Stensel8
diff --git a/‎CHANGELOG.md‎
Lines changed: 19 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Scripts/Archived/Fix-Spotlight.ps1‎
Lines changed: 64 additions & 0 deletions b/‎Scripts/Archived/Fix-Spotlight.ps1‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎Scripts/Archived/Get-IntuneHash.ps1‎
Lines changed: 1 addition & 1 deletion b/‎Scripts/Archived/Get-IntuneHash.ps1‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Scripts/Deploy.ps1‎
Lines changed: 123 additions & 30 deletions b/‎Scripts/Deploy.ps1‎
Lines changed: 123 additions & 30 deletions
@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.5.4] - 2025-11-19
+
+### Added
+- Additional security hardening based on CISO recommendations.
+- Additional Winget exit codes to better understand installation results.
+
+### Changed
+- Merged Autorun disable options into Harden-Windows.ps1 for better maintainability and understandability.
+
+### Fixed
+- Improved handling of situations where the script was not run as admin and PowerShell 7 was not present on the system.
+- Implemented PSScriptAnalyzer suggestions to enhance code quality and best practices.
+- Improved GitHub API usage: Scripts now perform more attempts to obtain a good release.
+- Fixed an issue where the deployment tried to use the wrong command to silently update a Dell device driver.
+- Fixed an issue where the logs did not properly capture the output of Driver installs.
+
+---
+
 ## [0.5.3] - 2025-11-18
 
 ### Fixed
@@ -84,6 +102,7 @@ First open-source release of WinDeploy - Windows Deployment Automation Toolkit.
 
 ---
 
+[0.5.4]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.4
 [0.5.3]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.3
 [0.5.2]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.2
 [0.5.0]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.0
 
@@ -59,7 +59,7 @@ graph TD
     G --> H[Launch Deploy.ps1]
     H --> I[Update Drivers]
     I --> J[Install RMM Agent]
-    J --> K[Disable AutoRun]
+    J --> K[Windows Hardening]
     K --> L[Install Applications]
     L --> M[Remove Bloatware]
     M --> N[Apply Theme]
 
@@ -0,0 +1,64 @@
+# Complete script to activate Windows Spotlight for Lock Screen and Desktop
+# Based on registry adjustments, package re-registration and policy resets
+# Run as Administrator; restart after execution for full effect
+
+# Step 1: Remove blocking policies (CloudContent)
+Write-Host "Step 1: Removing blocking policies..." -ForegroundColor Green
+$policyPath = "HKCU:\Software\Policies\Microsoft\Windows\CloudContent"
+if (Test-Path $policyPath) {
+    Remove-ItemProperty -Path $policyPath -Name "DisableSpotlightCollectionOnDesktop" -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path $policyPath -Name "DisableWindowsSpotlightFeatures" -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path $policyPath -Name "TurnOffAllWindowsSpotlightFeatures" -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path $policyPath -Name "ConfigureWindowsSpotlightOnLockScreen" -ErrorAction SilentlyContinue
+    Write-Host "Policies removed or reset." -ForegroundColor Yellow
+} else {
+    Write-Host "No blocking policies found." -ForegroundColor Cyan
+}
+
+# Step 2: Create DesktopSpotlight registry keys if they are missing
+Write-Host "Step 2: Creating DesktopSpotlight keys..." -ForegroundColor Green
+$desktopSpotlightPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\DesktopSpotlight"
+if (-not (Test-Path $desktopSpotlightPath)) {
+    New-Item -Path $desktopSpotlightPath -Force | Out-Null
+    Write-Host "DesktopSpotlight folder created." -ForegroundColor Yellow
+}
+$values = @("RegistrationStatusCheck", "Rotation", "State", "UpdateTask", "UpdateTimer", "WallpaperRefresh")
+foreach ($val in $values) {
+    if (-not (Get-ItemProperty -Path $desktopSpotlightPath -Name $val -ErrorAction SilentlyContinue)) {
+        New-ItemProperty -Path $desktopSpotlightPath -Name $val -PropertyType String -Value "" -Force | Out-Null
+        Write-Host "Key '$val' created." -ForegroundColor Yellow
+    }
+}
+
+# Step 3: Reset and activate ContentDeliveryManager keys
+Write-Host "Step 3: Resetting ContentDeliveryManager..." -ForegroundColor Green
+$contentPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
+Remove-ItemProperty -Path $contentPath -Name "NoSpotlight" -ErrorAction SilentlyContinue
+Remove-ItemProperty -Path $contentPath -Name "NoRotatingLockScreen" -ErrorAction SilentlyContinue
+Remove-ItemProperty -Path $contentPath -Name "RotatingLockScreenOverlayEnabled" -ErrorAction SilentlyContinue
+Remove-ItemProperty -Path $contentPath -Name "RotatingLockScreenOverlayContentEnabled" -ErrorAction SilentlyContinue
+# Activate
+Set-ItemProperty -Path $contentPath -Name "ContentDeliveryAllowed" -Value 1 -Type DWord -Force
+Set-ItemProperty -Path $contentPath -Name "RotatingLockScreenEnabled" -Value 1 -Type DWord -Force
+Set-ItemProperty -Path $contentPath -Name "RotatingLockScreenOverlayEnabled" -Value 1 -Type DWord -Force
+Set-ItemProperty -Path $contentPath -Name "RotatingLockScreenOverlayContentEnabled" -Value 1 -Type DWord -Force
+Set-ItemProperty -Path $contentPath -Name "SubscribedContent-338389Enabled" -Value 1 -Type DWord -Force  # For desktop Spotlight
+Write-Host "ContentDeliveryManager activated." -ForegroundColor Yellow
+
+# Step 4: Re-register Spotlight package (for lockscreen and desktop)
+Write-Host "Step 4: Re-registering Spotlight package..." -ForegroundColor Green
+Get-AppxPackage -allusers Microsoft.Windows.ContentDeliveryManager | ForEach-Object {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
+Write-Host "Package registered." -ForegroundColor Yellow
+
+# Step 5: Optional policy-check and reset (if DisableSpotlightFeatures exists, set to 0)
+Write-Host "Step 5: Extra policy-check..." -ForegroundColor Green
+if ((Get-ItemProperty -Path $policyPath -Name "DisableSpotlightFeatures" -ErrorAction SilentlyContinue)) {
+    Set-ItemProperty -Path $policyPath -Name "DisableSpotlightFeatures" -Value 0 -Type DWord -Force
+    Write-Host "DisableSpotlightFeatures disabled." -ForegroundColor Yellow
+}
+
+# Step 6: Restart Explorer to apply changes
+Write-Host "Step 6: Restarting Explorer..." -ForegroundColor Green
+Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
+Start-Sleep -Seconds 2
+Write-Host "Script completed! Log out/in or restart for full effect. Check Settings > Personalization > Background." -ForegroundColor Green
@@ -94,4 +94,4 @@ try {
 } catch {
     Write-Error "Failed to collect hardware hash: $($_.Exception.Message)"
     exit 1
-}
+}
@@ -1,22 +1,58 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Continue'
 
-# Fetch the latest release tag for downloading scripts
-$releaseTag = "main"
-try {
-    $latestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/Stensel8/WinDeploy/releases/latest" -ErrorAction SilentlyContinue
-    if ($latestRelease.tag_name) {
-        $releaseTag = $latestRelease.tag_name
+# Fetch latest release with retry logic
+function Get-LatestRelease {
+    param(
+        [int]$MaxRetries = 3,
+        [int]$RetryDelay = 5
+    )
+
+    for ($attempt = 1; $attempt -le $MaxRetries; $attempt++) {
+        try {
+            $latestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/Stensel8/WinDeploy/releases/latest" -ErrorAction Stop
+            if ($latestRelease.tag_name) {
+                return $latestRelease.tag_name
+            }
+        } catch {
+            $errorMsg = $_.Exception.Message
+            Write-Warning "Failed to fetch latest release (attempt $attempt/$MaxRetries): $errorMsg"
+
+            if ($attempt -lt $MaxRetries) {
+                if ($errorMsg -match "403|401") {
+                    Write-Host "Possible issue: GitHub API rate limit or authentication required" -ForegroundColor Yellow
+                } elseif ($errorMsg -match "404") {
+                    Write-Host "Possible issue: No releases found in repository" -ForegroundColor Yellow
+                }
+                Write-Host "Waiting $RetryDelay seconds before retry..." -ForegroundColor Cyan
+                Start-Sleep -Seconds $RetryDelay
+            }
+        }
     }
-} catch {
-    Write-Warning "Failed to fetch latest release, using main branch."
+    return $null
+}
+
+# Fetch the latest release tag - REQUIRED for deployment
+$releaseTag = Get-LatestRelease
+if (!$releaseTag) {
+    Write-Output "ERROR: Failed to fetch latest release from GitHub."
+    Write-Output "Releases are required for deployment. Development branches are not used."
+    Write-Output "Please check:"
+    Write-Output "  1. Your internet connection"
+    Write-Output "  2. GitHub API accessibility"
+    Write-Output "  3. Repository has published releases: github.com/Stensel8/WinDeploy/releases"
+    Read-Host "Press Enter to exit"
+    exit 1
 }
 
 # Read version
 $version = $null
 try {
     $version = Invoke-RestMethod -Uri "https://raw.githubusercontent.com/Stensel8/WinDeploy/$releaseTag/VERSION" -ErrorAction SilentlyContinue
     $version = $version.Trim()
+    if ($version) {
+        Write-Output "Version: $version"
+    }
 } catch {
     Write-Warning "Failed to fetch version information."
 }
@@ -65,11 +101,61 @@ if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdenti
     exit 1
 }
 
+# Log execution context for debugging
+$scriptExecutionContext = Get-ScriptDisplay
+Write-DeployLog "Deployment started. Execution context: $scriptExecutionContext"
+
+# Helper function to download scripts with retry logic
+function Get-DeploymentScript {
+    param(
+        [string]$ScriptName,
+        [string]$LocalPath,
+        [int]$MaxRetries = 3,
+        [int]$RetryDelay = 5
+    )
+
+    for ($attempt = 1; $attempt -le $MaxRetries; $attempt++) {
+        try {
+            Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Stensel8/WinDeploy/$releaseTag/Scripts/Deployment/$ScriptName" -OutFile $LocalPath -UseBasicParsing -ErrorAction Stop
+            Write-DeployLog "Downloaded $ScriptName to $LocalPath"
+            return $true
+        } catch {
+            $errorMsg = $_.Exception.Message
+            Write-Warning "Download attempt $attempt/$MaxRetries failed for $ScriptName`: $errorMsg"
+
+            if ($attempt -lt $MaxRetries) {
+                # Diagnose the issue
+                if ($errorMsg -match "403|401") {
+                    Write-Host "Possible issue: GitHub API rate limit reached" -ForegroundColor Yellow
+                } elseif ($errorMsg -match "404") {
+                    Write-Host "Possible issue: $ScriptName not found in release $releaseTag" -ForegroundColor Yellow
+                } elseif ($errorMsg -match "timeout|timed out") {
+                    Write-Host "Possible issue: Network timeout" -ForegroundColor Yellow
+                }
+
+                Write-Host "Waiting $RetryDelay seconds before retry..." -ForegroundColor Cyan
+                Start-Sleep -Seconds $RetryDelay
+            }
+        }
+    }
+
+    # If all download attempts failed, try local copy
+    $localSourcePath = Join-Path -Path (Join-Path -Path $PSScriptRoot -ChildPath "Deployment") -ChildPath $ScriptName
+    if (Test-Path $localSourcePath) {
+        Copy-Item $localSourcePath $LocalPath -Force
+        Write-DeployLog "Copied local $ScriptName to $LocalPath"
+        return $true
+    }
+
+    Write-Warning "Cannot download or find $ScriptName after $MaxRetries attempts"
+    return $false
+}
+
 # Define deployment steps (customize as needed)
 $deploymentSteps = @(
     @{ Name = "Driver Installation";        ScriptName = "Install-Drivers.ps1" }
     @{ Name = "RMM Agent Installation";     ScriptName = "Install-RMMAgent.ps1" }
-    @{ Name = "AutoRun Disable";            ScriptName = "Disable-AutoRun.ps1" }
+    @{ Name = "Windows Hardening";          ScriptName = "Harden-Windows.ps1" }
     @{ Name = "Application Installation";   ScriptName = "Install-Applications.ps1" }
     @{ Name = "Bloatware Removal";          ScriptName = "Remove-Bloat.ps1" }
     @{ Name = "Theme Configuration";        ScriptName = "Set-Theme.ps1" }
@@ -88,39 +174,46 @@ foreach ($step in $deploymentSteps) {
     Write-Output "  $($step.Name)"
     Write-Output "======================================== "
     Write-Output ""
+
     $localPath = Join-Path -Path $dlRoot -ChildPath $step.ScriptName
-    $scriptAvailable = $false
-    try {
-        Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Stensel8/WinDeploy/$releaseTag/Scripts/Deployment/$($step.ScriptName)" -OutFile $localPath -UseBasicParsing -ErrorAction Stop
-        Write-DeployLog "Downloaded $($step.ScriptName) to $localPath"
-        $scriptAvailable = $true
-    } catch {
-        # If download fails, use local copy if available
-        $localSourcePath = Join-Path -Path (Join-Path -Path $PSScriptRoot -ChildPath "Deployment") -ChildPath $step.ScriptName
-        if (Test-Path $localSourcePath) {
-            Copy-Item $localSourcePath $localPath -Force
-            Write-DeployLog "Copied local $($step.ScriptName) to $localPath"
-            $scriptAvailable = $true
-        } else {
-            Write-Warning "Cannot download or find $($step.ScriptName): $_"
-            $allSuccessful = $false
-            continue
-        }
-    }
+
+    # Download script with retry logic
+    $scriptAvailable = Get-DeploymentScript -ScriptName $step.ScriptName -LocalPath $localPath
+
     if ($scriptAvailable) {
         $argumentList = "-ExecutionPolicy Bypass -File `"$localPath`""
         $proc = Start-Process pwsh -ArgumentList $argumentList -Wait -NoNewWindow -PassThru
         if ($proc.ExitCode -ne 0) {
+            Write-Warning "$($step.Name) completed with errors (Exit Code: $($proc.ExitCode))"
             $allSuccessful = $false
         }
+    } else {
+        Write-Warning "Skipping $($step.Name) - script unavailable"
+        $allSuccessful = $false
     }
 }
 
-# Download optional fix Spotlight script. Sometimes Spotlight option is not present and needs a little help.
+# Download optional fix Spotlight script with retry
+Write-Output ""
+Write-Output "Downloading optional scripts..."
 try {
     $fixScriptPath = Join-Path $dlRoot "Fix-Spotlight.ps1"
-    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Stensel8/WinDeploy/$releaseTag/Scripts/Archived/Fix-Spotlight.ps1" -OutFile $fixScriptPath -UseBasicParsing -ErrorAction Stop
-    Write-DeployLog "Downloaded Fix-Spotlight.ps1 to $fixScriptPath as an optional script to fix missing Spotlight options on the system."
+    $downloaded = $false
+    for ($attempt = 1; $attempt -le 3; $attempt++) {
+        try {
+            Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Stensel8/WinDeploy/$releaseTag/Scripts/Archived/Fix-Spotlight.ps1" -OutFile $fixScriptPath -UseBasicParsing -ErrorAction Stop
+            Write-DeployLog "Downloaded Fix-Spotlight.ps1 to $fixScriptPath as an optional script to fix missing Spotlight options on the system."
+            $downloaded = $true
+            break
+        } catch {
+            if ($attempt -lt 3) {
+                Start-Sleep -Seconds 5
+            }
+        }
+    }
+    if (-not $downloaded) {
+        Write-DeployLog "Optional: Could not download Fix-Spotlight.ps1 after 3 attempts"
+    }
 } catch {
     Write-DeployLog "Optional: Could not download Fix-Spotlight.ps1: $_"
 }