Steve Borba

My notes, I hope they help you, feel free to comment/add to them

Custom Windows Install

I have seen a few ways to do it; here are potential ways:
Use this MS tool (worked, but you have to download the dvd as part of it).
This is potential (haven’t tried it).
Another (worked, but not consistently), this one is open admin cmd and:

diskpart
  list disk
  select disk {USB_DISK_NUMBER}
  clean
  create partition primary
  select partition 1
  active
  format fs=ntfs quick
exit
cd /d {ISO_ROOT}\boot
bootsect /nt60 {USB_DRIVE_LETTER:}

Then extract the DVD version you want onto the disk (i.e. Windows 10 Enterprise)

Next, we put an Answer File in the root, you may need to change some settings around (i.e. Organization, Username/Password, CD Keys, or Time Zone).

Now test it to make sure it works; careful though, I have seen it install without any prompts.
If it doesn’t work, make sure UEFI boot is on.

Now that may be good enough for some, but to take it a little further, lets change the mount and modify the wim

dism /get-imageinfo /imagefile:D:\sources\install.wim
md c:\dismtemp
dism /mount-image /imagefile:D:\sources\install.wim /index:%Index% /mountdir:c:\dismtemp

replace the %Index% with the index you get from the first command.

One thing I do is remove the Pre-provisioned “apps”

powershell -command "Get-AppxProvisionedPackage -path c:\dismtemp | ? { !($_.DisplayName -in ('Microsoft.WindowsStore,Microsoft.WindowsCalculator,Microsoft.WindowsAlarms,Microsoft.Appconnector,Microsoft.WindowsCamera,Microsoft.MicrosoftOfficeHub,Microsoft.Office.OneNote'.Split(','))) } | Remove-AppxProvisionedPackage -Path c:\dismtemp"

That one left a few of the apps, adjust to your needs.

Next, we can modify the optional windows features.

powershell -command "Disable-WindowsOptionalFeature -Path c:\dismtemp -FeatureName 'SMB1Protocol','Printing-Foundation-InternetPrinting-Client','FaxServicesClientPackage'"

powershell -command "Enable-WindowsOptionalFeature -path c:\dismtemp -FeatureName 'NetFx3' -Source 'd:\Sources\SxS'"

Again adjust to your needs

Next we can make changes to the HKLM\Software registry, and here is a list of changes I do.

REG LOAD HKU\Software c:\dismtemp\Windows\System32\config\SOFTWARE

Rem ##### Hide the annoying "Please Wait"
reg add HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFirstLogonAnimation /t Reg_DWORD /d 0 /f

rem ##### Set BackGround
reg add "HKU\Software\Wow6432Node\Policies\Microsoft\Windows\Personalization" /v LockScreenImage /d c:\Windows\BackGround.jpg /f
reg add "HKU\Software\Policies\Microsoft\Windows\Personalization" /v LockScreenImage /d c:\Windows\BackGround.jpg /f

Rem ##### Hide One Drive in Explorer
reg add "HKU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 0 /f
reg add "HKU\Software\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 0 /f
reg add "HKU\Software\Policies\Microsoft\Windows\SkyDrive" /v DisableFileSync /d 1 /t REG_DWORD /f
reg add "HKU\Software\Classes\CLSID\{8E74D236-7F35-4720-B138-1FED0B85EA75}\ShellFolder" /v Attributes /d 0 /t REG_DWORD /f

Rem ##### Change Logon Picture to Accent Color
REM reg add "HKU\Software\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /d 1 /t REG_DWORD /f

Rem ##### Disable Data Collection
reg add HKU\Software\Policies\Microsoft\Windows\DataCollection /v AllowTelemetry /t Reg_DWORD /d 0 /f >nul

rem ##### Disable network probing
reg add HKU\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator /t REG_DWORD /f /v EnableActiveProbing /d 0
reg add "HKU\Software\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0010000000F0000F0C967A3643C3AD745950DA7859209176EF5B87C875FA20DF21951640E807D7C24" /v "Category" /t reg_dword /d 0 /f

rem ##### Disable Windows store
rem reg add HKU\Software\Policies\Microsoft\WindowsStore /t REG_DWORD /f /v RemoveWindowsStore /d 1

Rem ##### enable smartsreen to protect from unknown "apps"
reg add "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /d RequireAdmin /f

REG UNLOAD HKU\Software

Next we can modify the default user profile:

SET HKEY=HKU\Default
REG LOAD %HKEY% c:\dismtemp\Users\Default\NTUSER.DAT

REM Sound and end-application
REG ADD "%HKEY%\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f
 
REM Set Background
reg add "%HKEY%\Control Panel\Colors" /v Background /t REG_SZ /d "120 120 120" /f
REG ADD "%HKEY%\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\windows\cbblogo.jpg" /f
reg delete "%HKEY%\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
reg add "%HKEY%\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 10 /f
reg add "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /f /v "MotionAccentId_v1.00" /t REG_DWORD /d 219

REM Command Prompt settings
REG ADD "%HKEY%\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Console" /v ScreenBufferSize /t REG_DWORD /d 655294544 /f

REG ADD "%HKEY%\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections" /v SaveConnections /d "no" /t REG_SZ /f

REM Show all in tray
reg add "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer" /v EnableAutoTray /t REG_DWORD /d 0 /f
reg add "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f

REM Hide Intel Tray
reg add "%HKEY%\Software\Intel\Display\igfxcui\igfxtray" /v "ShowOptimalBalloon" /t REG_DWORD /d 1 /f
reg add "%HKEY%\Software\Intel\Display\igfxcui\igfxtray" /v "ShowGraphicsBalloon" /t REG_DWORD /d 0 /f
reg add "%HKEY%\Software\Intel\Display\igfxcui\igfxtray\TrayIcon" /v "ShowTrayIcon" /t REG_DWORD /d 0 /f
reg add "%HKEY%\Software\Intel\Display\igfxcui\profiles\Display" /v "IsWarningEnabled" /t REG_DWORd /d 1 /f
reg add "%HKEY%\Software\Intel\Display\igfxcui\virtualKeyboard" /v "ShowVirtualKeyBoard" /t REG_DWORD /d 0 /f

REM Language bar - only apply if using single regional settings
REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f
 
REM Windows Explorer
rem REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
rem REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSizeMove /t REG_DWORD /d 0 /f
rem REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSmallIcons /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHelp /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_NotifyNewApps /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_LargeMFUIcons /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideDrivesWithNoMedia /t REG_DWORD /d 0 /f
rem REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SharingWizardOn /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v AlwaysShowMenus /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "%HKEY%\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f

Rem Show desktop Items
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" /t REG_DWORD /d 0 /f
 
REM Windows 8 navigation settings
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v OpenAtLogon /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v DesktopFirst /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MakeAllAppsDefault /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MonitorOverride /t REG_DWORD /d 0 /f

REM Internet Explorer options
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v StatusBarOther /t reg_dword /d 1 /f
reg add "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "about:blank" /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 2 /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f

REM Windows Media Player
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f

REM Other Applications
Reg Add "%HKEY%\Software\Sysinternals\Process Explorer" /f /v EulaAccepted /t Reg_DWORD /d 1
Reg Add "%HKEY%\Software\Sysinternals\Process Monitor" /f /v EulaAccepted /t Reg_DWORD /d 1

REM Disable Spying
reg add "%HKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
reg add "%HKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v Value /d Deny /f

REM Hide Search box
reg add "%HKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f

REM Hide One Drive
reg delete "%HKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v onedrive /f
reg delete "%HKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v onedrivesetup /f

REM Add run once to Pin Icons
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Runonce" /v PinIcons /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -windowstyle hidden -file c:\cbb\PinIcons.ps1" /f

Rem Hide Synaptecs Tray Icon
reg add "%HKEY%\SOFTWARE\Synaptics\SynTPEnh" /v TrayIcon /t REG_DWORD /d 25 /f

REG UNLOAD %HKEY%

Now we unmount the image (some times I get an error and have to do it a second time – I blame AV)

dism /unmount-image /mountdir:c:\dismtemp /commit

Now we need to take care of the rest, like installing applications, disabling services, or configuring other settings, there has to be a better way, but this is what I have for now:

Rem ##### Disabled un-needed services
for %%a in (hpsrv,igfxCUIService1.0.0.0,lanmanserver,HomeGroupProvider,dmwappushsvc,DiagTrack) do sc config %%a start=disabled

rem ##### Apply policy
copy Policy.inf c:\Temp
pushd c:\temp
 secedit /configure /db Database.sdb /cfg Policy.inf /overwrite /log Config.Log /quiet
Popd

rem ##### Disable netbios / LLMNR / Other network properties
wmic nicconfig where (TcpIpNetBiosOptions!=Null and TcpIpNetBiosOptions!=2) call setTcpIpNetBios 2
powershell -command "Get-NetAdapterBinding | ? { $_.ElementName -in ('ms_pacer,ms_implat,ms_rspndr,ms_tcpip6,ms_lldp,ms_lltdio'.Split(',')) } | Disable-NetAdapterBinding"

rem ##### Add Computername to my computer icon
reg add HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_EXPAND_SZ /f /ve /d %%COMPUTERNAME%%
reg delete HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} /v LocalizedString /f
reg query HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} /ve | find /i "COMPUTERNAME" > nul

rem ##### Turn on Hibernate
powercfg -h on

rem ##### Change count down to 5 seconds
bcdedit /timeout 5

rem ##### Set Pagefile
wmic computersystem where name="%computername%" set AutomaticManagedPagefile=False
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=4096,MaximumSize=4096

rem ##### Install Default programs
if exist Installs\install.bat Call Installs\install.bat

rem ##### enable bit locker
powershell -command "Enable-BitLocker c: -TpmProtector "

rem ##### install all windows updates
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -file WindowsUpdates.ps1

Save that as {USB}\sources\$OEM$\$1\Scripts\Settings.bat
(and save WindowsUpdates.ps1 and Policy.inf there too – without the .txt)
Optional, create a folder {USB}\sources\$OEM$\$1\Scripts\Installs with a set of installs and a script called Install.bat

A new option I have added to my install is a context MD5 generator through powershell:

reg add HKLM\SOFTWARE\Classes\*\shell\GetMD5\command /t REG_EXPAND_SZ /f /ve /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command \"(New-Object -ComObject Wscript.Shell).Popup(('%1 = '+(get-filehash -Algorithm md5 '%1').Hash),0,'File Hash',0x0)\""

 

2 Responses to “Custom Windows Install”

  1. Matt says:

    Also leave the appx Microsoft.WindowsStore

    1. sjborbajr says:

      Updated to leave that, and the fixed spelling error you told me about too.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>