Windows Configs

Warning

Update (December 23, 2024): Windows Defender no longer detects the ISOs as a malware with a possible update on cloud-delivered protection. Thanks for the update, Microsoft! The cautionary steps here are kept for historical reasons and as an advice for any piece of software under the same condition.

Starting 1.1.0-24H2, Windows Defender WILL detect the ISOs in the releases as a trojan, Trojan:Script/Wacatac.B!ml.

THIS IS A FALSE POSITIVE AND IT HAS TO DO WITH THE FACT THAT THE ISO CONTAINS THE sources FOLDER TO MIMIC WINDOWS ISO LAYOUT!

I know it doesn't have to do with anything else because I also scanned a faulty package of the same ISO where the $OEM$ folder is on the root instead of its parent, the sources folder, and no detections were raised.

Should you have any concerns about an alleged malware, I STRONGLY advice you to;

1. Do some research about the specific detection: Trojan:Script/Wacatac.B!ml
2. Check the contents of the detected file,
3. Check the code of the repo if available, INCLUDING THE CODE FOR THE GITHUB WORKFLOW,
4. Upload the detected file to VirusTotal,
5. Stop using the detected file and just take what you need in general.

If you're too limited on data for an upload a file this big to VrsTtl, I did the work for you.

Any demands to fix this without clear help on how will be ignored/frowned upon. PRs are always welcome if YOU happen to have a way to get rid of this.

This right here is my configuration for Windows, made for myself, documented for everyone.

May alternatively be called "St-Denis Sane Unattend Configuration", or "St-DeSUCo" in short.

How to use

Each approach has a different way to use this piece of work. Major known ones are covered here.

Virtual Machines

1. Create the VM with the stock Windows 10/11 ISO, you may power it off when it boots into the setup.

VMware Workstation users must NOT power on the VM after it's been created if Easy Install is in place!

2. Add a new CD drive and put the ISO in releases to it.

You may also pack your own by checking .github/workflows/release.yml Build ISO step in this repo.

3. Boot the VM up and roll with it!

Rufus/Media Creation Tool/Manual file copy [Recommended for UEFI!]

1. Flash the USB drive with the stock Windows 10/11 ISO.
2. Mount the ISO and copy autounattend.xml to the root of the drive. For example, if your flash drive is in drive E:, you have to copy autounattend.xml there.
3. Boot from the USB and roll with it!

Ventoy/dd in Linux/Direct ISO modification [Recommended for Legacy BIOS!]

1. Download the ISO from Microsoft's website or create one using Media Creation Tool.
2. Inject the autounattend.xml file into the ISO using the appropriate software. I use UltraISO on Windows.
3. Copy the ISO to your Ventoy drive/Flash the ISO using dd.
4. Boot into the setup and roll with it!

File list

• autounattend.xml: Answer file to bundle with installer disk to do the base configuration automatically.
• encode-for-autounattend.sh: A simple Bash script to encode your password for non-plain-text use in autounattend.xml.
• winget-bundle.cmd: Script to install as many apps as possible from Winget in batches. Winget is already smart enough to know when it's installing something, so the order of installed apps will be rather random once it's fully done.
• applist.txt: Hand-written text file to list apps that aren't in winget-bundle.cmd. Those are either not in Winget repos or installed externally on purpose.
• mods.txt: Documentation for post-install modifications I make to Windows that won't be handled by scripts or can't be done reliably by answer files.
• resources.txt: Links to resources that will be useful in case of need.

autounattend.xml

• Installs Windows 10/11 Pro using the generic product key depending on the install media bundled.
  • Language: English International
  • Locale configuration: English (Canada)
  • Time zone: Windows should detect this post-install when it's online.
  • Keyboard layouts;
    • Canadian French in English (Canada) (Default)
    • US in English (Canada)
    • Turkish Q in Turkish (Turkey)
  • Licensing info;
    • User name: Linda St-Denis
    • Organization name: SpringWolf R&D Labs
• Lets the user do the partitioning.
• Computer name is set to ST-DENIS-TEMP as a placeholder since a script will construct a hostname and set that one pre-OOBE.
• Creates two password-locked administrator user accounts:
  • Linda (Display name: Linda St-Denis)
  • Sara (Display name: Sara St-Denis)
• Constructs a hostname according to device model and sets that pre-OOBE.
  • The hostname is prefixed with st-denis-.
  • The portion after the last space and before the first unacceptable character (anything that's not a letter or number) is taken into consideration for the rest. For example,
    • If your motherboard reports the model as "Excalibur G770", the hostname will be st-denis-g770.
    • If your motherboard reports the model as "VMware20,1", the hostname will be st-denis-vmware20.
  • The hostname is trimmed accordingly for NetBIOS compliance for network name, much like how Windows does it internally.
    • If your hostname ends up being st-denis-vmware20, the network name will be ST-DENIS-VMWARE.
    • This doesn't impact the hostname you see on your local system and in Settings, it will still be st-denis-vmware20.
• Configures the system pre-OOBE such that;
  • Hibernation is enabled if possible.
  • Intel WiFi and Bluetooth drivers are installed for connectivity.
    • You may also see their progress in their own setup windows.
    • Even though it looks like it, AutoHotKey was NOT involved in the process of that setup. Intel provides a /passive switch in most of its setup programs that will basically run you through the setup on its own with the optimal defaults.
  • Device Guard is disabled for proper support for Type 2 hypervisors such as VirtualBox and VMware Workstation.
  • Hyper-V is disabled in BCD store for the same reason.
  • The network requirement bypass is enabled. (BypassNRO)
  • Long pathnames are enabled as suggested by Python installer.
  • Windows Update will assume the system is active all the time and won't reboot the system when it thinks it's inactive.
  • Bitlocker automatic encryption is disabled. User may opt into encrypting their device manually through Manage Bitlocker Control Panel applet.
  • Microsoft Edge's annoying first-run experience is hidden, so that you won't have to go through it every time you create a new account or perform a new installation with the answer file.
  • Sets default start menu pins to omit unnecessary bloat in pinned section on Windows 11. List of apps pinned:
    • Microsoft Edge
    • Microsoft 365 (Office) UWP
    • Word*
    • Excel*
    • PowerPoint*
    • Outlook (New)
    • Microsoft Store
    • Settings
    • Xbox
• Configures the system on first logon of the first administrator (likely configured during OOBE or within the answer file) such that;
  • File extensions are enabled.
  • Hidden files are enabled, but protected system files are still kept hidden.
  • No unwanted app is installed automatically. I don't think you want some sane configuration only for Candy Crush to be installed automatically, right?
  • NumLock is enabled on boot regardless of BIOS settings.
  • C:\Windows.old is deleted if it exists.
• Configures each new user on their first logon such that;
  • Search icon is set to "Icon only"
  • Taskbar pins are replaced with the layout from Windows 11 RTM;
    • File Explorer
    • Microsoft Edge
    • Microsoft Store

* Word, Excel and PowerPoint are a part of Microsoft Office suite and are NOT preinstalled. These default pins will be placed on new accounts only if that suite was present at the time the account was created.

encode-for-autounattend.sh

• Self-explanatory.

winget-bundle.cmd

• A couple of start winget commands designed to do one thing: Install every single possible app listed inside.
• List of apps;
  • msstore/"Samsung Account"
  • winget/7zip.7zip
  • winget/Discord.Discord
  • msstore/"Python 3.11"
  • msstore/"Speedtest by Ookla"
  • msstore/9NCBCSZSJRSB (Spotify)
  • winget/Valve.Steam
  • msstore/"Unigram"
  • winget/Microsoft.WindowsTerminal
  • msstore/"WhatsApp"
• There's also a winget-bundle-optional.cmd that will install all other apps I use myself that others might not need/want.
  • winget/Git.Git
  • winget/GitHub.cli
  • winget/Google.Chrome
  • winget/Windscribe.Windscribe
  • msstore/"Samsung Cloud Assistant"
  • msstore/"Microsoft To Do"
  • winget/Microsoft.PowerToys
  • winget/Microsoft.VisualStudioCode
  • winget/Oracle.VirtualBox
  • msstore/"Quick Share"
  • winget/Google.QuickShare"
  • msstore/"Rufus"
  • msstore/"Samsung Gallery"
  • msstore/"Slack"
  • winget/StartIsBack.StartAllBack
    • You can use the second line instead of the first if you have a key to activate SAB with.
    • I STRONGLY RECOMMEND that you use SAB if you have OCD and use Windows 11 22H2+!
      • Windows 11 build 22621.1344 (version 22H2 KB5022913 update) updates the taskbar in a way that breaks the minimise animations while reimplementing the system tray menu. This change has been the default since 23H2 RTM.
  • winget/tailscale.tailscale
  • winget/CodeSector.TeraCopy
  • winget/Transmission.Transmission
    • Installs winget/Microsoft.VCRedist.2015+.x64 in advance as a dependency.
  • winget/VideoLAN.VLC
• To run both of these at once, just run winget-bundle-all.cmd instead.

applist.txt

• Self explanatory.

mods.txt

• Self explanatory.

resources.txt

• Self explanatory.

Credits

• https://schneegans.de/windows/unattend-generator/
• Microsoft documentation for Winget and answer files
• https://github.com/dianaw353/dotfiles

To-Do

1. Add NVIDIA app into post-first-logon.
2. Remove more of the less frequently used apps from Start pins.
3. GitHub Actions for building a discrete ISO with these files. (Basically a data CD ISO with the files in this repo.)

You may alternatively opt for a tool like AnyBurn or UltraISO for the time being.