function Microwin-NewUnattend { param ( [Parameter(Mandatory, Position = 0)] [string]$userName, [Parameter(Position = 1)] [string]$userPassword ) $unattend = @' <#REPLACEME#> 1 CMD /C echo LAU GG>C:\Windows\LogAuditUser.txt StartMenu USER-REPLACEME Administrators PW-REPLACEME PT-STATUS</PlainText> </Password> </LocalAccount> </LocalAccounts> </UserAccounts> <AutoLogon> <Username>USER-REPLACEME</Username> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Password> <Value>PW-REPLACEME</Value> <PlainText>PT-STATUS</PlainText> </Password> </AutoLogon> <OOBE> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> <SkipUserOOBE>true</SkipUserOOBE> <SkipMachineOOBE>true</SkipMachineOOBE> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <HideEULAPage>true</HideEULAPage> <ProtectYourPC>3</ProtectYourPC> </OOBE> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> <CommandLine>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 0 /f</CommandLine> </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>2</Order> <CommandLine>cmd.exe /c echo 23&gt;c:\windows\csup.txt</CommandLine> </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>3</Order> <CommandLine>CMD /C echo GG&gt;C:\Windows\LogOobeSystem.txt</CommandLine> </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>4</Order> <CommandLine>powershell -ExecutionPolicy Bypass -File c:\windows\FirstStartup.ps1</CommandLine> </SynchronousCommand> </FirstLogonCommands> </component> </settings> </unattend> '@ $specPass = @' <settings pass="specialize"> <component name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <CEIPEnabled>0</CEIPEnabled> </component> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ConfigureChatAutoInstall>false</ConfigureChatAutoInstall> </component> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>3</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\Runonce" /v "UninstallCopilot" /t REG_SZ /d "powershell.exe -NoProfile -Command \"Get-AppxPackage -Name 'Microsoft.Windows.Ai.Copilot.Provider' | Remove-AppxPackage;\"" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>4</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>5</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>6</Order> <Path>reg.exe delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe\DevHomeUpdate" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>7</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>8</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Notepad" /v ShowStoreBanner /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>9</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>10</Order> <Path>cmd.exe /c "del "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk""</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>11</Order> <Path>cmd.exe /c "del "C:\Windows\System32\OneDriveSetup.exe""</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>12</Order> <Path>cmd.exe /c "del "C:\Windows\SysWOW64\OneDriveSetup.exe""</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>13</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>14</Order> <Path>reg.exe delete "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>15</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>16</Order> <Path>reg.exe delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe\OutlookUpdate" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>17</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications" /v ConfigureChatAutoInstall /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>18</Order> <Path>powershell.exe -NoProfile -Command "$xml = [xml]::new(); $xml.Load('C:\Windows\Panther\unattend.xml'); $sb = [scriptblock]::Create( $xml.unattend.Extensions.ExtractScript ); Invoke-Command -ScriptBlock $sb -ArgumentList $xml;"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>19</Order> <Path>powershell.exe -NoProfile -Command "Get-Content -LiteralPath 'C:\Windows\Temp\Microwin-RemovePackages.ps1' -Raw | Invoke-Expression;"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>20</Order> <Path>powershell.exe -NoProfile -Command "Get-Content -LiteralPath 'C:\Windows\Temp\remove-caps.ps1' -Raw | Invoke-Expression;"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>21</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v ConfigureStartPins /t REG_SZ /d "{ \"pinnedList\": [] }" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>22</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v ConfigureStartPins_ProviderSet /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>23</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start" /v ConfigureStartPins_WinningProvider /t REG_SZ /d B5292708-1619-419B-9923-E5D9F3925E71 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>24</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\providers\B5292708-1619-419B-9923-E5D9F3925E71\default\Device\Start" /v ConfigureStartPins /t REG_SZ /d "{ \"pinnedList\": [] }" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>25</Order> <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\providers\B5292708-1619-419B-9923-E5D9F3925E71\default\Device\Start" /v ConfigureStartPins_LastWrite /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>26</Order> <Path>net.exe accounts /maxpwage:UNLIMITED</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>27</Order> <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>28</Order> <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>29</Order> <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Dsh" /v AllowNewsAndInterests /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>30</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>31</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>32</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>33</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OEMPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>34</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>35</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>36</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>37</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>38</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>39</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>40</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>41</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>42</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>43</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>44</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>45</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>46</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>47</Order> <Path>reg.exe add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 0 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>48</Order> <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>49</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>50</Order> <Path>reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\Runonce" /v "ClassicContextMenu" /t REG_SZ /d "reg.exe add \"HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\" /ve /f" /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>51</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings> '@ if ((Microwin-TestCompatibleImage $imgVersion $([System.Version]::new(10,0,22000,1))) -eq $false) { # Replace the placeholder text with an empty string to make it valid for Windows 10 Setup $unattend = $unattend.Replace("<#REPLACEME#>", "").Trim() } else { # Replace the placeholder text with the Specialize pass $unattend = $unattend.Replace("<#REPLACEME#>", $specPass).Trim() } # User password in Base64. According to Microsoft, this is the way you can hide this sensitive information. # More information can be found here: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file # Yeah, I know this is not the best way to protect this kind of data, but we all know how Microsoft is - "the Apple of security" (in a sense, it takes them # an eternity to implement basic security features right. Just look at the NTLM and Kerberos situation!) $b64pass = "" # Replace default User and Password values with the provided parameters $unattend = $unattend.Replace("USER-REPLACEME", $userName).Trim() try { # I want to play it safe here - I don't want encoding mismatch problems like last time # NOTE: "Password" needs to be appended to the password specified by the user. Otherwise, a parse error will occur when processing oobeSystem. # This will not be added to the actual password stored in the target system's SAM file - only the provided password $b64pass = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("$($userPassword)Password")) } catch { $b64pass = "" } if ($b64pass -ne "") { # If we could encode the password with Base64, put it in the answer file and indicate that it's NOT in plain text $unattend = $unattend.Replace("PW-REPLACEME", $b64pass).Trim() $unattend = $unattend.Replace("PT-STATUS", "false").Trim() $b64pass = "" } else { $unattend = $unattend.Replace("PW-REPLACEME", $userPassword).Trim() $unattend = $unattend.Replace("PT-STATUS", "true").Trim() } # Save unattended answer file with UTF-8 encoding $unattend | Out-File -FilePath "$env:temp\unattend.xml" -Force -Encoding utf8 }