Microsoft-RemoteDesktopConnection is required for Remote Desktop
connections and must not be disabled on business machines.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DisableFileSyncNGSC=1 prevented OneDrive from launching after M365
installation. Keep uninstall for clean PCs but drop the policy key so
Office 365 can reinstall and run OneDrive without restrictions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Search subkey for Win10 search box hiding
- Clear TrayNotify icon streams as Win11 systray workaround
- Restart Explorer to apply taskbar changes in current session
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 04-default-profile.ps1 + 05-personalization.ps1: show This PC icon on
desktop via HideDesktopIcons CLSID {20D04FE0...} = 0
- 03-system-registry.ps1: HideRecommendedSection = 1 hides Win11 Start
menu Recommended section (HKLM policy)
- 04-default-profile.ps1: Start_TrackProgs = 0 and Start_TrackDocs = 0
hide recently added/opened items from Start menu
- 01-bloatware.ps1: add 7EE7776C.LinkedInforWindows to removal list
- tests/Test-Deployment.ps1: add checks for all three new settings
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: replace .NET OpenSubKey approach with proper
P/Invoke that enables SeTakeOwnershipPrivilege and SeRestorePrivilege
before attempting to take ownership of TrustedInstaller-owned keys
(e.g. HKLM\...\Communications\ConfigureChatAutoInstall)
- Remove SYSTEM scheduled task fallback (not needed with token approach)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: Set-Reg now has 3-tier retry: direct write,
ACL manipulation, fallback to scheduled task running as SYSTEM (which
has unrestricted registry access - handles TrustedInstaller-owned keys)
- 02-software.ps1: add Acrobat DC path (Acrobat.exe) before legacy
AcroRd32.exe paths - winget installs Acrobat DC not Reader DC
- 06-scheduled-tasks.ps1: same Adobe path fix in PDF-DefaultApp script
- tests/Test-Deployment.ps1: Adobe check covers both Acrobat DC and
Reader DC install paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: add Grant-RegWriteAccess helper; Set-Reg now
retries with ACL fix when Set-ItemProperty throws SecurityException
(e.g. HKLM\...\Communications owned by TrustedInstaller)
- 04-default-profile.ps1: add Grant-HiveWriteAccess helper; Set-ProfileReg
retries with ACL fix on Default hive keys with restricted permissions
- Both scripts: add -ErrorAction Stop to Set-ItemProperty so errors are
properly caught by try/catch instead of bypassing it
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 00-admin-account.ps1: create/update adminx9, add to Administrators,
hide from login screen via SpecialAccounts\UserList
- 08-activation.ps1: activate via config key or GVLK fallback matched
by OS edition; supports optional KMS server; skips if already active
- config.json: add adminAccount block (password), activation block
(productKey placeholder, kmsServer)
- Deploy-Windows.ps1: add Step 0a and Step 0b before bloatware removal
- Test-Deployment.ps1: add checks for admin account and activation
- SPEC.md: document new steps, close open question #4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
