Remove noise rows, implement powercfg + proxy, clean up Edge docs

01-bloatware: remove 'do not remove RDP/OneDrive' items from header
  (documenting what we don't do is noise)
web/spec step-01: remove two flag-warn rows

03-system-registry: implement powercfg (standby-ac 0, monitor-ac 60,
  standby-dc 30, monitor-dc 15) and proxy auto-detect disable (AutoDetect=0)
web/spec step-03: powercfg + proxy rows flag-todo -> flag-done, badge OK,
  remove old Edge policies note (already implemented)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
X9 Dev 2026-04-16 10:09:40 +02:00
parent 108a22e7cb
commit 3a7c0afc43
4 changed files with 36 additions and 24 deletions

@ -5,16 +5,13 @@
.DESCRIPTION
Removes Microsoft-bundled apps and features not needed in a business MSP deployment.
Removal is done for all users (-AllUsers) and from the provisioning store so new
users do not get them either. Calculator is intentionally kept. RDP client and
OneDrive are NOT removed here - they are required for business use.
users do not get them either. Calculator is intentionally kept.
.ITEMS
appx-balicky-odstraneni-pro-vsechny-uziv: Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.
zachovano-microsoft-windowscalculator: Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.
windows-capabilities-fax-ie-openssh-wmp-: Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.
windows-optional-features-ps-2-0-mediapl: Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.
microsoft-remotedesktopconnection-nesmi-: The RDP client optional feature is explicitly NOT in the removal list. Must remain functional for MSP remote access, TeamViewer alternatives, and client IT management tasks.
onedrive-nesmi-byt-odstranovano-tady: OneDrive removal is NOT done here. OneDrive must remain available for Microsoft 365 / SharePoint deployment. Any OneDrive removal lines in this script are incorrect and must be removed.
#>
param(
[object]$Config,
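Review bot: Dropping the `onedrive-nesmi-byt-odstranovano-tady` item also removes a statement that contradicted step 03, whose `onedrive-uninstall-intentional` item describes an intentional OneDrive uninstall; since the header no longer says anything about OneDrive, add a one-line cross-reference in `.DESCRIPTION` ("OneDrive consumer pre-install is handled in 03-system-registry") so a reader of this script alone does not assume it is untouched.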

@ -24,8 +24,8 @@
edge-policies-tlacitka-skryt: HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0.
edge-policies-obsah-a-telemetrie: NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0.
onedrive-uninstall-intentional: Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.
powercfg-nastaveni-spotreba-energie: powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).
proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks.
powercfg-nastaveni-spotreba-energie: powercfg /change: standby-timeout-ac 0 (never sleep on AC), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). Applied to active power plan.
proxy-auto-detect-zakaz-autodetect-0: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents MITM via rogue WPAD on untrusted networks.
#>
param(
[object]$Config,
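Review bot: The new `proxy-auto-detect-zakaz-autodetect-0` item says the key "prevents MITM via rogue WPAD", which claims more than one WinINET policy value delivers; WinHTTP consumers (services, non-browser clients going through WinHttpAutoProxySvc) are not covered by this key as far as the hunk shows. Suggest "disables WPAD auto-detect for WinINET/Edge, reducing exposure to rogue WPAD answers" unless the script also handles the WinHTTP path.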
@ -395,4 +395,30 @@ Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
-Name "HideRecommendedSection" -Value 1
# -----------------------------------------------------------------------
# Power configuration
# -----------------------------------------------------------------------
Write-Log "Applying power configuration" -Level INFO
$powercfg = @(
@("/change", "standby-timeout-ac", "0"), # never sleep on AC
@("/change", "monitor-timeout-ac", "60"), # screen off after 60 min on AC
@("/change", "standby-timeout-dc", "30"), # sleep after 30 min on battery
@("/change", "monitor-timeout-dc", "15") # screen off after 15 min on battery
)
foreach ($args in $powercfg) {
$result = & powercfg @args 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Log " powercfg $($args -join ' ')" -Level OK
} else {
Write-Log " powercfg $($args -join ' ') failed: $result" -Level WARN
}
}
# -----------------------------------------------------------------------
# Proxy auto-detect disable (WPAD)
# -----------------------------------------------------------------------
Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "AutoDetect" -Value 0
Write-Log "Step 3 complete" -Level OK
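Review bot: `foreach ($args in $powercfg)` assigns to the automatic `$args` variable (the script's unbound-parameter array), which works but shadows it for the rest of the script scope and reads as a mistake; rename the loop variable, e.g. `foreach ($pcArgs in $powercfg) { $result = & powercfg @pcArgs 2>&1 ... }`. While there, `$powercfg` as the array name next to the `powercfg` command is easy to misread; `$powerSettings` or similar would help.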

@ -13,14 +13,12 @@
},
"01-bloatware": {
"synopsis": "Removes pre-installed bloatware: AppX packages, Capabilities, and Optional Features.",
"description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept. RDP client and\nOneDrive are NOT removed here - they are required for business use.",
"description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept.",
"items": {
"appx-balicky-odstraneni-pro-vsechny-uziv": "Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.",
"zachovano-microsoft-windowscalculator": "Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.",
"windows-capabilities-fax-ie-openssh-wmp-": "Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.",
"windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.",
"microsoft-remotedesktopconnection-nesmi-": "The RDP client optional feature is explicitly NOT in the removal list. Must remain functional for MSP remote access, TeamViewer alternatives, and client IT management tasks.",
"onedrive-nesmi-byt-odstranovano-tady": "OneDrive removal is NOT done here. OneDrive must remain available for Microsoft 365 / SharePoint deployment. Any OneDrive removal lines in this script are incorrect and must be removed."
"windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component."
}
},
"02-software": {
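Review bot: This hunk edits by hand a second verbatim copy of the text in the `.ps1` header (`.DESCRIPTION` and `.ITEMS` of 01-bloatware); the stale "old Edge policies note" the commit message removes is the kind of drift that produces. Consider generating the spec JSON from the script headers (or adding a check that the two match) so one edit cannot leave the other copy stale.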
@ -53,8 +51,8 @@
"edge-policies-tlacitka-skryt": "HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0 (Drop), WebCaptureEnabled=0 (Screenshot), ShareAllowed=0.",
"edge-policies-obsah-a-telemetrie": "NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, SpotlightExperiencesAndRecommendationsEnabled=0, PersonalizationReportingEnabled=0, EdgeShoppingAssistantEnabled=0, ShowMicrosoftRewards=0, HubsSidebarEnabled=0, SearchSuggestEnabled=0, DiagnosticData=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0.",
"onedrive-uninstall-intentional": "Uninstalls the pre-installed OneDrive consumer version via OneDriveSetup.exe /uninstall and removes Start Menu shortcut. Intentional for clean MSP deployment baseline. No DisableFileSyncNGSC policy key is set - M365 installation can reinstall and run OneDrive normally. Only the stock consumer pre-install is removed.",
"powercfg-nastaveni-spotreba-energie": "powercfg /change commands: standby-timeout-ac 0 (never sleep on AC/charger), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery).",
"proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents potential MITM via malicious WPAD responses on untrusted networks."
"powercfg-nastaveni-spotreba-energie": "powercfg /change: standby-timeout-ac 0 (never sleep on AC), monitor-timeout-ac 60 (screen off after 60 min on AC), standby-timeout-dc 30 (sleep after 30 min on battery), monitor-timeout-dc 15 (screen off after 15 min on battery). Applied to active power plan.",
"proxy-auto-detect-zakaz-autodetect-0": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect = 0. Disables WPAD (Web Proxy Auto-Discovery). Eliminates startup delays from WPAD DNS lookup and prevents MITM via rogue WPAD on untrusted networks."
}
},
"04-default-profile": {
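Review bot: "Applied to active power plan" deserves its caveat in the same sentence: `powercfg /change` edits only the currently active scheme, so if a later step or an OEM tool switches the machine to another scheme (High performance, Balanced), these four timeouts no longer apply. Either document that limitation here or apply the values per scheme with `powercfg /setacvalueindex` and `/setdcvalueindex`.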

@ -541,8 +541,6 @@
<tr class="flag-done"><td>Zachovano: Microsoft.WindowsCalculator</td><td>Zamerny vyjimek</td></tr>
<tr class="flag-done"><td>Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)</td><td>Remove-WindowsCapability</td></tr>
<tr class="flag-done"><td>Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)</td><td>Disable-WindowsOptionalFeature</td></tr>
<tr class="flag-warn"><td>Microsoft-RemoteDesktopConnection NESMI byt odstranen</td><td>RDP klient musi zustat funkci. Overit ze neni v seznamu.</td></tr>
<tr class="flag-warn"><td>OneDrive nesmi byt odstranovano tady</td><td>OneDrive musi zustat instalovatelny pro M365.</td></tr>
</table>
</div>
<div class="step-footer">
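Review bot: The removed RDP row carried an action, "Overit ze neni v seznamu" (verify it is not in the removal list), not just documentation; if the guarantee still matters, replace it with a check in 01-bloatware (an assertion that the RDP client capability name is absent from the removal arrays) rather than dropping the reminder without a replacement.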
@ -584,7 +582,7 @@
<div class="step-header">
<span class="step-num">03</span>
<span class="step-title">System Registry (HKLM)</span>
<span class="badge badge-todo">TODO</span>
<span class="badge badge-ok">OK</span>
</div>
<div class="step-body">
<table class="items">
@ -601,16 +599,9 @@
<tr class="flag-done"><td>Edge policies &ndash; tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)</td><td>HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0</td></tr>
<tr class="flag-done"><td>Edge policies &ndash; obsah a telemetrie</td><td>NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, &hellip;</td></tr>
<tr class="flag-done"><td>OneDrive uninstall (intentional)</td><td>OneDriveSetup.exe /uninstall &ndash; odstrani pre-installed verzi. M365 si nainstaluje vlastni.</td></tr>
<tr class="flag-todo"><td>Powercfg nastaveni (spotreba energie)</td><td>Pridat: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15</td></tr>
<tr class="flag-todo"><td>Proxy auto-detect zakaz (AutoDetect = 0)</td><td>HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</td></tr>
<tr class="flag-done"><td>Powercfg nastaveni (spotreba energie)</td><td>standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15</td></tr>
<tr class="flag-done"><td>Proxy auto-detect zakaz (AutoDetect = 0)</td><td>HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</td></tr>
</table>
<div class="note">
<strong>Powercfg prikazy:</strong><br>
<code>powercfg /change standby-timeout-ac 0</code> (neusne na nabijeni)<br>
<code>powercfg /change monitor-timeout-ac 60</code> (monitor zhasne po 60 min)<br>
<code>powercfg /change standby-timeout-dc 30</code><br>
<code>powercfg /change monitor-timeout-dc 15</code>
</div>
</div>
<div class="step-footer">
<span class="step-status">Script: <code>03-system-registry.ps1</code></span>
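Review bot: In the added `<div class="note">`, the last two `<code>` lines (`standby-timeout-dc 30`, `monitor-timeout-dc 15`) lack the parenthetical the first two have; add e.g. `(usne po 30 min na baterii)` and `(monitor zhasne po 15 min na baterii)` for consistency. The note also restates the four values already in the table row above and in the spec JSON, so three hand-maintained copies now have to agree.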