From 3ce582c0fb2ab0757aeb11e43a50de56a2a8beee Mon Sep 17 00:00:00 2001 From: X9 Dev Date: Thu, 16 Apr 2026 10:15:55 +0200 Subject: [PATCH] Implement steps 09 (PC identity), 10 (network), taskbar profiles; cleanup 02-software: remove 'seznam neuplny' item (SW list is complete) 04-default-profile: add -ProfileType param; taskbar XML varies by profile (default=empty, admin=Explorer+PS+Edge, user=Explorer+Edge) 09-pc-identity: new script - Rename-Computer, computer description, C:\X9 dir structure, Desktop.ini + X9 icon for custom folder appearance 10-network: new script - Set-NetConnectionProfile Private, enable ICMP, enable Network Discovery (Set-NetFirewallRule + netsh fallback) Deploy-Windows.ps1: -ProfileType param, steps 9+10 added, ProfileType threaded through to 04-default-profile.ps1 web/spec: steps 02/09/10/taskbar marked OK, remove noise rows Co-Authored-By: Claude Sonnet 4.6 --- Deploy-Windows.ps1 | 26 ++++++- scripts/02-software.ps1 | 1 - scripts/04-default-profile.ps1 | 38 +++++++-- scripts/09-pc-identity.ps1 | 137 +++++++++++++++++++++++++++++++++ scripts/10-network.ps1 | 111 ++++++++++++++++++++++++++ web/data/descriptions.json | 22 +++++- web/spec/index.html | 53 ++++++------- 7 files changed, 350 insertions(+), 38 deletions(-) create mode 100644 scripts/09-pc-identity.ps1 create mode 100644 scripts/10-network.ps1 diff --git a/Deploy-Windows.ps1 b/Deploy-Windows.ps1 index 53d2815..01f1f1b 100644 --- a/Deploy-Windows.ps1 +++ b/Deploy-Windows.ps1 @@ -5,7 +5,9 @@ param( [switch]$SkipBloatware, [switch]$SkipSoftware, [switch]$SkipDefaultProfile, - [switch]$DryRun + [switch]$DryRun, + [ValidateSet("default","admin","user")] + [string]$ProfileType = "default" ) $ErrorActionPreference = "Continue" @@ -108,6 +110,8 @@ $stepsEnabled = @{ personalization = $true scheduledTasks = $true backinfo = $true + network = $true + pcIdentity = $true activation = $true } if ($Config -and $Config.steps) { 
@@ -177,7 +181,7 @@ if ($stepsEnabled['systemRegistry']) { # ----------------------------------------------------------------------- if ($stepsEnabled['defaultProfile']) { Invoke-Step -Name "Step 4 - Default profile" -Action { - & "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile + & "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile -ProfileType $ProfileType } } else { Skip-Step "Step 4 - Default profile" } @@ -208,6 +212,24 @@ if ($stepsEnabled['backinfo']) { } } else { Skip-Step "Step 7 - BackInfo" } +# ----------------------------------------------------------------------- +# Step 9 - Network +# ----------------------------------------------------------------------- +if ($stepsEnabled['network']) { + Invoke-Step -Name "Step 9 - Network" -Action { + & "$ScriptRoot\scripts\10-network.ps1" -Config $Config -LogFile $LogFile + } +} else { Skip-Step "Step 9 - Network" } + +# ----------------------------------------------------------------------- +# Step 10 - PC identity (rename + C:\X9) - runs last, rename needs restart +# ----------------------------------------------------------------------- +if ($stepsEnabled['pcIdentity']) { + Invoke-Step -Name "Step 10 - PC identity" -Action { + & "$ScriptRoot\scripts\09-pc-identity.ps1" -Config $Config -LogFile $LogFile + } +} else { Skip-Step "Step 10 - PC identity" } + # ----------------------------------------------------------------------- # Summary # ----------------------------------------------------------------------- diff --git a/scripts/02-software.ps1 b/scripts/02-software.ps1 index 7536cae..0276a9f 100644 --- a/scripts/02-software.ps1 +++ b/scripts/02-software.ps1 
@@ -14,7 +14,6 @@ 7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment. adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality. openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client. - seznam-sw-je-neuplny-co-dalsiho-patri-do: The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team. atera-agent-install: Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard. adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates. ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script. diff --git a/scripts/04-default-profile.ps1 b/scripts/04-default-profile.ps1 index b08fec6..96adbd0 100644 --- a/scripts/04-default-profile.ps1 +++ b/scripts/04-default-profile.ps1 
@@ -12,7 +12,7 @@ taskbar-zarovnat-vlevo-taskbaral-0: TaskbarAl = 0 in Explorer\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10. taskbar-skryt-search-copilot-task-view-w: Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes. taskbar-zobrazit-vsechny-ikonky-v-tray-s: Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc. - taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed. + taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize. explorer-zobrazovat-pripony-souboru-hide: HideFileExt = 0 in Explorer\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work. explorer-otevrit-na-this-pc-launchto-1: LaunchTo = 1. File Explorer opens to "This PC" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant. start-menu-vyprazdnit-piny-win11: ConfigureStartPins = {"pinnedList":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) 
from the Windows 11 Start grid. User starts with an empty, clean Start menu. @@ -26,7 +26,9 @@ #> param( [object]$Config, - [string]$LogFile + [string]$LogFile, + [ValidateSet("default","admin","user")] + [string]$ProfileType = "default" ) $ErrorActionPreference = "Continue" @@ -264,15 +266,40 @@ try { # ----------------------------------------------------------------------- - # Empty taskbar pinned apps (Win10/11) + # Taskbar pinned apps layout (Win10/11) + # ProfileType: default = empty, admin = Explorer+PS+Edge, user = Explorer+Edge + # Note: TaskbarLayoutModification.xml locks the taskbar temporarily. + # UnlockStartLayout scheduled task removes the lock 5 min after first boot + # so users can then customize pins freely. + # Win11 24H2+ may require ProvisionedLayoutModification.xml format instead. # ----------------------------------------------------------------------- - Write-Log "Clearing taskbar pinned apps layout" -Level INFO + Write-Log "Writing taskbar layout (ProfileType=$ProfileType)" -Level INFO $taskbarLayoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell" if (-not (Test-Path $taskbarLayoutDir)) { New-Item -ItemType Directory -Path $taskbarLayoutDir -Force | Out-Null } + # Build pin list based on profile type. + # Paths resolve relative to the new user at first login. + # Missing shortcuts are silently skipped by Windows. + $pinList = switch ($ProfileType) { + "admin" { +@' + + + +'@ + } + "user" { +@' + + +'@ + } + default { "" } # empty = clean slate + } + $taskbarLayoutXml = @" +$pinList "@ $taskbarLayoutXml | Set-Content -Path "$taskbarLayoutDir\LayoutModification.xml" -Encoding UTF8 -Force - Write-Log " Taskbar LayoutModification.xml written" -Level OK + Write-Log " Taskbar LayoutModification.xml written (profile: $ProfileType)" -Level OK } finally { diff --git a/scripts/09-pc-identity.ps1 b/scripts/09-pc-identity.ps1 new file mode 100644 index 0000000..b353fac --- /dev/null +++ b/scripts/09-pc-identity.ps1 
@@ -0,0 +1,137 @@ +<# +.SYNOPSIS + Sets PC identity: computer name, description, and creates C:\X9 folder structure. + +.DESCRIPTION + Renames the computer if deployment.pcName is set in config.json. Sets the + computer description (visible in System properties and network neighborhood). + Creates C:\X9\ directory structure with subdirectories for logs, scripts and + assets. Copies X9 icon and creates Desktop.ini so the folder shows a custom + icon in Explorer. Computer rename requires a restart - this step runs last + before the final summary. + +.ITEMS + rename-computer-dle-config-deployment-pcn: Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved. + popis-pocitace-computer-description: Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default "X9 deployment". Written to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SrvComment. + vytvorit-cx9-adresar: Creates C:\X9\ with subdirectories Logs\, Scripts\, Assets\. Used for deployment logs, custom per-client scripts, and client-specific configuration assets. + cx9-vlastni-ikonka-desktop-ini: Copies X9-ikona.ico to C:\X9\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\X9\ so Explorer displays the custom folder icon. 
+#> +param( + [object]$Config, + [string]$LogFile +) + +$ErrorActionPreference = "Continue" + +function Write-Log { + param([string]$Message, [string]$Level = "INFO") + $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message" + Add-Content -Path $LogFile -Value $line -Encoding UTF8 +} + +# ----------------------------------------------------------------------- +# C:\X9 directory structure +# ----------------------------------------------------------------------- +Write-Log "Creating C:\X9 directory structure" -Level INFO + +$x9Root = "C:\X9" +$x9Dirs = @("$x9Root\Logs", "$x9Root\Scripts", "$x9Root\Assets") + +foreach ($dir in $x9Dirs) { + try { + if (-not (Test-Path $dir)) { + New-Item -ItemType Directory -Path $dir -Force | Out-Null + } + Write-Log " Dir: $dir" -Level OK + } + catch { + Write-Log " Failed to create $dir - $_" -Level ERROR + } +} + +# ----------------------------------------------------------------------- +# Copy X9 icon and create Desktop.ini for custom folder appearance +# ----------------------------------------------------------------------- +$assetsLogo = Join-Path $PSScriptRoot "..\assets\Logo" +$icoSrc = Get-ChildItem -Path $assetsLogo -Filter "*.ico" -ErrorAction SilentlyContinue | + Select-Object -First 1 + +if ($icoSrc) { + $icoDest = "$x9Root\X9-ikona.ico" + try { + Copy-Item -Path $icoSrc.FullName -Destination $icoDest -Force + Write-Log " Copied icon: $icoDest" -Level OK + } + catch { + Write-Log " Failed to copy icon: $_" -Level WARN + } + + $desktopIni = "$x9Root\desktop.ini" + try { + @" +[.ShellClassInfo] +IconResource=X9-ikona.ico,0 +[ViewState] +Mode= +Vid= +FolderType=Generic +"@ | Set-Content -Path $desktopIni -Encoding Unicode -Force + + # desktop.ini must be System+Hidden; folder must be ReadOnly for Explorer to show the icon + (Get-Item $desktopIni -Force).Attributes = "System,Hidden" + (Get-Item $x9Root).Attributes = "ReadOnly,Directory" + Write-Log " Desktop.ini created for custom folder icon" -Level OK + } + catch { + 
Write-Log " Failed to create desktop.ini: $_" -Level WARN + } +} else { + Write-Log " No .ico found in assets\Logo - custom folder icon skipped" -Level WARN +} + +# ----------------------------------------------------------------------- +# Computer description +# ----------------------------------------------------------------------- +$pcDesc = "X9 deployment" +if ($Config -and $Config.deployment -and $Config.deployment.pcDescription) { + $pcDesc = $Config.deployment.pcDescription +} + +Write-Log "Setting computer description: $pcDesc" -Level INFO +try { + Set-ItemProperty ` + -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SrvComment" -Value $pcDesc -Type String -Force + Write-Log " Computer description set" -Level OK +} +catch { + Write-Log " Failed to set computer description: $_" -Level ERROR +} + +# ----------------------------------------------------------------------- +# Rename computer (must be last - requires restart to take effect) +# ----------------------------------------------------------------------- +$pcName = $null +if ($Config -and $Config.deployment -and $Config.deployment.pcName) { + $pcName = $Config.deployment.pcName.Trim() +} + +if ($pcName -and $pcName -ne "") { + $currentName = $env:COMPUTERNAME + if ($currentName -eq $pcName) { + Write-Log "Computer name already '$pcName' - no rename needed" -Level OK + } else { + Write-Log "Renaming computer: '$currentName' -> '$pcName'" -Level INFO + try { + Rename-Computer -NewName $pcName -Force -ErrorAction Stop + Write-Log " Computer renamed to '$pcName' (restart required)" -Level OK + } + catch { + Write-Log " Failed to rename computer: $_" -Level ERROR + } + } +} else { + Write-Log "No pcName in config - computer rename skipped" -Level INFO +} + +Write-Log "Step 9 complete" -Level OK diff --git a/scripts/10-network.ps1 b/scripts/10-network.ps1 new file mode 100644 index 0000000..e453ec0 --- /dev/null +++ b/scripts/10-network.ps1 
@@ -0,0 +1,111 @@ +<# +.SYNOPSIS + Sets network profile to Private, enables ping, and enables Network Discovery. + +.DESCRIPTION + Sets all connected network adapter profiles from Public to Private. Private + profile enables file sharing, network discovery, and other LAN features. + Enables ICMP echo (ping) via Windows Firewall for diagnostic purposes. + Enables the Network Discovery firewall rule group for the Private profile + so this PC is visible to other computers on the local network. + +.ITEMS + nastavit-sitovy-profil-private: Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters. + povolit-ping-icmp-firewall: Enables "File and Printer Sharing (Echo Request)" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification. + zapnout-network-discovery: Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines. 
+#> +param( + [object]$Config, + [string]$LogFile +) + +$ErrorActionPreference = "Continue" + +function Write-Log { + param([string]$Message, [string]$Level = "INFO") + $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message" + Add-Content -Path $LogFile -Value $line -Encoding UTF8 +} + +# ----------------------------------------------------------------------- +# Set network profiles to Private +# ----------------------------------------------------------------------- +Write-Log "Setting network profiles to Private" -Level INFO + +try { + $profiles = Get-NetConnectionProfile -ErrorAction Stop + foreach ($profile in $profiles) { + if ($profile.NetworkCategory -ne "Private") { + Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex ` + -NetworkCategory Private -ErrorAction SilentlyContinue + Write-Log " $($profile.Name): Public -> Private" -Level OK + } else { + Write-Log " $($profile.Name): already Private" -Level INFO + } + } +} +catch { + Write-Log " Failed to set network profiles: $_" -Level ERROR +} + +# ----------------------------------------------------------------------- +# Enable ICMP echo (ping) - ICMPv4 and ICMPv6 +# ----------------------------------------------------------------------- +Write-Log "Enabling ICMP echo (ping)" -Level INFO + +$icmpRules = @( + "FPS-ICMP4-ERQ-In", # File and Printer Sharing (Echo Request - ICMPv4-In) + "FPS-ICMP6-ERQ-In", # File and Printer Sharing (Echo Request - ICMPv6-In) + "CoreNet-ICMP4-DU-In", + "CoreNet-ICMP6-DU-In" +) + +foreach ($rule in $icmpRules) { + try { + $r = Get-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue + if ($r) { + Enable-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue + Write-Log " Enabled: $rule" -Level OK + } + } + catch { + Write-Log " Rule not found or error: $rule - $_" -Level WARN + } +} + +# Also enable by display name for robustness across Windows versions +try { + Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -ErrorAction SilentlyContinue | 
+ Where-Object { $_.DisplayName -like "*Echo*" } | + Enable-NetFirewallRule -ErrorAction SilentlyContinue + Write-Log " Enabled File and Printer Sharing Echo rules" -Level OK +} +catch { + Write-Log " Could not enable Echo rules via DisplayGroup: $_" -Level WARN +} + +# ----------------------------------------------------------------------- +# Enable Network Discovery firewall rules +# ----------------------------------------------------------------------- +Write-Log "Enabling Network Discovery" -Level INFO + +try { + # Enable all Network Discovery rules for Private profile + Get-NetFirewallRule -DisplayGroup "Network Discovery" -ErrorAction Stop | + Where-Object { $_.Profile -match "Private|Any" } | + Enable-NetFirewallRule -ErrorAction SilentlyContinue + Write-Log " Network Discovery rules enabled (Private)" -Level OK +} +catch { + Write-Log " Failed to enable Network Discovery rules: $_" -Level ERROR +} + +# Enable via netsh as fallback (covers older Windows builds) +$netshResult = & netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes 2>&1 +if ($LASTEXITCODE -eq 0) { + Write-Log " Network Discovery enabled via netsh" -Level OK +} else { + Write-Log " netsh Network Discovery: $netshResult" -Level WARN +} + +Write-Log "Step 10 complete" -Level OK diff --git a/web/data/descriptions.json b/web/data/descriptions.json index 4f94ec8..fbfd76d 100644 --- a/web/data/descriptions.json +++ b/web/data/descriptions.json 
@@ -28,7 +28,6 @@ "7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.", "adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.", "openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.", - "seznam-sw-je-neuplny-co-dalsiho-patri-do": "The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team.", "atera-agent-install": "Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.", "adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.", "ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script." 
@@ -62,7 +61,7 @@ "taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.", "taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.", "taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.", - "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed.", + "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.", "explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.", "explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.", "start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. 
Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.", 
@@ -128,5 +127,24 @@ "preskocit-pokud-jiz-aktivovano": "Queries Win32_WindowsLicenseStatus or SoftwareLicensingProduct to check LicenseStatus. Value 1 = Licensed (fully activated). Script skips activation attempt and logs \"Windows already activated\" to avoid unnecessary slmgr calls.", "typ-klice-mak-vs-kms-vs-retail": "Key type selection depends on client's Microsoft licensing: MAK = volume license key activates online against Microsoft (limited activations), KMS = requires KMS server on network (VLSC subscription), Retail = individual license from Microsoft Store or OEM." } + }, + "09-pc-identity": { + "synopsis": "Sets PC identity: computer name, description, and creates C:\\X9 folder structure.", + "description": "Renames the computer if deployment.pcName is set in config.json. Sets the\ncomputer description (visible in System properties and network neighborhood).\nCreates C:\\X9\\ directory structure with subdirectories for logs, scripts and\nassets. Copies X9 icon and creates Desktop.ini so the folder shows a custom\nicon in Explorer. Computer rename requires a restart - this step runs last\nbefore the final summary.", + "items": { + "rename-computer-dle-config-deployment-pcn": "Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved.", + "popis-pocitace-computer-description": "Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default \"X9 deployment\". Written to HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SrvComment.", + "vytvorit-cx9-adresar": "Creates C:\\X9\\ with subdirectories Logs\\, Scripts\\, Assets\\. 
Used for deployment logs, custom per-client scripts, and client-specific configuration assets.", + "cx9-vlastni-ikonka-desktop-ini": "Copies X9-ikona.ico to C:\\X9\\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\\X9\\ so Explorer displays the custom folder icon." + } + }, + "10-network": { + "synopsis": "Sets network profile to Private, enables ping, and enables Network Discovery.", + "description": "Sets all connected network adapter profiles from Public to Private. Private\nprofile enables file sharing, network discovery, and other LAN features.\nEnables ICMP echo (ping) via Windows Firewall for diagnostic purposes.\nEnables the Network Discovery firewall rule group for the Private profile\nso this PC is visible to other computers on the local network.", + "items": { + "nastavit-sitovy-profil-private": "Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.", + "povolit-ping-icmp-firewall": "Enables \"File and Printer Sharing (Echo Request)\" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.", + "zapnout-network-discovery": "Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines." + } } } \ No newline at end of file diff --git a/web/spec/index.html b/web/spec/index.html index cf7b1b2..06c6e3b 100644 --- a/web/spec/index.html +++ b/web/spec/index.html @@ -554,14 +554,13 @@
02 Software (winget) - TODO + OK
- @@ -753,22 +752,21 @@
09 PC identita – Rename + C:\X9 - New + OK
7-Zip (7zip.7zip)OK
Adobe Acrobat Reader 64-bit (Adobe.Acrobat.Reader.64-bit)OK
OpenVPN Connect (OpenVPNTechnologies.OpenVPNConnect)OK
Seznam SW je neuplny – co dalsiho patri dovnitr?TODO: doplnit uplny seznam
Atera Agent installInvoke-WebRequest + msiexec /i /qn
Adobe PDF default: .pdf -> AcroRd32 po instalaciOK – UCPD stop/start kolem zápisu asociace
UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoiceReseno: Stop-Service ucpd → HKCR zapis → Start-Service ucpd
- - - - + + + +
Rename-Computer dle parametru z TUI nebo config.jsonFinalni krok pred restartem – PC name + popis
Nastavit popis pocitace (Computer Description)Via WMI nebo registry HKLM\SYSTEM\...\ComputerName
Vytvorit C:\X9\ adresarovou strukturuPro logy, skripty, assets
Vlastni ikonka pro C:\X9\ slozkuDesktop.ini + X9-ikona.ico
Rename-Computer dle parametru z TUI nebo config.jsondeployment.pcName v config.json; preskoci pokud neni nastaveno
Nastavit popis pocitace (Computer Description)LanmanServer\Parameters\SrvComment; default "X9 deployment"
Vytvorit C:\X9\ adresarovou strukturuC:\X9\Logs, Scripts, Assets
Vlastni ikonka pro C:\X9\ slozkuDesktop.ini + X9-ikona.ico z assets\Logo\
- Rename-Computer vyzaduje restart. Tento krok musi byt posledni pred finalnim shrnutim. - Technik vi, ze po deployi nasleduje restart. + Rename-Computer vyzaduje restart. Tento krok bezi jako posledni pred finalnim shrnutim.
@@ -778,21 +776,17 @@
10 Network discovery + firewall - New + OK
- - - + + +
Nastavit sitovy profil jako Private (ne Public)Set-NetConnectionProfile -NetworkCategory Private
Povolit ping (ICMP) pro diagnostikuFirewall rule: Enable ICMPv4/ICMPv6
Zapnout Network Discovery pro Private profilnetsh advfirewall nebo Set-NetFirewallRule
Nastavit sitovy profil jako Private (ne Public)Set-NetConnectionProfile pro vsechny pripojene adaptery
Povolit ping (ICMP) pro diagnostikuEnable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In
Zapnout Network Discovery pro Private profilSet-NetFirewallRule + netsh advfirewall jako fallback
-
- Pozor: Sitovy profil (Private/Public) se muze zmenit po kazdem prihlaseni k jine siti. - Zvazit scheduled task pri logonu pro opakovanou korekci profilu. -
@@ -800,24 +794,25 @@
- --- + 04+ Taskbar pinned apps (profily) - New - Future + OK + Open
- - - + + + +
-ProfileType parametr: admin vs user variantaRuzna sada pinnutych appek dle role uzivatele
XML layout pro "admin": Explorer, PS, Edge, Notepad++, …TaskbarLayoutModification.xml
XML layout pro "user": Edge, Outlook, Teams, Explorer, …Odlisna sada pro bezneho zamestnance
-ProfileType parametr: admin vs user variantaDeploy-Windows.ps1 -ProfileType [default|admin|user]; predano do 04
XML layout pro "admin": Explorer, PS, EdgeTaskbarLayoutModification.xml; File Explorer.lnk + PowerShell.lnk + Edge.lnk
XML layout pro "user": Explorer, EdgeKonzervativni sada – Outlook/Teams pridany az po instalaci M365
Win11 24H2 kompatibilita layoutu24H2 vyzaduje ProvisionedLayoutModification.xml – nutno otestovat na realne instalaci
- Win11 24H2 zmenil zpusob aplikace Taskbar layoutu (ProvisionedLayoutModification.xml vs. starsi TaskbarLayoutModification.xml). - Nutno overit kompatibilitu s ruznymy buildy pred implementaci. + Aplikace pinnutych appek: Deploy-Windows.ps1 -ProfileType admin nebo -ProfileType user.
+ Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.
@@ -1039,6 +1034,8 @@ 'step-05': '05-personalization', 'step-06': '06-scheduled-tasks', 'step-07': '07-backinfo', + 'step-pc': '09-pc-identity', + 'step-net': '10-network', 'step-08': '08-activation', };
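Review bot: the step labels added to Deploy-Windows.ps1 do not match the scripts they run. "Step 9 - Network" invokes 10-network.ps1 and "Step 10 - PC identity" invokes 09-pc-identity.ps1, while each script ends by logging its own file number ("Step 9 complete" in 09-pc-identity.ps1, "Step 10 complete" in 10-network.ps1). The deployment log will show "Step 10 complete" inside the section titled "Step 9 - Network", which makes a failure hard to attribute. Rename the files to match execution order, or drop the number from the closing log line in each script.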
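Review bot: in scripts/04-default-profile.ps1 the admin and user layouts depend on a different step to unlock the taskbar, and nothing in this hunk checks that dependency. The new comment says the UnlockStartLayout scheduled task removes the lock 5 min after first boot, but that task is created by the scheduled-tasks step, which $stepsEnabled can switch off. Log a WARN when $ProfileType is not "default" and that step is disabled. The naming is also inconsistent: the comment and the .ITEMS text say TaskbarLayoutModification.xml, while the file written is "$taskbarLayoutDir\LayoutModification.xml". Use one name in both places.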
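Review bot: scripts/09-pc-identity.ps1 creates C:\X9\Logs, C:\X9\Scripts and C:\X9\Assets with New-Item and never sets an ACL on them. Folders created directly under the drive root inherit the root's permissions, which on a default Windows install lets any authenticated user create and modify files there. Because Scripts\ is documented as the place for custom per-client scripts, restrict write access on C:\X9 to Administrators and SYSTEM right after creating it. The ReadOnly attribute set for the folder icon is not an access control. Separately, $pcName goes from config.json to Rename-Computer after only a Trim(); check its length and character set first so that a bad value is logged as a configuration error rather than a rename failure.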
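Review bot: in scripts/10-network.ps1 the netsh call labelled as a fallback runs unconditionally and is broader than the PowerShell path above it. The PowerShell path filters with Where-Object { $_.Profile -match "Private|Any" }, but netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes has no profile match, so it enables the group's rules for every profile, Public included. Run it only from the catch block and add profile=private before "new". In the profile loop, " $($profile.Name): Public -> Private" is logged at level OK for any non-Private category and regardless of whether Set-NetConnectionProfile succeeded, because the call uses -ErrorAction SilentlyContinue. Log the real previous category and re-read the profile before reporting success. The -DisplayGroup lookups match on the localized group name, so they will find nothing on a non-English Windows install; match on the language-independent -Group value instead.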
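Review bot: the new "10-network" entries in web/data/descriptions.json describe behaviour the script does not have. "povolit-ping-icmp-firewall" mentions only the Echo Request rules, but $icmpRules also enables CoreNet-ICMP4-DU-In and CoreNet-ICMP6-DU-In. "zapnout-network-discovery" says the rules are enabled for Private and Domain profiles via Set-NetFirewallRule, while the script calls Enable-NetFirewallRule on rules matching "Private|Any" and then runs netsh without a profile filter. Anyone auditing a deployed machine against this text will reach the wrong conclusion about which inbound rules are open, so bring the descriptions and the script into agreement.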
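Review bot: the web/spec/index.html hunk for step 10 deletes the caution that the network category (Private/Public) can change after each connection to another network, together with the suggestion of a logon scheduled task to correct it, yet the step is now marked OK. The script only changes adapters connected at deployment time, so the concern is still open. Keep the caveat in the spec. If a logon task is added later, it should not force Private on networks the user joins outside the client LAN, since this patch also enables Network Discovery and ICMP echo for that profile.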