WinDeploy v0.6.0 - Initial public release

Windows Deployment Automation Toolkit for zero-touch Windows deployment
with automatic driver updates, application installation, bloatware removal,
and system hardening.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Stensel8

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+## Description
+<!-- Clear description of the problem -->
+
+## Current Behavior
+<!-- What happens currently -->
+
+## Expected Behavior
+<!-- What should happen instead -->
+
+## Steps to Reproduce
+1. 
+2. 
+3. 
+
+## Environment
+- PowerShell Version: 
+- Windows Version: 
+- WinDeploy Version: 
+- Execution Method: [USB/Direct/RMM/AutoUnattend]
+
+## Logs
+<!-- Attach relevant logs from C:\WinDeploy\Logs -->
+```
+
+<details>
+<summary>Additional logs</summary>
+```
+Paste logs here
+```
+
+</details>
+
+## Additional Context
+<!-- Any other relevant information -->

.github/dependabot.yml

@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    # No labels configured so Dependabot won't fail if these labels don't exist in the repo
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"

.github/workflows/devskim.yml

@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: DevSkim
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '35 6 * * 3'
+
+jobs:
+  lint:
+    name: DevSkim
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Run DevSkim scanner
+        uses: microsoft/DevSkim-Action@v1
+
+      - name: Upload DevSkim scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: devskim-results.sarif

.github/workflows/powershell.yml

@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# https://github.com/microsoft/action-psscriptanalyzer
+# For more information on PSScriptAnalyzer in general, see
+# https://github.com/PowerShell/PSScriptAnalyzer
+
+name: PSScriptAnalyzer
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '43 19 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: PSScriptAnalyzer
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Run PSScriptAnalyzer
+        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
+        with:
+          # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
+          # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
+          path: .\
+          recurse: true
+          # Include your own basic security rules. Removing this option will run all the rules
+          # includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
+          output: results.sarif
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -0,0 +1,49 @@
+# PowerShell
+*.ps1xml
+
+# Logs
+*.log
+Logs/
+*.log.*
+
+# Temporary files
+*.tmp
+*.temp
+Temp/
+tmp/
+
+# Build artifacts
+bin/
+obj/
+out/
+
+# IDE
+.vscode/
+.vs/
+*.suo
+*.user
+.idea/
+
+# OS
+.DS_Store
+Thumbs.db
+desktop.ini
+
+# Deployment artifacts
+Download/
+*.exe
+*.msi
+Agent.exe
+
+# Backup files
+*.bak
+*.backup
+*~
+
+# Test files
+test/
+tests/
+*.test.ps1
+
+# Branding update script (temporary)
+Update-Branding.ps1

CHANGELOG.md

@@ -0,0 +1,175 @@
+# Changelog
+
+All notable changes to WinDeploy will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [0.6.0] - 2026-02-02
+
+### Changed
+- Refactored RMM agent installation to be vendor-neutral (USB-based only).
+- Updated all deployment scripts with consistent headers and improved structure.
+- Cloudflare API endpoints restored and verified working.
+- Cleaned up documentation and removed outdated assets.
+
+### Fixed
+- Improved script reliability after extensive internal testing.
+- Various consistency improvements across the codebase.
+
+### Removed
+- Removed vendor-specific RMM integrations in favor of generic USB-based approach.
+
+---
+
+## [0.5.8] - 2025-11-25
+
+### Added
+- Additional documentation for Intune setup.
+
+### Changed
+- Updated dependabot config to use latest actions/checkout version.
+
+## [0.5.7] - 2025-11-21
+
+### Added
+- Additional security messages in Harden-Windows.ps1: Can be manually enabled by the user via GUI.
+- Informational links to each hardening item in Harden-Windows.ps1 output for more details.
+
+### Changed
+- Updated URLs in Harden-Windows.ps1 links to correct and more relevant sources.
+- Changed the order of script execution so the RMM Agent is installed first.
+
+### Fixed
+- Bitlocker enablement issue: Sometimes Bitlocker failed to enable due to the TPM not being ready.
+- Fixed an issue with RMM Agents not installing correctly. [#11](https://github.com/Stensel8/WinDeploy/issues/11)
+- Fixed a rare hang where deployment would stall after detecting the RMM installer on USB. The installer was being invoked via PowerShell incorrectly which could prevent it from receiving silent switches; changed to run the installer directly and wait for completion, added longer timeouts and improved logging.
+
+## [0.5.6] - 2025-11-20
+
+### Added
+- BitLocker enablement in Harden-Windows.ps1: Added registry policies to enable BitLocker and set XTS-AES-256 encryption, plus automated enabling on the OS drive with TPM protection and used-space-only encryption. Which is the recommended approach.
+
+### Changed
+- Enhanced bloatware removal: The Snipping Tool is no longer removed on Windows 11 systems, as it is now integrated into the core OS and provides better screenshot and video capture features compared to the legacy version.
+- Updated Set-Theme.ps1: Added desktop wallpaper configuration to set "C:\Windows\Web\Wallpaper\Windows\img19.jpg" for current and default users alongside dark mode settings.
+
+---
+
+## [0.5.5] - 2025-11-20
+
+### Added
+- Additional fallback to CDN if Microsoft 365 apps fail to install via Winget.
+- Added additional error messages during application installation to keep users informed of the process status.
+- Memory integrity will now be enabled during hardening if supported by the system.
+- Extra Try/Catch blocks around critical sections to improve error handling.
+- Short demo GIF showcasing the deployment process added to the README.md.
+
+### Changed
+- Enhanced the startup banner to reflect session details, such as admin/non-admin status, PowerShell version (5 or 7), and Windows Terminal usage. This informs users about script execution and available controls. Also added a 15-second timer to allow cancellation if the script was launched unintentionally.
+
+## [0.5.4] - 2025-11-19
+
+### Added
+- Additional security hardening based on CISO recommendations.
+- Additional Winget exit codes to better understand installation results.
+
+### Changed
+- Merged Autorun disable options into Harden-Windows.ps1 for better maintainability and understandability.
+
+### Fixed
+- Improved handling of situations where the script was not run as admin and PowerShell 7 was not present on the system.
+- Implemented PSScriptAnalyzer suggestions to enhance code quality and best practices.
+- Improved GitHub API usage: Scripts now perform more attempts to obtain a good release.
+- Fixed an issue where the deployment tried to use the wrong command to silently update a Dell device driver.
+- Fixed an issue where the logs did not properly capture the output of Driver installs.
+
+---
+
+## [0.5.3] - 2025-11-18
+
+### Fixed
+- Fixed PowerShell 7 path refresh issue after installation by hardcoding `$env:ProgramFiles\PowerShell\7\pwsh.exe` to ensure correct executable usage.
+- Fixed: Autounatend scripts not shown in some scenarios.
+
+## [0.5.2] - 2025-11-18
+
+### Added
+- Added documentation images for finding Microsoft Store ID and installing via Microsoft Store
+
+### Changed
+- Changed API for GitHub Releases
+- Updated README.md to improve legend
+- Updated Start.ps1 script
+- Updated Deploy.ps1 script
+
+### Fixed
+- Bugfixes to autologin and locales in autounattend.xml
+- General bugfixes
+
+---
+
+## [0.5.0] - 2025-11-14
+
+### Fixed
+- Fixed bloatware removal printing duplicate messages on screen by removing redundant Write-Output calls
+- Improved admin elevation handling in Start.ps1 and Deploy.ps1 to prevent script crashes when not run as administrator
+
+### Added
+- Added documentation for Intune Autopilot device preparation setup (`Docs/Intune-Autopilot-Setup.md`)
+- Added RMM agent installation support with USB detection and download fallback
+
+### Changed
+- Simplified and improved project structure for better maintainability
+- Streamlined deployment scripts with cleaner, more maintainable code
+- Updated README.md with comprehensive documentation and updated flowchart
+- Reorganized scripts into `Scripts/Deployment/` for better organization
+
+### Removed
+- Removed complex modular architecture in favor of inline scripts
+- Removed unused utility modules and scripts
+
+### Fixed
+- Improved error handling and logging across all scripts
+- Enhanced compatibility and reliability of deployment process
+
+---
+
+## [0.1.2] - 2025-10-22
+
+### Changed
+- Enhanced startup banner with script source detection and color-coded execution info
+- Standardized script headers and documentation blocks for consistency
+- Optimized WinGet preparation and application installation process
+- Improved output formatting for Windows updates
+
+### Fixed
+- Added error logging to catch blocks and improved error messages
+- Increased resiliency in bloatware removal and application installation
+- `Install-WindowsUpdates.ps1`: Removed unused parameter
+
+### Removed
+- Removed all author, company, and version metadata from individual script files
+- Removed redundant `.LINK` sections from documentation blocks
+- Removed verbose bullet lists and "Features:" sections from descriptions
+
+---
+
+## [0.1.1] - 2025-10-21
+
+### Initial Public Release
+
+First open-source release of WinDeploy - Windows Deployment Automation Toolkit. This is the first release under the new name and repository.
+
+---
+
+[0.6.0]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.6.0
+[0.5.5]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.5
+[0.5.4]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.4
+[0.5.3]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.3
+[0.5.2]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.2
+[0.5.0]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.5.0
+[0.1.2]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.1.2
+[0.1.1]: https://github.com/Stensel8/WinDeploy/releases/tag/v0.1.1

CONTRIBUTING.md

@@ -0,0 +1,28 @@
+# Contributing to WinDeploy
+
+Thanks — small, tested PRs help most.
+
+### Quick start
+1. Fork → branch → change → PR.  
+2. Test on Windows 11.
+
+### Guidelines
+- Commit: `<type>: short summary` (feat, fix, docs, style, refactor, test, chore).  
+- Follow PowerShell conventions (PascalCase funcs, camelCase vars, verb-noun, comment-based help).  
+- Avoid hard-coded paths; use config/variables.
+
+### Testing
+- Test on a clean Windows 11 machine.  
+- Run PSScriptAnalyzer: Install-Module PSScriptAnalyzer; Invoke-ScriptAnalyzer -Path .\ -Recurse.  
+- No syntax errors; logs show expected behavior.
+
+### Pull requests
+- Update docs if needed, include test notes and related issue references.  
+- Checklist: tested, linter passed, clear description/screenshots.
+
+### Issues
+Include: short description, reproduction steps, expected vs actual, logs and env (Windows/PowerShell versions).
+
+### Allowed / Not allowed
+Welcome: bug fixes, docs, tests, small features.  
+Not accepted: malware, proprietary deps, breaking changes without prior discussion.