Specifikace & anotace
OK hotovo, v provozu
Must fix zname chyby, nutno opravit
TODO naplanovano, nerealizovano
Open otevrena otazka
Warn potencialni problem
New nova feature
Future dlouhodoby plan
Stavajici kroky (scripty)
00
Admin ucet (adminx9)
OK
Vytvorit lokalni ucet adminx9 | Hotovo |
| Pridat do skupiny Administrators | Hotovo |
| Skryt z login obrazovky (SpecialAccounts\UserList = 0) | Hotovo |
| Heslo nevypirsi, uzivatel nesmeni heslo | Hotovo |
| Zadne heslo (aktualne nastavovano z config.json) | Opraveno – prazdny SecureString, config.json heslo odstranen |
| FullName = "X9.cz s.r.o." (via ADSI) | Opraveno – ADSI SetInfo() po vytvoreni uctu |
Proc bez hesla: Ucet je skryty pred uzivateli, slouzi pouze MSP adminstraci.
Heslo v config.json by bylo ulozene citelne.
01
Bloatware removal
OK
| AppX balicky – odstraneni pro vsechny uzivatele a provisioned | Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage |
| Zachovano: Microsoft.WindowsCalculator | Zamerny vyjimek |
| Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …) | Remove-WindowsCapability |
| Windows Optional Features (PS 2.0, MediaPlayback, Recall, …) | Disable-WindowsOptionalFeature |
02
Software (winget)
OK
7-Zip (7zip.7zip) | OK |
Adobe Acrobat Reader 64-bit (Adobe.Acrobat.Reader.64-bit) | OK |
OpenVPN Connect (OpenVPNTechnologies.OpenVPNConnect) | OK |
| Atera Agent install | Invoke-WebRequest + msiexec /i /qn |
| Adobe PDF default: .pdf -> AcroRd32 po instalaci | OK – UCPD stop/start kolem zápisu asociace |
| UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice | Reseno: Stop-Service ucpd → HKCR zapis → Start-Service ucpd |
Atera Agent URL:
https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337
03
System Registry (HKLM)
OK
| Bypass NRO (OOBE\BypassNRO = 1) | OK |
| Zakaz auto-instalace Teams | ConfigureChatAutoInstall = 0 |
| Zakaz Cloud Optimized Content | OK |
| Zakaz Widgets / News and Interests | OK |
Hesla bez expirace (net accounts /maxpwage:UNLIMITED) | OK |
| Casova zona: Central Europe Standard Time | OK |
| Zakaz GameDVR | OK |
| Edge – skryt First Run Experience + zakaz default browser prompt | HideFirstRunExperience=1, DefaultBrowserSettingEnabled=0 |
| Edge policies – panel oblibeny, vyhledavac Google | FavoritesBarEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines |
| Edge policies – tlacitka zobrazit (Historie, Stahnout) | DownloadsButtonEnabled=1, HistoryButtonEnabled=1 |
| Edge policies – tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba) | HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0 |
| Edge policies – obsah a telemetrie | NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, … |
| OneDrive uninstall (intentional) | OneDriveSetup.exe /uninstall – odstrani pre-installed verzi. M365 si nainstaluje vlastni. |
| Powercfg nastaveni (spotreba energie) | standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15 |
| Proxy auto-detect zakaz (AutoDetect = 0) | HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
04
Default Profile (NTUSER.DAT)
OK
| Taskbar: zarovnat vlevo (TaskbarAl = 0) | Win11 default je center |
| Taskbar: skryt Search, Copilot, Task View, Widgets, Chat | OK |
| Taskbar: zobrazit vsechny ikonky v tray (Scheduled task) | ShowAllTrayIcons |
| Taskbar: vyprazdnit pinlist (TaskbarLayoutModification.xml) | OK |
| Explorer: zobrazovat pripony souboru (HideFileExt = 0) | OK |
| Explorer: otevrit na This PC (LaunchTo = 1) | OK |
| Start menu: vyprazdnit piny (Win11) | ConfigureStartPins = {"pinnedList":[]} |
| Start menu: zakaz Bing vyhledavani | DisableSearchBoxSuggestions = 1 |
| Copilot: zakaz (TurnOffWindowsCopilot = 1) | OK |
| NumLock zapnout pri startu (InitialKeyboardIndicators = 2) | OK |
| Accent barva na titulnich listech (ColorPrevalence = 1) | OK |
| OneDrive RunOnce klic je tady – smazat | Opraveno – blok odstranen ze scriptu (brani reinstalaci pres M365) |
| Explorer: ShowRecent = 0, ShowFrequent = 0 | Skryt nedavne a caste soubory v Quick Access |
| Explorer: FullPath = 1 (CabinetState) | Zobrazovat plnou cestu v titulku okna Explorera |
Metoda:
Tato operace musi probihat PRED prvnim prihlasenim uzivatele. Aktualne prihlaseny uzivatel dostava zmeny pres primy zapis do HKCU.
reg load HKU\DefaultProfile C:\Users\Default\NTUSER.DAT
→ zapsat zmeny → reg unload HKU\DefaultProfile.Tato operace musi probihat PRED prvnim prihlasenim uzivatele. Aktualne prihlaseny uzivatel dostava zmeny pres primy zapis do HKCU.
05
Personalizace (barvy, tapeta)
OK
| System tema (taskbar, Start): Dark | OK |
| Aplikacni tema: Light | OK |
| Accent barva: #223B47 (tmave modroseda) | OK |
| Accent barva na Start a taskbaru: ano | OK |
| Pruhlednost: vypnuta | OK |
| Tapeta: jednobarevna #223B47 (bez obrazku) | BackInfo prepise tapetu svym BMP |
BackInfo.exe (STEP 07) prepise tapetu BMP se systemovymi informacemi.
Jednobarevna tapeta je fallback pro pripad, ze BackInfo nedobehne nebo se nespusti.
06
Scheduled Tasks
OK
| ShowAllTrayIcons – pri logonu + kazdou 1 min | Win11 automaticky skryva tray ikony |
| UnlockStartLayout – jednou po aplikaci layoutu | Odemkne Start menu pro uzivatelske zmeny |
| PDF-DefaultApp pri kazdem logonu – odstranen | PDF asociace nastavena jednou v kroku 02 (UCPD stop/start). Task nebyl nutny. |
07
BackInfo (systemovy info na tapete)
OK
07-desktop-info.ps1 SMAZAT – stary pristup | Nahrazeno novym 07-backinfo.ps1 |
Zkopirovat assets/Backinfo/ do C:\Program Files\Backinfo\ | Implementovano v 07-backinfo.ps1 |
Spustit backinfo_W11.ps1 (detekce OS, registry, Startup) | Logika inlinovana v 07-backinfo.ps1 |
| BackInfo.exe v assets/Backinfo/ k dispozici | Hotovo |
| BackInfo auto-start pri kazdem logonu via Startup shortcut | Shortcut do ProgramData\StartUp vytvori 07-backinfo.ps1 |
BackInfo.ini konfiguruje: hostname (velky, centrovan), uzivatelske jmeno,
OS verze, HW info (CPU, RAM, disk), sitove informace (IP, hostname).
Proc BackInfo misto vlastniho PS: BackInfo.exe podporuje Win10 i Win11 bez specialnich hacku, je stabilni a uz je v assets.
Proc BackInfo misto vlastniho PS: BackInfo.exe podporuje Win10 i Win11 bez specialnich hacku, je stabilni a uz je v assets.
08
Windows aktivace
OK
Open
| OA3 BIOS/UEFI klic – kontrola embedded key | WMI: SoftwareLicensingService.OA3xOriginalProductKey |
Klic z config.json (activation.productKey) | OK – priorita nad OA3 a GVLK |
| Fallback na GVLK (KMS client key) dle edice OS | OK |
Volitelny KMS server (activation.kmsServer) | OK |
| Preskocit pokud jiz aktivovano | OK |
| Typ klice: MAK vs KMS vs retail? | Zavisi na klientovi – otevrena otazka |
Nove kroky (planovane)
09
PC identita – Rename + C:\X9
OK
| Rename-Computer dle parametru z TUI nebo config.json | deployment.pcName v config.json; preskoci pokud neni nastaveno |
| Nastavit popis pocitace (Computer Description) | LanmanServer\Parameters\SrvComment; default "X9 deployment" |
Vytvorit C:\X9\ adresarovou strukturu | C:\X9\Logs, Scripts, Assets |
Vlastni ikonka pro C:\X9\ slozku | Desktop.ini + X9-ikona.ico z assets\Logo\ |
Rename-Computer vyzaduje restart. Tento krok bezi jako posledni pred finalnim shrnutim.
10
Network discovery + firewall
OK
| Nastavit sitovy profil jako Private (ne Public) | Set-NetConnectionProfile pro vsechny pripojene adaptery |
| Povolit ping (ICMP) pro diagnostiku | Enable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In |
| Zapnout Network Discovery pro Private profil | Set-NetFirewallRule + netsh advfirewall jako fallback |
04+
Taskbar pinned apps (profily)
OK
Open
-ProfileType parametr: admin vs user varianta | Deploy-Windows.ps1 -ProfileType [default|admin|user]; predano do 04 |
| XML layout pro "admin": Explorer, PS, Edge | TaskbarLayoutModification.xml; File Explorer.lnk + PowerShell.lnk + Edge.lnk |
| XML layout pro "user": Explorer, Edge | Konzervativni sada – Outlook/Teams pridany az po instalaci M365 |
| Win11 24H2 kompatibilita layoutu | 24H2 vyzaduje ProvisionedLayoutModification.xml – nutno otestovat na realne instalaci |
Aplikace pinnutych appek:
Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.
Deploy-Windows.ps1 -ProfileType admin nebo -ProfileType user.Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.
Architektura (budoucnost)
Arc
xetup.exe – Go TUI launcher
Future
| Single binary (go:embed scripty + assets) | embed.go + cmd/xetup/main.go; builduje se jako 5 MB .exe |
| TUI form (huh/bubbletea): PC name, popis, product key | internal/tui/tui.go – huh form, 2 stranky |
| Checklist kroku (on/off per-script) + ulozit do config.json | MultiSelect v TUI; internal/config/config.go |
| Live log output behem spousteni PS scriptu | internal/runner/runner.go; channel + bubbletea cmd |
| Finalni summary OK/ERROR | viewDone() v tui.go |
| Self-update: stahnout novou verzi z xetup.x9.cz | Overit hash pred spustenim |
| config.json: per-klient preset (prefix jmena PC, SW, klic) | Lezi vedle .exe na USB klienta |
| OpenVPN soubor + doménovy join + domén. uzivatel pro profil | Rozsireni TUI formulare v budoucnu |
Struktura:
Go zavislosti: bubbletea (TUI framework), huh (forms), lipgloss (styling)
cmd/xetup/, internal/config/,
internal/spec/, internal/tui/, internal/runner/Go zavislosti: bubbletea (TUI framework), huh (forms), lipgloss (styling)
Arc
spec.yaml – single source of truth
Future
| Popis vsech kroku: id, label, script, default | xetup.exe cte spec.yaml pro TUI checklist |
| Pole "requires" (napr. activation vyzaduje productKey) | TUI upozorni pokud chybi |
| Auto-generovana dokumentace z spec.yaml | CI akce: spec.yaml → tato stranka |
| spec.yaml jako SSOT pro tuto stranku i deploy skripty | Idealni stav: stranka vzdy odpovida kodu |
Navrh struktury spec.yaml:
steps:
- id: admin-account
label: "Admin account (adminx9)"
script: 00-admin-account.ps1
default: true
- id: activation
label: "Windows activation"
script: 08-activation.ps1
default: true
requires: [productKey]
Nove nastaveni – pozadavky
+
Novy pozadavek na automatizaci
Pozadavky
Chcete automatizovat neco, co skript zatim neresi? Napiste pozadavek sem – ulozi se do repozitare. Technicky tym ho projde a zaradi do planu.
Nacitam pozadavky...