MSP Windows Deployment - Specification (SPEC.md)
- Version: 0.2 (draft)
- Author: X9.cz
- Purpose: Automated preparation of new Windows 10/11 computers for clients
Overview
The script replaces ~3 hours of manual computer setup. It is run once as Administrator on an already-installed Windows system, performs every step automatically, and saves the result to the Default Profile so that the settings apply to every subsequent user.
Prerequisites
- Windows 10 or Windows 11 (x64)
- Run as Administrator
- Internet connection (for winget installs)
- Computer received either as clean OEM install or with manufacturer pre-installed Windows
What the script does NOT do
- Does not install Windows (not an autounattend.xml for clean install)
- Does not create images
- Does not manage the computer ongoing (one-time deployment)
Script structure
Script is divided into steps. Each step logs its result. Steps can be skipped with switches.
STEP 1 - Bloatware removal
1a - AppX packages (UWP apps)
Removed for all users (-AllUsers) and from provisioned packages (so they do not return for new users).
| Package | Description |
|---|---|
| Microsoft.Microsoft3DViewer | 3D Viewer |
| Microsoft.BingSearch | Bing Search |
| Microsoft.WindowsCamera | Camera |
| Clipchamp.Clipchamp | Clipchamp video editor |
| Microsoft.WindowsAlarms | Clock / Alarm |
| Microsoft.Copilot | Copilot AI |
| Microsoft.549981C3F5F10 | Cortana |
| Microsoft.Windows.DevHome | Dev Home |
| MicrosoftCorporationII.MicrosoftFamily | Family Safety |
| Microsoft.WindowsFeedbackHub | Feedback Hub |
| Microsoft.Edge.GameAssist | Game Assist |
| Microsoft.GetHelp | Help |
| Microsoft.Getstarted | Tips / Get Started |
| microsoft.windowscommunicationsapps | Mail and Calendar |
| Microsoft.WindowsMaps | Maps |
| Microsoft.MixedReality.Portal | Mixed Reality |
| Microsoft.BingNews | News |
| Microsoft.MicrosoftOfficeHub | Office Hub |
| Microsoft.Office.OneNote | OneNote |
| Microsoft.OutlookForWindows | Outlook (new) |
| Microsoft.Paint | Paint (new UWP) |
| Microsoft.MSPaint | Paint (legacy) |
| Microsoft.People | People |
| Microsoft.Windows.Photos | Photos |
| Microsoft.PowerAutomateDesktop | Power Automate |
| MicrosoftCorporationII.QuickAssist | Quick Assist |
| Microsoft.SkypeApp | Skype |
| Microsoft.ScreenSketch | Snipping Tool |
| Microsoft.MicrosoftSolitaireCollection | Solitaire |
| Microsoft.MicrosoftStickyNotes | Sticky Notes |
| MicrosoftTeams / MSTeams | Teams (personal) |
| Microsoft.Todos | To Do |
| Microsoft.WindowsSoundRecorder | Voice Recorder |
| Microsoft.Wallet | Wallet |
| Microsoft.BingWeather | Weather |
| Microsoft.WindowsTerminal | Windows Terminal |
| Microsoft.Xbox.TCUI | Xbox UI |
| Microsoft.XboxApp | Xbox |
| Microsoft.XboxGameOverlay | Xbox Game Overlay |
| Microsoft.XboxGamingOverlay | Xbox Gaming Overlay |
| Microsoft.XboxIdentityProvider | Xbox Identity |
| Microsoft.XboxSpeechToTextOverlay | Xbox Speech |
| Microsoft.GamingApp | Gaming App |
| Microsoft.YourPhone | Phone Link |
| Microsoft.ZuneMusic | Music |
| Microsoft.ZuneVideo | Movies and TV |
NOTE: Microsoft.WindowsCalculator is intentionally KEPT.
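An added example (not the project's own script) of how step 1a can remove a package both for existing users and from the provisioned set, honouring `-DryRun` and writing the STEP 8 log format. The package subset and the helper name `Write-DeployLog` are assumptions.

```powershell
#Requires -RunAsAdministrator
param([switch]$DryRun)   # mirrors the spec's -DryRun switch

$LogFile  = 'C:\Windows\Setup\Scripts\Deploy.log'
$Packages = 'Microsoft.BingNews', 'Microsoft.BingWeather', 'Microsoft.ZuneVideo'  # subset of the 1a table

function Write-DeployLog([string]$Message) {   # hypothetical helper
    # STEP 8 format: [HH:mm:ss] Step description - OK / ERROR: ...
    Add-Content -Path $LogFile -Value ('[{0:HH:mm:ss}] {1}' -f (Get-Date), $Message)
}

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
# Query the provisioned list once; it is slow and does not change per package
$allProvisioned = @(Get-AppxProvisionedPackage -Online)

foreach ($name in $Packages) {
    try {
        # @() guarantees an array, so a package that is absent yields Count = 0
        $installed   = @(Get-AppxPackage -AllUsers -Name $name)
        $provisioned = @($allProvisioned | Where-Object { $_.DisplayName -eq $name })
        if (-not $DryRun) {
            foreach ($p in $installed) {
                Remove-AppxPackage -Package $p.PackageFullName -AllUsers -ErrorAction Stop
            }
            # Without this, the package is re-installed for every new user profile
            foreach ($p in $provisioned) {
                Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName -ErrorAction Stop | Out-Null
            }
        }
        $mode = if ($DryRun) { 'would remove' } else { 'removed' }
        Write-DeployLog ('AppX {0}: {1} {2} installed, {3} provisioned - OK' -f $name, $mode, $installed.Count, $provisioned.Count)
    }
    catch {
        Write-DeployLog "AppX $name - ERROR: $($_.Exception.Message)"
    }
}
```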
1b - Windows Capabilities
| Capability | Description |
|---|---|
| Print.Fax.Scan | Fax and Scan |
| Language.Handwriting | Handwriting |
| Browser.InternetExplorer | Internet Explorer |
| MathRecognizer | Math Input |
| OneCoreUAP.OneSync | OneSync |
| OpenSSH.Client | OpenSSH client |
| Microsoft.Windows.MSPaint | Paint (Win32) |
| Microsoft.Windows.PowerShell.ISE | PowerShell ISE |
| App.Support.QuickAssist | Quick Assist |
| Microsoft.Windows.SnippingTool | Snipping Tool |
| App.StepsRecorder | Steps Recorder |
| Hello.Face.* | Windows Hello face |
| Media.WindowsMediaPlayer | Windows Media Player |
| Microsoft.Windows.WordPad | WordPad |
1c - Windows Optional Features
| Feature | Description |
|---|---|
| MediaPlayback | Media playback |
| MicrosoftWindowsPowerShellV2Root | PowerShell 2.0 |
| Microsoft-RemoteDesktopConnection | RDP client |
| Recall | Windows Recall (AI) |
| Microsoft-SnippingTool | Snipping Tool (feature) |
STEP 2 - Software installation (winget)
| Software | Winget ID | Notes |
|---|---|---|
| 7-Zip | 7zip.7zip | OK |
| Adobe Acrobat Reader | Adobe.Acrobat.Reader.64-bit | OK, see note |
| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect | OK |
| ... | ... | TODO: complete list |
Adobe Acrobat Reader: After install, script sets .pdf -> AcroRd32 as default. Scheduled task PDF-DefaultApp restores this association on every logon as a guard against Edge overwriting it.
BackInfo: NOT used. Replaced by custom PowerShell scheduled task DesktopInfo. See STEP 7.
STEP 3 - System settings (HKLM - applies to whole system)
| Setting | Value | Notes |
|---|---|---|
| Disable NRO (bypass network check) | HKLM...\OOBE\BypassNRO = 1 | |
| Disable auto-install of Teams | ConfigureChatAutoInstall = 0 | |
| Disable Cloud Optimized Content | DisableCloudOptimizedContent = 1 | |
| Disable Widgets (News and Interests) | HKLM...\Dsh\AllowNewsAndInterests = 0 | |
| Edge - hide First Run Experience | HKLM\Policies\Edge\HideFirstRunExperience = 1 | |
| Passwords - no expiration | net accounts /maxpwage:UNLIMITED | |
| Time zone | Central Europe Standard Time | |
| OneDrive - remove | Delete OneDriveSetup.exe + Start Menu lnk | |
| Outlook (new) - disable auto-install | Delete UScheduler registry key | |
| Disable GameDVR | AppCaptureEnabled = 0 | |
STEP 4 - Default Profile (NTUSER.DAT)
Settings applied to C:\Users\Default\NTUSER.DAT - inherited by every new user on first logon.
Method: script loads Default hive (reg load), makes changes, unloads (reg unload).
| Setting | Key / Value | Description |
|---|---|---|
| Taskbar - align left | TaskbarAl = 0 | Win11 default is center |
| Taskbar - hide Search box | SearchboxTaskbarMode = 0 | |
| Taskbar - hide Copilot button | ShowCopilotButton = 0 | |
| Taskbar - hide Task View button | ShowTaskViewButton = 0 | |
| Taskbar - hide Widgets | TaskbarDa = 0 | |
| Taskbar - hide Chat/Teams button | TaskbarMn = 0 | |
| Taskbar - show all tray icons | Scheduled task ShowAllTrayIcons | Runs on every logon |
| Taskbar - empty pinlist | TaskbarLayoutModification.xml | Removes default pinned apps |
| Explorer - show file extensions | HideFileExt = 0 | |
| Explorer - open to This PC | LaunchTo = 1 | Instead of Quick Access |
| Start menu - empty pins | ConfigureStartPins = {"pinnedList":[]} | Win11 |
| Start menu - disable Bing results | DisableSearchBoxSuggestions = 1 | |
| Copilot - disable | TurnOffWindowsCopilot = 1 | |
| GameDVR - disable | AppCaptureEnabled = 0 | |
| OneDrive - remove RunOnce key | Delete OneDriveSetup from Run | |
| Num Lock on startup - enable | InitialKeyboardIndicators = 2 | |
| Accent color on title bars | ColorPrevalence = 1 | |
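An added example (not the project's own script) of the load, edit, unload method for four of the settings above, with the unload guaranteed even when a write fails. The mount name `DefaultProfile` and the `Explorer\Advanced` key path are assumptions, since the table lists value names only.

```powershell
#Requires -RunAsAdministrator
$HivePath  = 'C:\Users\Default\NTUSER.DAT'
$MountName = 'HKU\DefaultProfile'   # hypothetical temporary mount point
# Assumed location of the Explorer/taskbar values inside the mounted hive
$Advanced  = 'Registry::HKEY_USERS\DefaultProfile\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value names and data from the STEP 4 table
$Settings = [ordered]@{
    TaskbarAl          = 0   # taskbar aligned left
    ShowTaskViewButton = 0   # hide Task View button
    HideFileExt        = 0   # show file extensions
    LaunchTo           = 1   # Explorer opens to This PC
}

& reg.exe load $MountName $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (exit code $LASTEXITCODE)" }

try {
    if (-not (Test-Path $Advanced)) { New-Item -Path $Advanced -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $Advanced -Name $name -Value $Settings[$name] `
            -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    }
}
finally {
    # The registry provider keeps handles open; release them or the unload
    # fails with "Access is denied" and the hive stays mounted
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; Default hive is still mounted at $MountName"
    }
}
```

A hive left mounted keeps NTUSER.DAT locked, so the unload result belongs in the deployment log as its own OK / ERROR line.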
STEP 5 - Personalization (colors, wallpaper)
Applied to both Default Profile and currently logged-in user.
| Setting | Value |
|---|---|
| System theme (taskbar, Start) | Dark |
| App theme | Light |
| Accent color | #223B47 (dark blue-gray) |
| Accent color on Start and taskbar | Yes |
| Accent color on title bars | Yes |
| Transparency | Disabled |
| Wallpaper | Solid color #223B47 (no image) |
NOTE: DesktopInfo scheduled task (STEP 7) will overwrite the wallpaper with a system info BMP. The solid color here is only a fallback if DesktopInfo is not running.
STEP 6 - Scheduled Tasks
| Task | Trigger | Purpose |
|---|---|---|
| ShowAllTrayIcons | Every logon, every 1 min | Show all icons in system tray (Win11) |
| UnlockStartLayout | Once after layout is applied | Unlock Start menu layout |
| PDF-DefaultApp | Every logon | Restore .pdf -> Adobe Reader if Edge overwrote it |
| DesktopInfo | Every logon | Render system info onto desktop wallpaper |
STEP 7 - DesktopInfo (BackInfo replacement)
Custom PowerShell scheduled task. No external dependencies.
What it displays:
- Computer name (hostname)
- IP address
- Windows version and build
- Logged-in username
- Deployment date
How it works:
- PS script collects system info
- Renders text onto bitmap via WPF / System.Drawing
- Saves BMP to C:\Windows\Setup\Scripts\desktopinfo.bmp
- Sets BMP as desktop wallpaper via SystemParametersInfo
- Runs on every user logon via Scheduled Task
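An added example (not the project's DesktopInfo script) of the collect, render, save, apply flow using System.Drawing. Canvas size, font, text position and the `Native.Wallpaper` type name are assumptions; the deployment date is omitted because the spec does not say where it is stored, and the account running the task is assumed to have write access to the BMP path.

```powershell
Add-Type -AssemblyName System.Drawing
# P/Invoke wrapper; the type name Native.Wallpaper is hypothetical
Add-Type -Namespace Native -Name Wallpaper -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
'@

$BmpPath = 'C:\Windows\Setup\Scripts\desktopinfo.bmp'

# 1. Collect system info (skip loopback and APIPA addresses)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$ip = (Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
       Select-Object -First 1).IPAddress
$text = @(
    "Computer: $env:COMPUTERNAME"
    "IP: $ip"
    "Windows: $($os.Caption) (build $($os.BuildNumber))"
    "User: $env:USERNAME"
) -join "`n"

# 2. Render onto the STEP 5 fallback colour and save as BMP
$bmp  = New-Object System.Drawing.Bitmap 1920, 1080
$gfx  = [System.Drawing.Graphics]::FromImage($bmp)
$font = New-Object System.Drawing.Font 'Segoe UI', 14
try {
    $gfx.Clear([System.Drawing.ColorTranslator]::FromHtml('#223B47'))
    $gfx.DrawString($text, $font, [System.Drawing.Brushes]::White, 1500, 40)
    $bmp.Save($BmpPath, [System.Drawing.Imaging.ImageFormat]::Bmp)
}
finally {
    $font.Dispose(); $gfx.Dispose(); $bmp.Dispose()
}

# 3. Apply: SPI_SETDESKWALLPAPER = 0x0014, SPIF_UPDATEINIFILE | SPIF_SENDCHANGE = 0x03
if (-not [Native.Wallpaper]::SystemParametersInfo(0x0014, 0, $BmpPath, 0x03)) {
    throw "SystemParametersInfo failed for $BmpPath"
}
```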
Why not BackInfo:
- BackInfo has Win11 rendering issues requiring registry hacks
- External EXE dependency is hard to distribute
- Custom PS solution = full control, no dependencies, works on Win10 and Win11
STEP 8 - Logging and output
- Every step writes to C:\Windows\Setup\Scripts\Deploy.log
- Format: [HH:mm:ss] Step description - OK / ERROR: ...
- At end: summary report (how many steps OK, how many failed)
- Log stays on disk for diagnostics
Script switches
| Switch | Behavior |
|---|---|
| -SkipBloatware | Skip step 1 |
| -SkipSoftware | Skip step 2 |
| -SkipDefaultProfile | Skip step 4 |
| -DryRun | Run through steps without changes, log only |
Open questions
| # | Question | Status |
|---|---|---|
| 1 | BackInfo replacement | DONE - custom PS scheduled task DesktopInfo |
| 2 | Complete SW list for winget | TODO |
| 3 | Per-client variability via config.json | FUTURE |
| 4 | Admin account adminx9 - script or manual? | OPEN |