Specification & annotations
OK: done, in production
Must fix: known bugs, must be fixed
TODO: planned, not implemented
Open: open question
Warn: potential problem
New: new feature
Future: long-term plan
Existing steps (scripts)
00
Admin account (adminx9)
Must fix
| Create local account adminx9 | Done |
| Add to the Administrators group | Done |
| Hide from the login screen (SpecialAccounts\UserList = 0) | Done |
| Password never expires, user cannot change password | Done |
| No password (currently set from config.json) | Change: account WITHOUT a password (decision) |
| FullName = "X9.cz s.r.o." (via ADSI) | Missing, to be added |
Why no password: The account is hidden from users and serves MSP administration only.
A password in config.json would be stored in readable form.
01
Bloatware removal
OK
| AppX packages – removal for all users and provisioned | Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage |
| Kept: Microsoft.WindowsCalculator | Intentional exception |
| Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …) | Remove-WindowsCapability |
| Windows Optional Features (PS 2.0, MediaPlayback, Recall, …) | Disable-WindowsOptionalFeature |
| Microsoft-RemoteDesktopConnection MUST NOT be removed | The RDP client must remain functional. Verify that it is not in the list. |
| OneDrive must not be removed here | OneDrive must remain installable for M365. |
02
Software (winget)
TODO
| 7-Zip (7zip.7zip) | OK |
| Adobe Acrobat Reader 64-bit (Adobe.Acrobat.Reader.64-bit) | OK |
| OpenVPN Connect (OpenVPNTechnologies.OpenVPNConnect) | OK |
| The software list is incomplete – what else belongs in it? | TODO: complete the full list |
| Atera Agent install | Invoke-WebRequest + msiexec /i /qn |
| Adobe PDF default: .pdf -> AcroRd32 after installation | OK – UCPD stop/start around writing the association |
| UCPD.sys (kernel driver, since Feb 2024) blocks UserChoice | Resolved: Stop-Service ucpd → HKCR write → Start-Service ucpd |
Atera Agent URL:
https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337
03
System Registry (HKLM)
TODO
| Bypass NRO (OOBE\BypassNRO = 1) | OK |
| Disable Teams auto-install | ConfigureChatAutoInstall = 0 |
| Disable Cloud Optimized Content | OK |
| Disable Widgets / News and Interests | OK |
| Passwords without expiration (net accounts /maxpwage:UNLIMITED) | OK |
| Time zone: Central Europe Standard Time | OK |
| Disable GameDVR | OK |
| Edge – hide First Run Experience | HKLM\Policies\Edge\HideFirstRunExperience = 1 |
| OneDrive uninstall (intentional) | OneDriveSetup.exe /uninstall – removes the pre-installed version. M365 installs its own. |
| Edge policies – add ~15 more keys | See the list below |
| Powercfg settings (power consumption) | Add: standby-ac 0, monitor-ac 60, standby-dc 30, monitor-dc 15 |
| Disable proxy auto-detect (AutoDetect = 0) | HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
Edge policies to add:
DefaultBrowserSettingEnabled = 0, NewTabPageContentEnabled = 0,
ImportOnEachLaunch = 0, ShowRecommendationsEnabled = 0,
PersonalizationReportingEnabled = 0, SpotlightExperiencesAndRecommendationsEnabled = 0,
DiagnosticData = 0, EdgeShoppingAssistantEnabled = 0, EdgeCollectionsEnabled = 0,
HubsSidebarEnabled = 0, ShowMicrosoftRewards = 0, SearchSuggestEnabled = 0 and others.
Powercfg commands:
powercfg /change standby-timeout-ac 0 (does not sleep while charging)
powercfg /change monitor-timeout-ac 60 (monitor turns off after 60 min)
powercfg /change standby-timeout-dc 30
powercfg /change monitor-timeout-dc 15
04
Default Profile (NTUSER.DAT)
OK
| Taskbar: align left (TaskbarAl = 0) | Win11 default is center |
| Taskbar: hide Search, Copilot, Task View, Widgets, Chat | OK |
| Taskbar: show all icons in the tray (Scheduled task) | ShowAllTrayIcons |
| Taskbar: empty the pin list (TaskbarLayoutModification.xml) | OK |
| Explorer: show file extensions (HideFileExt = 0) | OK |
| Explorer: open to This PC (LaunchTo = 1) | OK |
| Start menu: empty the pins (Win11) | ConfigureStartPins = {"pinnedList":[]} |
| Start menu: disable Bing search | DisableSearchBoxSuggestions = 1 |
| Copilot: disable (TurnOffWindowsCopilot = 1) | OK |
| Turn NumLock on at startup (InitialKeyboardIndicators = 2) | OK |
| Accent color on title bars (ColorPrevalence = 1) | OK |
| The OneDrive RunOnce key is here – delete it | Fixed – block removed from the script (prevents reinstallation via M365) |
| Explorer: ShowRecent = 0, ShowFrequent = 0 | Hide recent and frequent files in Quick Access |
| Explorer: FullPath = 1 (CabinetState) | Show the full path in the Explorer window title |
Method:
reg load HKU\DefaultProfile C:\Users\Default\NTUSER.DAT
→ write the changes → reg unload HKU\DefaultProfile.
This operation must run BEFORE the first user logon. The currently logged-on user receives the changes through a direct write to HKCU.
05
Personalization (colors, wallpaper)
OK
| System theme (taskbar, Start): Dark | OK |
| App theme: Light | OK |
| Accent color: #223B47 (dark blue-gray) | OK |
| Accent color on Start and taskbar: yes | OK |
| Transparency: off | OK |
| Wallpaper: solid color #223B47 (no image) | BackInfo overwrites the wallpaper with its BMP |
BackInfo.exe (STEP 07) overwrites the wallpaper with a BMP containing system information.
The solid-color wallpaper is a fallback in case BackInfo does not finish or does not start.
06
Scheduled Tasks
OK
| ShowAllTrayIcons – at logon + every 1 min | Win11 automatically hides tray icons |
| UnlockStartLayout – once after the layout is applied | Unlocks the Start menu for user changes |
| PDF-DefaultApp at every logon – removed | PDF association is set once in step 02 (UCPD stop/start). The task was not needed. |
07
BackInfo (system info on the wallpaper)
Must fix
| DELETE 07-desktop-info.ps1 – old approach | Replace with a deployment step for BackInfo.exe |
| Copy assets/Backinfo/ to C:\Program Files\Backinfo\ | Add to the master script |
| Run backinfo_W11.ps1 (OS detection, registry, Startup) | Add to the master script |
| BackInfo.exe is available in assets/Backinfo/ | Done – only the deploy step is missing |
| BackInfo auto-start at every logon via Startup shortcut | Handled by backinfo_W11.ps1 |
BackInfo.ini configures: hostname (large, centered), user name,
OS version, HW info (CPU, RAM, disk), network information (IP, hostname).
Why BackInfo instead of custom PS: BackInfo.exe supports both Win10 and Win11 without special hacks, is stable, and is already in assets.
08
Windows activation
OK
Open
| OA3 BIOS/UEFI key – check for embedded key | WMI: SoftwareLicensingService.OA3xOriginalProductKey |
| Key from config.json (activation.productKey) | OK – takes priority over OA3 and GVLK |
| Fallback to GVLK (KMS client key) by OS edition | OK |
| Optional KMS server (activation.kmsServer) | OK |
| Skip if already activated | OK |
| Key type: MAK vs KMS vs retail? | Depends on the client – open question |
New steps (planned)
09
PC identity – Rename + C:\X9
New
| Rename-Computer according to parameters from the TUI or config.json | Final step before restart – PC name + description |
| Set the computer description (Computer Description) | Via WMI or registry HKLM\SYSTEM\...\ComputerName |
| Create the C:\X9\ directory structure | For logs, scripts, assets |
| Custom icon for the C:\X9\ folder | Desktop.ini + X9-ikona.ico |
Rename-Computer requires a restart. This step must be the last one before the final summary.
The technician knows that a restart follows the deployment.
10
Network discovery + firewall
New
| Set the network profile to Private (not Public) | Set-NetConnectionProfile -NetworkCategory Private |
| Allow ping (ICMP) for diagnostics | Firewall rule: Enable ICMPv4/ICMPv6 |
| Enable Network Discovery for the Private profile | netsh advfirewall or Set-NetFirewallRule |
Note: The network profile (Private/Public) can change after each connection to a different network.
Consider a scheduled task at logon to correct the profile repeatedly.
---
Taskbar pinned apps (profiles)
New
Future
| -ProfileType parameter: admin vs user variant | Different set of pinned apps depending on the user's role |
| XML layout for "admin": Explorer, PS, Edge, Notepad++, … | TaskbarLayoutModification.xml |
| XML layout for "user": Edge, Outlook, Teams, Explorer, … | Different set for a regular employee |
Win11 24H2 changed how the Taskbar layout is applied (ProvisionedLayoutModification.xml vs. the older TaskbarLayoutModification.xml).
Compatibility with different builds must be verified before implementation.
Architecture (future)
Arc
xetup.exe – Go TUI launcher
Future
| Single binary (go:embed scripts + assets) | Offline operation, one downloadable .exe |
| TUI form (huh/bubbletea): PC name, description, product key | Interactive data entry by the technician |
| Step checklist (on/off per script) + save to config.json | Repeatable deployment at the same client |
| Live log output while PS scripts run | Stdout from powershell.exe in real time |
| Final summary OK/ERROR | At the end of the deployment |
| Self-update: download the new version from xetup.x9.cz | Verify the hash before running |
| config.json: per-client preset (PC name prefix, SW, key) | Lives next to the .exe on the client's USB drive |
| OpenVPN file + domain join + domain user for the profile | Extension of the TUI form in the future |
Structure:
cmd/xetup/, internal/config/,
internal/spec/, internal/tui/, internal/runner/
Go dependencies: bubbletea (TUI framework), huh (forms), lipgloss (styling)
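The self-update item in the table above calls for verifying the hash before the new version is run. One way to do that check in Go, added here as an example and not xetup's own code: `stageUpdate` and `ErrDigestMismatch` are hypothetical names, SHA-256 is an assumed choice of hash, the sample bytes are constructed, and the expected digest is assumed to reach the launcher through a separately authenticated source.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

var ErrDigestMismatch = errors.New("update digest mismatch") // bytes are not the expected release

// stageUpdate (hypothetical helper) streams body into a temp file beside dst
// while hashing it, and renames it to dst only if the SHA-256 equals wantHex.
// A rejected download never reaches dst, so it cannot be launched by mistake.
func stageUpdate(body io.Reader, wantHex, dst string) error {
	want, err := hex.DecodeString(wantHex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("expected digest is not SHA-256 hex")
	}
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".update-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // cleans up on failure; harmless after a successful rename
	h := sha256.New()
	_, err = io.Copy(io.MultiWriter(tmp, h), body)
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return ErrDigestMismatch
	}
	return os.Rename(tmp.Name(), dst)
}

func main() {
	release := []byte("constructed stand-in for xetup.exe") // sample bytes, not a real binary
	sum := sha256.Sum256(release)
	dst := filepath.Join(os.TempDir(), "xetup-new.exe")
	// One appended byte is enough for the staged file to be refused.
	fmt.Println(stageUpdate(bytes.NewReader(append(release, 'x')), hex.EncodeToString(sum[:]), dst))
}
```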
Arc
spec.yaml – single source of truth
Future
| Description of all steps: id, label, script, default | xetup.exe reads spec.yaml for the TUI checklist |
| "requires" field (e.g. activation requires productKey) | TUI warns if it is missing |
| Auto-generated documentation from spec.yaml | CI action: spec.yaml → this page |
| spec.yaml as SSOT for this page and the deploy scripts | Ideal state: the page always matches the code |
Proposed spec.yaml structure:
steps:
  - id: admin-account
    label: "Admin account (adminx9)"
    script: 00-admin-account.ps1
    default: true
  - id: activation
    label: "Windows activation"
    script: 08-activation.ps1
    default: true
    requires: [productKey]