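<?xml version="1.0" encoding="utf-8"?>
<!--
  Windows 10 Enterprise unattend answer file.

  Passes present:
    windowsPE  - an empty ProductKey (no key is embedded in the image).
    specialize - a RunSynchronous list that, via reg.exe, configures BitLocker
                 policy, Virtualization-based Security / HVCI, Credential Guard
                 and speculative-execution mitigations, then installs the VC++
                 runtimes and suppresses first-run consumer UI.

  Every RunSynchronousCommand runs as SYSTEM before any user logs on, in the
  order given by <Order>. "reg.exe add ... /f" overwrites an existing value, so
  a later command silently replaces an earlier write to the same value
  (this is why the FeatureSettingsOverride pair below is written once, with the
  bits combined). Values under HKLM\SOFTWARE\Policies are Group Policy keys and
  may later be overridden by domain policy.
-->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UserData>
        <!-- Intentionally empty: no product key is injected by this file -->
        <ProductKey></ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>
        <!-- 1: activate the built-in Administrator account. No password is set
             anywhere in this file. NOTE(review): confirm the deployment sets or
             rotates this account's password before first logon. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>EnableAdmin</Description>
          <Path>cmd /c net user Administrator /active:yes</Path>
        </RunSynchronousCommand>

        <!-- 2..10: BitLocker policy (HKLM\SOFTWARE\Policies\Microsoft\FVE).
             For the UseTPM* values 2 means "allow" (1 would mean "require"),
             so these permit but do not mandate a PIN / startup key. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>2</Order>
          <Description>Enable use of Bitlocker authentication requiring preboot keyboard input on slates</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSEnablePrebootInputProtectorsOnSlates /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>3</Order>
          <Description>Require Additional Authentication at startup for Bitlocker</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>4</Order>
          <Description>Allow TPM</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>5</Order>
          <Description>Allow Startup Key with TPM</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>6</Order>
          <Description>Allow startup key and PIN with TPM</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>7</Order>
          <Description>Allow startup PIN with TPM</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <!-- 8..9: encryption method 7 = XTS-AES 256 for OS and fixed data drives -->
        <RunSynchronousCommand wcm:action="add">
          <Order>8</Order>
          <Description>Use XTS-AES-256 Bitlocker encryption algorithm for OS drives</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EncryptionMethodWithXtsOs /d 7 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>9</Order>
          <Description>Use XTS-AES-256 Bitlocker encryption algorithm for fixed non-OS drives</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EncryptionMethodWithXtsFdv /d 7 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <!-- 10: OSEncryptionType 2 = used-space-only; previously deleted data in
             free space is not encrypted, which is acceptable for a fresh image -->
        <RunSynchronousCommand wcm:action="add">
          <Order>10</Order>
          <Description>Used space only Bitlocker encryption</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSEncryptionType /d 2 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

        <!-- 11..17: Virtualization-based Security, HVCI and Credential Guard.
             Locked = 1 and LsaCfgFlags = 1 apply a UEFI lock: once set, VBS /
             Credential Guard cannot be turned off by a later policy change
             alone; a physical-presence reset is required. Decide this before
             imaging. RequirePlatformSecurityFeatures 3 = Secure Boot plus DMA
             protection, so devices lacking either will not enable VBS. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>11</Order>
          <Description>Enable Virtualization-based Security features</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>12</Order>
          <Description>Require Secure Boot with DMA for Virtualization-based Security features</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /d 3 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>13</Order>
          <Description>Enable Virtualization-based Security with UEFI lock</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v Locked /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <!-- 14 enables HVCI, 15 applies its UEFI lock -->
        <RunSynchronousCommand wcm:action="add">
          <Order>14</Order>
          <Description>Protect Code Integrity policies using Virtualization-based Security</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>15</Order>
          <Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Locked /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>16</Order>
          <Description>Protect Credentials using Virtualization-based Security</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <!-- 17: LsaCfgFlags 1 = Credential Guard enabled with UEFI lock
             (2 would enable it without the lock) -->
        <RunSynchronousCommand wcm:action="add">
          <Order>17</Order>
          <Description>Enable Credential Guard with UEFI lock</Description>
          <Path>reg.exe add "HKLM\System\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

        <!-- 18..19: speculative-execution mitigations.
             FeatureSettingsOverride / FeatureSettingsOverrideMask are bit
             masks and must be written once with all wanted bits combined:
               0x008 / 0x003 - enable mitigations for CVE-2018-3639 (SSB),
                               CVE-2017-5715 (Spectre v2), CVE-2017-5754 (Meltdown)
               0x400 / 0x400 - enable Retpoline for Spectre v2
             Writing the two pairs as separate "reg add /f" commands (as an
             earlier revision did) lets the Retpoline pair overwrite the first,
             leaving only 0x400 / 0x400 and dropping the SSB enable bit. -->
        <RunSynchronousCommand wcm:action="add">
          <Order>18</Order>
          <Description>Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) with Retpoline, and CVE-2017-5754 (Meltdown)</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x408 /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>19</Order>
          <Description>Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) with Retpoline, and CVE-2017-5754 (Meltdown)</Description>
          <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x403 /f</Path>
        </RunSynchronousCommand>
        <!-- 20: Hyper-V host setting; harmless on a device that never hosts VMs -->
        <RunSynchronousCommand wcm:action="add">
          <Order>20</Order>
          <Description>Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f</Path>
        </RunSynchronousCommand>

        <!-- 21..22: suppress consumer content and first-run tips -->
        <RunSynchronousCommand wcm:action="add">
          <Order>21</Order>
          <Description>Disable Consumer Features</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>22</Order>
          <Description>Disable "How to use Windows" popups</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>

        <!-- 23..28: VC++ runtime installers. These executables are expected to
             have been staged under C:\Windows\Temp\VCRuntimes by the image
             build and run here as SYSTEM; the staging step is the trust
             boundary, so the build should only copy signed, known-good
             installers. A missing file fails that command (and setup). -->
        <RunSynchronousCommand wcm:action="add">
          <Order>23</Order>
          <Description>Install VC 2013 x86 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2013\vcredist_x86.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>24</Order>
          <Description>Install VC 2013 x64 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2013\vcredist_x64.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>25</Order>
          <Description>Install VC 2015 x86 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2015\vc_redist.x86.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>26</Order>
          <Description>Install VC 2015 x64 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2015\vc_redist.x64.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>27</Order>
          <Description>Install VC 2017 x86 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2017\vc_redist.x86.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>28</Order>
          <Description>Install VC 2017 x64 runtimes</Description>
          <Path>C:\Windows\Temp\VCRuntimes\2017\vc_redist.x64.exe /install /passive /norestart</Path>
        </RunSynchronousCommand>

        <!-- 29: legacy (EdgeHTML) Edge policy; has no effect on Chromium-based Edge -->
        <RunSynchronousCommand wcm:action="add">
          <Order>29</Order>
          <Description>Disable Microsoft Edge first-run popup</Description>
          <Path>reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v PreventFirstRunPage /d 1 /t REG_DWORD /f</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>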