Generate autounattend.xml files for Windows 10/11

This service lets you create answer files (typically named unattend.xml or autounattend.xml) to perform unattended installations of Windows 10/11. The .NET library that forms the basis for this service is available on GitHub.

Region and language settings:
Processor architectures:

When you select multiple processor architectures, a single autounattend.xml file will be created that is applicable to all of these architectures.

Setup settings: This effectively runs the oobe\BypassNRO.cmd command, which was discovered by Reddit user aveyo. Note that you still have to click the I don't have internet button during Windows Setup.
Computer name:
Time zone:
This is useful when your country or region spans multiple time zones, like Australia or the United States.
Partitioning and formatting:
Choose partition layout
The GPT partition layout must be used for UEFI systems. Set the size of the EFI System Partition (ESP) to MB.
MBR The MBR-based partition layout must be used for legacy BIOS systems.
Choose how to install Windows RE
Create a separate partition with a size of MB and install Windows RE to it.
This will install Windows RE in C:\Recovery. No recovery partition will be created.
This will delete the C:\Recovery folder and thus free about 600 MB of disk space. No recovery partition will be created.

Avoid drive letter assignments (e.g. ASSIGN LETTER=R) in your script as these will not persist.

Choose partition to install Windows to after script has run
Windows edition:
Such a key can be used to install Windows, but will not activate it. You can change the product key later.
You can also enter your key in the autounattend.xml file. To do this, find the <Key>00000-00000-00000-00000-00000</Key> element and replace the text with your key.
User accounts:
Account name Password Group
First logon

Some settings might not be applied until an administrator logs on for the first time. You should therefore let Windows log you on to an administrator account once – this does not affect subsequent logons. Choose which account to use for this:

The installation ends with the sign-in screen being shown.
Choose this if you want to use a Microsoft account.
Account Lockout policy: By default, Windows will lock out an account after 10 failed logon attempts (threshold) within 10 minutes (window). After 10 minutes (duration), the account is unlocked automatically. Disabling Account Lockout might leave your computer vulnerable to brute-force attacks.
Lock out an account after failed logon attempts within minutes. After minutes, unlock the account automatically.
Optimizations:
This disables certain services (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) during Windows Setup. A reboot might be required to stop these services. The method to disable Windows Defender on Windows 11 was adapted from an article by Rudy Mens.
Windows will not create restore points for drive C: and thus use less disk space.
This sets the LongPathsEnabled registry value, which enables several programs (including PowerShell, 7-Zip and TreeSize) to use long paths with up to 32,767 characters without resorting to the \\?\ prefix.
This removes write permissions on C:\ for the Authenticated Users group. In particular, this prevents unprivileged users from creating bogus folders such as C:\Windows .
This runs the command Set-ExecutionPolicy -ExecutionPolicy 'RemoteSigned', which allows the execution of unsigned .ps1 files.
This runs the command fsutil.exe behavior set disableLastAccess 1, which can improve file system performance.
This prevents Windows Update from rebooting when a user is signed in.
This changes the sound scheme from Windows Default to No sounds for all users.
Similar to SetupComplete.cmd, this will execute the file C:\Windows\Setup\Scripts\UserFirstLogon.cmd whenever a user logs on for the first time. Note that you can place these files in the sources\$OEM$\$1\Windows\Setup\Scripts directory of your Windows installation disk.
This sets several registry values that prevent the silent download and installation of suggested apps.
This hides the news and weather widget in the lower-left corner in Windows 11.
Each time a new process is created, Windows writes an event to the Security log. This is a powerful tool for troubleshooting.
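
To show what this audit setting gives you when troubleshooting an unattended installation, here is an added example (not part of this service or of the generated autounattend.xml) that confirms the audit subcategory is enabled and lists recent process creation events (event ID 4688) with their parent process. It assumes an elevated PowerShell session on an English-language Windows installation.

```powershell
# Added example, not generated by this service. Run in an elevated session.
# Confirm that auditing of process creation is enabled.
# The subcategory name below is localized on non-English Windows.
auditpol.exe /get /subcategory:"Process Creation"

# Event 4688 in the Security log means "A new process has been created".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read the named fields from the event XML rather than relying on their order.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $data['SubjectUserName']
        Parent      = $data['ParentProcessName']
        Process     = $data['NewProcessName']
        # May be empty: command lines are only recorded when the separate
        # policy for including them in process creation events is enabled.
        CommandLine = $data['CommandLine']
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```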
WLAN / Wi-Fi setup: Choose this if you have a wired connection to the internet.

If both your Wi-Fi router and your computer's Wi-Fi adapter support it, make sure to select WPA3. Otherwise, Windows Setup will try to switch from WPA2 to WPA3 and require manual interaction.

You should not enter your actual Wi-Fi password here. Obfuscate letters and digits, but keep special characters (such as ^ & | < >) unchanged as these require non-trivial escaping. Once you have downloaded the autounattend.xml file, find the password enclosed between keyMaterial^&gt; and ^&lt;/keyMaterial and adjust it.

Express settings:
Windows will not send diagnostic data, personalized input or your location history to Microsoft. Choose this if you value privacy.
Windows will send data to Microsoft to provide location-based services, improve language recognition, and show personalized ads.
This lets you enable some settings while disabling others.
Remove bloatware:

Windows comes with several apps that many users do not want or do not need. Check all the apps you want removed during Windows Setup:

If you select one or more apps to remove, all shortcuts, tiles and pinned icons in the start menu will be deleted, utilizing a technique demonstrated by Michael Niehaus. This is to prevent a user from accidentally reinstalling an app that has just been removed. The method to completely remove OneDrive was described by Stefan Kanthak, with whom I also collaborated to identify the registry keys that block the installation of Dev Home and Outlook for Windows.

Windows Defender Application Control:

Applications in C:\Windows, C:\Program Files and C:\Program Files (x86) are allowed to run. Applications stored elsewhere and those in known user-writable folders such as C:\Windows\Temp or C:\Windows\Debug\WIA are not allowed to run. To disable this WDAC policy later, simply delete the file C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip and reboot. To create a more customized policy, see my online WDAC generator.

Choose how to enforce the policy
Logs drivers and applications that would have been blocked. When the policy blocks a system driver and thus would prevent Windows from booting, use audit mode. Otherwise, use enforcement mode.
Drivers and applications will be blocked unless allowed by the policy.
Choose script enforcement
PowerShell will run in Constrained Language Mode. See Script Enforcement for details.
PowerShell will run in Full Language Mode.
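
Before switching from audit mode to enforcement mode, it helps to see what the policy would block. The following added example (not code from this service) checks that the policy file named above is present, reports the PowerShell language mode of the current session, and summarizes Code Integrity block events. It assumes an elevated PowerShell session; the limit of 500 events is an arbitrary choice.

```powershell
# Added example, not generated by this service. Run in an elevated session.

# Policy file path as given on this page.
$policyFile = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip'

# Code Integrity event IDs:
#   3076 = file would have been blocked (policy in audit mode)
#   3077 = file was blocked (policy in enforcement mode)
$eventMode = @{ 3076 = 'Audit'; 3077 = 'Enforced' }

[pscustomobject]@{
    PolicyFilePresent = Test-Path -LiteralPath $policyFile
    # ConstrainedLanguage is expected here when script enforcement is chosen.
    LanguageMode      = $ExecutionContext.SessionState.LanguageMode
} | Format-List

$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue

# The event message names both the loading process and the affected file,
# so grouping on it shows which binaries trigger the policy most often.
$events |
    Select-Object @{ Name = 'Mode'; Expression = { $eventMode[$_.Id] } }, Message |
    Group-Object Mode, Message |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

An empty result in audit mode after normal use of the machine suggests that enforcement mode will not block anything you rely on; any driver listed under Audit is a reason to stay in audit mode, as described above.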
Placeholders for more components:

This service can optionally generate templates for all available components, with respect to their valid configuration passes. Look for <!--Placeholder--> comments in the generated autounattend.xml file and fill in the desired settings yourself.

Microsoft-Windows-NetBT
Microsoft-Windows-MapControl-Desktop
Microsoft-Windows-Tpm-Tasks
Microsoft-Windows-TerminalServices-RDP-WinStationExtensions
Microsoft-Windows-PnpCustomizationsWinPE
Microsoft-Windows-BLB-WSB-Online-Main
Microsoft-Windows-Shell-Setup
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-International-Core-WinPE
Microsoft-Windows-Disk-Failure-Diagnostic-Module
Microsoft-Windows-Deployment
Microsoft-Windows-Authentication-AuthUI
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-MobilePC-Sensors-API
Microsoft-Windows-MicrosoftEdgeBrowser
Microsoft-Windows-STObject
Microsoft-Windows-PnpSysprep
Microsoft-Windows-ServerManager-SvrMgrNc
Microsoft-Windows-WLANSVC
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-WDF-KernelLibrary
Microsoft-Windows-Fax-Service
Microsoft-Windows-PartitionManager
Microsoft-Windows-WWANUI
Microsoft-Windows-SystemSettingsThreshold
Microsoft-Windows-SystemMaintenanceService
Security-Malware-Windows-Defender
Microsoft-Windows-SHWebSVC
Microsoft-Windows-TerminalServices-CentralPublishing
Microsoft-Windows-EnhancedStorage-Adm
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-Embedded-BootExp
Microsoft-Windows-DeviceAccess
Microsoft-Windows-NetworkBridge
Microsoft-Windows-Embedded-ShellLauncher
Microsoft-Windows-LUA-Settings
Microsoft-Windows-Embedded-KeyboardFilterService
Microsoft-Windows-TwinUI
Microsoft-Windows-RasServer
Microsoft-Windows-TerminalServices-Publishing-WMIProvider
Microsoft-Windows-International-Core
Microsoft-Windows-WiFiNetworkManager
Microsoft-Windows-IE-ESC
Microsoft-Windows-NetworkLoadBalancing-Core
Microsoft-Windows-DiagCpl
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-HelpAndSupport
Microsoft-Windows-UnattendedJoin
Networking-MPSSVC-Svc
Microsoft-Windows-TapiSetup
Microsoft-Windows-IE-InternetExplorer
Microsoft-Windows-CoreMmRes
Microsoft-Windows-Printing-Spooler-Core
Microsoft-Windows-SystemRestore-Main
Microsoft-Windows-SecureStartup-FilterDriver
Microsoft-Windows-TerminalServices-LicenseServer
Microsoft-Windows-RemoteAssistance-Exe
Microsoft-Windows-WinRE-RecoveryAgent
Microsoft-Windows-ErrorReportingCore
Microsoft-Windows-TCPIP
Microsoft-Windows-Audio-VolumeControl
Microsoft-Windows-Embedded-UnifiedWriteFilter
Microsoft-Windows-Audio-AudioCore
Microsoft-Windows-GPIOButtons
Microsoft-Windows-DeviceGuard-Unattend
Microsoft-Windows-Setup
Microsoft-Windows-SNMP-Agent-Service
Microsoft-Windows-Embedded-EmbeddedLogon
Microsoft-Windows-DNS-Client
Microsoft-Windows-SharedAccess
Microsoft-Windows-OutOfBoxExperience
Microsoft-Windows-PowerCPL
Microsoft-Windows-StorPort-RegistrySettings
Microsoft-Windows-PnpCustomizationsNonWinPE
Microsoft-Windows-WorkstationService
Microsoft-Windows-SQMAPI
Microsoft-Windows-BrowserService
Microsoft-Windows-SMBServer
Microsoft-Windows-Security-SPP
Microsoft-Windows-MediaPlayer-Core
Microsoft-Windows-IE-ClientNetworkProtocolImplementation
Microsoft-Windows-WPD-BusEnumService