Implement full deployment script suite (steps 1-7)
- Deploy-Windows.ps1: master script with Write-Log, Invoke-Step, summary report, DryRun support
- 01-bloatware.ps1: remove AppX packages, Windows Capabilities, Optional Features
- 02-software.ps1: winget installs from config.json, set Adobe Reader as default PDF app
- 03-system-registry.ps1: HKLM tweaks (NRO bypass, Teams, Widgets, Edge, OneDrive, GameDVR, Recall, timezone)
- 04-default-profile.ps1: NTUSER.DAT changes for taskbar, Explorer, Start menu, NumLock, Copilot
- 05-personalization.ps1: dark/light theme, accent color #223B47, transparency off, wallpaper
- 06-scheduled-tasks.ps1: ShowAllTrayIcons, PDF-DefaultApp, UnlockStartLayout tasks
- 07-desktop-info.ps1: DesktopInfo render script (System.Drawing BMP), scheduled task, deploy date registry
- tests/Test-Deployment.ps1: post-deployment verification, 30+ checks
- CLAUDE.md: add Czech communication preference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 09:44:38 +01:00
# Script parameters:
#   -Config   configuration object; this script reads .deployment.timezone from it when present
#   -LogFile  path of the log file that Write-Log appends to
param([object]$Config, [string]$LogFile)

# Non-terminating errors are reported but do not stop the script.
$ErrorActionPreference = 'Continue'
function Write-Log {
    # Appends one line of the form "[HH:mm:ss] [LEVEL] message" to the script-level $LogFile.
    #   Message  text to record
    #   Level    severity tag written between brackets (defaults to INFO)
    param([string]$Message, [string]$Level = "INFO")

    $stamp = Get-Date -Format 'HH:mm:ss'
    $entry = "[{0}] [{1}] {2}" -f $stamp, $Level, $Message
    Add-Content -Path $LogFile -Value $entry -Encoding UTF8
}
2026-03-14 20:06:01 +01:00
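# Compiles the RegPrivilege helper (P/Invoke wrapper that enables a named privilege on the
# current process token). The type is compiled only when it is not already loaded, so a
# repeated run in the same session is skipped explicitly instead of silencing every Add-Type
# error; a genuine compile failure is now reported.
if (-not ('RegPrivilege' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

// NOTE: this source lives in an expandable here-string, so it must not contain
// dollar signs or backtick characters.
public class RegPrivilege {
    [DllImport("advapi32.dll", ExactSpelling=true, SetLastError=true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disAll, ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr relen);

    [DllImport("kernel32.dll", ExactSpelling=true)]
    static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", ExactSpelling=true, SetLastError=true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [DllImport("kernel32.dll", ExactSpelling=true, SetLastError=true)]
    static extern bool CloseHandle(IntPtr h);

    [StructLayout(LayoutKind.Sequential, Pack=1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }

    const int TOKEN_QUERY = 0x8;
    const int TOKEN_ADJUST = 0x20;
    const int SE_PRIVILEGE_ENABLED = 2;
    const int ERROR_SUCCESS = 0;

    // Enables the named privilege (for example SeTakeOwnershipPrivilege) on the token of
    // the current process. Returns true only when the privilege was actually enabled.
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST | TOKEN_QUERY, ref htok)) return false;
        try {
            TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
            if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges also reports success when the token does not hold the
            // privilege (last error ERROR_NOT_ALL_ASSIGNED), so the last error decides.
            return Marshal.GetLastWin32Error() == ERROR_SUCCESS;
        }
        finally {
            // The token handle was never released before; close it on every path.
            CloseHandle(htok);
        }
    }
}
"@
}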
2026-03-14 19:37:47 +01:00
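function Grant-RegWriteAccess {
    # Makes BUILTIN\Administrators the owner of a registry key and grants that group
    # FullControl (inherited by subkeys and values). Written for TrustedInstaller-owned keys
    # whose ACL blocks an elevated administrator.
    # Enables SeTakeOwnershipPrivilege + SeRestorePrivilege to override the ACL.
    #
    # SECURITY: the owner and ACL change is persistent. Nothing here restores the original
    # owner, removes the added rule, or disables the privileges again, so every key passed
    # in stays writable by any administrator process. Each change is logged for auditing.
    #
    #   Path  PowerShell registry path, e.g. 'HKLM:\SOFTWARE\...'
    # Failures are logged at WARN level and never rethrown.
    param([string]$Path)

    try {
        foreach ($privilege in "SeTakeOwnershipPrivilege", "SeRestorePrivilege") {
            if (-not [RegPrivilege]::Enable($privilege)) {
                Write-Log " Could not enable $privilege (needed for $Path)" -Level WARN
            }
        }

        # Split 'HIVE:\sub\key' into hive abbreviation and subkey; reject anything else
        # instead of continuing with a null root key.
        if ($Path -notmatch '^(HKLM|HKCU|HKU|HKCR|HKCC):\\(.*)$') {
            throw "Unsupported registry path"
        }
        $hive   = $Matches[1]
        $subkey = $Matches[2]
        $rootKey = switch ($hive) {
            "HKLM" { [Microsoft.Win32.Registry]::LocalMachine }
            "HKCU" { [Microsoft.Win32.Registry]::CurrentUser }
            "HKCR" { [Microsoft.Win32.Registry]::ClassesRoot }
            "HKU"  { [Microsoft.Win32.Registry]::Users }
            "HKCC" { [Microsoft.Win32.Registry]::CurrentConfig }
        }

        $changed = $false

        # Take ownership (requires SeTakeOwnershipPrivilege)
        $key = $rootKey.OpenSubKey($subkey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        if ($key) {
            try {
                # AccessControlSections::None: start from an empty descriptor so only the
                # owner is written back.
                $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
                $acl.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
                $key.SetAccessControl($acl)
                $changed = $true
            }
            finally {
                $key.Close()
            }
        }

        # Grant FullControl to Administrators (requires ChangePermissions)
        $key = $rootKey.OpenSubKey($subkey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::ChangePermissions)
        if ($key) {
            try {
                $acl = $key.GetAccessControl()
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    "BUILTIN\Administrators",
                    [System.Security.AccessControl.RegistryRights]::FullControl,
                    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Allow)
                $acl.SetAccessRule($rule)
                $key.SetAccessControl($acl)
                $changed = $true
            }
            finally {
                $key.Close()
            }
        }

        if ($changed) {
            Write-Log " ACL fixed for $Path" -Level INFO
        }
        else {
            # OpenSubKey returned null both times: there was no key to modify.
            Write-Log " ACL not changed for $Path - key not found" -Level WARN
        }
    }
    catch {
        Write-Log " Grant-RegWriteAccess failed for $Path - $_" -Level WARN
    }
}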
Implement full deployment script suite (steps 1-7)
- Deploy-Windows.ps1: master script with Write-Log, Invoke-Step, summary report, DryRun support
- 01-bloatware.ps1: remove AppX packages, Windows Capabilities, Optional Features
- 02-software.ps1: winget installs from config.json, set Adobe Reader as default PDF app
- 03-system-registry.ps1: HKLM tweaks (NRO bypass, Teams, Widgets, Edge, OneDrive, GameDVR, Recall, timezone)
- 04-default-profile.ps1: NTUSER.DAT changes for taskbar, Explorer, Start menu, NumLock, Copilot
- 05-personalization.ps1: dark/light theme, accent color #223B47, transparency off, wallpaper
- 06-scheduled-tasks.ps1: ShowAllTrayIcons, PDF-DefaultApp, UnlockStartLayout tasks
- 07-desktop-info.ps1: DesktopInfo render script (System.Drawing BMP), scheduled task, deploy date registry
- tests/Test-Deployment.ps1: post-deployment verification, 30+ checks
- CLAUDE.md: add Czech communication preference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 09:44:38 +01:00
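function Set-Reg {
    # Writes one registry value, escalating through three attempts:
    #   1. direct write with the current token;
    #   2. after Grant-RegWriteAccess has taken ownership of the key and granted
    #      Administrators FullControl;
    #   3. through a temporary scheduled task that runs reg.exe as SYSTEM.
    #
    #   Path   PowerShell registry path ('HKLM:\...'); the key is created when missing
    #   Name   value name
    #   Value  data to write
    #   Type   DWord (default), String, ExpandString, MultiString or QWord
    # Nothing is thrown; the outcome is reported through Write-Log.
    #
    # SECURITY: attempt 3 executes a command line as SYSTEM. reg.exe is started directly by
    # its full path (no cmd.exe in between), every argument is quoted, and input containing
    # double quotes or control characters is refused, so Path/Name/Value cannot add
    # arguments or commands of their own.
    param(
        [string]$Path,
        [string]$Name,
        $Value,
        [string]$Type = "DWord"
    )

    # Attempt 1: plain write.
    try {
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
        Write-Log " SET $Path\$Name = $Value" -Level OK
        return
    }
    catch {
        # Fall through to the retries below.
    }

    # Retry 1: grant write access via ACL manipulation
    try {
        Grant-RegWriteAccess -Path $Path
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
        Write-Log " SET $Path\$Name = $Value (after ACL fix)" -Level OK
        return
    }
    catch {
        # Previously swallowed without a trace; record why the SYSTEM fallback is used.
        Write-Log " Write after ACL fix failed for $Path\$Name - $_" -Level WARN
    }

    # Retry 2: write via scheduled task running as SYSTEM
    # SYSTEM has full registry access regardless of key ACL
    try {
        $regType = switch ($Type) {
            "DWord"        { "REG_DWORD" }
            "String"       { "REG_SZ" }
            "ExpandString" { "REG_EXPAND_SZ" }
            "MultiString"  { "REG_MULTI_SZ" }
            "QWord"        { "REG_QWORD" }
            # An unknown type used to be written as REG_DWORD; refuse instead of storing
            # the data under the wrong type.
            default        { throw "Unsupported registry type '$Type'" }
        }

        # Convert registry PS path to reg.exe path
        $regPath = $Path -replace '^(HKLM|HKCU|HKCR|HKU|HKCC):\\', '$1\'

        # reg.exe separates REG_MULTI_SZ entries with the literal sequence \0.
        $data = if ($Type -eq "MultiString") { @($Value) -join '\0' } else { "$Value" }

        foreach ($part in $regPath, $Name, $data) {
            if ($part -match '["\x00-\x1f]') {
                throw "Refusing to pass a double quote or control character to the SYSTEM task"
            }
        }

        # Quote an argument; trailing backslashes are doubled so the last one cannot
        # escape the closing quote.
        $quote = { param([string]$text) '"' + ($text -replace '(\\+)$', '$1$1') + '"' }
        $arguments = 'add {0} /v {1} /t {2} /d {3} /f' -f (& $quote $regPath), (& $quote $Name), $regType, (& $quote $data)

        $taskName  = "TempRegFix-$([System.IO.Path]::GetRandomFileName())"
        $action    = New-ScheduledTaskAction -Execute (Join-Path $env:SystemRoot 'System32\reg.exe') -Argument $arguments
        $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
        $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 30)
        $task      = New-ScheduledTask -Action $action -Principal $principal -Settings $settings

        try {
            Register-ScheduledTask -TaskName $taskName -InputObject $task -Force -ErrorAction Stop | Out-Null
            Start-ScheduledTask -TaskName $taskName -ErrorAction Stop
            Start-Sleep -Seconds 2
            # Give a slow run time to finish, bounded by the task's own 30 s limit.
            $deadline = (Get-Date).AddSeconds(30)
            while ((Get-Date) -lt $deadline -and
                   (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue).State -eq 'Running') {
                Start-Sleep -Seconds 1
            }
        }
        finally {
            # Never leave a SYSTEM-level task registered, even when starting it failed.
            Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
        }

        # Verify it was written
        # NOTE(review): this proves only that a value with this name exists; a stale value
        # left from before the task ran would also pass.
        $written = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $written) {
            Write-Log " SET $Path\$Name = $Value (via SYSTEM task)" -Level OK
        } else {
            Write-Log " FAILED $Path\$Name - SYSTEM task ran but value not found" -Level ERROR
        }
    }
    catch {
        Write-Log " FAILED $Path\$Name - $_" -Level ERROR
    }
}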
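function Remove-Reg {
    # Deletes the registry value $Name under $Path when both the key and the value exist.
    # Logs REMOVED only after the value was really deleted; a failed delete is logged as
    # ERROR. (Before, errors were silenced, so the catch block could not be reached and
    # REMOVED was logged even when nothing had been deleted.)
    #   Path  PowerShell registry path of the key
    #   Name  name of the value to delete
    param([string]$Path, [string]$Name)

    try {
        if (-not (Test-Path $Path)) {
            return
        }
        $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            # Value already absent - nothing to remove, nothing to report.
            return
        }
        Remove-ItemProperty -Path $Path -Name $Name -Force -ErrorAction Stop
        Write-Log " REMOVED $Path\$Name" -Level OK
    }
    catch {
        Write-Log " FAILED removing $Path\$Name - $_" -Level ERROR
    }
}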
Write-Log "3 - Applying HKLM system registry tweaks" -Level STEP

# Machine-wide values, applied in the order listed. No Type is given, so Set-Reg uses its
# default for every entry.
$systemTweaks = @(
    # Bypass Network Requirement on OOBE (BypassNRO)
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE"; Name = "BypassNRO"; Value = 1 }

    # Disable auto-install of Teams (Chat)
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications"; Name = "ConfigureChatAutoInstall"; Value = 0 }

    # Disable Cloud Optimized Content (ads in Start menu etc.)
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent"; Name = "DisableCloudOptimizedContent"; Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent"; Name = "DisableWindowsConsumerFeatures"; Value = 1 }

    # Disable Widgets (News and Interests)
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Dsh"; Name = "AllowNewsAndInterests"; Value = 0 }

    # Microsoft Edge - hide First Run Experience
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name = "HideFirstRunExperience"; Value = 1 }

    # Also disable Edge desktop shortcut creation after install
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate"; Name = "CreateDesktopShortcutDefault"; Value = 0 }
)

foreach ($tweak in $systemTweaks) {
    Set-Reg @tweak
}
# -----------------------------------------------------------------------
# Password - no expiration
# SECURITY: /maxpwage is the machine's local account policy, so after this no local
# account password on the machine ever expires. Record it as an accepted deviation if a
# baseline mandates a maximum password age.
# -----------------------------------------------------------------------
Write-Log " Setting password max age to UNLIMITED" -Level INFO

# 2>&1 folds the tool's error text into the captured output for the log line below.
$pwResult = & net accounts /maxpwage:UNLIMITED 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log " Failed to set password max age: $pwResult" -Level ERROR
}
else {
    Write-Log " Password max age set to UNLIMITED" -Level OK
}
# -----------------------------------------------------------------------
# Time zone
# The built-in default applies unless the config supplies deployment.timezone.
# -----------------------------------------------------------------------
$tz = if ($Config -and $Config.deployment -and $Config.deployment.timezone) {
    $Config.deployment.timezone
}
else {
    "Central Europe Standard Time"
}

Write-Log " Setting time zone: $tz" -Level INFO
try {
    # -ErrorAction Stop turns a rejected time zone id into an exception for the catch below.
    Set-TimeZone -Id $tz -ErrorAction Stop
    Write-Log " Time zone set: $tz" -Level OK
}
catch {
    Write-Log " Failed to set time zone: $_" -Level ERROR
}
# -----------------------------------------------------------------------
# OneDrive - uninstall from clean Windows (no policy block)
# NOTE: No policy key is set intentionally - M365 installation can reinstall
# and run OneDrive normally. Policy DisableFileSyncNGSC would prevent that.
# -----------------------------------------------------------------------
Write-Log " Uninstalling OneDrive" -Level INFO

# Run the bundled installer's uninstall switch from each location where it is present.
# NOTE(review): the installer's exit code is not inspected, so the OK line below means
# only that the installer could be started.
$oneDrivePaths = @(
    "$env:SystemRoot\System32\OneDriveSetup.exe"
    "$env:SystemRoot\SysWOW64\OneDriveSetup.exe"
)
foreach ($odPath in $oneDrivePaths) {
    if (-not (Test-Path $odPath)) {
        continue
    }
    try {
        # Uninstall first
        & $odPath /uninstall 2>&1 | Out-Null
        Write-Log " OneDrive uninstalled via $odPath" -Level OK
    }
    catch {
        Write-Log " OneDrive uninstall failed: $_" -Level WARN
    }
}

# Remove OneDrive Start Menu shortcut
$odLnk = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
if (Test-Path $odLnk) {
    Remove-Item $odLnk -Force -ErrorAction SilentlyContinue
    Write-Log " Removed OneDrive Start Menu shortcut" -Level OK
}
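# -----------------------------------------------------------------------
# Outlook (new) - disable auto-install via UScheduler
# Deletes the OutlookUpdate keys under the Update Orchestrator's UScheduler and
# UScheduler_Oobe keys when they exist.
# -----------------------------------------------------------------------
Write-Log " Disabling Outlook (new) auto-install" -Level INFO

$uschedulerPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler_Oobe\OutlookUpdate"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\OutlookUpdate"
)
foreach ($uPath in $uschedulerPaths) {
    if (Test-Path $uPath) {
        try {
            # -ErrorAction Stop: with the script-wide preference "Continue" a denied delete
            # is non-terminating, so the catch was skipped and "Removed" was logged for a
            # key that still existed.
            Remove-Item -Path $uPath -Recurse -Force -ErrorAction Stop
            Write-Log " Removed UScheduler key: $uPath" -Level OK
        }
        catch {
            Write-Log " Failed to remove UScheduler key: $_" -Level WARN
        }
    }
}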
# -----------------------------------------------------------------------
# Remaining HKLM policy values, applied in the order listed. No Type is given, so Set-Reg
# uses its default for every entry.
# -----------------------------------------------------------------------
$policyTweaks = @(
    # Disable GameDVR
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR"; Name = "AllowGameDVR"; Value = 0 }

    # Disable Recall (Windows AI feature)
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"; Name = "DisableAIDataAnalysis"; Value = 1 }

    # Search on taskbar - hide via HKLM policy (Win11 22H2+ enforcement)
    # User-level SearchboxTaskbarMode alone is insufficient on newer Win11 builds;
    # this policy key ensures the setting survives Windows Updates.
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"; Name = "SearchOnTaskbarMode"; Value = 0 }

    # Start menu - hide Recommended section (Win11)
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer"; Name = "HideRecommendedSection"; Value = 1 }
)

foreach ($tweak in $policyTweaks) {
    Set-Reg @tweak
}

Write-Log "Step 3 complete" -Level OK