First pass runs during deployment (no reboot). Then registers X9-WindowsUpdate
scheduled task that fires on every logon, installs remaining updates, and
self-deletes when system is fully up to date - covers the typical 2-3 reboot
cycles needed on a fresh Windows install.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs NuGet provider + PSWindowsUpdate from PSGallery, then runs
Install-WindowsUpdate -AcceptAll -IgnoreReboot. No auto-reboot -
operator restarts manually after all steps complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
C:\Windows\Setup\Scripts\ does not exist on a fresh Windows install.
Add New-Item -Force before Add-Content so the first log write creates
the directory automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walk uses Win32 controls directly — no GPU/OpenGL dependency — so the app
renders correctly on VMware ESXi, Hyper-V and any other VM. No MinGW needed
in CI; pure cross-compile with GOOS=windows.
- internal/gui/gui.go: rewrite with Walk declarative API (3 phases:
form → live run → summary); load/save config via native FileDialog;
Closing event cancels running scripts cleanly
- cmd/xetup/app.manifest: UAC requireAdministrator + ComCtl32 v6 +
per-monitor DPI awareness (rsrc generates rsrc.syso in CI)
- .forgejo/workflows/release.yml: drop MinGW, add rsrc generation step
- go.mod/go.sum: remove Fyne and all its deps; only Walk (3 deps total)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
VMware SVGA II (ESXi) and similar virtual GPUs don't support the OpenGL
version Fyne needs - window opens but stays blank. Force FYNE_RENDERER=software
so Fyne uses CPU/GDI rendering instead. No visible difference for this UI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Drop bubbletea, huh, lipgloss and all their transitive deps
- Add fyne.io/fyne/v2 – native Windows GUI, dark theme
- New internal/gui/gui.go: 3-phase window (form → live run → summary)
- Form: PC name, product key, profile, per-step checkboxes
- Load config / Save config buttons for per-client presets
- SPUSTIT button auto-saves to default config.json
- Live run: virtualised log list, ZASTAVIT button
- Summary: per-step status + elapsed time, ZAVRIT button
- cmd/xetup/main.go: pass cfgPath to gui.Run so save/load works
- CI: add mingw-w64-gcc, CGO_ENABLED=1, -H windowsgui flag
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Forgejo Actions workflow: builds Windows x64 exe on push to main
- Runner config: golang:1.24-alpine container on xetup Docker network
- docker-compose.yml: runner with docker socket + config mount
- nginx: /dl shortlink + /forgejo-api proxy for landing page
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use path.Join (always '/') for embed.FS reads, filepath.Join only for OS paths.
filepath.Join on Windows produces backslashes which embed.FS doesn't accept,
causing "failed to extract scripts" on startup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- nginx.conf: add /dl -> latest xetup.exe release redirect (update on each release)
- index.html: replace irm/iex command with 'curl -Lo xetup.exe xetup.x9.cz/dl'
works with built-in curl.exe on Win10/11, no PowerShell execution policy needed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- BackInfo (exe + ini + ps1) in assets/
- X9 logo (ico + jpeg) in assets/Logo/
- Colleague specs and review results in docs/
- Interactive review page v2 (review.html)
- Updated CLAUDE.md with all decisions from 2026-04-15 session
- Updated .gitignore (flash.zip, W11.pdf)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Windows reuses TranscodedWallpaper cache and ignores updated BMP
if the path stays the same. Clear cache before SystemParametersInfo
so wallpaper always reloads.
Add per-run logging to desktopinfo.log for diagnostics.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without delay the task fires before network init, causing
Get-NetIPAddress to return nothing and IP showing as N/A.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Centered block on desktop: hostname large bold (36pt), then detail
lines in Segoe UI 14pt - user, OS (bold), CPU+RAM on one line,
IPs+domain on one line. Collects CPU count/speed, total RAM, all
IPv4 addresses, and domain/workgroup. Background #556364.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Microsoft-RemoteDesktopConnection is required for Remote Desktop
connections and must not be disabled on business machines.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DisableFileSyncNGSC=1 prevented OneDrive from launching after M365
installation. Keep uninstall for clean PCs but drop the policy key so
Office 365 can reinstall and run OneDrive without restrictions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Search subkey for Win10 search box hiding
- Clear TrayNotify icon streams as Win11 systray workaround
- Restart Explorer to apply taskbar changes in current session
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 04-default-profile.ps1 + 05-personalization.ps1: show This PC icon on
desktop via HideDesktopIcons CLSID {20D04FE0...} = 0
- 03-system-registry.ps1: HideRecommendedSection = 1 hides Win11 Start
menu Recommended section (HKLM policy)
- 04-default-profile.ps1: Start_TrackProgs = 0 and Start_TrackDocs = 0
hide recently added/opened items from Start menu
- 01-bloatware.ps1: add 7EE7776C.LinkedInforWindows to removal list
- tests/Test-Deployment.ps1: add checks for all three new settings
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: replace .NET OpenSubKey approach with proper
P/Invoke that enables SeTakeOwnershipPrivilege and SeRestorePrivilege
before attempting to take ownership of TrustedInstaller-owned keys
(e.g. HKLM\...\Communications\ConfigureChatAutoInstall)
- Remove SYSTEM scheduled task fallback (not needed with token approach)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: Set-Reg now has 3-tier retry: direct write,
ACL manipulation, fallback to scheduled task running as SYSTEM (which
has unrestricted registry access - handles TrustedInstaller-owned keys)
- 02-software.ps1: add Acrobat DC path (Acrobat.exe) before legacy
AcroRd32.exe paths - winget installs Acrobat DC not Reader DC
- 06-scheduled-tasks.ps1: same Adobe path fix in PDF-DefaultApp script
- tests/Test-Deployment.ps1: Adobe check covers both Acrobat DC and
Reader DC install paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-system-registry.ps1: add Grant-RegWriteAccess helper; Set-Reg now
retries with ACL fix when Set-ItemProperty throws SecurityException
(e.g. HKLM\...\Communications owned by TrustedInstaller)
- 04-default-profile.ps1: add Grant-HiveWriteAccess helper; Set-ProfileReg
retries with ACL fix on Default hive keys with restricted permissions
- Both scripts: add -ErrorAction Stop to Set-ItemProperty so errors are
properly caught by try/catch instead of bypassing it
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 00-admin-account.ps1: create/update adminx9, add to Administrators,
hide from login screen via SpecialAccounts\UserList
- 08-activation.ps1: activate via config key or GVLK fallback matched
by OS edition; supports optional KMS server; skips if already active
- config.json: add adminAccount block (password), activation block
(productKey placeholder, kmsServer)
- Deploy-Windows.ps1: add Step 0a and Step 0b before bloatware removal
- Test-Deployment.ps1: add checks for admin account and activation
- SPEC.md: document new steps, close open question #4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
