cschneegans / unattend-generator

.NET Core library to create highly customized autounattend.xml files
https://schneegans.de/windows/unattend-generator/
MIT License
338 stars 31 forks

Windows 11 24h2 #28

Open VitaleyUsa opened 1 month ago

VitaleyUsa commented 1 month ago

Hello and thank you for this great project. It seems like on 24h2 Windows 11 some options are not working like they should. For example, the section "Remove bloatware" is not removing apps. Defender still persists in the system even if I tick the option to disable it.

Tried on Win11 24h2 downloaded from the Microsoft site.

cschneegans commented 1 month ago

Did you by any chance edit the autounattend.xml after downloading it? If so, you must make sure that the file is saved without a byte-order mark – Windows 24H2 Setup could otherwise not process the file.

The bloatware removal scripts write output and errors to three log files:

  • C:\Windows\Temp\remove-caps.log
  • C:\Windows\Temp\remove-features.log
  • C:\Windows\Temp\remove-packages.log

To inspect those files, launch an elevated PowerShell session and type this command:

Get-ChildItem -LiteralPath C:\Windows\Temp -Force -Filter remove*.log | Get-Content | ConvertFrom-Json

Disabling Windows Defender on 24H2 will fail when Windows is not installed to the C: drive, see https://github.com/cschneegans/unattend-generator/issues/29.

stimpy81 commented 1 month ago

I also use this wonderful tool to customise 24H2 and it works perfectly fine. All bloatware gone, all customisations done. I'm not entirely sure that Defender is fully removed as I still see the icon, and the hyper-annoying SmartScreen is still active. I then use the wonderful Defender removal tool included in AnWave to actually and completely nuke Defender from orbit. It's the only tool that I have ever found that does it properly, without issue, and it's not even its primary function!

https://sourceforge.net/projects/nvidia-power-management/

cschneegans commented 1 month ago

You are correct to observe that the Windows Security notification icon is still there:

image

However, that's not a bad thing, as this also means that Windows will not complain about Defender not running. The relevant Defender services and the MsMpEng.exe process are indeed disabled:

PS C:\> Get-Service -Name Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend

Status   Name               DisplayName
------   ----               -----------
Stopped  Sense              Windows Defender Advanced Threat Pr...
Stopped  WdBoot             Microsoft Defender Antivirus Boot D...
Stopped  WdFilter           Microsoft Defender Antivirus Mini-F...
Stopped  WdNisDrv           Microsoft Defender Antivirus Networ...
Stopped  WdNisSvc           Microsoft Defender Antivirus Networ...
Stopped  WinDefend          Microsoft Defender Antivirus Service

PS C:\> Get-Process -Name MsMpEng
Get-Process : Cannot find a process with the name "MsMpEng". Verify the process name and call the cmdlet again.

Furthermore, I have just added a new option Disable Smart App Control for Windows 11, based on Shawn Brink's .reg files. Feel free to check it out.

stimpy81 commented 1 month ago

You are a hero! Thank you for your hard work and effort with your generator. It's a lifesaver!

Kudos for the Smart App Control option! I am really not a fan of SmartScreen either, do you think you could add an option to remove that? It's an awful system that nobody wants as it's so intrusive and confusing.

I made my own script to remove it, as many Defender removers don't remove it, or don't remove all of it, and it comes back after a reboot or two.

It's made up of years of research by me (because I'm no coder/scripter), finding out all the best settings that actually work, don't upset Windows, leave Windows Update fully working, and don't come back later. Obviously, a big upgrade may bring it back, but that happens to Defender too.

Here's my .BAT file. It's amateur, but it works... You're also more intelligent than I, so don't laugh at some of the code. But these registry settings are 100%

@echo off

:: BatchGotAdmin
:-------------------------------------
REM --> Check for permissions: cacls on the SYSTEM hive file only succeeds when elevated
IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (
    >nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system"
) ELSE (
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
)

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    REM --> Re-launch this script elevated via a temporary VBScript so that UAC prompts once
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    set params= %*
    echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    REM --> Elevated now: run from the script's own directory
    pushd "%CD%"
    CD /D "%~dp0"

set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies

echo == Disabling SmartScreen

REM Machine-wide policy values (Explorer, app install control, IE phishing filter, MDM policy)
REG ADD "%Policies%\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControl /t REG_SZ /d "Anywhere"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v Enabled /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV8 /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV9 /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /f /v 2301 /t REG_DWORD /d "3"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /f /v value /t REG_DWORD /d "0"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /f /v SmartScreenEnabled /t REG_SZ /d "Off"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"

echo == Disabling SmartScreen for Store and Apps

REM Per-user values for the current user only (HKCU)
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v EnableWebContentEvaluation /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v PreventOverride /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d "0"
REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /f /v "EnabledV9" /t REG_DWORD /d "0"

echo == Disabling SmartScreen for Microsoft Edge

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenEnabled /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenPuaEnabled /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d "0"

echo == Disabling Smart App Control

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy" /f /v VerifiedAndReputablePolicyState /t REG_DWORD /d "0"

echo == Stopping SmartScreen and Cleaning Up

REM Take ownership and grant full control before the binaries (owned by TrustedInstaller) can be removed
takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreen.exe"
icacls "%WinDir%\System32\smartscreen.exe" /grant:r %username%:F
taskkill /im smartscreen.exe /f
del "%WinDir%\System32\smartscreen.exe" /s /f /q

takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreen.dll"
icacls "%WinDir%\System32\smartscreen.dll" /grant:r %username%:F
del "%WinDir%\System32\smartscreen.dll" /s /f /q

takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreenps.dll"
icacls "%WinDir%\System32\smartscreenps.dll" /grant:r %username%:F
del "%WinDir%\System32\smartscreenps.dll" /s /f /q

pause

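The Get-Service/Get-Process check shown earlier in this thread and the registry values written by the .BAT file above are both state that can be read back in one pass. The following PowerShell is an added audit example; it is not part of the unattend-generator project nor of the posted script. The $Checks table, the Get-RegistryValueOrNull helper and the output layout are my own choices, and the table covers a representative subset of the REG ADD lines above (the "Expected" entries are the values that script writes). The script only reads registry, service and process state.

```powershell
# Added audit script (not from the unattend-generator project or the posted .BAT).
# Reads back SmartScreen / Smart App Control registry values and Defender service
# state so an administrator can see which controls are actually off on a machine.
# Run from an elevated PowerShell session; HKCU values reflect the current user only.

# Subset of the values the posted script writes; "Expected" is that script's disable value.
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                    Name = 'EnableSmartScreen';               Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';             Name = 'SmartScreenEnabled';              Expected = 'Off' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen'; Name = 'value';                        Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen';       Name = 'ConfigureAppInstallControl';      Expected = 'Anywhere' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost';              Name = 'EnableWebContentEvaluation';      Expected = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Edge';                                        Name = 'SmartScreenEnabled';              Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy';                     Name = 'VerifiedAndReputablePolicyState'; Expected = 0 }
)

# Hypothetical helper: returns the value data, or $null when the key or value is absent.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

Write-Host "== SmartScreen / Smart App Control registry state"
foreach ($c in $Checks) {
    $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
    $state = if ($null -eq $actual) { 'absent (Windows default applies)' }
             elseif ("$actual" -eq "$($c.Expected)") { "DISABLED (value = $actual)" }
             else { "value = $actual (not the disable value $($c.Expected))" }
    Write-Host ("{0,-34} {1}" -f $c.Name, $state)
}

# Same services as the Get-Service check quoted in this thread, plus their start type.
Write-Host "`n== Defender services"
Get-Service -Name Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend -ErrorAction SilentlyContinue |
    Format-Table -AutoSize Status, StartType, Name | Out-Host

# Presence of the SmartScreen binary and of the SmartScreen / Defender engine processes.
Write-Host "== Binaries and processes"
$exe = Join-Path $env:SystemRoot 'System32\smartscreen.exe'
Write-Host ("smartscreen.exe present: {0}" -f (Test-Path -LiteralPath $exe))
Write-Host ("smartscreen.exe running: {0}" -f [bool](Get-Process -Name smartscreen -ErrorAction SilentlyContinue))
Write-Host ("MsMpEng.exe running:     {0}" -f [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue))
```

A value reported as "absent" means the posted script (or a policy) never wrote it, so the Windows default is in effect; that is the quickest way to tell a setting that "came back" after an update from one that was never applied.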
VitaleyUsa commented 1 month ago

Thank you in advance for this great utility. Yes, you are right - there is only the icon from Defender; however, all apps still persist. Everything else works. I'm not editing the *.xml, nor installing it on another disk.

Tried both 24h2 and 23h2 in Hyper-V, downloaded from the MS site. Dunno why it doesn't work, maybe some language/locale issue?

stimpy81 commented 1 month ago

Where did you get the Windows .ISO file that you are using from, and which build number is it? Also, is the .ISO file altered in any way?

Mine is 26100.1301.240725-1635.GE_RELEASE_SVC_PROD3_CLIENTMULTI_X64FRE_EN-GB.iso and I built it myself from UUPdump, and works flawlessly with the autounattend.xml file generated from here on 4 different computers.

cschneegans commented 1 month ago

You really need to check the log files.

cschneegans commented 1 month ago

Compared to other Windows security settings, SmartScreen really seems to be a nightmare to configure. For example, Shawn Brink has at least four tutorials to cover this topic:

His .reg files are usually very good, but I simply cannot guarantee they all work as intended on both Windows 10 and 11. Also, there might be interdependencies with other settings offered by my service (like Disable Windows Defender), and testing all combinations is not possible for me. Furthermore, since I use Google Chrome, I have never experienced that many problems with SmartScreen.

For the time being, I do not intend to add SmartScreen settings to my service. However, I will look into the possibility of using Group Policies with autounattend.xml files – these seem to be much more manageable than .reg files.

stimpy81 commented 1 month ago

As far as I'm aware, there is no difference between 10 & 11. I posted the script many months ago over on My Digital Life and I've had zero issues reported, but obviously that's no guarantee. I did use Shawn's work as some of the reference for my script, but it's very simplistic and does not stay disabled for long; most of it came from manually digging through the registry and a few other sources too - a compilation of greatest hits, if you will!

SmartScreen is more of an annoyance than anything. It's what is responsible, among other things, for those annoying blue dialog boxes that ask if you are sure you want to install an application or not, and the one where you have to click a link to actually run it. It's reliant on an Internet connection, as it sends a file hash to Microsoft and compares it to their own database before allowing the user to run the installation or not. It can be very slow, but it's mostly confusing for those that don't really understand that they have to click the "more info" link to actually run something that Microsoft does not have in its database...

image

But I totally understand your point and appreciate you looking into the group policy option.

cschneegans commented 4 weeks ago

It turned out that SmartScreen configuration is not that hard after all – https://github.com/cschneegans/unattend-generator/commit/355cad9c9d272ff20c5ce2f175a5c932b9d9bc94 consists of only 9 registry values.

This is how the SmartScreen settings page looks in Windows 11 immediately after installation with the new Disable SmartScreen in Windows and Edge setting enabled:

no-smartscreen-win11

stimpy81 commented 4 weeks ago

Thank you so much!