From 3a7c0afc4360868f978cc9ef1aa0f84c32458b2f Mon Sep 17 00:00:00 2001 From: X9 Dev Date: Thu, 16 Apr 2026 10:09:40 +0200 Subject: [PATCH] Remove noise rows, implement powercfg + proxy, clean up Edge docs 01-bloatware: remove 'do not remove RDP/OneDrive' items from header (documenting what we don't do is noise) web/spec step-01: remove two flag-warn rows 03-system-registry: implement powercfg (standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15) and proxy auto-detect disable (AutoDetect=0) web/spec step-03: powercfg + proxy rows flag-todo -> flag-done, badge OK, remove old Edge policies note (already implemented) Co-Authored-By: Claude Sonnet 4.6 --- scripts/01-bloatware.ps1 | 5 +---- scripts/03-system-registry.ps1 | 30 ++++++++++++++++++++++++++++-- web/data/descriptions.json | 10 ++++------ web/spec/index.html | 15 +++------------ 4 files changed, 36 insertions(+), 24 deletions(-) diff --git a/scripts/01-bloatware.ps1 b/scripts/01-bloatware.ps1 index 482c5bb..7b45b67 100644 --- a/scripts/01-bloatware.ps1 +++ b/scripts/01-bloatware.ps1 @@ -5,16 +5,13 @@ .DESCRIPTION Removes Microsoft-bundled apps and features not needed in a business MSP deployment. Removal is done for all users (-AllUsers) and from the provisioning store so new - users do not get them either. Calculator is intentionally kept. RDP client and - OneDrive are NOT removed here - they are required for business use. + users do not get them either. Calculator is intentionally kept. .ITEMS appx-balicky-odstraneni-pro-vsechny-uziv: Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps. zachovano-microsoft-windowscalculator: Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store. windows-capabilities-fax-ie-openssh-wmp-: Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist. windows-optional-features-ps-2-0-mediapl: Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component. - microsoft-remotedesktopconnection-nesmi-: The RDP client optional feature is explicitly NOT in the removal list. Must remain functional for MSP remote access, TeamViewer alternatives, and client IT management tasks. - onedrive-nesmi-byt-odstranovano-tady: OneDrive removal is NOT done here. OneDrive must remain available for Microsoft 365 / SharePoint deployment. Any OneDrive removal lines in this script are incorrect and must be removed. #> param( [object]$Config, diff --git a/scripts/03-system-registry.ps1 b/scripts/03-system-registry.ps1 index bd006cd..3217bff 100644 --- a/scripts/03-system-registry.ps1 +++ b/scripts/03-system-registry.ps1 @@ -24,8 +24,8 @@ edge-policies-tlacitka-skryt: HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0. edge-policies-obsah-a-telemetrie: NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0. onedrive-uninstall-intentional: Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed. - powercfg-nastaveni-spotreba-energie: powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). - proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks. + powercfg-nastaveni-spotreba-energie: powercfg /change: standby-timeout-ac 0 (never sleep on AC), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). Applied to active power plan. + proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents MITM via rogue WPAD on untrusted networks. #> param( [object]$Config, @@ -395,4 +395,30 @@ Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` -Name "HideRecommendedSection" -Value 1 +# ----------------------------------------------------------------------- +# Power configuration +# ----------------------------------------------------------------------- +Write-Log "Applying power configuration" -Level INFO + +$powercfg = @( + @("/change", "standby-timeout-ac", "0"), # never sleep on AC + @("/change", "monitor-timeout-ac", "60"), # screen off after 60 min on AC + @("/change", "standby-timeout-dc", "30"), # sleep after 30 min on battery + @("/change", "monitor-timeout-dc", "15") # screen off after 15 min on battery +) +foreach ($args in $powercfg) { + $result = & powercfg @args 2>&1 + if ($LASTEXITCODE -eq 0) { + Write-Log " powercfg $($args -join ' ')" -Level OK + } else { + Write-Log " powercfg $($args -join ' ') failed: $result" -Level WARN + } +} + +# ----------------------------------------------------------------------- +# Proxy auto-detect disable (WPAD) +# ----------------------------------------------------------------------- +Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "AutoDetect" -Value 0 + Write-Log "Step 3 complete" -Level OK diff --git a/web/data/descriptions.json b/web/data/descriptions.json index 456b5c0..4f94ec8 100644 --- a/web/data/descriptions.json +++ b/web/data/descriptions.json @@ -13,14 +13,12 @@ }, "01-bloatware": { "synopsis": "Removes pre-installed bloatware: AppX packages, Capabilities, and Optional Features.", - "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept. RDP client and\nOneDrive are NOT removed here - they are required for business use.", + "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept.", "items": { "appx-balicky-odstraneni-pro-vsechny-uziv": "Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.", "zachovano-microsoft-windowscalculator": "Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.", "windows-capabilities-fax-ie-openssh-wmp-": "Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.", - "windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.", - "microsoft-remotedesktopconnection-nesmi-": "The RDP client optional feature is explicitly NOT in the removal list. Must remain functional for MSP remote access, TeamViewer alternatives, and client IT management tasks.", - "onedrive-nesmi-byt-odstranovano-tady": "OneDrive removal is NOT done here. OneDrive must remain available for Microsoft 365 / SharePoint deployment. Any OneDrive removal lines in this script are incorrect and must be removed." + "windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component." } }, "02-software": { @@ -53,8 +51,8 @@ "edge-policies-tlacitka-skryt": "HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0.", "edge-policies-obsah-a-telemetrie": "NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0.", "onedrive-uninstall-intentional": "Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.", - "powercfg-nastaveni-spotreba-energie": "powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).", - "proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks." + "powercfg-nastaveni-spotreba-energie": "powercfg /change: standby-timeout-ac 0 (never sleep on AC), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). Applied to active power plan.", + "proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents MITM via rogue WPAD on untrusted networks." } }, "04-default-profile": { diff --git a/web/spec/index.html b/web/spec/index.html index 7f097c0..cf7b1b2 100644 --- a/web/spec/index.html +++ b/web/spec/index.html @@ -541,8 +541,6 @@ Zachovano: Microsoft.WindowsCalculatorZamerny vyjimek Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)Remove-WindowsCapability Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)Disable-WindowsOptionalFeature - Microsoft-RemoteDesktopConnection NESMI byt odstranenRDP klient musi zustat funkci. Overit ze neni v seznamu. - OneDrive nesmi byt odstranovano tadyOneDrive musi zustat instalovatelny pro M365.
@@ -584,7 +582,7 @@
03 System Registry (HKLM) - TODO + OK
@@ -601,16 +599,9 @@ - - + +
Edge policies – tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0
Edge policies – obsah a telemetrieNewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, …
OneDrive uninstall (intentional)OneDriveSetup.exe /uninstall – odstrani pre-installed verzi. M365 si nainstaluje vlastni.
Powercfg nastaveni (spotreba energie)Pridat: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15
Proxy auto-detect zakaz (AutoDetect = 0)HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Powercfg nastaveni (spotreba energie)standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15
Proxy auto-detect zakaz (AutoDetect = 0)HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
-
- Powercfg prikazy:
- powercfg /change standby-timeout-ac 0 (neusne na nabijeni)
- powercfg /change monitor-timeout-ac 60 (monitor zhasne po 60 min)
- powercfg /change standby-timeout-dc 30
- powercfg /change monitor-timeout-dc 15 -
Script: 03-system-registry.ps1