit | Adobe.Acrobat.Reader.64-bit |
| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect |
NOTE: Microsoft.WindowsCalculator is intentionally KEPT.
After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted.
### 1b - Windows Capabilities
| Capability | Description |
|---|---|
| Print.Fax.Scan | Fax and Scan |
| Language.Handwriting | Handwriting |
| Browser.InternetExplorer | Internet Explorer |
| MathRecognizer | Math Input |
| OneCoreUAP.OneSync | OneSync |
| OpenSSH.Client | OpenSSH client |
| Microsoft.Windows.MSPaint | Paint (Win32) |
| Microsoft.Windows.PowerShell.ISE | PowerShell ISE |
| App.Support.QuickAssist | Quick Assist |
| Microsoft.Windows.SnippingTool | Snipping Tool |
| App.StepsRecorder | Steps Recorder |
| Hello.Face.* | Windows Hello face |
| Media.WindowsMediaPlayer | Windows Media Player |
| Microsoft.Windows.WordPad | WordPad |
### 1c - Windows Optional Features
| Feature | Description |
|---|---|
| MediaPlayback | Media playback |
| MicrosoftWindowsPowerShellV2Root | PowerShell 2.0 |
| Microsoft-RemoteDesktopConnection | RDP client |
| Recall | Windows Recall (AI) |
| Microsoft-SnippingTool | Snipping Tool (feature) |
Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait.
---
## STEP 2 - Software installation (winget)
## Step 03 - System registry (HKLM)
| Software | Winget ID | Notes |
|---|---|---|
| 7-Zip | `7zip.7zip` | OK |
| Adobe Acrobat Reader | `Adobe.Acrobat.Reader.64-bit` | OK, see note |
| OpenVPN Connect | `OpenVPNTechnologies.OpenVPNConnect` | OK |
| ... | ... | TODO: complete list |
Always applied: password max age unlimited, timezone (Central Europe Standard Time).
> Adobe Acrobat Reader: After install, script sets .pdf -> AcroRd32 as default.
> Scheduled task PDF-DefaultApp restores this association on every logon as a guard
> against Edge overwriting it.
> BackInfo: NOT used. Replaced by custom PowerShell scheduled task DesktopInfo.
> See STEP 7.
Feature-toggled sections:
- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search
- **edgePolicies**: mandatory (first-run, telemetry) + recommended (UI defaults user can change)
- **oneDriveUninstall**: removes consumer OneDrive (no policy block - M365 can reinstall)
- **powercfg**: standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15
- **proxyDisable**: WPAD auto-detect off
---
## STEP 3 - System settings (HKLM - applies to whole system)
## Step 04 - Default Profile + Personalization
| Setting | Value | Notes |
|---|---|---|
| Disable NRO (bypass network check) | HKLM\...\OOBE\BypassNRO = 1 | |
| Disable auto-install of Teams | ConfigureChatAutoInstall = 0 | |
| Disable Cloud Optimized Content | DisableCloudOptimizedContent = 1 | |
| Disable Widgets (News and Interests) | HKLM\...\Dsh\AllowNewsAndInterests = 0 | |
| Edge - hide First Run Experience | HKLM\Policies\Edge\HideFirstRunExperience = 1 | |
| Passwords - no expiration | net accounts /maxpwage:UNLIMITED | |
| Time zone | Central Europe Standard Time | |
| OneDrive - remove | Delete OneDriveSetup.exe + Start Menu lnk | |
| Outlook (new) - disable auto-install | Delete UScheduler registry key | |
| Disable GameDVR | AppCaptureEnabled = 0 | |
Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Default
hive and current HKCU. Feature-toggled sections:
- **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all
tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on
- **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR
- **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path
Personalization (always): dark shell / light apps, accent #223B47, transparency off,
solid wallpaper #223B47 (BackInfo overwrites on logon).
---
## STEP 4 - Default Profile (NTUSER.DAT)
## Step 07 - BackInfo
Settings applied to C:\Users\Default\NTUSER.DAT - inherited by every new user on first logon.
Method: script loads Default hive (reg load), makes changes, unloads (reg unload).
| Setting | Key / Value | Description |
|---|---|---|
| Taskbar - align left | TaskbarAl = 0 | Win11 default is center |
| Taskbar - hide Search box | SearchboxTaskbarMode = 0 | |
| Taskbar - hide Copilot button | ShowCopilotButton = 0 | |
| Taskbar - hide Task View button | ShowTaskViewButton = 0 | |
| Taskbar - hide Widgets | TaskbarDa = 0 | |
| Taskbar - hide Chat/Teams button | TaskbarMn = 0 | |
| Taskbar - show all tray icons | Scheduled task ShowAllTrayIcons | Runs on every logon |
| Taskbar - empty pinlist | TaskbarLayoutModification.xml | Removes default pinned apps |
| Explorer - show file extensions | HideFileExt = 0 | |
| Explorer - open to This PC | LaunchTo = 1 | Instead of Quick Access |
| Start menu - empty pins | ConfigureStartPins = {"pinnedList":[]} | Win11 |
| Start menu - disable Bing results | DisableSearchBoxSuggestions = 1 | |
| Copilot - disable | TurnOffWindowsCopilot = 1 | |
| GameDVR - disable | AppCaptureEnabled = 0 | |
| OneDrive - remove RunOnce key | Delete OneDriveSetup from Run | |
| Num Lock on startup - enable | InitialKeyboardIndicators = 2 | |
| Accent color on title bars | ColorPrevalence = 1 | |
Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to
registry. Creates startup shortcut for all users. BackInfo renders system info BMP as
desktop wallpaper on every logon.
---
## STEP 5 - Personalization (colors, wallpaper)
## Step 10 - Network
Applied to both Default Profile and currently logged-in user.
| Setting | Value |
|---|---|
| System theme (taskbar, Start) | Dark |
| App theme | Light |
| Accent color | #223B47 (dark blue-gray) |
| Accent color on Start and taskbar | Yes |
| Accent color on title bars | Yes |
| Transparency | Disabled |
| Wallpaper | Solid color #223B47 (no image) |
NOTE: DesktopInfo scheduled task (STEP 7) will overwrite the wallpaper with a system
info BMP. The solid color here is only a fallback if DesktopInfo is not running.
Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network
Discovery firewall rules.
---
## STEP 6 - Scheduled Tasks
## Step 11 - Dell Command | Update
| Task | Trigger | Purpose |
|---|---|---|
| ShowAllTrayIcons | Every logon, every 1 min | Show all icons in system tray (Win11) |
| UnlockStartLayout | Once after layout is applied | Unlock Start menu layout |
| PDF-DefaultApp | Every logon | Restore .pdf -> Adobe Reader if Edge overwrote it |
| DesktopInfo | Every logon | Render system info onto desktop wallpaper |
Detects Dell hardware via Win32_ComputerSystem.Manufacturer. On non-Dell: skips silently.
On Dell: installs DCU Universal via winget, runs dcu-cli.exe /applyUpdates with
-reboot=disable. Feature-toggled: drivers/firmware and BIOS separately. Exit 9 when
BIOS/firmware updates are staged (finalize on next restart).
---
## STEP 7 - DesktopInfo (BackInfo replacement)
## Step 09 - PC identity
Custom PowerShell scheduled task. No external dependencies.
**What it displays:**
- Computer name (hostname)
- IP address
- Windows version and build
- Logged-in username
- Deployment date
**How it works:**
1. PS script collects system info
2. Renders text onto bitmap via WPF / System.Drawing
3. Saves BMP to C:\Windows\Setup\Scripts\desktopinfo.bmp
4. Sets BMP as desktop wallpaper via SystemParametersInfo
5. Runs on every user logon via Scheduled Task
**Why not BackInfo:**
- BackInfo has Win11 rendering issues requiring registry hacks
- External EXE dependency is hard to distribute
- Custom PS solution = full control, no dependencies, works on Win10 and Win11
Creates C:\X9\ directory (Logs, Scripts, Assets) with custom folder icon.
Sets computer description. Renames computer if config.json pcName is set and differs
from current. Exit 9 only when rename actually happened (restart required).
---
## STEP 8 - Logging and output
## Step 12 - Windows Update
- Every step writes to C:\Windows\Setup\Scripts\Deploy.log
- Format: [HH:mm:ss] Step description - OK / ERROR: ...
- At end: summary report (how many steps OK, how many failed)
- Log stays on disk for diagnostics
Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed
(reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles
the reboot cycle automatically.
---
## Script switches
## Config structure
| Switch | Behavior |
|---|---|
| `-SkipBloatware` | Skip step 1 |
| `-SkipSoftware` | Skip step 2 |
| `-SkipDefaultProfile` | Skip step 4 |
| `-DryRun` | Run through steps without changes, log only |
```json
{
"deployment": { "pcName": "", "pcDescription": "", "timezone": "...", "profileType": "default" },
"adminAccount": { "username": "adminx9" },
"activation": { "productKey": "", "kmsServer": "" },
"software": { "install": [{ "name": "...", "wingetId": "..." }] },
"steps": { "adminAccount": true, ... },
"features": { "software": { "wingetInstalls": true, "pdfDefault": true, "ateraAgent": true }, ... },
"bloatware": { "keepPackages": ["Microsoft.WindowsCalculator"] }
}
```
---
## Open questions
## Email report
| # | Question | Status |
|---|---|---|
| 1 | BackInfo replacement | DONE - custom PS scheduled task DesktopInfo |
| 2 | Complete SW list for winget | TODO |
| 3 | Per-client variability via config.json | FUTURE |
| 4 | Admin account adminx9 - script or manual? | DONE - script (00-admin-account.ps1) |
Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps,
OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME".
From: xetup@x9.cz, To: net@x9.cz.
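Review bot: In "Step 00 - Admin account", the bullet "No password (empty) - account is hidden, only accessible to technicians" claims more than the listed settings provide: SpecialAccounts\UserList = 0 only hides the account from the login screen, and the account is in Administrators with an empty password that never expires. Reword it to name what actually limits use of the account (for example, if the design relies on Windows restricting blank-password local accounts to console logon, say so and note that no step may change that policy), or drop "only accessible to technicians". Minor: the "Config structure" block uses `...` entries, so it is not valid JSON as written; label it as a schema sketch.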