[MicroWin] Preparation for 2025 (#3066)

* Set Boot Manager entry timeout to 0

Fixes #2562

* Exclude Windows Hello stuff from package removal

* Obscure passwords with Base64 and fix indentation

Fixes #3064

* Fix name of excluded package

* Update comment

It reflects my feelings towards Microsoft when it comes to security a lot better

* Remove jargon of scratch directory options

* Package exclusion improvements

- Removed AppX packages from OS package exclusion list
- Added exclusion of PowerShell ISE (source: Discord server - yes, some people still use the PowerShell ISE)

* Exclude Windows Photo Viewer from dir removal

* Improve copy operation to Ventoy drives

This change may fix the issues where there's a conflict between both Ventoy's and MicroWin's unattended answer files, causing target images to stop working as expected during OOBE

* Add VirtIO functionality and more enhancements

- Added the ability to grab VirtIO Guest Tools
- Modified the description of the Copy ISO files function because it basically had nonsense

* Fix typo (#3104)

* Access specific property of ISO image object

Only show the ISO path. No one is interested in the storage type

* Add detections for expedited app removal

They only affect 24H2 and newer. Earlier releases don't have these expedited apps

* Update message

* Add VirtIO instructions to MicroWin page

* Add DISM command fallback

This fallback is triggered if an exception occurs while getting information with the cmdlets (I couldn't test this on my host as everything magically works now - sometimes it threw the Class not registered error)

* Exclude OpenSSH from package removal

Some people need this to avoid installing third-party programs like PuTTY

* Fixed some more indentation

functions/microwin/Microwin-NewUnattend.ps1

@@ -31,7 +31,7 @@ function Microwin-NewUnattend {
                             <Group>Administrators</Group>
                             <Password>
                                 <Value>PW-REPLACEME</Value>
-                                <PlainText>true</PlainText>
+                                <PlainText>PT-STATUS</PlainText>
                             </Password>
                         </LocalAccount>
                     </LocalAccounts>
@@ -42,7 +42,7 @@ function Microwin-NewUnattend {
                     <LogonCount>1</LogonCount>
                     <Password>
                         <Value>PW-REPLACEME</Value>
-                        <PlainText>true</PlainText>
+                        <PlainText>PT-STATUS</PlainText>
                     </Password>
                 </AutoLogon>
                 <OOBE>
@@ -295,15 +295,40 @@ function Microwin-NewUnattend {
     </settings>
 '@
     if ((Microwin-TestCompatibleImage $imgVersion $([System.Version]::new(10,0,22000,1))) -eq $false) {
-    # Replace the placeholder text with an empty string to make it valid for Windows 10 Setup
-    $unattend = $unattend.Replace("<#REPLACEME#>", "").Trim()
+        # Replace the placeholder text with an empty string to make it valid for Windows 10 Setup
+        $unattend = $unattend.Replace("<#REPLACEME#>", "").Trim()
     } else {
-    # Replace the placeholder text with the Specialize pass
-    $unattend = $unattend.Replace("<#REPLACEME#>", $specPass).Trim()
+        # Replace the placeholder text with the Specialize pass
+        $unattend = $unattend.Replace("<#REPLACEME#>", $specPass).Trim()
     }
+
+    # User password in Base64. According to Microsoft, this is the way you can hide this sensitive information.
+    # More information can be found here: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file
+    # Yeah, I know this is not the best way to protect this kind of data, but we all know how Microsoft is - "the Apple of security" (in a sense, it takes them
+    # an eternity to implement basic security features right. Just look at the NTLM and Kerberos situation!)
+
+    $b64pass = ""
+
     # Replace default User and Password values with the provided parameters
     $unattend = $unattend.Replace("USER-REPLACEME", $userName).Trim()
-    $unattend = $unattend.Replace("PW-REPLACEME", $userPassword).Trim()
+    try {
+        # I want to play it safe here - I don't want encoding mismatch problems like last time
+
+        # NOTE: "Password" needs to be appended to the password specified by the user. Otherwise, a parse error will occur when processing oobeSystem.
+        # This will not be added to the actual password stored in the target system's SAM file - only the provided password
+        $b64pass = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("$($userPassword)Password"))
+    } catch {
+        $b64pass = ""
+    }
+    if ($b64pass -ne "") {
+        # If we could encode the password with Base64, put it in the answer file and indicate that it's NOT in plain text
+        $unattend = $unattend.Replace("PW-REPLACEME", $b64pass).Trim()
+        $unattend = $unattend.Replace("PT-STATUS", "false").Trim()
+        $b64pass = ""
+    } else {
+        $unattend = $unattend.Replace("PW-REPLACEME", $userPassword).Trim()
+        $unattend = $unattend.Replace("PT-STATUS", "true").Trim()
+    }
 
     # Save unattended answer file with UTF-8 encoding
     $unattend | Out-File -FilePath "$env:temp\unattend.xml" -Force -Encoding utf8