Specifikace & anotace

00 Admin ucet (adminx9) OK

Vytvorit lokalni ucet `adminx9`	Hotovo
Pridat do skupiny Administrators	Hotovo
Skryt z login obrazovky (SpecialAccounts\UserList = 0)	Hotovo
Heslo nevypirsi, uzivatel nesmeni heslo	Hotovo
Zadne heslo (aktualne nastavovano z config.json)	Opraveno – prazdny SecureString, config.json heslo odstranen
FullName = "X9.cz s.r.o." (via ADSI)	Opraveno – ADSI SetInfo() po vytvoreni uctu

Proc bez hesla: Ucet je skryty pred uzivateli, slouzi pouze MSP adminstraci. Heslo v config.json by bylo ulozene citelne.

01 Bloatware removal OK

AppX balicky – odstraneni pro vsechny uzivatele a provisioned	Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage
Zachovano: Microsoft.WindowsCalculator	Zamerny vyjimek
Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)	Remove-WindowsCapability
Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)	Disable-WindowsOptionalFeature

02 Software (winget) OK

7-Zip (`7zip.7zip`)	OK
Adobe Acrobat Reader 64-bit (`Adobe.Acrobat.Reader.64-bit`)	OK
OpenVPN Connect (`OpenVPNTechnologies.OpenVPNConnect`)	OK
Atera Agent install	Invoke-WebRequest + `msiexec /i /qn`
Adobe PDF default: .pdf -> AcroRd32 po instalaci	OK – UCPD stop/start kolem zápisu asociace
UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice	Reseno: Stop-Service ucpd → HKCR zapis → Start-Service ucpd

Atera Agent URL:
https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337

03 System Registry (HKLM) OK

Bypass NRO (OOBE\BypassNRO = 1)	OK
Zakaz auto-instalace Teams	ConfigureChatAutoInstall = 0
Zakaz Cloud Optimized Content	OK
Zakaz Widgets / News and Interests	OK
Hesla bez expirace (`net accounts /maxpwage:UNLIMITED`)	OK
Casova zona: Central Europe Standard Time	OK
Zakaz GameDVR	OK
Edge – skryt First Run Experience + zakaz default browser prompt	HideFirstRunExperience=1, DefaultBrowserSettingEnabled=0
Edge policies – panel oblibeny, vyhledavac Google	FavoritesBarEnabled=1, DefaultSearchProviderName=Google, ManagedSearchEngines
Edge policies – tlacitka zobrazit (Historie, Stahnout)	DownloadsButtonEnabled=1, HistoryButtonEnabled=1
Edge policies – tlacitka skryt (Home, Kolekce, Split, Drop, Screenshot, Share, Zpetna vazba)	HomeButtonEnabled=0, SplitScreenEnabled=0, EdgeEDropEnabled=0, WebCaptureEnabled=0, ShareAllowed=0, FeedbackSurveysEnabled=0, EdgeCollectionsEnabled=0
Edge policies – obsah a telemetrie	NewTabPageContentEnabled=0, ShowRecommendationsEnabled=0, EdgeShoppingAssistantEnabled=0, DiagnosticData=0, …
OneDrive uninstall (intentional)	OneDriveSetup.exe /uninstall – odstrani pre-installed verzi. M365 si nainstaluje vlastni.
Powercfg nastaveni (spotreba energie)	standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15
Proxy auto-detect zakaz (AutoDetect = 0)	HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

04 Default Profile (NTUSER.DAT) OK

Taskbar: zarovnat vlevo (TaskbarAl = 0)	Win11 default je center
Taskbar: skryt Search, Copilot, Task View, Widgets, Chat	OK
Taskbar: zobrazit vsechny ikonky v tray (Scheduled task)	ShowAllTrayIcons
Taskbar: vyprazdnit pinlist (TaskbarLayoutModification.xml)	OK
Explorer: zobrazovat pripony souboru (HideFileExt = 0)	OK
Explorer: otevrit na This PC (LaunchTo = 1)	OK
Start menu: vyprazdnit piny (Win11)	ConfigureStartPins = {"pinnedList":[]}
Start menu: zakaz Bing vyhledavani	DisableSearchBoxSuggestions = 1
Copilot: zakaz (TurnOffWindowsCopilot = 1)	OK
NumLock zapnout pri startu (InitialKeyboardIndicators = 2)	OK
Accent barva na titulnich listech (ColorPrevalence = 1)	OK
OneDrive RunOnce klic je tady – smazat	Opraveno – blok odstranen ze scriptu (brani reinstalaci pres M365)
Explorer: ShowRecent = 0, ShowFrequent = 0	Skryt nedavne a caste soubory v Quick Access
Explorer: FullPath = 1 (CabinetState)	Zobrazovat plnou cestu v titulku okna Explorera

Metoda: reg load HKU\DefaultProfile C:\Users\Default\NTUSER.DAT → zapsat zmeny → reg unload HKU\DefaultProfile.
Tato operace musi probihat PRED prvnim prihlasenim uzivatele. Aktualne prihlaseny uzivatel dostava zmeny pres primy zapis do HKCU.

05 Personalizace (barvy, tapeta) OK

System tema (taskbar, Start): Dark	OK
Aplikacni tema: Light	OK
Accent barva: #223B47 (tmave modroseda)	OK
Accent barva na Start a taskbaru: ano	OK
Pruhlednost: vypnuta	OK
Tapeta: jednobarevna #223B47 (bez obrazku)	BackInfo prepise tapetu svym BMP

BackInfo.exe (STEP 07) prepise tapetu BMP se systemovymi informacemi. Jednobarevna tapeta je fallback pro pripad, ze BackInfo nedobehne nebo se nespusti.

06 Scheduled Tasks OK

ShowAllTrayIcons – pri logonu + kazdou 1 min	Win11 automaticky skryva tray ikony
UnlockStartLayout – jednou po aplikaci layoutu	Odemkne Start menu pro uzivatelske zmeny
PDF-DefaultApp pri kazdem logonu – odstranen	PDF asociace nastavena jednou v kroku 02 (UCPD stop/start). Task nebyl nutny.

07 BackInfo (systemovy info na tapete) OK

`07-desktop-info.ps1` SMAZAT – stary pristup	Nahrazeno novym `07-backinfo.ps1`
Zkopirovat `assets/Backinfo/` do `C:\Program Files\Backinfo\`	Implementovano v 07-backinfo.ps1
Spustit `backinfo_W11.ps1` (detekce OS, registry, Startup)	Logika inlinovana v 07-backinfo.ps1
BackInfo.exe v assets/Backinfo/ k dispozici	Hotovo
BackInfo auto-start pri kazdem logonu via Startup shortcut	Shortcut do ProgramData\StartUp vytvori 07-backinfo.ps1

BackInfo.ini konfiguruje: hostname (velky, centrovan), uzivatelske jmeno, OS verze, HW info (CPU, RAM, disk), sitove informace (IP, hostname).

Proc BackInfo misto vlastniho PS: BackInfo.exe podporuje Win10 i Win11 bez specialnich hacku, je stabilni a uz je v assets.

08 Windows aktivace OK Open

OA3 BIOS/UEFI klic – kontrola embedded key	WMI: SoftwareLicensingService.OA3xOriginalProductKey
Klic z config.json (`activation.productKey`)	OK – priorita nad OA3 a GVLK
Fallback na GVLK (KMS client key) dle edice OS	OK
Volitelny KMS server (`activation.kmsServer`)	OK
Preskocit pokud jiz aktivovano	OK
Typ klice: MAK vs KMS vs retail?	Zavisi na klientovi – otevrena otazka

09 PC identita – Rename + C:\X9 OK

Rename-Computer dle parametru z TUI nebo config.json	`deployment.pcName` v config.json; preskoci pokud neni nastaveno
Nastavit popis pocitace (Computer Description)	LanmanServer\Parameters\SrvComment; default "X9 deployment"
Vytvorit `C:\X9\` adresarovou strukturu	C:\X9\Logs, Scripts, Assets
Vlastni ikonka pro `C:\X9\` slozku	Desktop.ini + X9-ikona.ico z assets\Logo\

Rename-Computer vyzaduje restart. Tento krok bezi jako posledni pred finalnim shrnutim.

10 Network discovery + firewall OK

Nastavit sitovy profil jako Private (ne Public)	Set-NetConnectionProfile pro vsechny pripojene adaptery
Povolit ping (ICMP) pro diagnostiku	Enable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In
Zapnout Network Discovery pro Private profil	Set-NetFirewallRule + netsh advfirewall jako fallback

11 Dell Command | Update OK

Detekce Dell hardware (`Win32_ComputerSystem`)	Non-Dell stroj krok preskoci bez chyby – stejny skript pro vsechny HW
Instalace Dell Command \| Update via winget	`Dell.CommandUpdate.Universal` – silent, Win10 + Win11
Spusteni vsech aktualizaci: drivery, firmware, BIOS	`dcu-cli.exe /applyUpdates -silent -reboot=disable`
BIOS/firmware se staging – dokonci se pri restartu	Restart po konci deploymenty (krok 10 rename) vse dokonci

Non-Dell stroje: krok se preskoci automaticky, zadna chyba. Dell Latitude, OptiPlex, Precision, Vostro, XPS – vsechny podporovane DCU Universal.

Casova narocnost: 5–20 minut podle poctu dostupnych aktualizaci a rychlosti siteho pripojeni.

04+ Taskbar pinned apps (profily) OK Open

`-ProfileType` parametr: admin vs user varianta	Deploy-Windows.ps1 -ProfileType [default\|admin\|user]; predano do 04
XML layout pro "admin": Explorer, PS, Edge	TaskbarLayoutModification.xml; File Explorer.lnk + PowerShell.lnk + Edge.lnk
XML layout pro "user": Explorer, Edge	Konzervativni sada – Outlook/Teams pridany az po instalaci M365
Win11 24H2 kompatibilita layoutu	24H2 vyzaduje ProvisionedLayoutModification.xml – nutno otestovat na realne instalaci

Aplikace pinnutych appek: Deploy-Windows.ps1 -ProfileType admin nebo -ProfileType user.
Layout se zablokuje, UnlockStartLayout task (krok 06) ho odemkne 5 min po startu.

Arc xetup.exe – Go TUI launcher Future

Single binary (go:embed scripty + assets)	`embed.go` + `cmd/xetup/main.go`; builduje se jako 5 MB .exe
TUI form (huh/bubbletea): PC name, popis, product key	`internal/tui/tui.go` – huh form, 2 stranky
Checklist kroku (on/off per-script) + ulozit do config.json	MultiSelect v TUI; `internal/config/config.go`
Live log output behem spousteni PS scriptu	`internal/runner/runner.go`; channel + bubbletea cmd
Finalni summary OK/ERROR	viewDone() v tui.go
Self-update: stahnout novou verzi z xetup.x9.cz	Overit hash pred spustenim
config.json: per-klient preset (prefix jmena PC, SW, klic)	Lezi vedle .exe na USB klienta
OpenVPN soubor + doménovy join + domén. uzivatel pro profil	Rozsireni TUI formulare v budoucnu

Struktura: cmd/xetup/, internal/config/, internal/spec/, internal/tui/, internal/runner/

Go zavislosti: bubbletea (TUI framework), huh (forms), lipgloss (styling)

Arc spec.yaml – single source of truth Future

Popis vsech kroku: id, label, script, default	xetup.exe cte spec.yaml pro TUI checklist
Pole "requires" (napr. activation vyzaduje productKey)	TUI upozorni pokud chybi
Auto-generovana dokumentace z spec.yaml	CI akce: spec.yaml → tato stranka
spec.yaml jako SSOT pro tuto stranku i deploy skripty	Idealni stav: stranka vzdy odpovida kodu

Navrh struktury spec.yaml:

steps:
  - id: admin-account
    label: "Admin account (adminx9)"
    script: 00-admin-account.ps1
    default: true
  - id: activation
    label: "Windows activation"
    script: 08-activation.ps1
    default: true
    requires: [productKey]

+ Novy pozadavek na automatizaci Pozadavky

Chcete automatizovat neco, co skript zatim neresi? Napiste pozadavek sem – ulozi se do repozitare. Technicky tym ho projde a zaradi do planu.

Nacitam pozadavky...