mirror of
https://github.com/ntdevlabs/tiny11builder.git
synced 2025-09-16 14:18:01 +02:00

Updated `tiny11maker.ps1` to replace `Remove-RegistryKey` with `Remove-RegistryValue` for specific registry values. Expanded the cleanup section to include detailed checks and messages for the existence and removal of temporary files and directories, improving script robustness and user feedback.
# Enable debugging
#Set-PSDebug -Trace 1

<#
.SYNOPSIS
    Scripts to build a trimmed-down Windows 11 image.

.DESCRIPTION
    This is a script created to automate the build of a streamlined Windows 11 image, similar to tiny10.
    My main goal is to use only Microsoft utilities like DISM, and no utilities from external sources.
    The only executable included is oscdimg.exe, which is provided in the Windows ADK and is used to create bootable ISO images.

.PARAMETER ISO
    Drive letter given to the mounted ISO (e.g. E)

.PARAMETER SCRATCH
    Drive letter of the desired scratch disk (e.g. D)

.EXAMPLE
    .\tiny11maker.ps1 E D
    .\tiny11maker.ps1 -ISO E -SCRATCH D
    .\tiny11maker.ps1 -SCRATCH D -ISO E
    .\tiny11maker.ps1

    *If you pass only values as positional parameters, the first must be the mounted ISO drive and the second the scratch drive.
    Prefer the named form ("-ISO", "-SCRATCH"), which lets you give them in any order.

.NOTES
    Author: ntdevlabs
    Date: 05-06-24
#>

#---------[ Parameters ]---------#
param (
    # Drive letter (C-Z, without colon) of the mounted Windows 11 ISO.
    [ValidatePattern('^[c-zC-Z]$')][string]$ISO,
    # Drive letter (C-Z, without colon) of the scratch disk.
    [ValidatePattern('^[c-zC-Z]$')][string]$SCRATCH
)

# Working root for the build: the given scratch drive, otherwise the script's
# own folder with any trailing backslashes stripped.
$ScratchDisk = if ($SCRATCH) {
    $SCRATCH + ":"
} else {
    $PSScriptRoot -replace '[\\]+$', ''
}
#---------[ Functions ]---------#
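# Creates or overwrites one registry value by shelling out to reg.exe.
#   path  - full key path (e.g. HKLM\zSOFTWARE\...)
#   name  - value name
#   type  - reg.exe type keyword (REG_DWORD, REG_SZ, ...)
#   value - data to store
# Writes a status line to the output stream; never throws to the caller.
function Set-RegistryValue {
    param (
        [string]$path,
        [string]$name,
        [string]$type,
        [string]$value
    )
    try {
        & 'reg' 'add' $path '/v' $name '/t' $type '/d' $value '/f' | Out-Null
        # reg.exe is a native command: a failure only sets the exit code and
        # does not raise an exception, so it has to be checked explicitly or
        # the success message below would be printed for a failed write.
        if ($LASTEXITCODE -ne 0) {
            throw "reg add exited with code $LASTEXITCODE"
        }
        Write-Output "Set registry value: $path\$name"
    } catch {
        Write-Output "Error setting registry value: $_"
    }
}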
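# Deletes the registry location given in $path by shelling out to reg.exe.
# NOTE: no '/v' is passed, so despite the function name this removes the
# whole key at $path (with everything under it), not a single value.
# Writes a status line to the output stream; never throws to the caller.
function Remove-RegistryValue {
    param (
        [string]$path
    )
    try {
        & 'reg' 'delete' $path '/f' | Out-Null
        # reg.exe reports failure (missing key, access denied) through its
        # exit code only, so check it instead of relying on the catch block.
        if ($LASTEXITCODE -ne 0) {
            throw "reg delete exited with code $LASTEXITCODE"
        }
        Write-Output "Removed registry value: $path"
    } catch {
        Write-Output "Error removing registry value: $_"
    }
}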
#---------[ Execution ]---------#
# If the effective execution policy is 'Restricted', offer to relax it;
# otherwise stop, because the script cannot run under that policy.
# NOTE(review): the new policy is written at CurrentUser scope and is not
# restored when the script finishes.
$policyIsRestricted = (Get-ExecutionPolicy) -eq 'Restricted'
if ($policyIsRestricted) {
    Write-Host "Your current PowerShell Execution Policy is set to Restricted, which prevents scripts from running. Do you want to change it to RemoteSigned? (yes/no)"
    $response = Read-Host
    if ($response -ne 'yes') {
        Write-Host "The script cannot be run without changing the execution policy. Exiting..."
        exit
    }
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Confirm:$false
}
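# Check and run the script as admin if required.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group;
# translating it yields the localized group name that icacls and the
# registry ACL code further down use.
$adminSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$adminGroup = $adminSID.Translate([System.Security.Principal.NTAccount])
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $myWindowsPrincipal.IsInRole($adminRole)) {
    Write-Host "Restarting Tiny11 image creator as admin in a new window, you can close this one."
    # Pass the script as a quoted -File argument. Handing the bare path to
    # PowerShell as command text breaks on paths containing spaces and lets
    # the elevated shell interpret characters of the path as code.
    $scriptPath = $myInvocation.MyCommand.Definition
    $relaunchArgs = "-File `"$scriptPath`""
    # Forward the drive letters so the elevated run does not lose them; both
    # are restricted to a single letter by ValidatePattern.
    if ($ISO) { $relaunchArgs += " -ISO $ISO" }
    if ($SCRATCH) { $relaunchArgs += " -SCRATCH $SCRATCH" }
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    $newProcess.Arguments = $relaunchArgs
    $newProcess.Verb = "runas"
    [System.Diagnostics.Process]::Start($newProcess) | Out-Null
    exit
}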
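# Fetch the answer file when it is not shipped next to the script.
# NOTE(review): the URL tracks the head of the 'main' branch and the download
# is not checked against a known digest, yet the file is later copied into
# the image's Sysprep folder and the ISO root, where Windows Setup acts on it.
# Pin a commit and compare against a digest you trust
# (<EXPECTED_SHA256_PLACEHOLDER>), or ship a reviewed copy beside the script.
$autounattendPath = "$PSScriptRoot/autounattend.xml"
if (-not (Test-Path -Path $autounattendPath)) {
    try {
        Invoke-RestMethod "https://raw.githubusercontent.com/ntdevlabs/tiny11builder/refs/heads/main/autounattend.xml" -OutFile $autounattendPath -ErrorAction Stop
    } catch {
        Write-Warning "Could not download autounattend.xml: $_"
    }
}
# Show the digest of whatever answer file will be embedded so it can be
# compared with a reviewed copy.
if (Test-Path -Path $autounattendPath) {
    Write-Host "autounattend.xml SHA256: $((Get-FileHash -Path $autounattendPath -Algorithm SHA256).Hash)"
}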
# Log the whole session to the scratch location, then set up the console.
$transcriptPath = "$ScratchDisk\tiny11.log"
Start-Transcript -Path $transcriptPath

$Host.UI.RawUI.WindowTitle = "Tiny11 image creator"
Clear-Host
Write-Host "Welcome to the tiny11 image creator! Release: 05-06-24"

# Host CPU architecture; used later to locate the ADK's oscdimg folder.
$hostArchitecture = $Env:PROCESSOR_ARCHITECTURE

# Staging folder that will receive the ISO contents.
$null = New-Item -ItemType Directory -Force -Path "$ScratchDisk\tiny11\sources"
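# Ask for (or take from -ISO) the drive letter of the mounted Windows image
# and normalise it to the 'X:' form used by the rest of the script.
do {
    if (-not $ISO) {
        $DriveLetter = Read-Host "Please enter the drive letter for the Windows 11 image"
    } else {
        $DriveLetter = $ISO
    }
    # Accept 'E:' as well as 'E'. Before, 'E:' printed the "Invalid drive
    # letter" message and was then accepted anyway by the loop condition.
    $DriveLetter = "$DriveLetter".Trim() -replace ':$', ''
    if ($DriveLetter -match '^[c-zC-Z]$') {
        $DriveLetter = $DriveLetter + ":"
        Write-Output "Drive letter set to $DriveLetter"
    } else {
        Write-Output "Invalid drive letter. Please enter a letter between C and Z."
    }
} while ($DriveLetter -notmatch '^[c-zC-Z]:$')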
# The source must provide boot.wim and install.wim. When either is missing,
# fall back to converting install.esd; with no install.esd either, give up.
$hasBootWim = Test-Path "$DriveLetter\sources\boot.wim"
$hasInstallWim = Test-Path "$DriveLetter\sources\install.wim"
if (-not ($hasBootWim -and $hasInstallWim)) {
    $esdPath = "$DriveLetter\sources\install.esd"
    if (-not (Test-Path $esdPath)) {
        Write-Host "Can't find Windows OS Installation files in the specified Drive Letter.."
        Write-Host "Please enter the correct DVD Drive Letter.."
        exit
    }
    Write-Host "Found install.esd, converting to install.wim..."
    # List the editions so the user can pick the index to export.
    Get-WindowsImage -ImagePath $esdPath
    $index = Read-Host "Please enter the image index"
    Write-Host ' '
    Write-Host 'Converting install.esd to install.wim. This may take a while...'
    Export-WindowsImage -SourceImagePath $esdPath -SourceIndex $index -DestinationImagePath "$ScratchDisk\tiny11\sources\install.wim" -Compressiontype Maximum -CheckIntegrity
}
# Copy the installation media to the staging folder and drop the copied
# install.esd (errors are discarded when the media has none).
Write-Host "Copying Windows image..."
Copy-Item -Path "$DriveLetter\*" -Destination "$ScratchDisk\tiny11" -Recurse -Force | Out-Null
$stagedEsd = "$ScratchDisk\tiny11\sources\install.esd"
Set-ItemProperty -Path $stagedEsd -Name IsReadOnly -Value $false 2>&1 | Out-Null
Remove-Item $stagedEsd 2>&1 | Out-Null
Write-Host "Copy complete!"
Start-Sleep -Seconds 2
Clear-Host

# Keep prompting until $index names an image that exists in install.wim.
# $index may already be set by the install.esd conversion step.
Write-Host "Getting image information:"
$stagedWim = "$ScratchDisk\tiny11\sources\install.wim"
$ImagesIndex = (Get-WindowsImage -ImagePath $stagedWim).ImageIndex
while ($ImagesIndex -notcontains $index) {
    Get-WindowsImage -ImagePath $stagedWim
    $index = Read-Host "Please enter the image index"
}
# Make install.wim writable for Administrators and mount the chosen index
# at <scratch>\scratchdir for offline servicing.
Write-Host "Mounting Windows image. This may take a while."
$wimFilePath = "$ScratchDisk\tiny11\sources\install.wim"
& takeown "/F" $wimFilePath
& icacls $wimFilePath "/grant" "$($adminGroup.Value):(F)"
try {
    Set-ItemProperty -Path $wimFilePath -Name IsReadOnly -Value $false -ErrorAction Stop
} catch {
    # Deliberately ignored: failing to clear the read-only flag is not fatal here.
}
$null = New-Item -ItemType Directory -Force -Path "$ScratchDisk\scratchdir"
Mount-WindowsImage -ImagePath "$ScratchDisk\tiny11\sources\install.wim" -Index $index -Path "$ScratchDisk\scratchdir"
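# Read the default UI language of the mounted image from DISM's /Get-Intl output.
$imageIntl = & dism /English /Get-Intl "/Image:$($ScratchDisk)\scratchdir"
$languageCode = $null
foreach ($intlLine in ($imageIntl -split '\r?\n')) {
    # Take the capture group in the same scope as the -match that produced it,
    # rather than reading $Matches left behind by a Where-Object script block.
    if ($intlLine -match 'Default system UI language : ([a-zA-Z]{2}-[a-zA-Z]{2})') {
        $languageCode = $Matches[1]
        break
    }
}

if ($languageCode) {
    Write-Host "Default system UI language code: $languageCode"
} else {
    Write-Host "Default system UI language code not found."
}

# Read the architecture of the selected image from DISM's /Get-WimInfo output.
$imageInfo = & 'dism' '/English' '/Get-WimInfo' "/wimFile:$($ScratchDisk)\tiny11\sources\install.wim" "/index:$index"
$lines = $imageInfo -split '\r?\n'

# Reset first so a value left over in the session cannot be mistaken for a result.
$architecture = $null
foreach ($line in $lines) {
    if ($line -match 'Architecture : (.+)') {
        # Trim so stray whitespace cannot defeat the comparisons made later.
        $architecture = $Matches[1].Trim()
        # The WinSxS folder names checked later use 'amd64', not 'x64'.
        if ($architecture -eq 'x64') {
            $architecture = 'amd64'
        }
        Write-Host "Architecture: $architecture"
        break
    }
}

if (-not $architecture) {
    Write-Host "Architecture information not found."
}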
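Write-Host "Mounting complete! Performing removal of applications..."

# Names of all provisioned AppX packages in the mounted image.
$packages = & 'dism' '/English' "/image:$($ScratchDisk)\scratchdir" '/Get-ProvisionedAppxPackages' |
    ForEach-Object {
        if ($_ -match 'PackageName : (.*)') {
            $matches[1]
        }
    }

# A package is removed when its full name starts with one of these prefixes.
$packagePrefixes = 'Clipchamp.Clipchamp_', 'Microsoft.BingNews_', 'Microsoft.BingWeather_', 'Microsoft.GamingApp_', 'Microsoft.GetHelp_', 'Microsoft.Getstarted_', 'Microsoft.MicrosoftOfficeHub_', 'Microsoft.MicrosoftSolitaireCollection_', 'Microsoft.People_', 'Microsoft.PowerAutomateDesktop_', 'Microsoft.Todos_', 'Microsoft.WindowsAlarms_', 'microsoft.windowscommunicationsapps_', 'Microsoft.WindowsFeedbackHub_', 'Microsoft.WindowsMaps_', 'Microsoft.WindowsSoundRecorder_', 'Microsoft.Xbox.TCUI_', 'Microsoft.XboxGamingOverlay_', 'Microsoft.XboxGameOverlay_', 'Microsoft.XboxSpeechToTextOverlay_', 'Microsoft.YourPhone_', 'Microsoft.ZuneMusic_', 'Microsoft.ZuneVideo_', 'MicrosoftCorporationII.MicrosoftFamily_', 'MicrosoftCorporationII.QuickAssist_', 'MicrosoftTeams_', 'Microsoft.549981C3F5F10_'

# Select on "at least one prefix matches". The earlier '-contains' test only
# held when exactly one prefix matched a package name.
$packagesToRemove = @($packages | Where-Object {
    $packageName = $_
    @($packagePrefixes | Where-Object { $packageName -like "$_*" }).Count -gt 0
})

foreach ($package in $packagesToRemove) {
    & 'dism' '/English' "/image:$($ScratchDisk)\scratchdir" '/Remove-ProvisionedAppxPackage' "/PackageName:$package"
    # dism signals failure through its exit code only; say so instead of moving on silently.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dism could not remove $package (exit code $LASTEXITCODE)."
    }
}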
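Write-Host "Removing Edge:"
Remove-Item -Path "$ScratchDisk\scratchdir\Program Files (x86)\Microsoft\Edge" -Recurse -Force | Out-Null
Remove-Item -Path "$ScratchDisk\scratchdir\Program Files (x86)\Microsoft\EdgeUpdate" -Recurse -Force | Out-Null
Remove-Item -Path "$ScratchDisk\scratchdir\Program Files (x86)\Microsoft\EdgeCore" -Recurse -Force | Out-Null

# Remove the Edge WebView component folder(s) from WinSxS. Both supported
# architectures share one code path; only the folder-name prefix differs.
if ($architecture -eq 'amd64' -or $architecture -eq 'arm64') {
    # The arm64 branch used to end this pipeline with '| Out-Null', which left
    # $folderPath empty, so the WebView folder was never removed on arm64.
    $folderPath = Get-ChildItem -Path "$ScratchDisk\scratchdir\Windows\WinSxS" -Filter "${architecture}_microsoft-edge-webview_31bf3856ad364e35*" -Directory | Select-Object -ExpandProperty FullName

    if ($folderPath) {
        # The filter can match more than one folder; handle each separately so
        # takeown and icacls always receive a single path.
        foreach ($webviewDir in @($folderPath)) {
            & 'takeown' '/f' $webviewDir '/r' | Out-Null
            & icacls $webviewDir "/grant" "$($adminGroup.Value):(F)" '/T' '/C' | Out-Null
            Remove-Item -Path $webviewDir -Recurse -Force | Out-Null
        }
    } else {
        Write-Host "Folder not found."
    }
} else {
    Write-Host "Unknown architecture: $architecture"
}

& 'takeown' '/f' "$ScratchDisk\scratchdir\Windows\System32\Microsoft-Edge-Webview" '/r' | Out-Null
& 'icacls' "$ScratchDisk\scratchdir\Windows\System32\Microsoft-Edge-Webview" '/grant' "$($adminGroup.Value):(F)" '/T' '/C' | Out-Null
Remove-Item -Path "$ScratchDisk\scratchdir\Windows\System32\Microsoft-Edge-Webview" -Recurse -Force | Out-Null

Write-Host "Removing OneDrive:"
& 'takeown' '/f' "$ScratchDisk\scratchdir\Windows\System32\OneDriveSetup.exe" | Out-Null
& 'icacls' "$ScratchDisk\scratchdir\Windows\System32\OneDriveSetup.exe" '/grant' "$($adminGroup.Value):(F)" '/T' '/C' | Out-Null
Remove-Item -Path "$ScratchDisk\scratchdir\Windows\System32\OneDriveSetup.exe" -Force | Out-Null
Write-Host "Removal complete!"
Start-Sleep -Seconds 2
Clear-Host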
# Load the offline hives of the mounted image under temporary HKLM\z* names.
Write-Host "Loading registry..."
$installHives = @(
    @('zCOMPONENTS', 'Windows\System32\config\COMPONENTS'),
    @('zDEFAULT', 'Windows\System32\config\default'),
    @('zNTUSER', 'Users\Default\ntuser.dat'),
    @('zSOFTWARE', 'Windows\System32\config\SOFTWARE'),
    @('zSYSTEM', 'Windows\System32\config\SYSTEM')
)
foreach ($hivePair in $installHives) {
    reg load "HKLM\$($hivePair[0])" "$ScratchDisk\scratchdir\$($hivePair[1])" | Out-Null
}

# Setup's hardware checks (CPU, RAM, Secure Boot, storage, TPM) are switched
# off in the image itself. Installs made from it can therefore end up on
# machines without Secure Boot or a TPM; take that into account wherever the
# image is deployed.
Write-Host "Bypassing system requirements(on the system image):"
foreach ($userHive in 'zDEFAULT', 'zNTUSER') {
    foreach ($cacheValue in 'SV1', 'SV2') {
        Set-RegistryValue "HKLM\$userHive\Control Panel\UnsupportedHardwareNotificationCache" $cacheValue 'REG_DWORD' '0'
    }
}
foreach ($bypassName in 'BypassCPUCheck', 'BypassRAMCheck', 'BypassSecureBootCheck', 'BypassStorageCheck', 'BypassTPMCheck') {
    Set-RegistryValue 'HKLM\zSYSTEM\Setup\LabConfig' $bypassName 'REG_DWORD' '1'
}
Set-RegistryValue 'HKLM\zSYSTEM\Setup\MoSetup' 'AllowUpgradesWithUnsupportedTPMOrCPU' 'REG_DWORD' '1'
Write-Host "Disabling Sponsored Apps:"
# The same key is addressed with two spellings ('SOFTWARE' / 'Software'),
# both kept as written.
$cdmKeyUpper = 'HKLM\zNTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$cdmKey = 'HKLM\zNTUSER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$cloudContentKey = 'HKLM\zSOFTWARE\Policies\Microsoft\Windows\CloudContent'

foreach ($cdmName in 'OemPreInstalledAppsEnabled', 'PreInstalledAppsEnabled', 'SilentInstalledAppsEnabled') {
    Set-RegistryValue $cdmKeyUpper $cdmName 'REG_DWORD' '0'
}
Set-RegistryValue $cloudContentKey 'DisableWindowsConsumerFeatures' 'REG_DWORD' '1'
Set-RegistryValue $cdmKey 'ContentDeliveryAllowed' 'REG_DWORD' '0'
# NOTE(review): the JSON contains double quotes; confirm they reach reg.exe
# intact on the PowerShell version in use.
Set-RegistryValue 'HKLM\zSOFTWARE\Microsoft\PolicyManager\current\device\Start' 'ConfigureStartPins' 'REG_SZ' '{"pinnedList": [{}]}'

# Content Delivery Manager switches, all set to 0. Repeated names are kept so
# the sequence of writes and status lines stays the same.
$cdmValueNames = @(
    'ContentDeliveryAllowed',
    'ContentDeliveryAllowed',
    'FeatureManagementEnabled',
    'OemPreInstalledAppsEnabled',
    'PreInstalledAppsEnabled',
    'PreInstalledAppsEverEnabled',
    'SilentInstalledAppsEnabled',
    'SoftLandingEnabled',
    'SubscribedContentEnabled',
    'SubscribedContent-310093Enabled',
    'SubscribedContent-338388Enabled',
    'SubscribedContent-338389Enabled',
    'SubscribedContent-338393Enabled',
    'SubscribedContent-353694Enabled',
    'SubscribedContent-353696Enabled',
    'SubscribedContentEnabled',
    'SystemPaneSuggestionsEnabled'
)
foreach ($cdmName in $cdmValueNames) {
    Set-RegistryValue $cdmKey $cdmName 'REG_DWORD' '0'
}

Set-RegistryValue 'HKLM\zSOFTWARE\Policies\Microsoft\PushToInstall' 'DisablePushToInstall' 'REG_DWORD' '1'
# NOTE(review): this policy concerns the Malicious Software Removal Tool being
# offered through Windows Update, not sponsored apps; confirm it is intended.
Set-RegistryValue 'HKLM\zSOFTWARE\Policies\Microsoft\MRT' 'DontOfferThroughWUAU' 'REG_DWORD' '1'

# These two calls delete whole subkeys of ContentDeliveryManager.
Remove-RegistryValue "$cdmKey\Subscriptions"
Remove-RegistryValue "$cdmKey\SuggestedApps"

Set-RegistryValue $cloudContentKey 'DisableConsumerAccountStateContent' 'REG_DWORD' '1'
Set-RegistryValue $cloudContentKey 'DisableCloudOptimizedContent' 'REG_DWORD' '1'
Write-Host "Enabling Local Accounts on OOBE:"
# Direct reg.exe call (no status line), then place the answer file in Sysprep.
& 'reg' 'add' 'HKLM\zSOFTWARE\Microsoft\Windows\CurrentVersion\OOBE' '/v' 'BypassNRO' '/t' 'REG_DWORD' '/d' '1' '/f' | Out-Null
Copy-Item -Path "$PSScriptRoot\autounattend.xml" -Destination "$ScratchDisk\scratchdir\Windows\System32\Sysprep\autounattend.xml" -Force | Out-Null

Write-Host "Disabling Reserved Storage:"
Set-RegistryValue 'HKLM\zSOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager' 'ShippedWithReserves' 'REG_DWORD' '0'

# With PreventDeviceEncryption set, installs from this image do not turn on
# device encryption by themselves; disks stay unencrypted until BitLocker is
# enabled explicitly.
Write-Host "Disabling BitLocker Device Encryption"
Set-RegistryValue 'HKLM\zSYSTEM\ControlSet001\Control\BitLocker' 'PreventDeviceEncryption' 'REG_DWORD' '1'

Write-Host "Disabling Chat icon:"
Set-RegistryValue 'HKLM\zSOFTWARE\Policies\Microsoft\Windows\Windows Chat' 'ChatIcon' 'REG_DWORD' '3'
Set-RegistryValue 'HKLM\zNTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'TaskbarMn' 'REG_DWORD' '0'

Write-Host "Removing Edge related registries"
$uninstallKey = "HKEY_LOCAL_MACHINE\zSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
foreach ($edgeEntry in "Microsoft Edge", "Microsoft Edge Update") {
    Remove-RegistryValue "$uninstallKey\$edgeEntry"
}

Write-Host "Disabling OneDrive folder backup"
Set-RegistryValue "HKLM\zSOFTWARE\Policies\Microsoft\Windows\OneDrive" "DisableFileSyncNGSC" "REG_DWORD" "1"

Write-Host "Disabling Telemetry:"
# Rows are: key path, value name, type, data.
$telemetryTweaks = @(
    @('HKLM\zNTUSER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo', 'Enabled', 'REG_DWORD', '0'),
    @('HKLM\zNTUSER\Software\Microsoft\Windows\CurrentVersion\Privacy', 'TailoredExperiencesWithDiagnosticDataEnabled', 'REG_DWORD', '0'),
    @('HKLM\zNTUSER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy', 'HasAccepted', 'REG_DWORD', '0'),
    @('HKLM\zNTUSER\Software\Microsoft\Input\TIPC', 'Enabled', 'REG_DWORD', '0'),
    @('HKLM\zNTUSER\Software\Microsoft\InputPersonalization', 'RestrictImplicitInkCollection', 'REG_DWORD', '1'),
    @('HKLM\zNTUSER\Software\Microsoft\InputPersonalization', 'RestrictImplicitTextCollection', 'REG_DWORD', '1'),
    @('HKLM\zNTUSER\Software\Microsoft\InputPersonalization\TrainedDataStore', 'HarvestContacts', 'REG_DWORD', '0'),
    @('HKLM\zNTUSER\Software\Microsoft\Personalization\Settings', 'AcceptedPrivacyPolicy', 'REG_DWORD', '0'),
    @('HKLM\zSOFTWARE\Policies\Microsoft\Windows\DataCollection', 'AllowTelemetry', 'REG_DWORD', '0'),
    @('HKLM\zSYSTEM\ControlSet001\Services\dmwappushservice', 'Start', 'REG_DWORD', '4')
)
foreach ($tweakRow in $telemetryTweaks) {
    Set-RegistryValue $tweakRow[0] $tweakRow[1] $tweakRow[2] $tweakRow[3]
}

## Prevents installation of DevHome and Outlook
Write-Host "Prevents installation or DevHome and Outlook:"
$orchestratorKey = 'HKLM\zSOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator'
foreach ($updateEntry in 'UScheduler_Oobe\OutlookUpdate', 'UScheduler\OutlookUpdate', 'UScheduler\DevHomeUpdate') {
    Set-RegistryValue "$orchestratorKey\$updateEntry" 'workCompleted' 'REG_DWORD' '1'
}
# NOTE(review): the keys deleted here live under Microsoft\WindowsUpdate,
# while the values above are written under
# Microsoft\Windows\CurrentVersion\WindowsUpdate - confirm both are intended.
Remove-RegistryValue 'HKLM\zSOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe\OutlookUpdate'
Remove-RegistryValue 'HKLM\zSOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe\DevHomeUpdate'

## This function allows PowerShell to take ownership of the Scheduled Tasks registry key from TrustedInstaller. Based on Jose Espitia's script.
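# Enables (or, with -Disable, disables) one privilege in a process token by
# calling AdjustTokenPrivileges through an inline C# helper class.
# Outputs $true when the token was adjusted, $false otherwise.
function Enable-Privilege {
    param(
        ## The privilege to adjust.
        [ValidateSet(
            "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
            "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
            "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
        $Privilege,
        ## The process on which to adjust the privilege. Defaults to the current process.
        $ProcessId = $pid,
        ## Switch to disable the privilege, rather than enable it.
        [Switch] $Disable
    )
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjPriv
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool CloseHandle(IntPtr handle);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
    {
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        // Each step is checked; previously only the last call's result was
        // returned and failures of the first two calls were overwritten.
        if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
        {
            return false;
        }
        try
        {
            TokPriv1Luid tp;
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = disable ? SE_PRIVILEGE_DISABLED : SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
            {
                return false;
            }
            if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
            {
                return false;
            }
            // AdjustTokenPrivileges also returns true when the privilege is
            // not held by the token; the last error tells the cases apart.
            return Marshal.GetLastWin32Error() == 0;
        }
        finally
        {
            // Release the token handle, which was leaked before.
            CloseHandle(htok);
        }
    }
}
'@

    $processHandle = (Get-Process -id $ProcessId).Handle
    $type = Add-Type $definition -PassThru
    $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}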
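# Take ownership of the offline image's TaskCache\Tasks key and give the
# Administrators group full control, so the task entries can be deleted.
# The hive belongs to the mounted image, so the new owner and the FullControl
# rule (inherited by subkeys) are saved into the image and remain in effect
# on systems installed from it.
$privilegeEnabled = Enable-Privilege SeTakeOwnershipPrivilege
if (-not $privilegeEnabled) {
    Write-Warning "SeTakeOwnershipPrivilege could not be enabled; taking ownership of the TaskCache key is likely to fail."
}

$tasksKeyPath = "zSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
$permissionCheck = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

# Step 1: change the owner. OpenSubKey returns $null for a missing key, which
# used to surface only as a series of null-method errors.
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($tasksKeyPath, $permissionCheck, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($null -eq $regKey) {
    Write-Warning "Registry key HKLM\$tasksKeyPath could not be opened; ownership and permissions were not changed."
} else {
    try {
        $regACL = $regKey.GetAccessControl()
        $regACL.SetOwner($adminGroup)
        $regKey.SetAccessControl($regACL)
        Write-Host "Owner changed to Administrators."
    } catch {
        Write-Warning "Could not change the owner of HKLM\${tasksKeyPath}: $_"
    } finally {
        $regKey.Close()
    }

    # Step 2: reopen with ChangePermissions and add the access rule.
    $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($tasksKeyPath, $permissionCheck, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    if ($null -eq $regKey) {
        Write-Warning "Registry key HKLM\$tasksKeyPath could not be reopened; permissions were not changed."
    } else {
        try {
            $regACL = $regKey.GetAccessControl()
            $regRule = New-Object System.Security.AccessControl.RegistryAccessRule ($adminGroup, "FullControl", "ContainerInherit", "None", "Allow")
            $regACL.SetAccessRule($regRule)
            $regKey.SetAccessControl($regACL)
            Write-Host "Permissions modified for Administrators group."
            Write-Host "Registry key permissions successfully updated."
        } catch {
            Write-Warning "Could not change the permissions of HKLM\${tasksKeyPath}: $_"
        } finally {
            # An open handle would keep the zSOFTWARE hive from unloading later.
            $regKey.Close()
        }
    }
}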
# Delete scheduled-task entries from the offline image's task cache. Each
# group prints its label, then removes the listed task keys in order.
$tasksRoot = 'HKEY_LOCAL_MACHINE\zSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskGroups = @(
    @{ Label = 'Application Compatibility Appraiser'; Ids = @('{0600DD45-FAF2-4131-A006-0B17509B9F78}') },
    @{ Label = 'Customer Experience Improvement Program'; Ids = @(
            '{4738DE7A-BCC1-4E2D-B1B0-CADB044BFA81}',
            '{6FAC31FA-4A85-4E64-BFD5-2154FF4594B3}',
            '{FC931F16-B50A-472E-B061-B6F79A71EF59}') },
    @{ Label = 'Program Data Updater'; Ids = @('{0671EB05-7D95-4153-A32B-1426B9FE61DB}') },
    @{ Label = 'autochk proxy'; Ids = @(
            '{87BF85F4-2CE1-4160-96EA-52F554AA28A2}',
            '{8A9C643C-3D74-4099-B6BD-9C6D170898B1}') },
    @{ Label = 'QueueReporting'; Ids = @('{E3176A65-4E44-4ED3-AA73-3283660ACB9C}') }
)
foreach ($taskGroup in $taskGroups) {
    Write-Host "Deleting $($taskGroup.Label)"
    foreach ($taskId in $taskGroup.Ids) {
        Remove-RegistryValue "$tasksRoot\$taskId"
    }
}
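Write-Host "Tweaking complete!"
Write-Host "Unmounting Registry..."
# Unload exactly the hives this script loaded for the install image. zDRIVERS
# and zSCHEMA are never loaded, so unloading them only produced errors, and
# the extra $regKey.Close() was redundant because the key is closed already.
$loadedHives = 'zCOMPONENTS', 'zDEFAULT', 'zNTUSER', 'zSOFTWARE', 'zSYSTEM'
foreach ($hiveName in $loadedHives) {
    reg unload "HKLM\$hiveName" | Out-Null
    # A hive that fails to unload stays attached under HKLM on the build host;
    # report it before the image is dismounted and saved.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not unload HKLM\$hiveName (reg exit code $LASTEXITCODE)."
    }
}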
# Component cleanup on the mounted image, then save and dismount it.
$mountDir = "$ScratchDisk\scratchdir"
Write-Host "Cleaning up image..."
Repair-WindowsImage -Path $mountDir -StartComponentCleanup -ResetBase
Write-Host "Cleanup complete."
Write-Host ' '
Write-Host "Unmounting image..."
Dismount-WindowsImage -Path $mountDir -Save

# Re-export the chosen index to a fresh file and swap it in for install.wim.
Write-Host "Exporting image..."
# Compressiontype Recovery is not supported with PShell https://learn.microsoft.com/en-us/powershell/module/dism/export-windowsimage?view=windowsserver2022-ps#-compressiontype
$sourcesDir = "$ScratchDisk\tiny11\sources"
Export-WindowsImage -SourceImagePath "$sourcesDir\install.wim" -SourceIndex $index -DestinationImagePath "$sourcesDir\install2.wim" -CompressionType Fast
Remove-Item -Path "$sourcesDir\install.wim" -Force | Out-Null
Rename-Item -Path "$sourcesDir\install2.wim" -NewName "install.wim" | Out-Null
Write-Host "Windows image completed. Continuing with boot.wim."
Start-Sleep -Seconds 2
Clear-Host
# Make boot.wim writable for Administrators and mount its index 2 at the
# scratch mount folder.
Write-Host "Mounting boot image:"
$wimFilePath = "$ScratchDisk\tiny11\sources\boot.wim"
& takeown "/F" $wimFilePath | Out-Null
& icacls $wimFilePath "/grant" "$($adminGroup.Value):(F)"
Set-ItemProperty -Path $wimFilePath -Name IsReadOnly -Value $false
Mount-WindowsImage -ImagePath "$ScratchDisk\tiny11\sources\boot.wim" -Index 2 -Path "$ScratchDisk\scratchdir"
# Load the boot image's offline hives under temporary HKLM\z* names
# (reg.exe output is left visible here).
Write-Host "Loading registry..."
$bootHives = @(
    @('zCOMPONENTS', 'Windows\System32\config\COMPONENTS'),
    @('zDEFAULT', 'Windows\System32\config\default'),
    @('zNTUSER', 'Users\Default\ntuser.dat'),
    @('zSOFTWARE', 'Windows\System32\config\SOFTWARE'),
    @('zSYSTEM', 'Windows\System32\config\SYSTEM')
)
foreach ($bootHive in $bootHives) {
    reg load "HKLM\$($bootHive[0])" "$ScratchDisk\scratchdir\$($bootHive[1])"
}

# Same hardware-check bypass as for the system image, applied to the setup
# environment so the installer itself does not enforce the CPU, RAM,
# Secure Boot, storage and TPM requirements.
Write-Host "Bypassing system requirements(on the setup image):"
foreach ($setupUserHive in 'zDEFAULT', 'zNTUSER') {
    foreach ($setupCacheValue in 'SV1', 'SV2') {
        Set-RegistryValue "HKLM\$setupUserHive\Control Panel\UnsupportedHardwareNotificationCache" $setupCacheValue 'REG_DWORD' '0'
    }
}
foreach ($setupBypass in 'BypassCPUCheck', 'BypassRAMCheck', 'BypassSecureBootCheck', 'BypassStorageCheck', 'BypassTPMCheck') {
    Set-RegistryValue 'HKLM\zSYSTEM\Setup\LabConfig' $setupBypass 'REG_DWORD' '1'
}
Set-RegistryValue 'HKLM\zSYSTEM\Setup\MoSetup' 'AllowUpgradesWithUnsupportedTPMOrCPU' 'REG_DWORD' '1'
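Write-Host "Tweaking complete!"
Write-Host "Unmounting Registry..."
# Unload exactly the hives loaded for the boot image. zDRIVERS and zSCHEMA are
# never loaded, and $regKey was closed long before this point, so the extra
# unloads and Close() calls were dropped.
$bootLoadedHives = 'zCOMPONENTS', 'zDEFAULT', 'zNTUSER', 'zSOFTWARE', 'zSYSTEM'
foreach ($bootHiveName in $bootLoadedHives) {
    reg unload "HKLM\$bootHiveName" | Out-Null
    # A hive that fails to unload stays attached under HKLM on the build host;
    # report it before the image is dismounted and saved.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not unload HKLM\$bootHiveName (reg exit code $LASTEXITCODE)."
    }
}
Write-Host "Unmounting image..."
Dismount-WindowsImage -Path $ScratchDisk\scratchdir -Save
Clear-Host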
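Write-Host "The tiny11 image is now completed. Proceeding with the making of the ISO..."
Write-Host "Copying unattended file for bypassing MS account on OOBE..."
Copy-Item -Path "$PSScriptRoot\autounattend.xml" -Destination "$ScratchDisk\tiny11\autounattend.xml" -Force | Out-Null
Write-Host "Creating ISO image..."
$ADKDepTools = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\$hostarchitecture\Oscdimg"
$localOSCDIMGPath = "$PSScriptRoot\oscdimg.exe"

if ([System.IO.Directory]::Exists($ADKDepTools)) {
    Write-Host "Will be using oscdimg.exe from system ADK."
    $OSCDIMG = "$ADKDepTools\oscdimg.exe"
} else {
    Write-Host "ADK folder not found. Will be using bundled oscdimg.exe."

    $url = "https://msdl.microsoft.com/download/symbols/oscdimg.exe/3D44737265000/oscdimg.exe"

    if (-not (Test-Path -Path $localOSCDIMGPath)) {
        Write-Host "Downloading oscdimg.exe..."
        Invoke-WebRequest -Uri $url -OutFile $localOSCDIMGPath

        if (Test-Path $localOSCDIMGPath) {
            Write-Host "oscdimg.exe downloaded successfully."
        } else {
            Write-Error "Failed to download oscdimg.exe."
            exit 1
        }
    } else {
        Write-Host "oscdimg.exe already exists locally."
    }

    # The script runs elevated, and this copy is either a fresh download or a
    # file that was already sitting next to the script. Run it only when it
    # carries a valid Authenticode signature from Microsoft.
    $oscdimgSignature = Get-AuthenticodeSignature -FilePath $localOSCDIMGPath
    $signerSubject = if ($oscdimgSignature.SignerCertificate) { $oscdimgSignature.SignerCertificate.Subject } else { '' }
    if ($oscdimgSignature.Status -ne 'Valid' -or $signerSubject -notlike '*O=Microsoft Corporation*') {
        Write-Error "oscdimg.exe at $localOSCDIMGPath has no valid Microsoft signature (status: $($oscdimgSignature.Status)); refusing to run it."
        exit 1
    }

    $OSCDIMG = $localOSCDIMGPath
}

& "$OSCDIMG" '-m' '-o' '-u2' '-udfver102' "-bootdata:2#p0,e,b$ScratchDisk\tiny11\boot\etfsboot.com#pEF,e,b$ScratchDisk\tiny11\efi\microsoft\boot\efisys.bin" "$ScratchDisk\tiny11" "$PSScriptRoot\tiny11.iso"
# oscdimg is a native tool: a failed build only shows up in the exit code.
if ($LASTEXITCODE -ne 0) {
    Write-Error "oscdimg.exe failed with exit code $LASTEXITCODE; tiny11.iso may be missing or incomplete."
}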
# Finishing up: wait for the user, then remove the working folders, eject
# the source ISO and delete the helper files next to the script.
Write-Host "Creation completed! Press any key to exit the script..."
Read-Host "Press Enter to continue"
Write-Host "Performing Cleanup..."
foreach ($workDir in "$ScratchDisk\tiny11", "$ScratchDisk\scratchdir") {
    Remove-Item -Path $workDir -Recurse -Force | Out-Null
}
Write-Output "Ejecting Iso drive"
# $DriveLetter has the form 'X:'; Get-Volume wants the bare letter.
Get-Volume -DriveLetter $DriveLetter[0] | Get-DiskImage | Dismount-DiskImage
Write-Output "Iso drive ejected"
foreach ($helperFile in 'oscdimg.exe', 'autounattend.xml') {
    Write-Output "Removing $helperFile..."
    Remove-Item -Path "$PSScriptRoot\$helperFile" -Force -ErrorAction SilentlyContinue
}
# Checks whether a temporary item is still present, retries its removal once
# and reports the outcome.
#   Target  - path to check
#   Label   - name used in the status messages
#   Recurse - remove recursively (used for folders)
function Remove-Leftover {
    param (
        [string]$Target,
        [string]$Label,
        [switch]$Recurse
    )
    if (-not (Test-Path -Path $Target)) {
        Write-Output "$Label does not exist. No action needed."
        return
    }
    Write-Output "$Label still exists. Attempting to remove it again..."
    if ($Recurse) {
        Remove-Item -Path $Target -Recurse -Force -ErrorAction SilentlyContinue
    } else {
        Remove-Item -Path $Target -Force -ErrorAction SilentlyContinue
    }
    if (Test-Path -Path $Target) {
        Write-Output "Failed to remove $Label."
    } else {
        Write-Output "$Label removed successfully."
    }
}

Write-Output "Cleanup check :"
Remove-Leftover -Target "$ScratchDisk\tiny11" -Label "tiny11 folder" -Recurse
Remove-Leftover -Target "$ScratchDisk\scratchdir" -Label "scratchdir folder" -Recurse
Remove-Leftover -Target "$PSScriptRoot\oscdimg.exe" -Label "oscdimg.exe"
Remove-Leftover -Target "$PSScriptRoot\autounattend.xml" -Label "autounattend.xml"

# Stop the transcript
Stop-Transcript
exit