Specifikace & anotace

00 Admin ucet (adminx9) OK

Vytvorit lokalni ucet `adminx9`	Hotovo
Pridat do skupiny Administrators	Hotovo
Skryt z login obrazovky (SpecialAccounts\UserList = 0)	Hotovo
Heslo nevypirsi, uzivatel nesmeni heslo	Hotovo
Zadne heslo (aktualne nastavovano z config.json)	Opraveno – prazdny SecureString, config.json heslo odstranen
FullName = "X9.cz s.r.o." (via ADSI)	Opraveno – ADSI SetInfo() po vytvoreni uctu

Proc bez hesla: Ucet je skryty pred uzivateli, slouzi pouze MSP adminstraci. Heslo v config.json by bylo ulozene citelne.

01 Bloatware removal OK

AppX balicky – odstraneni pro vsechny uzivatele a provisioned	Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage
Zachovano: Microsoft.WindowsCalculator	Zamerny vyjimek
Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)	Remove-WindowsCapability
Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)	Disable-WindowsOptionalFeature
Microsoft-RemoteDesktopConnection NESMI byt odstranen	RDP klient musi zustat funkci. Overit ze neni v seznamu.
OneDrive nesmi byt odstranovano tady	OneDrive musi zustat instalovatelny pro M365.

02 Software (winget) TODO

7-Zip (`7zip.7zip`)	OK
Adobe Acrobat Reader 64-bit (`Adobe.Acrobat.Reader.64-bit`)	OK
OpenVPN Connect (`OpenVPNTechnologies.OpenVPNConnect`)	OK
Seznam SW je neuplny – co dalsiho patri dovnitr?	TODO: doplnit uplny seznam
Atera Agent install	Invoke-WebRequest + `msiexec /i /qn`
Adobe PDF default: .pdf -> AcroRd32 po instalaci	OK – UCPD stop/start kolem zápisu asociace
UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice	Reseno: Stop-Service ucpd → HKCR zapis → Start-Service ucpd

Atera Agent URL:
https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337

03 System Registry (HKLM) TODO

Bypass NRO (OOBE\BypassNRO = 1)	OK
Zakaz auto-instalace Teams	ConfigureChatAutoInstall = 0
Zakaz Cloud Optimized Content	OK
Zakaz Widgets / News and Interests	OK
Hesla bez expirace (`net accounts /maxpwage:UNLIMITED`)	OK
Casova zona: Central Europe Standard Time	OK
Zakaz GameDVR	OK
Edge – skryt First Run Experience + zakaz default browser prompt	HideFirstRunExperience=1, DefaultBrowserSettingEnabled=0
Edge policies – panel oblibeny, vyhledavac Google	FavoritesBarEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines
Edge policies – tlacitka zobrazit (Historie, Stahnout)	DownloadsButtonEnabled=1, HistoryButtonEnabled=1
Edge policies – tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)	HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0
Edge policies – obsah a telemetrie	NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, …
OneDrive uninstall (intentional)	OneDriveSetup.exe /uninstall – odstrani pre-installed verzi. M365 si nainstaluje vlastni.
Powercfg nastaveni (spotreba energie)	Pridat: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15
Proxy auto-detect zakaz (AutoDetect = 0)	HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Powercfg prikazy:
powercfg /change standby-timeout-ac 0 (neusne na nabijeni)
powercfg /change monitor-timeout-ac 60 (monitor zhasne po 60 min)
powercfg /change standby-timeout-dc 30
powercfg /change monitor-timeout-dc 15

04 Default Profile (NTUSER.DAT) OK

Taskbar: zarovnat vlevo (TaskbarAl = 0)	Win11 default je center
Taskbar: skryt Search, Copilot, Task View, Widgets, Chat	OK
Taskbar: zobrazit vsechny ikonky v tray (Scheduled task)	ShowAllTrayIcons
Taskbar: vyprazdnit pinlist (TaskbarLayoutModification.xml)	OK
Explorer: zobrazovat pripony souboru (HideFileExt = 0)	OK
Explorer: otevrit na This PC (LaunchTo = 1)	OK
Start menu: vyprazdnit piny (Win11)	ConfigureStartPins = {"pinnedList":[]}
Start menu: zakaz Bing vyhledavani	DisableSearchBoxSuggestions = 1
Copilot: zakaz (TurnOffWindowsCopilot = 1)	OK
NumLock zapnout pri startu (InitialKeyboardIndicators = 2)	OK
Accent barva na titulnich listech (ColorPrevalence = 1)	OK
OneDrive RunOnce klic je tady – smazat	Opraveno – blok odstranen ze scriptu (brani reinstalaci pres M365)
Explorer: ShowRecent = 0, ShowFrequent = 0	Skryt nedavne a caste soubory v Quick Access
Explorer: FullPath = 1 (CabinetState)	Zobrazovat plnou cestu v titulku okna Explorera

Metoda: reg load HKU\DefaultProfile C:\Users\Default\NTUSER.DAT → zapsat zmeny → reg unload HKU\DefaultProfile.
Tato operace musi probihat PRED prvnim prihlasenim uzivatele. Aktualne prihlaseny uzivatel dostava zmeny pres primy zapis do HKCU.

05 Personalizace (barvy, tapeta) OK

System tema (taskbar, Start): Dark	OK
Aplikacni tema: Light	OK
Accent barva: #223B47 (tmave modroseda)	OK
Accent barva na Start a taskbaru: ano	OK
Pruhlednost: vypnuta	OK
Tapeta: jednobarevna #223B47 (bez obrazku)	BackInfo prepise tapetu svym BMP

BackInfo.exe (STEP 07) prepise tapetu BMP se systemovymi informacemi. Jednobarevna tapeta je fallback pro pripad, ze BackInfo nedobehne nebo se nespusti.

06 Scheduled Tasks OK

ShowAllTrayIcons – pri logonu + kazdou 1 min	Win11 automaticky skryva tray ikony
UnlockStartLayout – jednou po aplikaci layoutu	Odemkne Start menu pro uzivatelske zmeny
PDF-DefaultApp pri kazdem logonu – odstranen	PDF asociace nastavena jednou v kroku 02 (UCPD stop/start). Task nebyl nutny.

07 BackInfo (systemovy info na tapete) OK

`07-desktop-info.ps1` SMAZAT – stary pristup	Nahrazeno novym `07-backinfo.ps1`
Zkopirovat `assets/Backinfo/` do `C:\Program Files\Backinfo\`	Implementovano v 07-backinfo.ps1
Spustit `backinfo_W11.ps1` (detekce OS, registry, Startup)	Logika inlinovana v 07-backinfo.ps1
BackInfo.exe v assets/Backinfo/ k dispozici	Hotovo
BackInfo auto-start pri kazdem logonu via Startup shortcut	Shortcut do ProgramData\StartUp vytvori 07-backinfo.ps1

BackInfo.ini konfiguruje: hostname (velky, centrovan), uzivatelske jmeno, OS verze, HW info (CPU, RAM, disk), sitove informace (IP, hostname).

Proc BackInfo misto vlastniho PS: BackInfo.exe podporuje Win10 i Win11 bez specialnich hacku, je stabilni a uz je v assets.

08 Windows aktivace OK Open

OA3 BIOS/UEFI klic – kontrola embedded key	WMI: SoftwareLicensingService.OA3xOriginalProductKey
Klic z config.json (`activation.productKey`)	OK – priorita nad OA3 a GVLK
Fallback na GVLK (KMS client key) dle edice OS	OK
Volitelny KMS server (`activation.kmsServer`)	OK
Preskocit pokud jiz aktivovano	OK
Typ klice: MAK vs KMS vs retail?	Zavisi na klientovi – otevrena otazka

09 PC identita – Rename + C:\X9 New

Rename-Computer dle parametru z TUI nebo config.json	Finalni krok pred restartem – PC name + popis
Nastavit popis pocitace (Computer Description)	Via WMI nebo registry HKLM\SYSTEM\...\ComputerName
Vytvorit `C:\X9\` adresarovou strukturu	Pro logy, skripty, assets
Vlastni ikonka pro `C:\X9\` slozku	Desktop.ini + X9-ikona.ico

Rename-Computer vyzaduje restart. Tento krok musi byt posledni pred finalnim shrnutim. Technik vi, ze po deployi nasleduje restart.

10 Network discovery + firewall New

Nastavit sitovy profil jako Private (ne Public)	`Set-NetConnectionProfile -NetworkCategory Private`
Povolit ping (ICMP) pro diagnostiku	Firewall rule: Enable ICMPv4/ICMPv6
Zapnout Network Discovery pro Private profil	`netsh advfirewall` nebo `Set-NetFirewallRule`

Pozor: Sitovy profil (Private/Public) se muze zmenit po kazdem prihlaseni k jine siti. Zvazit scheduled task pri logonu pro opakovanou korekci profilu.

--- Taskbar pinned apps (profily) New Future

`-ProfileType` parametr: admin vs user varianta	Ruzna sada pinnutych appek dle role uzivatele
XML layout pro "admin": Explorer, PS, Edge, Notepad++, …	TaskbarLayoutModification.xml
XML layout pro "user": Edge, Outlook, Teams, Explorer, …	Odlisna sada pro bezneho zamestnance

Win11 24H2 zmenil zpusob aplikace Taskbar layoutu (ProvisionedLayoutModification.xml vs. starsi TaskbarLayoutModification.xml). Nutno overit kompatibilitu s ruznymy buildy pred implementaci.

Arc xetup.exe – Go TUI launcher Future

Single binary (go:embed scripty + assets)	Offline provoz, jedna stazitelna .exe
TUI form (huh/bubbletea): PC name, popis, product key	Interaktivni zadani dat technikem
Checklist kroku (on/off per-script) + ulozit do config.json	Opakovatelne nasazeni u stejneho klienta
Live log output behem spousteni PS scriptu	Stdout z powershell.exe v realnem case
Finalni summary OK/ERROR	Na konci nasazeni
Self-update: stahnout novou verzi z xetup.x9.cz	Overit hash pred spustenim
config.json: per-klient preset (prefix jmena PC, SW, klic)	Lezi vedle .exe na USB klienta
OpenVPN soubor + doménovy join + domén. uzivatel pro profil	Rozsireni TUI formulare v budoucnu

Struktura: cmd/xetup/, internal/config/, internal/spec/, internal/tui/, internal/runner/

Go zavislosti: bubbletea (TUI framework), huh (forms), lipgloss (styling)

Arc spec.yaml – single source of truth Future

Popis vsech kroku: id, label, script, default	xetup.exe cte spec.yaml pro TUI checklist
Pole "requires" (napr. activation vyzaduje productKey)	TUI upozorni pokud chybi
Auto-generovana dokumentace z spec.yaml	CI akce: spec.yaml → tato stranka
spec.yaml jako SSOT pro tuto stranku i deploy skripty	Idealni stav: stranka vzdy odpovida kodu

Navrh struktury spec.yaml:

steps:
  - id: admin-account
    label: "Admin account (adminx9)"
    script: 00-admin-account.ps1
    default: true
  - id: activation
    label: "Windows activation"
    script: 08-activation.ps1
    default: true
    requires: [productKey]