Implement steps 09 (PC identity), 10 (network), taskbar profiles; cleanup

02-software: remove 'seznam neuplny' item (SW list is complete) 04-default-profile: add -ProfileType param; taskbar XML varies by profile (default=empty, admin=Explorer+PS+Edge, user=Explorer+Edge) 09-pc-identity: new script - Rename-Computer, computer description, C:\X9 dir structure, Desktop.ini + X9 icon for custom folder appearance 10-network: new script - Set-NetConnectionProfile Private, enable ICMP, enable Network Discovery (Set-NetFirewallRule + netsh fallback) Deploy-Windows.ps1: -ProfileType param, steps 9+10 added, ProfileType threaded through to 04-default-profile.ps1 web/spec: steps 02/09/10/taskbar marked OK, remove noise rows Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:15:55 +02:00 · 2026-04-16 10:15:55 +02:00 · 3ce582c0fb
commit 3ce582c0fb
parent 3a7c0afc43
7 changed files with 350 additions and 38 deletions
--- a/Deploy-Windows.ps1
+++ b/Deploy-Windows.ps1
@ -5,7 +5,9 @@ param(
    [switch]$SkipBloatware,
    [switch]$SkipSoftware,
    [switch]$SkipDefaultProfile,
-    [switch]$DryRun
+    [switch]$DryRun,
    [ValidateSet("default","admin","user")]
    [string]$ProfileType = "default"
 )
 $ErrorActionPreference = "Continue"
@ -108,6 +110,8 @@ $stepsEnabled = @{
    personalization = $true
    scheduledTasks  = $true
    backinfo        = $true
    network         = $true
    pcIdentity      = $true
    activation      = $true
 }
 if ($Config -and $Config.steps) {
@ -177,7 +181,7 @@ if ($stepsEnabled['systemRegistry']) {
 # -----------------------------------------------------------------------
 if ($stepsEnabled['defaultProfile']) {
    Invoke-Step -Name "Step 4 - Default profile" -Action {
-        & "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile
+        & "$ScriptRoot\scripts\04-default-profile.ps1" -Config $Config -LogFile $LogFile -ProfileType $ProfileType
    }
 } else { Skip-Step "Step 4 - Default profile" }
@ -208,6 +212,24 @@ if ($stepsEnabled['backinfo']) {
    }
 } else { Skip-Step "Step 7 - BackInfo" }
 # -----------------------------------------------------------------------
 # Step 9 - Network
 # -----------------------------------------------------------------------
 if ($stepsEnabled['network']) {
    Invoke-Step -Name "Step 9 - Network" -Action {
        & "$ScriptRoot\scripts\10-network.ps1" -Config $Config -LogFile $LogFile
    }
 } else { Skip-Step "Step 9 - Network" }
 # -----------------------------------------------------------------------
 # Step 10 - PC identity (rename + C:\X9) - runs last, rename needs restart
 # -----------------------------------------------------------------------
 if ($stepsEnabled['pcIdentity']) {
    Invoke-Step -Name "Step 10 - PC identity" -Action {
        & "$ScriptRoot\scripts\09-pc-identity.ps1" -Config $Config -LogFile $LogFile
    }
 } else { Skip-Step "Step 10 - PC identity" }
 # -----------------------------------------------------------------------
 # Summary
 # -----------------------------------------------------------------------
--- a/scripts/02-software.ps1
+++ b/scripts/02-software.ps1
@ -14,7 +14,6 @@
    7-zip-7zip-7zip: Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.
    adobe-acrobat-reader-64-bit-adobe-acroba: Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.
    openvpn-connect-openvpntechnologies-open: Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.
    seznam-sw-je-neuplny-co-dalsiho-patri-do: The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team.
    atera-agent-install: Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.
    adobe-pdf-default-pdf-acrord32-po-instal: Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.
    ucpd-sys-kernel-driver-od-feb-2024-bloku: UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\.pdf -> Start-Service ucpd. Implemented in this script.
--- a/scripts/04-default-profile.ps1
+++ b/scripts/04-default-profile.ps1
@ -12,7 +12,7 @@
    taskbar-zarovnat-vlevo-taskbaral-0: TaskbarAl = 0 in Explorer\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.
    taskbar-skryt-search-copilot-task-view-w: Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.
    taskbar-zobrazit-vsechny-ikonky-v-tray-s: Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.
-    taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed.
+    taskbar-vyprazdnit-pinlist-taskbarlayout: Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.
    explorer-zobrazovat-pripony-souboru-hide: HideFileExt = 0 in Explorer\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.
    explorer-otevrit-na-this-pc-launchto-1: LaunchTo = 1. File Explorer opens to "This PC" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.
    start-menu-vyprazdnit-piny-win11: ConfigureStartPins = {"pinnedList":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.
@ -26,7 +26,9 @@
 #>
 param(
    [object]$Config,
-    [string]$LogFile
+    [string]$LogFile,
    [ValidateSet("default","admin","user")]
    [string]$ProfileType = "default"
 )
 $ErrorActionPreference = "Continue"
@ -264,15 +266,40 @@ try {
    # -----------------------------------------------------------------------
-    # Empty taskbar pinned apps (Win10/11)
+    # Taskbar pinned apps layout (Win10/11)
    # ProfileType: default = empty, admin = Explorer+PS+Edge, user = Explorer+Edge
    # Note: TaskbarLayoutModification.xml locks the taskbar temporarily.
    # UnlockStartLayout scheduled task removes the lock 5 min after first boot
    # so users can then customize pins freely.
    # Win11 24H2+ may require ProvisionedLayoutModification.xml format instead.
    # -----------------------------------------------------------------------
-    Write-Log "Clearing taskbar pinned apps layout" -Level INFO
+    Write-Log "Writing taskbar layout (ProfileType=$ProfileType)" -Level INFO
    $taskbarLayoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell"
    if (-not (Test-Path $taskbarLayoutDir)) {
        New-Item -ItemType Directory -Path $taskbarLayoutDir -Force | Out-Null
    }
    # Build pin list based on profile type.
    # Paths resolve relative to the new user at first login.
    # Missing shortcuts are silently skipped by Windows.
    $pinList = switch ($ProfileType) {
        "admin" {
@'
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
 '@
        }
        "user" {
@'
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
 '@
        }
        default { "" }   # empty = clean slate
    }
    $taskbarLayoutXml = @"
 <?xml version="1.0" encoding="utf-8"?>
 <LayoutModificationTemplate
@ -284,13 +311,14 @@ try {
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
 $pinList
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
 </LayoutModificationTemplate>
 "@
    $taskbarLayoutXml | Set-Content -Path "$taskbarLayoutDir\LayoutModification.xml" -Encoding UTF8 -Force
-    Write-Log "  Taskbar LayoutModification.xml written" -Level OK
+    Write-Log "  Taskbar LayoutModification.xml written (profile: $ProfileType)" -Level OK
 }
 finally {
--- a/scripts/09-pc-identity.ps1
+++ b/scripts/09-pc-identity.ps1
@ -0,0 +1,137 @@
 <#
 .SYNOPSIS
    Sets PC identity: computer name, description, and creates C:\X9 folder structure.
 .DESCRIPTION
    Renames the computer if deployment.pcName is set in config.json. Sets the
    computer description (visible in System properties and network neighborhood).
    Creates C:\X9\ directory structure with subdirectories for logs, scripts and
    assets. Copies X9 icon and creates Desktop.ini so the folder shows a custom
    icon in Explorer. Computer rename requires a restart - this step runs last
    before the final summary.
 .ITEMS
    rename-computer-dle-config-deployment-pcn: Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved.
    popis-pocitace-computer-description: Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default "X9 deployment". Written to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SrvComment.
    vytvorit-cx9-adresar: Creates C:\X9\ with subdirectories Logs\, Scripts\, Assets\. Used for deployment logs, custom per-client scripts, and client-specific configuration assets.
    cx9-vlastni-ikonka-desktop-ini: Copies X9-ikona.ico to C:\X9\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\X9\ so Explorer displays the custom folder icon.
 #>
 param(
    [object]$Config,
    [string]$LogFile
 )
 $ErrorActionPreference = "Continue"
 function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
 }
 # -----------------------------------------------------------------------
 # C:\X9 directory structure
 # -----------------------------------------------------------------------
 Write-Log "Creating C:\X9 directory structure" -Level INFO
 $x9Root = "C:\X9"
 $x9Dirs = @("$x9Root\Logs", "$x9Root\Scripts", "$x9Root\Assets")
 foreach ($dir in $x9Dirs) {
    try {
        if (-not (Test-Path $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        Write-Log "  Dir: $dir" -Level OK
    }
    catch {
        Write-Log "  Failed to create $dir - $_" -Level ERROR
    }
 }
 # -----------------------------------------------------------------------
 # Copy X9 icon and create Desktop.ini for custom folder appearance
 # -----------------------------------------------------------------------
 $assetsLogo = Join-Path $PSScriptRoot "..\assets\Logo"
 $icoSrc     = Get-ChildItem -Path $assetsLogo -Filter "*.ico" -ErrorAction SilentlyContinue |
              Select-Object -First 1
 if ($icoSrc) {
    $icoDest = "$x9Root\X9-ikona.ico"
    try {
        Copy-Item -Path $icoSrc.FullName -Destination $icoDest -Force
        Write-Log "  Copied icon: $icoDest" -Level OK
    }
    catch {
        Write-Log "  Failed to copy icon: $_" -Level WARN
    }
    $desktopIni = "$x9Root\desktop.ini"
    try {
        @"
 [.ShellClassInfo]
 IconResource=X9-ikona.ico,0
 [ViewState]
 Mode=
 Vid=
 FolderType=Generic
 "@ | Set-Content -Path $desktopIni -Encoding Unicode -Force
        # desktop.ini must be System+Hidden; folder must be ReadOnly for Explorer to show the icon
        (Get-Item $desktopIni -Force).Attributes = "System,Hidden"
        (Get-Item $x9Root).Attributes            = "ReadOnly,Directory"
        Write-Log "  Desktop.ini created for custom folder icon" -Level OK
    }
    catch {
        Write-Log "  Failed to create desktop.ini: $_" -Level WARN
    }
 } else {
    Write-Log "  No .ico found in assets\Logo - custom folder icon skipped" -Level WARN
 }
 # -----------------------------------------------------------------------
 # Computer description
 # -----------------------------------------------------------------------
 $pcDesc = "X9 deployment"
 if ($Config -and $Config.deployment -and $Config.deployment.pcDescription) {
    $pcDesc = $Config.deployment.pcDescription
 }
 Write-Log "Setting computer description: $pcDesc" -Level INFO
 try {
    Set-ItemProperty `
        -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
        -Name "SrvComment" -Value $pcDesc -Type String -Force
    Write-Log "  Computer description set" -Level OK
 }
 catch {
    Write-Log "  Failed to set computer description: $_" -Level ERROR
 }
 # -----------------------------------------------------------------------
 # Rename computer (must be last - requires restart to take effect)
 # -----------------------------------------------------------------------
 $pcName = $null
 if ($Config -and $Config.deployment -and $Config.deployment.pcName) {
    $pcName = $Config.deployment.pcName.Trim()
 }
 if ($pcName -and $pcName -ne "") {
    $currentName = $env:COMPUTERNAME
    if ($currentName -eq $pcName) {
        Write-Log "Computer name already '$pcName' - no rename needed" -Level OK
    } else {
        Write-Log "Renaming computer: '$currentName' -> '$pcName'" -Level INFO
        try {
            Rename-Computer -NewName $pcName -Force -ErrorAction Stop
            Write-Log "  Computer renamed to '$pcName' (restart required)" -Level OK
        }
        catch {
            Write-Log "  Failed to rename computer: $_" -Level ERROR
        }
    }
 } else {
    Write-Log "No pcName in config - computer rename skipped" -Level INFO
 }
 Write-Log "Step 9 complete" -Level OK
--- a/scripts/10-network.ps1
+++ b/scripts/10-network.ps1
@ -0,0 +1,111 @@
 <#
 .SYNOPSIS
    Sets network profile to Private, enables ping, and enables Network Discovery.
 .DESCRIPTION
    Sets all connected network adapter profiles from Public to Private. Private
    profile enables file sharing, network discovery, and other LAN features.
    Enables ICMP echo (ping) via Windows Firewall for diagnostic purposes.
    Enables the Network Discovery firewall rule group for the Private profile
    so this PC is visible to other computers on the local network.
 .ITEMS
    nastavit-sitovy-profil-private: Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.
    povolit-ping-icmp-firewall: Enables "File and Printer Sharing (Echo Request)" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.
    zapnout-network-discovery: Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines.
 #>
 param(
    [object]$Config,
    [string]$LogFile
 )
 $ErrorActionPreference = "Continue"
 function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
 }
 # -----------------------------------------------------------------------
 # Set network profiles to Private
 # -----------------------------------------------------------------------
 Write-Log "Setting network profiles to Private" -Level INFO
 try {
    $profiles = Get-NetConnectionProfile -ErrorAction Stop
    foreach ($profile in $profiles) {
        if ($profile.NetworkCategory -ne "Private") {
            Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex `
                                     -NetworkCategory Private -ErrorAction SilentlyContinue
            Write-Log "  $($profile.Name): Public -> Private" -Level OK
        } else {
            Write-Log "  $($profile.Name): already Private" -Level INFO
        }
    }
 }
 catch {
    Write-Log "  Failed to set network profiles: $_" -Level ERROR
 }
 # -----------------------------------------------------------------------
 # Enable ICMP echo (ping) - ICMPv4 and ICMPv6
 # -----------------------------------------------------------------------
 Write-Log "Enabling ICMP echo (ping)" -Level INFO
 $icmpRules = @(
    "FPS-ICMP4-ERQ-In",   # File and Printer Sharing (Echo Request - ICMPv4-In)
    "FPS-ICMP6-ERQ-In",   # File and Printer Sharing (Echo Request - ICMPv6-In)
    "CoreNet-ICMP4-DU-In",
    "CoreNet-ICMP6-DU-In"
 )
 foreach ($rule in $icmpRules) {
    try {
        $r = Get-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue
        if ($r) {
            Enable-NetFirewallRule -Name $rule -ErrorAction SilentlyContinue
            Write-Log "  Enabled: $rule" -Level OK
        }
    }
    catch {
        Write-Log "  Rule not found or error: $rule - $_" -Level WARN
    }
 }
 # Also enable by display name for robustness across Windows versions
 try {
    Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*Echo*" } |
        Enable-NetFirewallRule -ErrorAction SilentlyContinue
    Write-Log "  Enabled File and Printer Sharing Echo rules" -Level OK
 }
 catch {
    Write-Log "  Could not enable Echo rules via DisplayGroup: $_" -Level WARN
 }
 # -----------------------------------------------------------------------
 # Enable Network Discovery firewall rules
 # -----------------------------------------------------------------------
 Write-Log "Enabling Network Discovery" -Level INFO
 try {
    # Enable all Network Discovery rules for Private profile
    Get-NetFirewallRule -DisplayGroup "Network Discovery" -ErrorAction Stop |
        Where-Object { $_.Profile -match "Private|Any" } |
        Enable-NetFirewallRule -ErrorAction SilentlyContinue
    Write-Log "  Network Discovery rules enabled (Private)" -Level OK
 }
 catch {
    Write-Log "  Failed to enable Network Discovery rules: $_" -Level ERROR
 }
 # Enable via netsh as fallback (covers older Windows builds)
 $netshResult = & netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes 2>&1
 if ($LASTEXITCODE -eq 0) {
    Write-Log "  Network Discovery enabled via netsh" -Level OK
 } else {
    Write-Log "  netsh Network Discovery: $netshResult" -Level WARN
 }
 Write-Log "Step 10 complete" -Level OK
--- a/web/data/descriptions.json
+++ b/web/data/descriptions.json
@ -28,7 +28,6 @@
      "7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
      "adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
      "openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
      "seznam-sw-je-neuplny-co-dalsiho-patri-do": "The standard software list is incomplete. Candidates to add: Notepad++ (Notepad++.Notepad++), Google Chrome (Google.Chrome), possibly Microsoft 365 Apps, remote support tools. Needs decision from X9.cz team.",
      "atera-agent-install": "Atera RMM agent installed via msiexec /qn. Download: Invoke-WebRequest from https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.",
      "adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
      "ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
@ -62,7 +61,7 @@
      "taskbar-zarovnat-vlevo-taskbaral-0": "TaskbarAl = 0 in Explorer\\Advanced. Windows 11 default is center-aligned (TaskbarAl = 1). Left alignment matches Windows 10 muscle memory and is strongly preferred by business users transitioning from Win10.",
      "taskbar-skryt-search-copilot-task-view-w": "Hides Search box (SearchboxTaskbarMode=0), Copilot button (ShowCopilotButton=0), Task View (ShowTaskViewButton=0), Widgets (TaskbarDa=0), Chat/Teams (TaskbarMn=0). Reduces taskbar clutter to just pinned apps and running processes.",
      "taskbar-zobrazit-vsechny-ikonky-v-tray-s": "Registers scheduled task that sets EnableAutoTray=0 on logon (repeat every 1 min). Windows 11 periodically re-hides tray icons - this task forces all icons visible so users can see VPN status, antivirus, backup, etc.",
-      "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml with empty pinned app list. Removes default Microsoft pinned apps (Edge, Teams, Store, Mail) from taskbar. Clean slate - technician or user pins what is actually needed.",
+      "taskbar-vyprazdnit-pinlist-taskbarlayout": "Deploys TaskbarLayoutModification.xml. ProfileType=default: empty pins (clean slate). ProfileType=admin: Explorer+PowerShell+Edge. ProfileType=user: Explorer+Edge. Lock is removed by UnlockStartLayout task 5 min after first boot so users can customize.",
      "explorer-zobrazovat-pripony-souboru-hide": "HideFileExt = 0 in Explorer\\Advanced. Shows file extensions (.docx, .exe, .pdf, .ps1) in File Explorer. Essential for recognizing file types, avoiding phishing (fake .pdf.exe), and general IT work.",
      "explorer-otevrit-na-this-pc-launchto-1": "LaunchTo = 1. File Explorer opens to \"This PC\" (drives view) instead of Quick Access. More useful on fresh machines where Quick Access history is empty and irrelevant.",
      "start-menu-vyprazdnit-piny-win11": "ConfigureStartPins = {\"pinnedList\":[]} applied via registry. Removes all default Start menu tiles (Edge, Teams, Store, Office, Solitaire, etc.) from the Windows 11 Start grid. User starts with an empty, clean Start menu.",
@ -128,5 +127,24 @@
      "preskocit-pokud-jiz-aktivovano": "Queries Win32_WindowsLicenseStatus or SoftwareLicensingProduct to check LicenseStatus. Value 1 = Licensed (fully activated). Script skips activation attempt and logs \"Windows already activated\" to avoid unnecessary slmgr calls.",
      "typ-klice-mak-vs-kms-vs-retail": "Key type selection depends on client's Microsoft licensing: MAK = volume license key activates online against Microsoft (limited activations), KMS = requires KMS server on network (VLSC subscription), Retail = individual license from Microsoft Store or OEM."
    }
  },
  "09-pc-identity": {
    "synopsis": "Sets PC identity: computer name, description, and creates C:\\X9 folder structure.",
    "description": "Renames the computer if deployment.pcName is set in config.json. Sets the\ncomputer description (visible in System properties and network neighborhood).\nCreates C:\\X9\\ directory structure with subdirectories for logs, scripts and\nassets. Copies X9 icon and creates Desktop.ini so the folder shows a custom\nicon in Explorer. Computer rename requires a restart - this step runs last\nbefore the final summary.",
    "items": {
      "rename-computer-dle-config-deployment-pcn": "Renames the computer via Rename-Computer if config.json deployment.pcName is set and differs from the current name. Rename takes effect after restart. If pcName is empty, rename is skipped and the current name is preserved.",
      "popis-pocitace-computer-description": "Sets the computer description shown in System Properties and Network Neighborhood. Read from config.json deployment.pcDescription, default \"X9 deployment\". Written to HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SrvComment.",
      "vytvorit-cx9-adresar": "Creates C:\\X9\\ with subdirectories Logs\\, Scripts\\, Assets\\. Used for deployment logs, custom per-client scripts, and client-specific configuration assets.",
      "cx9-vlastni-ikonka-desktop-ini": "Copies X9-ikona.ico to C:\\X9\\ and creates Desktop.ini with IconResource entry. Sets System+Hidden attributes on Desktop.ini and ReadOnly on C:\\X9\\ so Explorer displays the custom folder icon."
    }
  },
  "10-network": {
    "synopsis": "Sets network profile to Private, enables ping, and enables Network Discovery.",
    "description": "Sets all connected network adapter profiles from Public to Private. Private\nprofile enables file sharing, network discovery, and other LAN features.\nEnables ICMP echo (ping) via Windows Firewall for diagnostic purposes.\nEnables the Network Discovery firewall rule group for the Private profile\nso this PC is visible to other computers on the local network.",
    "items": {
      "nastavit-sitovy-profil-private": "Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.",
      "povolit-ping-icmp-firewall": "Enables \"File and Printer Sharing (Echo Request)\" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.",
      "zapnout-network-discovery": "Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines."
    }
  }
 }
--- a/web/spec/index.html
+++ b/web/spec/index.html
@ -554,14 +554,13 @@
      <div class="step-header">
        <span class="step-num">02</span>
        <span class="step-title">Software (winget)</span>
-        <span class="badge badge-todo">TODO</span>
+        <span class="badge badge-ok">OK</span>
      </div>
      <div class="step-body">
        <table class="items">
          <tr class="flag-done"><td>7-Zip (<code>7zip.7zip</code>)</td><td>OK</td></tr>
          <tr class="flag-done"><td>Adobe Acrobat Reader 64-bit (<code>Adobe.Acrobat.Reader.64-bit</code>)</td><td>OK</td></tr>
          <tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
          <tr class="flag-todo"><td>Seznam SW je neuplny &ndash; co dalsiho patri dovnitr?</td><td>TODO: doplnit uplny seznam</td></tr>
          <tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qn</code></td></tr>
          <tr class="flag-done"><td>Adobe PDF default: .pdf -&gt; AcroRd32 po instalaci</td><td>OK &ndash; UCPD stop/start kolem zápisu asociace</td></tr>
          <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Reseno: Stop-Service ucpd &rarr; HKCR zapis &rarr; Start-Service ucpd</td></tr>
@ -753,22 +752,21 @@
      <div class="step-header">
        <span class="step-num">09</span>
        <span class="step-title">PC identita &ndash; Rename + C:\X9</span>
-        <span class="badge badge-new">New</span>
+        <span class="badge badge-ok">OK</span>
      </div>
      <div class="step-body">
        <table class="items">
-          <tr class="flag-todo"><td>Rename-Computer dle parametru z TUI nebo config.json</td><td>Finalni krok pred restartem &ndash; PC name + popis</td></tr>
+          <tr class="flag-done"><td>Rename-Computer dle parametru z TUI nebo config.json</td><td><code>deployment.pcName</code> v config.json; preskoci pokud neni nastaveno</td></tr>
-          <tr class="flag-todo"><td>Nastavit popis pocitace (Computer Description)</td><td>Via WMI nebo registry HKLM\SYSTEM\...\ComputerName</td></tr>
+          <tr class="flag-done"><td>Nastavit popis pocitace (Computer Description)</td><td>LanmanServer\Parameters\SrvComment; default "X9 deployment"</td></tr>
-          <tr class="flag-todo"><td>Vytvorit <code>C:\X9\</code> adresarovou strukturu</td><td>Pro logy, skripty, assets</td></tr>
+          <tr class="flag-done"><td>Vytvorit <code>C:\X9\</code> adresarovou strukturu</td><td>C:\X9\Logs, Scripts, Assets</td></tr>
-          <tr class="flag-todo"><td>Vlastni ikonka pro <code>C:\X9\</code> slozku</td><td>Desktop.ini + X9-ikona.ico</td></tr>
+          <tr class="flag-done"><td>Vlastni ikonka pro <code>C:\X9\</code> slozku</td><td>Desktop.ini + X9-ikona.ico z assets\Logo\</td></tr>
        </table>
        <div class="note">
-          Rename-Computer vyzaduje restart. Tento krok musi byt posledni pred finalnim shrnutim.
+          Rename-Computer vyzaduje restart. Tento krok bezi jako posledni pred finalnim shrnutim.
          Technik vi, ze po deployi nasleduje restart.
        </div>
      </div>
      <div class="step-footer">
-        <span class="step-status">Script: novy <code>09-pc-identity.ps1</code></span>
+        <span class="step-status">Script: <code>09-pc-identity.ps1</code></span>
        <div class="comment-widget" data-issue="12"></div>
      </div>
    </div>
@ -778,21 +776,17 @@
      <div class="step-header">
        <span class="step-num">10</span>
        <span class="step-title">Network discovery + firewall</span>
-        <span class="badge badge-new">New</span>
+        <span class="badge badge-ok">OK</span>
      </div>
      <div class="step-body">
        <table class="items">
-          <tr class="flag-todo"><td>Nastavit sitovy profil jako Private (ne Public)</td><td><code>Set-NetConnectionProfile -NetworkCategory Private</code></td></tr>
+          <tr class="flag-done"><td>Nastavit sitovy profil jako Private (ne Public)</td><td>Set-NetConnectionProfile pro vsechny pripojene adaptery</td></tr>
-          <tr class="flag-todo"><td>Povolit ping (ICMP) pro diagnostiku</td><td>Firewall rule: Enable ICMPv4/ICMPv6</td></tr>
+          <tr class="flag-done"><td>Povolit ping (ICMP) pro diagnostiku</td><td>Enable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In</td></tr>
-          <tr class="flag-todo"><td>Zapnout Network Discovery pro Private profil</td><td><code>netsh advfirewall</code> nebo <code>Set-NetFirewallRule</code></td></tr>
+          <tr class="flag-done"><td>Zapnout Network Discovery pro Private profil</td><td>Set-NetFirewallRule + netsh advfirewall jako fallback</td></tr>
        </table>
        <div class="note">
          Pozor: Sitovy profil (Private/Public) se muze zmenit po kazdem prihlaseni k jine siti.
          Zvazit scheduled task pri logonu pro opakovanou korekci profilu.
        </div>
      </div>
      <div class="step-footer">
-        <span class="step-status">Script: novy <code>10-network.ps1</code></span>
+        <span class="step-status">Script: <code>10-network.ps1</code></span>
        <div class="comment-widget" data-issue="10"></div>
      </div>
    </div>
@ -800,24 +794,25 @@
    <!-- TASKBAR -->
    <div class="step" id="step-taskbar">
      <div class="step-header">
-        <span class="step-num">---</span>
+        <span class="step-num">04+</span>
        <span class="step-title">Taskbar pinned apps (profily)</span>
-        <span class="badge badge-new">New</span>
+        <span class="badge badge-ok">OK</span>
-        <span class="badge badge-future">Future</span>
+        <span class="badge badge-open">Open</span>
      </div>
      <div class="step-body">
        <table class="items">
-          <tr class="flag-todo"><td><code>-ProfileType</code> parametr: admin vs user varianta</td><td>Ruzna sada pinnutych appek dle role uzivatele</td></tr>
+          <tr class="flag-done"><td><code>-ProfileType</code> parametr: admin vs user varianta</td><td>Deploy-Windows.ps1 -ProfileType [default|admin|user]; predano do 04</td></tr>
-          <tr class="flag-todo"><td>XML layout pro "admin": Explorer, PS, Edge, Notepad++, …</td><td>TaskbarLayoutModification.xml</td></tr>
+          <tr class="flag-done"><td>XML layout pro "admin": Explorer, PS, Edge</td><td>TaskbarLayoutModification.xml; File Explorer.lnk + PowerShell.lnk + Edge.lnk</td></tr>
-          <tr class="flag-todo"><td>XML layout pro "user": Edge, Outlook, Teams, Explorer, …</td><td>Odlisna sada pro bezneho zamestnance</td></tr>
+          <tr class="flag-done"><td>XML layout pro "user": Explorer, Edge</td><td>Konzervativni sada &ndash; Outlook/Teams pridany az po instalaci M365</td></tr>
          <tr class="flag-open"><td>Win11 24H2 kompatibilita layoutu</td><td>24H2 vyzaduje ProvisionedLayoutModification.xml &ndash; nutno otestovat na realne instalaci</td></tr>
        </table>
        <div class="note">
-          Win11 24H2 zmenil zpusob aplikace Taskbar layoutu (ProvisionedLayoutModification.xml vs. starsi TaskbarLayoutModification.xml).
+          Aplikace pinnutych appek: <code>Deploy-Windows.ps1 -ProfileType admin</code> nebo <code>-ProfileType user</code>.<br>
-          Nutno overit kompatibilitu s ruznymy buildy pred implementaci.
+          Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.
        </div>
      </div>
      <div class="step-footer">
-        <span class="step-status">Zacleneni: STEP 04 nebo vlastni script</span>
+        <span class="step-status">Integrovan do <code>04-default-profile.ps1</code></span>
        <div class="comment-widget" data-issue="13"></div>
      </div>
    </div>
@ -1039,6 +1034,8 @@
    'step-05': '05-personalization',
    'step-06': '06-scheduled-tasks',
    'step-07': '07-backinfo',
    'step-pc': '09-pc-identity',
    'step-net': '10-network',
    'step-08': '08-activation',
  };