{"id":7848976,"url":"https://github.com/Destroyarr/WindowsImageBuilding","last_synced_at":"2025-07-19T06:30:46.519Z","repository":{"id":158551503,"uuid":"219331446","full_name":"Destroyarr/WindowsImageBuilding","owner":"Destroyarr","description":"Windows image building. NTLite profiles and PowerShell scripts.","archived":false,"fork":false,"pushed_at":"2024-02-25T13:07:43.000Z","size":154,"stargazers_count":45,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-08T14:51:41.390Z","etag":null,"topics":["aik","debloat","deployment","dism","kms","ntlite","privacy","slipstream","tuning","tweak","uup-dump","vdi","virtual-desktop-optimization-tool","waik","windows","windows-10","windows-11","winpe"],"latest_commit_sha":null,"homepage":"","language":"Batchfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Destroyarr.png","metadata":{"files":{"readme":"ReadMe.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-11-03T16:35:11.000Z","updated_at":"2024-07-21T01:51:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"2b2594bb-d01c-4b42-b0ad-ef2d1626bbca","html_url":"https://github.com/Destroyarr/WindowsImageBuilding","commit_stats":null,"previous_names":["destroyarr/windowsimagebuilding","infr-automation/windowsimagebuilding"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Destroyarr%2FWindowsImageBuilding","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Destroyarr%2FWindowsImageBuilding/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Destroyarr%2FWindowsImageBuilding/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Destroyarr%2FWindowsImageBuilding/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Destroyarr","download_url":"https://codeload.github.com/Destroyarr/WindowsImageBuilding/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226550214,"owners_count":17650078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aik","debloat","deployment","dism","kms","ntlite","privacy","slipstream","tuning","tweak","uup-dump","vdi","virtual-desktop-optimization-tool","waik","windows","windows-10","windows-11","winpe"],"created_at":"2024-04-13T02:14:43.296Z","updated_at":"2024-11-26T13:30:39.041Z","avatar_url":"https://github.com/Destroyarr.png","language":"Batchfile","funding_links":[],"categories":["Batchfile"],"sub_categories":[],"readme":"# Windows Gold Disk Building\n\n\u003cdetails\u003e\u003csummary\u003eReferences\u003c/summary\u003ehttps://github.com/atlas-os/atlas\u003c/br\u003e\nhttps://windowsxlite.com/ultralight/\u003c/br\u003e\nhttps://www.elevenforum.com/tutorials/\u003c/br\u003e\nhttps://www.winos.me/\u003c/br\u003e\nhttps://github.com/Chuyu-Team/Dism-Multi-language\u003c/br\u003e\nhttps://www.elevenforum.com/tutorials/?prefix_id=7\u003c/br\u003e\nhttps://www.elevenforum.com/tutorials/?prefix_id=12\u003c/br\u003e\nhttps://www.tenforums.com/tutorials/id-Installation_Upgrade/\u003c/br\u003e\nhttps://www.tenforums.com/tutorials/id-Virtualization/\u003c/br\u003e\nnsnfrm topic/249660-disable-windows-10-telemetry-and-data-collection-collection-of-methods-tools\u003c/br\u003e\nhttps://devblogs.microsoft.com/scripting/automatically-enable-and-disable-trace-logs-using-powershell/\u003c/br\u003e\nhttps://duckduckgo.com/?q=windows+11+disable+logging+tracing\u0026ia=web\u003c/br\u003e\nhttps://msfn.org/\u003c/br\u003e\nhttps://www.youtube.com/playlist?list=PL6G7A0Cr8StGMnC6cS4FBsMcxJAJcm6Fw\u003c/br\u003e\nhttps://www.youtube.com/@ChrisTitusTech/playlists\u003c/br\u003e\nhttps://christitus.com/categories/windows/\u003c/br\u003e\nhttps://github.com/ntdevlabs/tiny11builder\u003c/br\u003e\n\nhttps://chat.openai.com/share/9d143b48-d83d-4ab8-98fa-7e3d1fcb4408\u003c/br\u003e\nhttps://github.com/WinTweaks/windows-optimization\u003c/br\u003e\n\nhttps://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat\u003c/br\u003e\n\nhttps://github.com/hellzerg/optimizer\u003c/br\u003e\n\nhttps://g.co/bard/share/80197208559f\u003c/br\u003e\n\nhttps://claude.ai/chat/13627d29-74f6-4b26-a72b-ee40166b3ae9\u003c/br\u003e\nhtps crustywindo dot ws/\u003c/br\u003e\n\u003c/details\u003e\n\n\n\n## 1. A Dev VM to do all the mods\n\u003cdetails\u003e\u003csummary\u003eReferences\u003c/summary\u003eDevOps practices\u003c/details\u003e\n\n```powershell\n# placeholder\n# preferably download distribution files inside a oracle box VM\n# bring up a VM\n# automate the ISO build/ISO slim\n```\n\n\n### 1.2. Slim down the ISO\n```powershell\n# sysprep same way it's done for VDI - automate\n# but add an full NTLite step before installing ISO and/or before sysprep\n# automated testing\n```\n### References:\nNTLite Windows11 Tuning PreSetupStage xml\n\n## 2. Cloud\n```powershell\n# store the stuff online on the clouds for the drama amplification factor\n```\n\n## 3. OS settings\nPre-configure OS settings  \n+ Slimdown for all use cases - universal image  \n+ Improve speed performance latency - finetune  \n+ Improve reliability and reduce infosec risk - hardening  \n+ Reduce energy footprint - finetune powersettings  \n+ Empower the user correctly - serious users only not for babies \n+ Reduce maintenaince risk and cost - make the system unbreakable somehow \n\n### 3.1 Power Management\n\u003cdetails\u003e\u003csummary\u003eReferences\u003c/summary\u003ehttps://www.softpedia.com/get/System/Launchers-Shutdown-Tools/Power-Plan-Assistant.shtml\u003cbr/\u003e\nhttps://gist.github.com/raspi/203aef3694e34fefebf772c78c37ec2c#file-enable-all-advanced-power-settings-ps1-L5\u003cbr/\u003e\nhttps://gist.github.com/Nt-gm79sp/1f8ea2c2869b988e88b4fbc183731693\u003cbr/\u003e\nhttps://www.tenforums.com/performance-maintenance/149514-list-hidden-power-plan-attributes-maximize-cpu-performance.html\u003cbr/\u003e\nhttps://www.tenforums.com/tutorials/107613-add-remove-ultimate-performance-power-plan-windows-10-a.html\u003cbr/\u003e\nhttps://forums.guru3d.com/threads/windows-power-plan-settings-explorer-utility.416058\u003cbr/\u003e\nhttps://www.notebookcheck.net/Useful-Life-Hack-How-to-Disable-Modern-Standby-Connected-Standby.453125.0.html\u003cbr/\u003e\nhttps://www.dell.com/community/XPS/How-to-disable-modern-standby-in-Windows-21H1/td-p/7996308\u003cbr/\u003e\n\u003c/details\u003e\n\n```powershell\n\n# get rid of hibernation\npowercfg -h off\n\n# use normal standby and not modern standby\n\npowercfg /setdcvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 0\npowercfg /setacvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 0\nREG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power\\PowerSettings\\F15576E8-98B7-4186-B944-EAFA664402D9 /v Attributes /t REG_DWORD /d 2 /f\n\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Power\" -Name \"CsEnabled\" -Value 0 -ErrorAction SilentlyContinue\n\n# Coalescing IO - will introduce IO latency to save power\n\n```\n```powershell\n# Get the list of devices that can wake the system\n$wakeDevices = powercfg -devicequery wake_armed\n\n# Disable wake functionality for mouse or touchpad devices\n$wakeDevices | ForEach-Object {\n    if ($_ -like \"*Mouse*\" -or $_ -like \"*Touchpad*\") {\n        powercfg -devicedisablewake \"$_\"\n        Write-Output \"Disabled wake functionality for: $_\"\n    }\n}\n```\n\n``` powershell\n# Disable Wake Timers on AC\npowercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 0\n# Disable WoL at the OS level\npowercfg -setacvalueindex SCHEME_CURRENT SUB_NONE F44E3DAE-CB3E-4D65-8A2A-7A5C5C6D3090 0\npowercfg -setdcvalueindex SCHEME_CURRENT SUB_NONE F44E3DAE-CB3E-4D65-8A2A-7A5C5C6D3090 0\n\n# Disable WoL for all network adapters\nGet-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {\n    Write-Output \"Processing $($_.Name)...\"\n    # Disable WoL features\n    Disable-NetAdapterPowerManagement -Name $_.Name -WakeOnMagicPacket $false -WakeOnPattern $false -Confirm:$false\n}\n\nWrite-Output \"WoL has been disabled.\"\n\n\n# Extreme Battery Saver on Idle (example not tested) (checks every 10min for idleness?)\n\n# Define the power plan name\n$powerPlanName = \"Extreme Battery Saver\"\n\n# Check if the power plan exists\n$existingPlan = Get-CimInstance -Namespace root/cimv2/power -ClassName Win32_PowerPlan | Where-Object { $_.ElementName -eq $powerPlanName }\n\nif (-not $existingPlan) {\n    # Create the power plan based on the Power saver\n    $powerSaverGuid = (Get-CimInstance -Namespace root/cimv2/power -ClassName Win32_PowerPlan | Where-Object { $_.ElementName -eq \"Power saver\" }).InstanceID -replace \".*\\{(.*)\\}.*\", '$1'\n    $newPlanGuid = powercfg /duplicate $powerSaverGuid | Out-String | ForEach-Object { $_ -replace \".*\\{(.*)\\}.*\", '$1' }\n    powercfg /changename $newPlanGuid $powerPlanName\n} else {\n    $newPlanGuid = $existingPlan.InstanceID -replace \".*\\{(.*)\\}.*\", '$1'\n}\n\n# Script to activate the power plan\n$scriptContent = @\"\n# Activate the power plan\npowercfg /setactive $newPlanGuid\n\"@\n$scriptPath = \"$env:USERPROFILE\\setBatterySaver.ps1\"\n$scriptContent | Out-File -Path $scriptPath\n\n# Create a scheduled task to run the script when the computer is idle\n$taskAction = New-ScheduledTaskAction -Execute \"powershell.exe\" -Argument \"-ExecutionPolicy Bypass -File $scriptPath\"\n$taskTrigger = New-ScheduledTaskTrigger -AtStartup -RepetitionInterval ([TimeSpan]::FromMinutes(10)) -Idle\nRegister-ScheduledTask -Action $taskAction -Trigger $taskTrigger -TaskName \"ActivateBatterySaver\" -Description \"Switches to battery saver plan when idle\"\n\n\n```\nkill and relaunch apps on standby\n```\n\n\n### 3.2 Disk Encryption\nDelay encryption and present user choice:\n\n```powershell\n1. `fsutil behavior set disableencryption 1`: Disable encryption on the file system.\n2. `cipher /d /s:C:\\`: Decrypt all encrypted files on the C drive. Note that this command only works for files encrypted with the Encrypting File System (EFS). You should be logged in as the user who encrypted the files or an administrator who has the EFS recovery agent certificate. Otherwise, the command will fail, and the files will remain encrypted.\n3. `reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows\\EnhancedStorageDevices\" /v \"TCGSecurityActivationDisabled\" /t REG_DWORD /d \"1\" /f`: Disable the Trusted Platform Module (TPM) security activation to prevent automatic encryption of new storage devices.\n4. `sc config BDESVC start= disabled`: Disable the BitLocker Drive Encryption Service, which is responsible for managing BitLocker operations.\n5. `sc config \"EFS\" start= disabled`: Disable the Encrypting File System (EFS) service, which manages EFS operations.\n\nfsutil behavior set disableencryption 1\ncipher /d /s:C:\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows\\EnhancedStorageDevices\" /v \"TCGSecurityActivationDisabled\" /t REG_DWORD /d \"1\" /f\nsc config BDESVC start= disabled\nsc config \"EFS\" start= disabled\n\n# Add dekstop icon to start Encryption upon user decision\n\n```\n\n## 3.3 IO Optimization\n### 3.3.1 Eliminate everything log, performance counter, record keeping, temp files related\n\nEnable as before: \"Do not allow locations on removable drives to be added to libraries\"\n\nEnable these two ADDITIONAL settings: \"Default excluded paths\" AND \"Prevent indexing certain paths\". In each of those two, specify the drive letters to exclude (i.e. \"F:\\\")\n\n\n\u003cdetails\u003e\u003csummary\u003eReferences\u003c/summary\u003ehttps://yandex.com/search/?text=CrashControl+EnableLogFile\u0026lr=10379 :: this search engine returns better results.\u003c/details\u003e\n\n```powershell\n\n\n# Write Cache\n# Ensure the script is running with administrative privileges\nif (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")) {\n    Write-Error \"This script needs to be run as an Administrator. Exiting...\"\n    exit\n}\n\n# Maximize write cache via registry (this sets the LargeSystemCache to 1, which maximizes cache)\n$registryPath = \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\"\nSet-ItemProperty -Path $registryPath -Name \"LargeSystemCache\" -Value 1\n\nWrite-Host \"Maximized write cache via registry.\"\n\n\n\n# ADD RAMDISK AND INITIALIZE RAMDISK\n# BELOW CODE IS EXAMPLE PLACEHOLDER NOT WORKING\n# Ensure the script runs with administrative privileges\nif (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")) {\n    exit\n}\n\n# Mount recovery.wim and extract ramdisk.sys\n$mountPath = \"C:\\TempWIMMount\"\n$recoveryWIM = \"C:\\path_to_recovery.wim\"\nNew-Item -Path $mountPath -ItemType Directory -Force | Out-Null\ndism /Mount-Wim /WimFile:$recoveryWIM /index:1 /MountDir:$mountPath\nCopy-Item \"$mountPath\\Windows\\System32\\drivers\\ramdisk.sys\" \"C:\\Windows\\System32\\drivers\\ramdisk.sys\"\ndism /Unmount-Wim /MountDir:$mountPath /discard\n\n# Registry setup for ramdisk.sys\n$regPath = \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Ramdisk\"\nNew-Item -Path $regPath -Force | Out-Null\nSet-ItemProperty -Path $regPath -Name \"Type\" -Value 1\nSet-ItemProperty -Path $regPath -Name \"Start\" -Value 0\nSet-ItemProperty -Path $regPath -Name \"ErrorControl\" -Value 1\nSet-ItemProperty -Path $regPath -Name \"ImagePath\" -Value \"system32\\drivers\\ramdisk.sys\"\nSet-ItemProperty -Path $regPath -Name \"Group\" -Value \"Base\"\n\n$regParamsPath = \"$regPath\\Parameters\"\nNew-Item -Path $regParamsPath -Force | Out-Null\nSet-ItemProperty -Path $regParamsPath -Name \"UsePAE\" -Value 0\nSet-ItemProperty -Path $regParamsPath -Name \"DiskSize\" -Value 2147483648  # 2GB in bytes\n\n# Notify the user\nWrite-Output \"RAMDisk setup complete. Please restart your system.\"\n\n\n\n\n- symlink logs and tempfiles to \u003e NUL\n(example)\n@echo off\n\n:: Disable unnecessary event logging\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\" /v \"EnableLogFile\" /t REG_DWORD /d \"0\" /f\n\n:: Disable automatic memory dump creation\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\" /v \"CrashDumpEnabled\" /t REG_DWORD /d \"0\" /f\n\n:: Disable DumpStack.log and DumpStack.log.tmp creation\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reliability\" /v \"StackTraceDatabaseLogEnable\" /t REG_DWORD /d \"0\" /f\n\n:: Disable Windows Error Reporting\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\" /v \"Disabled\" /t REG_DWORD /d \"1\" /f\n\n\n:: Delete existing DumpStack.log and DumpStack.log.tmp files\ndel /f /q C:\\DumpStack.log\ndel /f /q C:\\DumpStack.log.tmp\n\n:: Create a RAM drive (adjust drive letter and size as needed)\nimdisk -a -s 512M -m R: -p \"/fs:ntfs /q /y\"\n\n:: preferably the winpe ramdrive will be more useful\n\n:: Redirect event log files to the RAM drive (replace R: with the desired drive letter)\nwevtutil el \u003e event_logs.txt\nfor /f \"tokens=*\" %%A in (event_logs.txt) do (\n    wevtutil sl %%A /lfn:\"R:\\%%A.evtx\"\n)\n\n:: Clean up\ndel /f /q event_logs.txt\n\n```\n\n\n### 3.3.2 Add a button to reverse the above as needed\n\n## 3.4 Drivers\n\nPrevent out-of-date drivers from MS update\n\n``` powershell\n\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\" /v \"ExcludeWUDriversInQualityUpdate\" /t REG_DWORD /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Settings\" /v \"DeviceInstallDisabled\" /t REG_DWORD /d \"1\" /f\n\n```\n\n## 3.5 Updates\n\u003cdetails\u003e\u003csummary\u003eReferences\u003c/summary\u003ehttps://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-windows-update-policies-you-should-set-and-why/ba-p/3270914\u003c/details\u003e\n\n``` powershell\n:: Set Windows Update policy to receive stable updates only\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"DeferFeatureUpdates\" /t REG_DWORD /d \"0\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"DeferFeatureUpdatesPeriodInDays\" /t REG_DWORD /d \"0\" /f\n\n:: Set Windows Update to check for updates frequently\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"ScheduledInstallDay\" /t REG_DWORD /d \"0\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"ScheduledInstallTime\" /t REG_DWORD /d \"1\" /f\n\n\n:: other Microsoft product updates through Windows Update\n(example compatible with Windows 8, 8.1, 10, and 11.)\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\" /v \"IncludeRecommendedUpdates\" /t REG_DWORD /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Services\\7971f918-a847-4430-9279-4a52d1efe18d\" /v \"RegisteredWithAU\" /t REG_DWORD /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\" /v \"DoNotConnectToWindowsUpdateInternetLocations\" /t REG_DWORD /d \"0\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"IncludeRecommendedUpdates\" /t REG_DWORD /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"Include_WSUS31\" /t REG_DWORD /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\" /v \"Include_MSUpdate\" /t REG_DWORD /d \"1\" /f\n```\n\n\n\n## 3.6 Network\n### 3.6.1. Turn off unused network protocols with a scheduled task\n  client for ms net  \n  file and pr sharing  \n  register w dns  \n  netbios  \n  wi fi wake  \n  eth fc  \n  bluetooth\n\n```powershell\nRegister-ScheduledTask -TaskName \"DisableNetworkBindings\" -Trigger (New-ScheduledTaskTrigger -OnEventID 4004 -User \"NT AUTHORITY\\SYSTEM\") -Action (New-ScheduledTaskAction -Execute \"Powershell.exe\" -Argument \"-Command \"Disable-NetAdapterBinding -ComponentID ms_implat,ms_lldp,ms_lltdio,ms_server,ms_msclient,ms_tcpip6,ms_rspndr,ms_pacer -Name *;  Set-NetAdapterAdvancedProperty -DisplayName 'Flow Control' -DisplayValue 'Disabled'\") -Settings (New-ScheduledTaskSettingsSet -Priority 4 -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)) -Force\n\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\" /v GlobalQueryBlockList /t REG_MULTI_SZ /d \"local,localhost,localdomain,local.,*\\nmdns,*.local\" /f\n\nnetsh advfirewall firewall add rule name=\"Block UDP 5353\" dir=in action=block protocol=UDP localport=5353\nnetsh advfirewall firewall add rule name=\"Block UDP 5353\" dir=out action=block protocol=UDP localport=5353\nnetsh advfirewall firewall add rule name=\"Block UDP 1900\" dir=in action=block protocol=UDP localport=1900\nnetsh advfirewall firewall add rule name=\"Block UDP 1900\" dir=out action=block protocol=UDP localport=1900\n\nnetsh advfirewall firewall add rule name=\"Block IGMP\" dir=in action=block protocol=IGMP\nnetsh advfirewall firewall add rule name=\"Block IGMP\" dir=out action=block protocol=IGMP\n\nsc config Bonjour Service start=disabled :: make this a scheduledtask\n```\n\n\n### Add button to enable per user need (the igmp upnp mdns and ssdp are used for multimedia stuff)\n - placeholder\n\n## Turn off IPv6\n(Prevent ipv6:: binding)\n```powershell\nnetsh int ipv6 isatap set state disabled #set-Net6to4Configuration\nnetsh interface ipv6 set global randomizeidentifiers=disabled\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\" /v \"DisabledComponents\" /t REG_DWORD /d \"ffffffff\" /f\nnetsh interface ipv6 set teredo disabled\nnetsh interface ipv6 set 6to4 disabled\nnetsh interface ipv6 set isatap disabled\nnetsh interface ipv6 set interface \"Loopback Pseudo-Interface 1\" routerdiscovery=disabled\nnetsh interface ipv6 set interface \"Loopback Pseudo-Interface 1\" dadtransmits=0 store=active\nnetsh interface ipv6 set interface \"Loopback Pseudo-Interface 1\" routeradvertise=disabled\nnetsh advfirewall firewall add rule name=\"Block all IPv6 traffic\" protocol=icmpv6:255,any dir=in action=block\nnetsh advfirewall firewall add rule name=\"Block all IPv6 traffic\" protocol=icmpv6:255,any dir=out action=block\nnetsh advfirewall firewall add rule name=\"Block all IPv6 TCP/UDP traffic\" protocol=TCPv6,UDPv6 dir=in action=block\nnetsh advfirewall firewall add rule name=\"Block all IPv6 TCP/UDP traffic\" protocol=TCPv6,UDPv6 dir=out action=block\n(edge=yes)\nnetsh advfirewall firewall add rule name=\"Block all IPv6 traffic\" protocol=any dir=in action=block edge=yes profile=any interface=any\nnetsh advfirewall firewall add rule name=\"Block all IPv6 traffic\" protocol=any dir=out action=block edge=yes profile=any interface=any\n```\n\n### Firewall default disallow\nfw dis inbound out- allj, cast teredo v6 cortana mDNS Narrator network discovery remote assist start wi-fi direct windows calc windows search wireless display\n```powershell\nSet-NetFirewallProfile -DefaultInboundaction Block\n```\n## remove Wireless Display\n\n### disallow allow remote assist because it's laggy\n```powershell\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Remote Assistance\" /v \"fAllowToGetHelp\" /t REG_DWORD /d \"0\" /f\n```\n\n### SMB tuning\ndisable default admin and disk share server  \nrestrict access over anonymous connections  \nprevent joining homegroup  \nhide computer from browser list  \nprevent network auto discovery  \nhide entire network in network neighborhood\n``` powershell\n# Run this script with elevated privileges (as an administrator)\n\n# 1. Disable default admin shares (like C$, D$, etc.)\n# This will disable the administrative shares for the system root and system volume root directories\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" -Name \"AutoShareWks\" -Value 0\n\n# 2. Restrict access over anonymous connections\n# This will prevent anonymous access to the computer from the network\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" -Name \"RestrictAnonymous\" -Value 2\n\n# 3. Hide the computer from the browser list\n# This will prevent the computer from appearing in the list of networked devices\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters\" -Name \"Hidden\" -Value 1\nRestart-Service \"LanmanServer\" -Force\n\n# 4. WRONG Prevent network auto-discovery\n# This will set the network profile to private and then disable network discovery for it\nGet-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private\nSet-NetFirewallProfile -Profile Private -NetworkDiscovery Disabled\n\n# 5. Hide entire network in Network Neighborhood \n# This will prevent the computer from displaying the entire network in the Network Neighborhood\nSet-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" -Name \"NoEntireNetwork\" -Type DWord -Value 1\n\n# Notify that the script has completed\nWrite-Output \"Script execution completed. Please note that some changes might require a user logoff or system restart to fully take effect.\"\n\n```\n\n### Hardening and tuning\ndis UAC pw  \nact  \nuninst add remove onedrive  \ndis msteams startup\n\n## Edge\nedge start withot data  \n  privacy statement reject all  \n  multilingual text suggestions\n  edge://flags\n  #media-router-cast-allow-all-ips\n  #media-route-dial-provider\n  #edge-autoplay-user-setting-block-option +\n  #smooth-scrolling\n\n## Regional\nadd kbd remove kbd  \nadd language basic typing ocr (not lang pack)  \nfirst day of week\n\n## Tooling\nadd latest ps  \nwin event colletor service?  \noffice  \nwinpe setup  \nrun apps in containers  \n11 KB5010474  \n11 KB2267602  \n11 KB4052623  \nupd ms store apps  \nprevent system volume information folder creation  \nstorage spaces not working  \n+zip fldr  \n-wrk fldr  \n+rmdks crp  \n\nMS Store:  \n- turn off autoplay videos\n\n## Graphics\nTurn off GUI fx  \ngoogle.com/search?q=UserPreferencesMask+value+in+the+Registry+to+enable+the+Classic+graphics+mode ?\n\n## Eliminate Smooth scrolling\n@echo off\nreg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v \"SmoothScroll\" /t REG_SZ /d \"0\" /f\nreg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v \"MouseWheelRouting\" /t REG_SZ /d \"0\" /f\necho Smooth scrolling has been disabled. Please restart your computer for the changes to take effect.\npause\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDestroyarr%2FWindowsImageBuilding","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDestroyarr%2FWindowsImageBuilding","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDestroyarr%2FWindowsImageBuilding/lists"}