←back to thread

Generate autounattend.xml files for Windows 10/11

(schneegans.de)
215 points nixass | 8 comments | 29 Mar 25 20:44 UTC | HN request time: 0.001s | source | bottom
1. atVelocet ◴[01 Apr 25 22:59 UTC] No.43552177[source]
Since i‘ve been doing this sort of thing for many years here are some basic rules: - Get LTSC (W10) or IoT/Enterprise (W11) images to begin with - Get https://www.ntlite.com/ .. you won‘t find any other tool which does a better job at removing packages, adding drivers, etc. Worth every penny with great support. - Use GroupPolicies to configure your system. Take the time and download them for Office, Edge, Chrome, Firefox and update those that come with Windows. - Integrate drivers not only for the base image but also in the recovery and setup image. - Install a firewall (binisoft is fine) - Use NextDNS - If you don’t mind the security implications: Disable Defender, SmartScreen, BootGuard and VBS (use bcdedit) - Disable Microcode loading (delete the DLL) - Disable Spectre/Meltdown mitigations - If you need Office: Use the LTSC version

Most third party tools are outdated or do stupid stuff which isn’t needed. You can silence Windows with the right GroupPolicies quite easy.

replies(4): >>43553011 #>>43554530 #>>43554546 #>>43558401 #
2. p_ing ◴[02 Apr 25 01:52 UTC] No.43553011[source]
No one should follow those suggestions. They’re wholly unnecessary and plain bad security practices. You make yourself/users significantly more vulnerable with these suggestions for no gain.
3. Novosell ◴[02 Apr 25 07:56 UTC] No.43554530[source]
Disable all antivirsus capabilities, microcode and spectre/meltdown mitigations...

Can't believe NSO group is here doing some weird psyop. Very funny.

4. PufPufPuf ◴[02 Apr 25 07:59 UTC] No.43554546[source]
Exactly what is this trying to achieve? Running a third party tool to modify the OS, disabling security features, using "downloaded" group policies (what policies?), and sending all your DNS traffic to a third party (when on PC it's possible to just modify the etc/hosts file) -- these aren't exactly the best security practices. The only reasonable suggestion is the IoT Windows version.
replies(2): >>43558391 #>>43569027 #
5. 7bit ◴[02 Apr 25 16:22 UTC] No.43558391[source]
Agreed with the "what does this achieve". In Corporate environments you would use SCCM or simply the Windows ADK plus WDS.

Installing a custom Firewall and Antivirus ist straight counteproductive, as ist disabling security features... obvisouly.

Downloading and installing group policies however is often required and a typical enterprise scenario.

Whenever I hear people praise these kind of things I know they don't really have any professional knowledge. It's fine to configure your own system, but suggesting these things SHOULD be done pisses me off to no end.

replies(1): >>43569280 #
6. 7bit ◴[02 Apr 25 16:23 UTC] No.43558401[source]
Doing things for many years doesnt mean you are experienced. Half the stuff you recommend would land straight in the bin of any person who truly has some idea of security, not speaking of true professionals.
7. atVelocet ◴[03 Apr 25 13:04 UTC] No.43569027[source]
Make the system need way less ressouces and get way more raw compute power.

There‘s a reason i wrote a hint about the security. If you keep this in mind and know what you are doing (like take such a setup as a base for VMs) this totally fine.

I am also not aware of any Spectre/Meltdown exploits ever to be found in the wild. If you are not running on a shared system i don’t see a need for those mitigations.

Regarding the third party tool: NTlite uses `dism` under the hood with which you can achieve the same results. You are already sending your DNS to a third party (like your ISP).

You also should never ever alter the hosts file and abuse it for ad blocking and such.

Microsoft supplies the latest group policies for their software. Or how else do you handle those on a local system?

I never said my post was about security but on how to alter your local system in a „more correct“ way with a clear hint about security. If you don’t know what you are doing then you should think twice when touching your system.

8. atVelocet ◴[03 Apr 25 13:25 UTC] No.43569280{3}[source]
Seems i lack a lot of professional knowledge so please enlighten me on how you would do it.

Why use ADK or SCCM for a personal install?

The custom firewall is just a frontend for the builtin firewall.

GP reg keys are used by many third party tools to alter the system. So why use extra software if you can get this directly from the vendor?

And also a rant about anti virus: What do think is the first thing malware does? How does your system get infected if you are using an updated browser, open mails in it and use it for viewing attachments like PDF? Maybe there is even malware out there that does take advantage of high jacking the anti virus and its system priviliges? But who knows… it always depends on the user and the use case.