Win10Hub_Unattend.xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<!-- generalize pass: PersistAllDeviceInstalls=false means installed device
     instances are not kept in the generalized image, so hardware is detected
     again on the device that receives the image. -->
<settings pass="generalize">
  <component name="Microsoft-Windows-PnpSysprep"
             processorArchitecture="amd64"
             publicKeyToken="31bf3856ad364e35"
             language="neutral"
             versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
  </component>
</settings>
<!-- specialize pass: machine-wide hardening applied by Setup before any user
     signs in. Every registry write below uses "reg add ... /f", which
     overwrites an existing value without prompting. -->
<settings pass="specialize">
  <component name="Microsoft-Windows-Shell-Setup"
             processorArchitecture="AMD64"
             publicKeyToken="31bf3856ad364e35"
             language="neutral"
             versionScope="nonSxS">
    <!-- NOTE(review): 0 presumably suppresses the tablet-mode switch prompt; confirm against the Shell-Setup reference. -->
    <ConvertibleSlateModePromptPreference>0</ConvertibleSlateModePromptPreference>
  </component>
  <component name="Microsoft-Windows-Deployment"
             processorArchitecture="amd64"
             publicKeyToken="31bf3856ad364e35"
             language="neutral"
             versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- NOTE(review): Order values skip 9, 10, 21 and 22; presumably entries
         were removed at some point. Confirm nothing that belonged in those
         slots is still expected. -->
    <RunSynchronous>

      <!-- Order 1: PowerShell execution policy set to Restricted.
           Execution policy is a safety default, not a security boundary: it
           can be overridden per process by anyone able to start
           powershell.exe. Where script execution must really be prevented,
           pair this with an application control policy. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>1</Order>
        <Description>PowerShell Execution Policy</Description>
        <Path>powershell.exe -noprofile -command "Set-ExecutionPolicy Restricted -Force"</Path>
      </RunSynchronousCommand>

      <!-- Order 2: activates the built-in Administrator account.
           No password is set anywhere in this answer file.
           NOTE(review): confirm that the image or a later provisioning step
           gives this account a strong, per-device password, or that the
           account is disabled again once deployment has finished. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>2</Order>
        <Description>EnableAdmin</Description>
        <Path>cmd /c net user Administrator /active:yes</Path>
      </RunSynchronousCommand>

      <!-- Orders 3 to 8: BitLocker (FVE) policy values.
           UseAdvancedStartup=1 requires additional authentication at startup;
           the UseTPM* values are 2, which the descriptions label "Allow".
           These are policy settings only. Nothing in this file turns
           encryption on, so verify that BitLocker is actually enabled and
           that recovery keys are escrowed by whatever step provisions it. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>3</Order>
        <Description>Enable use of Bitlocker authentication requiring preboot keyboard input on slates</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSEnablePrebootInputProtectorsOnSlates /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>4</Order>
        <Description>Require Additional Authentication at startup for Bitlocker</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>5</Order>
        <Description>Allow TPM</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /d 2 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>6</Order>
        <Description>Allow Startup Key with TPM</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /d 2 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>7</Order>
        <Description>Allow startup key and PIN with TPM</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /d 2 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>8</Order>
        <Description>Allow startup PIN with TPM</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /d 2 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>

      <!-- Orders 11 to 17: Virtualization-based Security, hypervisor-enforced
           code integrity and Credential Guard, each with its lock value set.
           With the UEFI lock in place the features cannot be switched off by
           reverting these registry values alone, so test on representative
           hardware before broad rollout and keep the opt-out procedure to
           hand. After deployment, check the reported VBS state (for example
           in System Information) rather than trusting the registry writes. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>11</Order>
        <Description>Enable Virtualization-based Security features</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>12</Order>
        <Description>Require Secure Boot with DMA for Virtualization-based Security features</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /d 3 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>13</Order>
        <Description>Enable Virtualization-based Security with UEFI lock</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v Locked /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <!-- Orders 14 and 15 carry the same Description: 14 writes Enabled,
           15 writes Locked, both under HypervisorEnforcedCodeIntegrity. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>14</Order>
        <Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>15</Order>
        <Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Locked /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>16</Order>
        <Description>Protect Credentials using Virtualization-based Security</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>17</Order>
        <Description>Enable Credential Guard with UEFI lock</Description>
        <Path>cmd /c reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>

      <!-- Orders 18 to 20: speculative-execution side-channel mitigations.
           FeatureSettingsOverride=72 with FeatureSettingsOverrideMask=3 are
           opaque bit fields; NOTE(review): re-check both numbers against the
           vendor guidance current for the deployed build. The registry
           switches only take full effect with matching CPU microcode or
           firmware installed. MinVmVersionForCpuBasedMitigations presumably
           matters only where the device hosts virtual machines. -->
      <RunSynchronousCommand wcm:action="add">
        <Order>18</Order>
        <Description>Spectre/Meltdown mitigation</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>19</Order>
        <Description>Spectre/Meltdown mitigation</Description>
        <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>20</Order>
        <Description>Spectre/Meltdown mitigation</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f</Path>
      </RunSynchronousCommand>

      <!-- Orders 23 to 25: user-experience policies (Edge first-run page,
           consumer features, soft-landing tips). -->
      <RunSynchronousCommand wcm:action="add">
        <Order>23</Order>
        <Description>Disable Microsoft Edge first-run popup</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v PreventFirstRunPage /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>24</Order>
        <Description>Disable Consumer Features</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>
      <RunSynchronousCommand wcm:action="add">
        <Order>25</Order>
        <Description>Disable "How to use Windows" popups</Description>
        <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /d 1 /t REG_DWORD /f</Path>
      </RunSynchronousCommand>

    </RunSynchronous>
  </component>
</settings>
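<!-- oobeSystem pass: commands run at first logon, plus the touch keyboard
     setting. -->
<settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup"
             processorArchitecture="AMD64"
             publicKeyToken="31bf3856ad364e35"
             language="neutral"
             versionScope="nonSxS">
    <!-- FirstLogonCommands execute with administrative rights, so each
         target must live where standard users cannot write.
         NOTE(review): confirm the ACLs on the Surface folder in the image. -->
    <FirstLogonCommands>
      <SynchronousCommand>
        <Order>1</Order>
        <Description>Customize Device</Description>
        <!-- Path is quoted: %ProgramFiles% expands to a path containing a
             space, and an unquoted command line is ambiguous about where the
             executable name ends. This matches the quoting already used for
             the Office command below. -->
        <CommandLine><![CDATA["%ProgramFiles%\Surface\PosterCustomization.cmd"]]></CommandLine>
      </SynchronousCommand>
      <SynchronousCommand>
        <Order>2</Order>
        <Description>Office Culture Refresh - X64</Description>
        <CommandLine><![CDATA["%CommonProgramFiles%\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=CULTUREREFRESH RemoveNonClientCultures=True displaylevel=False]]></CommandLine>
      </SynchronousCommand>
    </FirstLogonCommands>
  </component>
  <component name="Microsoft-Windows-TabletPC-Platform-Input-Core"
             processorArchitecture="AMD64"
             publicKeyToken="31bf3856ad364e35"
             language="neutral"
             versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- NOTE(review): value is capitalised "True"; confirm Setup accepts it,
         since schema booleans are normally lowercase. -->
    <TouchKeyboardAutoInvokeEnabled>True</TouchKeyboardAutoInvokeEnabled>
  </component>
</settings>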
</unattend>