xetup/SPEC.md
X9 Dev 0cfe7510aa
feat(03): disable hibernation, Smart App Control; rework Edge config
- powercfg /hibernate off added to powercfg block
- Smart App Control: VerifiedAndReputablePolicyState=0 (Win11, permanent)
- Edge: replaced non-working Recommended policies with two-tier approach:
  - Mandatory: only HideFirstRunExperience, DefaultBrowserSettingEnabled,
    DiagnosticData, FeedbackSurveysEnabled (privacy/first-run, locked)
  - initial_preferences JSON written to Edge Application dir: sets UI
    defaults (favorites bar, no home button, clean NTP, no shopping/rewards)
    that users can freely override in Edge settings
- Removed invalid PerformanceButtonEnabled policy key
- SPEC.md and web/spec/index.html updated accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 17:53:07 +02:00


# MSP Windows Deployment - Specification
> Purpose: Automated preparation of new Windows 10/11 computers for X9.cz clients

---

## Overview

xetup.exe replaces ~3 hours of manual computer setup. The GUI launcher embeds the PowerShell
scripts, runs them sequentially, handles reboot cycles, and sends an email report when done.
Settings are applied to the Default Profile (NTUSER.DAT) so every new user inherits them.

---
## Prerequisites
- Windows 10 or Windows 11 (x64)
- Run as Administrator
- Internet connection (for winget installs, Atera agent, Windows Update)
- Post-OOBE (fully installed Windows with at least one user account)

---
## Step execution order

| # | Step | Script | Notes |
|---|---|---|---|
| 00 | Admin account | 00-admin-account.ps1 | adminx9, no password, hidden |
| 08 | Windows activation | 08-activation.ps1 | OA3 → config key → GVLK fallback |
| 01 | Bloatware removal | 01-bloatware.ps1 | AppX + Capabilities + Features |
| 02 | Software install | 02-software.ps1 | Parallel winget + Atera + PDF default |
| 03 | System registry | 03-system-registry.ps1 | HKLM tweaks, Edge, powercfg, WPAD |
| 04 | Profile + personalization | 04-default-profile.ps1 | NTUSER.DAT + HKCU + theme |
| 07 | BackInfo | 07-backinfo.ps1 | System info wallpaper overlay |
| 10 | Network | 10-network.ps1 | Private profile, ping, discovery |
| 11 | Dell Update | 11-dell-update.ps1 | Auto-skip on non-Dell HW |
| 09 | PC identity | 09-pc-identity.ps1 | Rename + C:\X9 (reboot on rename) |
| 12 | Windows Update | 12-windows-update.ps1 | Multi-round reboot cycle |

---
## Step 00 - Admin account
Creates local admin account `adminx9`:
- No password (empty) - account is hidden, only accessible to technicians
- FullName = "X9.cz s.r.o." (via ADSI)
- Added to Administrators group
- Hidden from login screen (SpecialAccounts\UserList = 0)
- Password never expires

---
## Step 08 - Windows activation
Priority: OA3 embedded key (BIOS/UEFI) → config.json productKey → GVLK by edition.
Optional KMS server via config.json. Skips if already activated (LicenseStatus = 1).

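
The priority chain above, as an added example that is not the project's 08-activation.ps1. It assumes the config lives at C:\X9\config.json, that the Windows application ID in the Software Licensing provider is the well-known 55c92734-d682-4d71-983e-d6ec3f16059f, and it lists only the Pro and Enterprise GVLKs (Microsoft's published KMS client setup keys); other editions fall through to failure.

```powershell
# Added example, not the project's 08-activation.ps1: activation priority chain
# OA3 firmware key -> config.json productKey -> GVLK by edition, skipped when licensed.
# Assumptions: config path C:\X9\config.json; only Pro/Enterprise GVLKs listed
# (Microsoft's published KMS client setup keys, verify against current docs).
$ConfigPath   = 'C:\X9\config.json'
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows application ID in SLP
$Gvlk = @{
    'Professional' = 'W269N-WFGWX-YVC9B-4J6C9-T83GX'
    'Enterprise'   = 'NPPR9-FWDCX-D2C8J-H872K-2YT43'
}

function Get-WindowsLicense {
    # The product row that carries the currently installed key for Windows itself
    Get-CimInstance SoftwareLicensingProduct `
        -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
}

$lic = Get-WindowsLicense
if ($lic -and $lic.LicenseStatus -eq 1) { Write-Host 'Already activated (LicenseStatus=1)'; exit 0 }

$cfg     = Get-Content $ConfigPath -Raw | ConvertFrom-Json
$sls     = Get-CimInstance SoftwareLicensingService
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

# Candidate keys in priority order; empty sources are dropped
$candidates = @(
    $sls.OA3xOriginalProductKey     # 1. OEM key embedded in firmware (ACPI MSDM table)
    $cfg.activation.productKey      # 2. key supplied in config.json
    $Gvlk[$edition]                 # 3. generic volume key for the detected edition
) | Where-Object { $_ }

if ($cfg.activation.kmsServer) {    # optional explicit KMS host for GVLK activation
    Invoke-CimMethod -InputObject $sls -MethodName SetKeyManagementServiceMachine `
        -Arguments @{ MachineName = $cfg.activation.kmsServer } | Out-Null
}

foreach ($key in $candidates) {
    $tail = $key.Substring([Math]::Max(0, $key.Length - 5))   # never log the full key
    try {
        Invoke-CimMethod -InputObject $sls -MethodName InstallProductKey -Arguments @{ ProductKey = $key } | Out-Null
        Invoke-CimMethod -InputObject $sls -MethodName RefreshLicenseStatus | Out-Null
        Invoke-CimMethod -InputObject (Get-WindowsLicense) -MethodName Activate | Out-Null
        if ((Get-WindowsLicense).LicenseStatus -eq 1) { Write-Host "Activated with key ...$tail"; exit 0 }
        Write-Warning "Key ...$tail installed but LicenseStatus is not 1, trying next source"
    } catch {
        Write-Warning "Key ...$tail failed: $($_.Exception.Message)"
    }
}
Write-Error 'Activation failed with every key source'
exit 1
```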
---
## Step 01 - Bloatware removal
Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.),
~14 Windows Capabilities (Fax, IE, WordPad, etc.), and Optional Features
(PowerShell 2.0, Recall). Calculator intentionally kept.

---
## Step 02 - Software installation
Parallel winget installs (Start-Job):

| Software | Winget ID |
|---|---|
| 7-Zip | 7zip.7zip |
| Adobe Acrobat Reader 64-bit | Adobe.Acrobat.Reader.64-bit |
| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect |

After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted.
Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait.

---
## Step 03 - System registry (HKLM)
Always applied: password max age unlimited, timezone (Central Europe Standard Time).

Feature-toggled sections:

- **systemTweaks**: BypassNRO, disable Teams auto-install, Widgets, GameDVR, Recall, Copilot search,
  Smart App Control (VerifiedAndReputablePolicyState=0, permanent)
- **edgePolicies**: mandatory only (HideFirstRunExperience, DefaultBrowserSettingEnabled,
  DiagnosticData, FeedbackSurveysEnabled) + initial_preferences file for UI defaults
  (favorites bar, no home button, no search suggestions, clean NTP, no rewards/shopping/collections).
  initial_preferences is read by Edge once on first profile creation, so users can override it freely.
- **oneDriveUninstall**: removes consumer OneDrive (no policy block, so M365 can reinstall it)
- **powercfg**: hibernate off; standby-ac=0, monitor-ac=60, standby-dc=30, monitor-dc=15
  (timeouts in minutes, 0 = never)
- **proxyDisable**: WPAD auto-detect off

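
The two-tier Edge configuration from the **edgePolicies** section, as an added example that is not the project's 03-system-registry.ps1. It assumes Edge is installed under the standard x86 Program Files path and uses only Chromium preference names I know exist (favorites bar, home button, search suggestions); the Edge-specific NTP, rewards and shopping keys are deliberately not guessed.

```powershell
# Added example, not the project's 03-system-registry.ps1: two-tier Edge config.
# Tier 1: mandatory policies under HKLM\SOFTWARE\Policies\Microsoft\Edge (locked for users).
# Tier 2: initial_preferences in the Application dir, read once on first profile creation.
# Assumed: standard Edge install path; only well-known Chromium preference names used.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$EdgeAppDir = 'C:\Program Files (x86)\Microsoft\Edge\Application'

$Mandatory = @{
    HideFirstRunExperience       = 1   # skip the first-run wizard
    DefaultBrowserSettingEnabled = 0   # no "make Edge default" prompt
    DiagnosticData               = 0   # 0 = off (1 = required, 2 = optional)
    FeedbackSurveysEnabled       = 0
}
New-Item -Path $PolicyKey -Force | Out-Null
foreach ($name in $Mandatory.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $Mandatory[$name] -PropertyType DWord -Force | Out-Null
}

# Chromium-style preferences; Edge-specific NTP/rewards/shopping keys are not guessed here
# and must be taken from Microsoft's initial_preferences documentation.
$Prefs = @{
    bookmark_bar = @{ show_on_all_tabs = $true }   # favorites bar always visible
    browser      = @{ show_home_button = $false }  # no home button
    search       = @{ suggest_enabled  = $false }  # no search suggestions
}
if (-not (Test-Path $EdgeAppDir)) { throw "Edge Application dir not found: $EdgeAppDir" }
$prefPath = Join-Path $EdgeAppDir 'initial_preferences'
# WriteAllText writes UTF-8 without BOM; PS 5.1's Set-Content -Encoding utf8 would add one.
[System.IO.File]::WriteAllText($prefPath, ($Prefs | ConvertTo-Json -Depth 5))

# Verify: every mandatory policy is present with the locked value, and the file parses.
$applied = Get-ItemProperty -Path $PolicyKey
foreach ($name in $Mandatory.Keys) {
    if ($applied.$name -ne $Mandatory[$name]) { Write-Warning "Policy $name not applied" }
}
$null = Get-Content $prefPath -Raw | ConvertFrom-Json
```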
---
## Step 04 - Default Profile + Personalization
Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Default
hive and current HKCU. Feature-toggled sections:

- **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all
  tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on
- **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR
- **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path

Personalization (always): dark shell / light apps, accent #223B47, transparency off,
solid wallpaper #223B47 (BackInfo overwrites on logon).

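
The single hive load with values written to both HKCU and the Default hive, as an added example that is not the project's 04-default-profile.ps1. It uses the **explorerTweaks** values from this step; the registry value names are the standard Explorer settings and the mount name HKU\X9Default is an assumption.

```powershell
# Added example, not the project's 04-default-profile.ps1: apply one set of HKCU
# values to the current user AND the Default profile hive so new accounts inherit them.
# Assumed: mount name HKU\X9Default; value names are the standard Explorer settings.
$DefaultHive = 'C:\Users\Default\NTUSER.DAT'
$MountName   = 'HKU\X9Default'

# Paths are relative to the hive root so the same list serves both targets
$Tweaks = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'HideFileExt';  Value = 0 }  # show extensions
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'LaunchTo';     Value = 1 }  # 1 = This PC
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Explorer';              Name = 'ShowRecent';   Value = 0 }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Explorer';              Name = 'ShowFrequent'; Value = 0 }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState'; Name = 'FullPath';     Value = 1 }  # full path in title bar
)

function Set-Tweaks([string]$Root) {
    foreach ($t in $Tweaks) {
        $key = "$Root\$($t.Path)"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $t.Name -Value $t.Value -PropertyType DWord -Force | Out-Null
    }
}

# reg.exe is used because PowerShell has no native hive load/unload
& reg.exe load $MountName $DefaultHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE): is another process holding NTUSER.DAT?" }
try {
    Set-Tweaks 'HKCU:'                      # current user
    Set-Tweaks "Registry::$MountName"       # Default profile hive
} finally {
    # Drop any handles PowerShell still holds on the mounted hive; otherwise
    # reg unload fails with "Access is denied" and the hive stays mounted.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed ($LASTEXITCODE); close handles and retry" }
}
```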
---
## Step 07 - BackInfo
Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to
registry. Creates startup shortcut for all users. BackInfo renders system info BMP as
desktop wallpaper on every logon.

---
## Step 10 - Network
Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network
Discovery firewall rules.

---
## Step 11 - Dell Command | Update
Detects Dell hardware via Win32_ComputerSystem.Manufacturer. On non-Dell: skips silently.
On Dell: installs DCU Universal via winget, runs dcu-cli.exe /applyUpdates with
-reboot=disable. Feature-toggled: drivers/firmware and BIOS separately. Exit 9 when
BIOS/firmware updates are staged (finalize on next restart).

---
## Step 09 - PC identity
Creates C:\X9\ directory (Logs, Scripts, Assets) with custom folder icon.
Sets computer description. Renames computer if config.json pcName is set and differs
from current. Exit 9 only when rename actually happened (restart required).

---
## Step 12 - Windows Update
Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed
(reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles
the reboot cycle automatically.

---
## Config structure
```json
{
  "deployment": { "pcName": "", "pcDescription": "", "timezone": "...", "profileType": "default" },
  "adminAccount": { "username": "adminx9" },
  "activation": { "productKey": "", "kmsServer": "" },
  "software": { "install": [{ "name": "...", "wingetId": "..." }] },
  "steps": { "adminAccount": true, ... },
  "features": { "software": { "wingetInstalls": true, "pdfDefault": true, "ateraAgent": true }, ... },
  "bloatware": { "keepPackages": ["Microsoft.WindowsCalculator"] }
}
```

---
## Email report
Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps,
OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME".
From: xetup@x9.cz, To: net@x9.cz.