forked from microsoft/SurfaceDeploymentAccelerator
Win10Ent_Unattend.xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <!--
    Windows 10 Enterprise answer file with two configuration passes:
      * specialize: a list of RunSynchronousCommand entries, each carrying an
        explicit Order value, that set the PowerShell execution policy, enable
        the built-in Administrator account, and write BitLocker,
        virtualization-based security, speculative-execution and
        first-run-experience settings under HKLM with "reg add".
      * generalize: PnpSysprep settings.
    Order values 9, 10, 21 and 22 are not used in this file.
  -->
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>

        <!-- PowerShell: set the execution policy to Restricted. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>PowerShell Execution Policy</Description>
          <Path>powershell.exe -noprofile -command "Set-ExecutionPolicy Restricted -Force"</Path>
        </RunSynchronousCommand>

        <!--
          Activates the built-in Administrator account. No password is set
          anywhere in this file.
          NOTE(review): confirm that another step of the deployment assigns a
          strong, per-device password to this account or disables it again
          before the device is handed to a user.
        -->
        <RunSynchronousCommand wcm:action="add">
          <Order>2</Order>
          <Description>EnableAdmin</Description>
          <Path>cmd /c net user Administrator /active:yes</Path>
        </RunSynchronousCommand>

        <!--
          BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE
          (Order 3 to 8). Going by the Description fields: additional
          authentication at startup is required (UseAdvancedStartup = 1),
          pre-boot keyboard input is enabled on slates, and each of the
          TPM-only, TPM + startup key, TPM + startup key + PIN and TPM + PIN
          protectors is set to 2 ("allow"). Nothing in this file turns
          BitLocker on or requires a PIN; these values only define which
          protectors may be used.
        -->
        <RunSynchronousCommand wcm:action="add">
          <Order>3</Order>
          <Description>Enable use of Bitlocker authentication requiring preboot keyboard input on slates</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSEnablePrebootInputProtectorsOnSlates /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>4</Order>
          <Description>Require Additional Authentication at startup for Bitlocker</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>5</Order>
          <Description>Allow TPM</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>6</Order>
          <Description>Allow Startup Key with TPM</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>7</Order>
          <Description>Allow startup key and PIN with TPM</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>8</Order>
          <Description>Allow startup PIN with TPM</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

        <!--
          Virtualization-based security (Order 11 to 17), written under
          HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and ...\Control\Lsa.
          Going by the Description fields: VBS is enabled, Secure Boot with DMA
          protection is required (RequirePlatformSecurityFeatures = 3),
          hypervisor-enforced code integrity and Credential Guard are enabled,
          and the "Locked" / LsaCfgFlags = 1 values select the UEFI-locked mode.
          NOTE(review): per Microsoft's documentation a UEFI-locked
          configuration is not undone by reverting these registry values alone.
          Confirm firmware and driver compatibility on the target hardware, and
          have a documented rollback procedure, before deploying this broadly.
        -->
        <RunSynchronousCommand wcm:action="add">
          <Order>11</Order>
          <Description>Enable Virtualization-based Security features</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>12</Order>
          <Description>Require Secure Boot with DMA for Virtualization-based Security features</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /d 3 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>13</Order>
          <Description>Enable Virtualization-based Security with UEFI lock</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v Locked /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <!-- Order 14 and 15 share one Description: 14 writes Enabled, 15 writes Locked. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>14</Order>
          <Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>15</Order>
          <Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Locked /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>16</Order>
          <Description>Protect Credentials using Virtualization-based Security</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>17</Order>
          <Description>Enable Credential Guard with UEFI lock</Description>
          <Path>cmd /c reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

        <!--
          Speculative-execution mitigation switches (Order 18 to 20).
          NOTE(review): FeatureSettingsOverride = 72 with
          FeatureSettingsOverrideMask = 3 appears to match the value pair
          Microsoft publishes for enabling the Spectre/Meltdown mitigations
          together with the later Speculative Store Bypass and MDS mitigations
          while leaving Hyper-Threading on; confirm against current Microsoft
          guidance for the CPUs in the fleet. MinVmVersionForCpuBasedMitigations
          presumably only matters where the device acts as a Hyper-V host.
          These values take effect only with the matching OS updates and
          firmware/microcode installed.
        -->
        <RunSynchronousCommand wcm:action="add">
          <Order>18</Order>
          <Description>Spectre/Meltdown mitigation</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>19</Order>
          <Description>Spectre/Meltdown mitigation</Description>
          <Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>20</Order>
          <Description>Spectre/Meltdown mitigation</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f</Path>
        </RunSynchronousCommand>

        <!-- First-run and consumer-experience policies (Order 23 to 25). -->
        <RunSynchronousCommand wcm:action="add">
          <Order>23</Order>
          <Description>Disable Microsoft Edge first-run popup</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v PreventFirstRunPage /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>24</Order>
          <Description>Disable Consumer Features</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>25</Order>
          <Description>Disable "How to use Windows" popups</Description>
          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

      </RunSynchronous>
    </component>
  </settings>

  <!--
    generalize pass: both PnpSysprep switches are set to true. Going by the
    setting names, device installs are persisted and non-present devices are
    not cleaned up when the image is generalized.
  -->
  <settings pass="generalize">
    <component name="Microsoft-Windows-PnpSysprep"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
    </component>
  </settings>

  <!--
    Reference to the install.wim image and edition this answer file is tied to.
    The path is a local one on drive d:; presumably it is authoring-tool
    metadata from the machine where the file was created. Verify before
    relying on it.
  -->
  <cpi:offlineImage cpi:source="wim:d:/temp/enterprise/10.0.18363/x64/sourcewims/install.wim#Windows 10 Enterprise"
                    xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>