Implement steps 09 (PC identity), 10 (network), taskbar profiles; cleanup

02-software: remove 'seznam neuplny' item (SW list is complete)
04-default-profile: add -ProfileType param; taskbar XML varies by profile
  (default=empty, admin=Explorer+PS+Edge, user=Explorer+Edge)
09-pc-identity: new script - Rename-Computer, computer description,
  C:\X9 dir structure, Desktop.ini + X9 icon for custom folder appearance
10-network: new script - Set-NetConnectionProfile Private, enable ICMP,
  enable Network Discovery (Set-NetFirewallRule + netsh fallback)
Deploy-Windows.ps1: -ProfileType param, steps 9+10 added, ProfileType
  threaded through to 04-default-profile.ps1
web/spec: steps 02/09/10/taskbar marked OK, remove noise rows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
X9 Dev 2026-04-16 10:15:55 +02:00
parent 3a7c0afc43
commit 3ce582c0fb
7 changed files with 350 additions and 38 deletions


@ -5,7 +5,9 @@ param(
[switch]$SkipBloatware,
[switch]$SkipSoftware,
[switch]$SkipDefaultProfile,
[switch]$DryRun
[switch]$DryRun,
[ValidateSet("default","admin","user")]
[string]$ProfileType = "default"
)
$ErrorActionPreference = "Continue"
@ -108,6 +110,8 @@ $stepsEnabled = @{
personalization = $true
scheduledTasks = $true
backinfo = $true
network = $true
pcIdentity = $true
activation = $true
}
if ($Config -and $Config.steps) {
@ -177,7 +181,7 @@ if ($stepsEnabled['systemRegistry']) {
# -----------------------------------------------------------------------
if ($stepsEnabled['defaultProfile']) {
Invoke-Step -Name "Step 4 - Default profile" -Action {
& "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile
& "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile -ProfileType $ProfileType
}
} else { Skip-Step "Step 4 - Default profile" }
@ -208,6 +212,24 @@ if ($stepsEnabled['backinfo']) {
}
} else { Skip-Step "Step 7 - BackInfo" }
# -----------------------------------------------------------------------
# Step 9 - Network
# -----------------------------------------------------------------------
if ($stepsEnabled['network']) {
Invoke-Step -Name "Step 9 - Network" -Action {
& "$ScriptRoot\scripts\10-network.ps1" -Config $Config -LogFile $LogFile
}
} else { Skip-Step "Step 9 - Network" }
# -----------------------------------------------------------------------
# Step 10 - PC identity (rename + C:\X9) - runs last, rename needs restart
# -----------------------------------------------------------------------
if ($stepsEnabled['pcIdentity']) {
Invoke-Step -Name "Step 10 - PC identity" -Action {
& "$ScriptRoot\scripts\09-pc-identity.ps1" -Config $Config -LogFile $LogFile
}
} else { Skip-Step "Step 10 - PC identity" }
# -----------------------------------------------------------------------
# Summary
# -----------------------------------------------------------------------
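Review bot: The step labels and script numbers are crossed in the two new blocks: "Step 9 - Network" invokes scripts\10-network.ps1 and "Step 10 - PC identity" invokes scripts\09-pc-identity.ps1, while each script logs its own file number on exit ("Step 9 complete" from 09-pc-identity.ps1, "Step 10 complete" from 10-network.ps1). The deployment log will read "Step 9 - Network" followed by "Step 10 complete", which makes a failed run harder to reconstruct. Either renumber the script files to match execution order, or drop the number from the in-script completion message and let Invoke-Step own the label.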


@ -14,7 +14,6 @@
7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
seznam-sw-je-neuplny-co-dalsiho-patri-do: The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team.
atera-agent-install: Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.
adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.


@ -12,7 +12,7 @@
taskbar-zarovnat-vlevo-taskbaral-0: TaskbarAl = 0 in Explorer\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.
taskbar-skryt-search-copilot-task-view-w: Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.
taskbar-zobrazit-vsechny-ikonky-v-tray-s: Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.
taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed.
taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.
explorer-zobrazovat-pripony-souboru-hide: HideFileExt = 0 in Explorer\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.
explorer-otevrit-na-this-pc-launchto-1: LaunchTo = 1. File Explorer opens to "This PC" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.
start-menu-vyprazdnit-piny-win11: ConfigureStartPins = {"pinnedList":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.
@ -26,7 +26,9 @@
#>
param(
[object]$Config,
[string]$LogFile
[string]$LogFile,
[ValidateSet("default","admin","user")]
[string]$ProfileType = "default"
)
$ErrorActionPreference = "Continue"
@ -264,15 +266,40 @@ try {
# -----------------------------------------------------------------------
# Empty taskbar pinned apps (Win10/11)
# Taskbar pinned apps layout (Win10/11)
# ProfileType: default = empty, admin = Explorer+PS+Edge, user = Explorer+Edge
# Note: TaskbarLayoutModification.xml locks the taskbar temporarily.
# UnlockStartLayout scheduled task removes the lock 5 min after first boot
# so users can then customize pins freely.
# Win11 24H2+ may require ProvisionedLayoutModification.xml format instead.
# -----------------------------------------------------------------------
Write-Log "Clearing taskbar pinned apps layout" -Level INFO
Write-Log "Writing taskbar layout (ProfileType=$ProfileType)" -Level INFO
$taskbarLayoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell"
if (-not (Test-Path $taskbarLayoutDir)) {
New-Item -ItemType Directory -Path $taskbarLayoutDir -Force | Out-Null
}
# Build pin list based on profile type.
# Paths resolve relative to the new user at first login.
# Missing shortcuts are silently skipped by Windows.
$pinList = switch ($ProfileType) {
"admin" {
@'
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
'@
}
"user" {
@'
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
'@
}
default { "" } # empty = clean slate
}
$taskbarLayoutXml = @"
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
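Review bot: $taskbarLayoutDir is hard-coded to C:\Users\Default, so the pin list selected by -ProfileType is written into the default profile and applies to every account created on the machine afterwards, not only to the role it is named after. With -ProfileType admin, each later standard user also gets Windows PowerShell pinned. If the choice is meant to be per machine, say so in the comment block above the switch; if it is meant to be per role, the layout has to be applied per user rather than through the Default profile.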
@ -284,13 +311,14 @@ try {
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
$pinList
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
"@
$taskbarLayoutXml | Set-Content -Path "$taskbarLayoutDir\LayoutModification.xml" -Encoding UTF8 -Force
Write-Log " Taskbar LayoutModification.xml written" -Level OK
Write-Log " Taskbar LayoutModification.xml written (profile: $ProfileType)" -Level OK
}
finally {
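Review bot: The OK line after Set-Content is logged unconditionally: the script runs with $ErrorActionPreference = "Continue", so a failed write is a non-terminating error and "Taskbar LayoutModification.xml written (profile: ...)" is still recorded at level OK. Add -ErrorAction Stop to the Set-Content call so the failure reaches the error handling, or test the file before logging. The file name is also inconsistent: this hunk writes LayoutModification.xml, while the comment block and the spec entries call it TaskbarLayoutModification.xml; pick one name so a technician searching the disk finds what the documentation describes.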

scripts/09-pc-identity.ps1 Normal file

@ -0,0 +1,137 @@
<#
.SYNOPSIS
Sets PC identity: computer name, description, and creates C:\X9 folder structure.
.DESCRIPTION
Renames the computer if deployment.pcName is set in config.json. Sets the
computer description (visible in System properties and network neighborhood).
Creates C:\X9\ directory structure with subdirectories for logs, scripts and
assets. Copies X9 icon and creates Desktop.ini so the folder shows a custom
icon in Explorer. Computer rename requires a restart - this step runs last
before the final summary.
.ITEMS
rename-computer-dle-config-deployment-pcn: Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved.
popis-pocitace-computer-description: Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default "X9 deployment". Written to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SrvComment.
vytvorit-cx9-adresar: Creates C:\X9\ with subdirectories Logs\, Scripts\, Assets\. Used for deployment logs, custom per-client scripts, and client-specific configuration assets.
cx9-vlastni-ikonka-desktop-ini: Copies X9-ikona.ico to C:\X9\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\X9\ so Explorer displays the custom folder icon.
#>
param(
[object]$Config,
[string]$LogFile
)
$ErrorActionPreference = "Continue"
function Write-Log {
param([string]$Message, [string]$Level = "INFO")
$line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
Add-Content -Path $LogFile -Value $line -Encoding UTF8
}
# -----------------------------------------------------------------------
# C:\X9 directory structure
# -----------------------------------------------------------------------
Write-Log "Creating C:\X9 directory structure" -Level INFO
$x9Root = "C:\X9"
$x9Dirs = @("$x9Root\Logs", "$x9Root\Scripts", "$x9Root\Assets")
foreach ($dir in $x9Dirs) {
try {
if (-not (Test-Path $dir)) {
New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
Write-Log " Dir: $dir" -Level OK
}
catch {
Write-Log " Failed to create $dir - $_" -Level ERROR
}
}
# -----------------------------------------------------------------------
# Copy X9 icon and create Desktop.ini for custom folder appearance
# -----------------------------------------------------------------------
$assetsLogo = Join-Path $PSScriptRoot "..\assets\Logo"
$icoSrc = Get-ChildItem -Path $assetsLogo -Filter "*.ico" -ErrorAction SilentlyContinue |
Select-Object -First 1
if ($icoSrc) {
$icoDest = "$x9Root\X9-ikona.ico"
try {
Copy-Item -Path $icoSrc.FullName -Destination $icoDest -Force
Write-Log " Copied icon: $icoDest" -Level OK
}
catch {
Write-Log " Failed to copy icon: $_" -Level WARN
}
$desktopIni = "$x9Root\desktop.ini"
try {
@"
[.ShellClassInfo]
IconResource=X9-ikona.ico,0
[ViewState]
Mode=
Vid=
FolderType=Generic
"@ | Set-Content -Path $desktopIni -Encoding Unicode -Force
# desktop.ini must be System+Hidden; folder must be ReadOnly for Explorer to show the icon
(Get-Item $desktopIni -Force).Attributes = "System,Hidden"
(Get-Item $x9Root).Attributes = "ReadOnly,Directory"
Write-Log " Desktop.ini created for custom folder icon" -Level OK
}
catch {
Write-Log " Failed to create desktop.ini: $_" -Level WARN
}
} else {
Write-Log " No .ico found in assets\Logo - custom folder icon skipped" -Level WARN
}
# -----------------------------------------------------------------------
# Computer description
# -----------------------------------------------------------------------
$pcDesc = "X9 deployment"
if ($Config -and $Config.deployment -and $Config.deployment.pcDescription) {
$pcDesc = $Config.deployment.pcDescription
}
Write-Log "Setting computer description: $pcDesc" -Level INFO
try {
Set-ItemProperty `
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name "SrvComment" -Value $pcDesc -Type String -Force
Write-Log " Computer description set" -Level OK
}
catch {
Write-Log " Failed to set computer description: $_" -Level ERROR
}
# -----------------------------------------------------------------------
# Rename computer (must be last - requires restart to take effect)
# -----------------------------------------------------------------------
$pcName = $null
if ($Config -and $Config.deployment -and $Config.deployment.pcName) {
$pcName = $Config.deployment.pcName.Trim()
}
if ($pcName -and $pcName -ne "") {
$currentName = $env:COMPUTERNAME
if ($currentName -eq $pcName) {
Write-Log "Computer name already '$pcName' - no rename needed" -Level OK
} else {
Write-Log "Renaming computer: '$currentName' -> '$pcName'" -Level INFO
try {
Rename-Computer -NewName $pcName -Force -ErrorAction Stop
Write-Log " Computer renamed to '$pcName' (restart required)" -Level OK
}
catch {
Write-Log " Failed to rename computer: $_" -Level ERROR
}
}
} else {
Write-Log "No pcName in config - computer rename skipped" -Level INFO
}
Write-Log "Step 9 complete" -Level OK
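Review bot: The New-Item loop creates C:\X9\Logs, C:\X9\Scripts and C:\X9\Assets with inherited permissions only, and a folder created directly under C:\ inherits Modify for Authenticated Users by default. A Scripts directory that standard users can write to becomes a privilege escalation path as soon as anything elevated (a scheduled task, the RMM agent, a technician session) runs a script from it, and a user-writable Logs directory lets the deployment record be altered. Set an explicit ACL on $x9Root after creation (write for Administrators and SYSTEM, read for users) and log the result. Two smaller points: pcName reaches Rename-Computer after only Trim(), so validating length and allowed characters first would give a clearer message than the caught exception; and the closing "Step 9 complete" disagrees with Deploy-Windows.ps1, which runs this script as Step 10.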

scripts/10-network.ps1 Normal file

@ -0,0 +1,111 @@
<#
.SYNOPSIS
Sets network profile to Private, enables ping, and enables Network Discovery.
.DESCRIPTION
Sets all connected network adapter profiles from Public to Private. Private
profile enables file sharing, network discovery, and other LAN features.
Enables ICMP echo (ping) via Windows Firewall for diagnostic purposes.
Enables the Network Discovery firewall rule group for the Private profile
so this PC is visible to other computers on the local network.
.ITEMS
nastavit-sitovy-profil-private: Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.
povolit-ping-icmp-firewall: Enables "File and Printer Sharing (Echo Request)" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.
zapnout-network-discovery: Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines.
#>
param(
[object]$Config,
[string]$LogFile
)
$ErrorActionPreference = "Continue"
function Write-Log {
param([string]$Message, [string]$Level = "INFO")
$line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
Add-Content -Path $LogFile -Value $line -Encoding UTF8
}
# -----------------------------------------------------------------------
# Set network profiles to Private
# -----------------------------------------------------------------------
Write-Log "Setting network profiles to Private" -Level INFO
try {
$profiles = Get-NetConnectionProfile -ErrorAction Stop
foreach ($profile in $profiles) {
if ($profile.NetworkCategory -ne "Private") {
Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex `
-NetworkCategory Private -ErrorAction SilentlyContinue
Write-Log " $($profile.Name): Public -> Private" -Level OK
} else {
Write-Log " $($profile.Name): already Private" -Level INFO
}
}
}
catch {
Write-Log " Failed to set network profiles: $_" -Level ERROR
}
# -----------------------------------------------------------------------
# Enable ICMP echo (ping) - ICMPv4 and ICMPv6
# -----------------------------------------------------------------------
Write-Log "Enabling ICMP echo (ping)" -Level INFO
$icmpRules = @(
"FPS-ICMP4-ERQ-In", # File and Printer Sharing (Echo Request - ICMPv4-In)
"FPS-ICMP6-ERQ-In", # File and Printer Sharing (Echo Request - ICMPv6-In)
"CoreNet-ICMP4-DU-In",
"CoreNet-ICMP6-DU-In"
)
foreach ($rule in $icmpRules) {
try {
$r = Get-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue
if ($r) {
Enable-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue
Write-Log " Enabled: $rule" -Level OK
}
}
catch {
Write-Log " Rule not found or error: $rule - $_" -Level WARN
}
}
# Also enable by display name for robustness across Windows versions
try {
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "*Echo*" } |
Enable-NetFirewallRule -ErrorAction SilentlyContinue
Write-Log " Enabled File and Printer Sharing Echo rules" -Level OK
}
catch {
Write-Log " Could not enable Echo rules via DisplayGroup: $_" -Level WARN
}
# -----------------------------------------------------------------------
# Enable Network Discovery firewall rules
# -----------------------------------------------------------------------
Write-Log "Enabling Network Discovery" -Level INFO
try {
# Enable all Network Discovery rules for Private profile
Get-NetFirewallRule -DisplayGroup "Network Discovery" -ErrorAction Stop |
Where-Object { $_.Profile -match "Private|Any" } |
Enable-NetFirewallRule -ErrorAction SilentlyContinue
Write-Log " Network Discovery rules enabled (Private)" -Level OK
}
catch {
Write-Log " Failed to enable Network Discovery rules: $_" -Level ERROR
}
# Enable via netsh as fallback (covers older Windows builds)
$netshResult = & netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Log " Network Discovery enabled via netsh" -Level OK
} else {
Write-Log " netsh Network Discovery: $netshResult" -Level WARN
}
Write-Log "Step 10 complete" -Level OK
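Review bot: The netsh call near the end is commented as a fallback but runs unconditionally, and set rule group="Network Discovery" new enable=Yes carries no profile filter, so it enables every rule in the group regardless of profile and undoes the "Private|Any" filter applied in the block just above it. Run it only when the Get-NetFirewallRule path failed, and restrict it to the Private profile, or remove it. The echo block has the same shape: the DisplayName -like "*Echo*" pipeline enables all matching rules with no profile condition. In the profile loop, "Public -> Private" is logged at OK for any category other than Private and after a Set-NetConnectionProfile call that uses -ErrorAction SilentlyContinue, so a DomainAuthenticated network or a failed change is recorded as a success; log $profile.NetworkCategory as the old value and re-read the profile before reporting OK. CoreNet-ICMP4-DU-In and CoreNet-ICMP6-DU-In sit in $icmpRules without a comment and are not mentioned in .ITEMS; state why they are enabled or drop them.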


@ -28,7 +28,6 @@
"7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
"adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
"openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
"seznam-sw-je-neuplny-co-dalsiho-patri-do": "The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team.",
"atera-agent-install": "Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.",
"adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
"ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
@ -62,7 +61,7 @@
"taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.",
"taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.",
"taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.",
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed.",
"taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
"explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.",
"explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.",
"start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.",
@ -128,5 +127,24 @@
"preskocit-pokud-jiz-aktivovano": "Queries Win32_WindowsLicenseStatus or SoftwareLicensingProduct to check LicenseStatus. Value 1 = Licensed (fully activated). Script skips activation attempt and logs \"Windows already activated\" to avoid unnecessary slmgr calls.",
"typ-klice-mak-vs-kms-vs-retail": "Key type selection depends on client's Microsoft licensing: MAK = volume license key activates online against Microsoft (limited activations), KMS = requires KMS server on network (VLSC subscription), Retail = individual license from Microsoft Store or OEM."
}
},
"09-pc-identity": {
"synopsis": "Sets PC identity: computer name, description, and creates C:\\X9 folder structure.",
"description": "Renames the computer if deployment.pcName is set in config.json. Sets the\ncomputer description (visible in System properties and network neighborhood).\nCreates C:\\X9\\ directory structure with subdirectories for logs, scripts and\nassets. Copies X9 icon and creates Desktop.ini so the folder shows a custom\nicon in Explorer. Computer rename requires a restart - this step runs last\nbefore the final summary.",
"items": {
"rename-computer-dle-config-deployment-pcn": "Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved.",
"popis-pocitace-computer-description": "Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default \"X9 deployment\". Written to HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SrvComment.",
"vytvorit-cx9-adresar": "Creates C:\\X9\\ with subdirectories Logs\\, Scripts\\, Assets\\. Used for deployment logs, custom per-client scripts, and client-specific configuration assets.",
"cx9-vlastni-ikonka-desktop-ini": "Copies X9-ikona.ico to C:\\X9\\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\\X9\\ so Explorer displays the custom folder icon."
}
},
"10-network": {
"synopsis": "Sets network profile to Private, enables ping, and enables Network Discovery.",
"description": "Sets all connected network adapter profiles from Public to Private. Private\nprofile enables file sharing, network discovery, and other LAN features.\nEnables ICMP echo (ping) via Windows Firewall for diagnostic purposes.\nEnables the Network Discovery firewall rule group for the Private profile\nso this PC is visible to other computers on the local network.",
"items": {
"nastavit-sitovy-profil-private": "Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.",
"povolit-ping-icmp-firewall": "Enables \"File and Printer Sharing (Echo Request)\" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.",
"zapnout-network-discovery": "Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines."
}
}
}
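Review bot: The "zapnout-network-discovery" entry does not match the script it documents: it says the rule group is enabled "for Private and Domain profiles via Set-NetFirewallRule", while 10-network.ps1 filters on "Private|Any", uses Enable-NetFirewallRule, and then runs an unfiltered netsh command that the entry does not mention. The "povolit-ping-icmp-firewall" entry likewise lists only the Echo Request rules, although the script also enables CoreNet-ICMP4-DU-In and CoreNet-ICMP6-DU-In. Since this text is what a client or auditor reads to learn which inbound rules the deployment opens, make it list exactly what the script enables and for which profiles.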


@ -554,14 +554,13 @@
<div class="step-header">
<span class="step-num">02</span>
<span class="step-title">Software (winget)</span>
<span class="badge badge-todo">TODO</span>
<span class="badge badge-ok">OK</span>
</div>
<div class="step-body">
<table class="items">
<tr class="flag-done"><td>7-Zip (<code>7zip.7zip</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>Adobe Acrobat Reader 64-bit (<code>Adobe.Acrobat.Reader.64-bit</code>)</td><td>OK</td></tr>
<tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
<tr class="flag-todo"><td>Seznam SW je neuplny &ndash; co dalsiho patri dovnitr?</td><td>TODO: doplnit uplny seznam</td></tr>
<tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qn</code></td></tr>
<tr class="flag-done"><td>Adobe PDF default: .pdf -&gt; AcroRd32 po instalaci</td><td>OK &ndash; UCPD stop/start kolem zápisu asociace</td></tr>
<tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Reseno: Stop-Service ucpd &rarr; HKCR zapis &rarr; Start-Service ucpd</td></tr>
@ -753,22 +752,21 @@
<div class="step-header">
<span class="step-num">09</span>
<span class="step-title">PC identita &ndash; Rename + C:\X9</span>
<span class="badge badge-new">New</span>
<span class="badge badge-ok">OK</span>
</div>
<div class="step-body">
<table class="items">
<tr class="flag-todo"><td>Rename-Computer dle parametru z TUI nebo config.json</td><td>Finalni krok pred restartem &ndash; PC name + popis</td></tr>
<tr class="flag-todo"><td>Nastavit popis pocitace (Computer Description)</td><td>Via WMI nebo registry HKLM\SYSTEM\...\ComputerName</td></tr>
<tr class="flag-todo"><td>Vytvorit <code>C:\X9\</code> adresarovou strukturu</td><td>Pro logy, skripty, assets</td></tr>
<tr class="flag-todo"><td>Vlastni ikonka pro <code>C:\X9\</code> slozku</td><td>Desktop.ini + X9-ikona.ico</td></tr>
<tr class="flag-done"><td>Rename-Computer dle parametru z TUI nebo config.json</td><td><code>deployment.pcName</code> v config.json; preskoci pokud neni nastaveno</td></tr>
<tr class="flag-done"><td>Nastavit popis pocitace (Computer Description)</td><td>LanmanServer\Parameters\SrvComment; default "X9 deployment"</td></tr>
<tr class="flag-done"><td>Vytvorit <code>C:\X9\</code> adresarovou strukturu</td><td>C:\X9\Logs, Scripts, Assets</td></tr>
<tr class="flag-done"><td>Vlastni ikonka pro <code>C:\X9\</code> slozku</td><td>Desktop.ini + X9-ikona.ico z assets\Logo\</td></tr>
</table>
<div class="note">
Rename-Computer vyzaduje restart. Tento krok musi byt posledni pred finalnim shrnutim.
Technik vi, ze po deployi nasleduje restart.
Rename-Computer vyzaduje restart. Tento krok bezi jako posledni pred finalnim shrnutim.
</div>
</div>
<div class="step-footer">
<span class="step-status">Script: novy <code>09-pc-identity.ps1</code></span>
<span class="step-status">Script: <code>09-pc-identity.ps1</code></span>
<div class="comment-widget" data-issue="12"></div>
</div>
</div>
@ -778,21 +776,17 @@
<div class="step-header">
<span class="step-num">10</span>
<span class="step-title">Network discovery + firewall</span>
<span class="badge badge-new">New</span>
<span class="badge badge-ok">OK</span>
</div>
<div class="step-body">
<table class="items">
<tr class="flag-todo"><td>Nastavit sitovy profil jako Private (ne Public)</td><td><code>Set-NetConnectionProfile -NetworkCategory Private</code></td></tr>
<tr class="flag-todo"><td>Povolit ping (ICMP) pro diagnostiku</td><td>Firewall rule: Enable ICMPv4/ICMPv6</td></tr>
<tr class="flag-todo"><td>Zapnout Network Discovery pro Private profil</td><td><code>netsh advfirewall</code> nebo <code>Set-NetFirewallRule</code></td></tr>
<tr class="flag-done"><td>Nastavit sitovy profil jako Private (ne Public)</td><td>Set-NetConnectionProfile pro vsechny pripojene adaptery</td></tr>
<tr class="flag-done"><td>Povolit ping (ICMP) pro diagnostiku</td><td>Enable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In</td></tr>
<tr class="flag-done"><td>Zapnout Network Discovery pro Private profil</td><td>Set-NetFirewallRule + netsh advfirewall jako fallback</td></tr>
</table>
<div class="note">
Pozor: Sitovy profil (Private/Public) se muze zmenit po kazdem prihlaseni k jine siti.
Zvazit scheduled task pri logonu pro opakovanou korekci profilu.
</div>
</div>
<div class="step-footer">
<span class="step-status">Script: novy <code>10-network.ps1</code></span>
<span class="step-status">Script: <code>10-network.ps1</code></span>
<div class="comment-widget" data-issue="10"></div>
</div>
</div>
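Review bot: The note deleted from the step 10 body (the network profile can change whenever the PC joins a different network, and a logon scheduled task should be considered to correct it) still describes the shipped behaviour: 10-network.ps1 only changes the profiles that are connected at deploy time. Marking the step OK while removing that caveat hides an open design question; keep the note, or replace it with the decision taken and the reason. The third table row also names Set-NetFirewallRule, but the script uses Enable-NetFirewallRule.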
@ -800,24 +794,25 @@
<!-- TASKBAR -->
<div class="step" id="step-taskbar">
<div class="step-header">
<span class="step-num">---</span>
<span class="step-num">04+</span>
<span class="step-title">Taskbar pinned apps (profily)</span>
<span class="badge badge-new">New</span>
<span class="badge badge-future">Future</span>
<span class="badge badge-ok">OK</span>
<span class="badge badge-open">Open</span>
</div>
<div class="step-body">
<table class="items">
<tr class="flag-todo"><td><code>-ProfileType</code> parametr: admin vs user varianta</td><td>Ruzna sada pinnutych appek dle role uzivatele</td></tr>
<tr class="flag-todo"><td>XML layout pro "admin": Explorer, PS, Edge, Notepad++, …</td><td>TaskbarLayoutModification.xml</td></tr>
<tr class="flag-todo"><td>XML layout pro "user": Edge, Outlook, Teams, Explorer, …</td><td>Odlisna sada pro bezneho zamestnance</td></tr>
<tr class="flag-done"><td><code>-ProfileType</code> parametr: admin vs user varianta</td><td>Deploy-Windows.ps1 -ProfileType [default|admin|user]; predano do 04</td></tr>
<tr class="flag-done"><td>XML layout pro "admin": Explorer, PS, Edge</td><td>TaskbarLayoutModification.xml; File Explorer.lnk + PowerShell.lnk + Edge.lnk</td></tr>
<tr class="flag-done"><td>XML layout pro "user": Explorer, Edge</td><td>Konzervativni sada &ndash; Outlook/Teams pridany az po instalaci M365</td></tr>
<tr class="flag-open"><td>Win11 24H2 kompatibilita layoutu</td><td>24H2 vyzaduje ProvisionedLayoutModification.xml &ndash; nutno otestovat na realne instalaci</td></tr>
</table>
<div class="note">
Win11 24H2 zmenil zpusob aplikace Taskbar layoutu (ProvisionedLayoutModification.xml vs. starsi TaskbarLayoutModification.xml).
Nutno overit kompatibilitu s ruznymy buildy pred implementaci.
Aplikace pinnutych appek: <code>Deploy-Windows.ps1 -ProfileType admin</code> nebo <code>-ProfileType user</code>.<br>
Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.
</div>
</div>
<div class="step-footer">
<span class="step-status">Zacleneni: STEP 04 nebo vlastni script</span>
<span class="step-status">Integrovan do <code>04-default-profile.ps1</code></span>
<div class="comment-widget" data-issue="13"></div>
</div>
</div>
@ -1039,6 +1034,8 @@
'step-05': '05-personalization',
'step-06': '06-scheduled-tasks',
'step-07': '07-backinfo',
'step-pc': '09-pc-identity',
'step-net': '10-network',
'step-08': '08-activation',
};