Generate autounattend.xml files for Windows 10/11

» schneegans.de

This service lets you create answer files (typically named unattend.xml or autounattend.xml) to perform unattended installations of both Windows 10 and Windows 11, including 24H2. Answer files generated by this service are primarily intended to be used with Windows Setup run from Windows PE to perform clean (rather than upgrade) installations.

Usage · Sample scripts · GitHub · Donate via PayPal · Buy Me a Coffee

Import a file generated by this service
Presets
Region and language settings:
Choose language preferences and keyboard layouts Select one or more languages in order of preference. The first language will also determine the initial regional format, which defines how numbers, dates, times and currency are formatted. You can change the regional format later.
Processor architectures:

When you select multiple processor architectures, a single autounattend.xml file will be created that is applicable to all of these architectures.
Setup settings:
Only check this option if your computer really does not have internet access. You will still have to click the I don't have internet button during Windows Setup in that case. If you just want to create local (“offline”) user accounts in Windows 11, you do not need this option – simply use the User accounts section of this form.
This makes Windows Setup look for a folder named $OEM$ in the root of the drive where your autounattend.xml file is located and copy its contents to the target partition.
By default, PowerShell scripts that run during Windows Setup will have a visible window. This makes debugging easier and lets you use interactive prompts in your scripts, but also carries the risk that this window gets inadvertently or deliberately closed, which would kill the script. If you choose to hide PowerShell windows, any PowerShell scripts during Windows Setup will be run with the -WindowStyle Hidden switch.

Do not enable this checkbox if you are planning to use interactive prompts (like PowerShell's Read-Host cmdlet) in your scripts! Without a visible window, you would be unable to answer these prompts, and Windows Setup could not continue.
Computer name:
Your script will be evaluated during Windows Setup. The script must return a single string, which must be a valid computer name. You can also use a script such as return Read-Host -Prompt 'Enter computer name'; to create an interactive prompt.
Compact OS:
Time zone:
This is useful when your country or region spans multiple time zones, like Australia or the United States.
Partitioning and formatting:
Choose partition layout
The GPT partition layout must be used for UEFI systems. Set the size of the EFI System Partition (ESP) to MB.
MBR The MBR-based partition layout must be used for legacy BIOS systems.
Choose how to install Windows RE
Create a separate partition with a size of MB and install Windows RE to it.
This will install Windows RE in C:\Recovery. No recovery partition will be created. This will delete the C:\Recovery folder and thus free about 600 MB of disk space. No recovery partition will be created. Windows 24H2 seems to ignore this setting and will always create a recovery partition with a minimum size of 600 MB.

If your disk is already partitioned and formatted, enter a diskpart command that has no effect, like REM or SELECT DISK=0. Also note that drive letter assignments (e.g. ASSIGN LETTER=R) will not persist.

Choose partition to install Windows to after script has run

When you let Windows Setup partition your disks unattendedly, there is a risk they were assigned unexpected index numbers. In rare cases, disk 0 does not refer to your primary hard drive, but rather your USB thumb drive. You can therefore provide VBScript code to check the assigned disk index numbers before diskpart is run. If your script returns with WScript.Quit 1, Windows Setup will halt to avoid data loss.
Windows edition:
Such a key can be used to install Windows, but will not activate it. You can change the product key later.
You can also enter your key in the autounattend.xml file yourself to avoid disclosing it. To do so, find the <Key>00000-00000-00000-00000-00000</Key> element and replace the text with your own key. Choose this if your computer came pre-installed with Windows and you want to reuse that license.
User accounts:
Account name Display name Password Group

Leave Display name empty unless you want it to be different from Account name.

First logon

Several settings will only be applied when an administrator logs on for the first time. You should therefore let Windows log you on to an administrator account once – this does not affect subsequent logons. Choose which account to use for this:

The installation ends with the sign-in screen being shown.
Password expiration: This is in accordance to NIST guidelines that no longer recommend password expiration. Passwords expire after 42 days.
Passwords expire after days.

These settings only apply to local accounts. Also, the password of the built-in account Administrator never expires.
Account Lockout policy: By default, Windows will lock out an account after 10 failed logon attempts (threshold) within 10 minutes (window). After 10 minutes (duration), the account is unlocked automatically. Disabling Account Lockout might leave your computer vulnerable to brute-force attacks.
Lock out an account after failed logon attempts within minutes. After minutes, unlock the account automatically.
File Explorer tweaks:
Choose which files are hidden in File Explorer This will hide any file that has the Hidden attribute set. This will only hide files that have both the Hidden and the System attribute set. This setting is recommended for advanced users.
By default, File Explorer would hide extensions for known file types.
Start menu and taskbar:
Choose how to display the search box in the taskbar
Choose icons to display in the taskbar
See Microsoft's documentation for more examples.
This hides the news and weather widget in the lower-left corner in Windows 11. On Windows 10, this will simply set the EnableAutoTray registry value. On Windows 11, this will create a scheduled task that runs periodically in the background and sets all tray icons visible.
Windows 10

Configure the tiles that are initially shown in the Windows 10 Start menu. You can add or remove tiles later. On Windows 11, this setting is simply ignored.

If you select apps in the Remove bloatware section below, Windows 10 will automatically remove their tiles from the Start menu.
Windows 11

Configure the pins that are initially shown in the Windows 11 Start menu. You can add or remove pins later. On Windows 10, this setting is simply ignored.

Avoid this setting if you select apps in the Remove bloatware section below, as Windows 11 will deceptively retain their pins in the Start menu.
System tweaks:
This disables certain services (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) during the Windows PE stage of Windows Setup and thus prevents the MsMpEng.exe process from running. This method was adapted from an article by Rudy Mens.
This will create a scheduled task (named PauseWindowsUpdate) that pauses updates for one week again and again. If you want to run Windows Update for once, click Resume updates in Settings. If you want to enable Windows Update permanently, disable or delete that task.
This turns Smart App Control off in Windows 11. Note that you will not be able to turn it back on. Windows will not create restore points for drive C: and thus use less disk space. This sets the LongPathsEnabled registry value, which enables several programs (including PowerShell, 7-Zip and TreeSize) to use long paths with up to 32,767 characters without resorting to the \\?\ prefix. This removes write permissions on C:\ for the Authenticated Users group. In particular, this prevents unprivileged users from creating bogus folders such as C:\Windows . This runs the command Set-ExecutionPolicy -ExecutionPolicy 'RemoteSigned', which allows the execution of unsigned .ps1 files. This runs the command fsutil.exe behavior set disableLastAccess 1, which can improve file system performance. This creates a scheduled task that periodically moves your active hours, tricking Windows into thinking your device is in use all the time. This changes the sound scheme from Windows Default to No sounds for all users. This sets several registry values that prevent the silent download and installation of suggested apps. Note that as a side effect this will also disable the Manage devices button in the Mobile devices section in Settings. If this bothers you, change the value of DisableWindowsConsumerFeatures to 0. Windows 11 would otherwise enable BitLocker encryption automatically. This will skip the annoying dialogs when Edge is run for the first time. This will stop Edge from running in the background all the time. This will modify the C:\Windows\System32\IntegratedServicesRegionPolicySet.json file such that Edge can be uninstalled even outside the European Economic Area. Note that Windows Update will eventually reset the file to its original state. Therefore, if you want to uninstall Edge, do so right after Windows has been installed. Also, you might see an error 0x80070306 when installing a cumulative update (such as KB5048667), but this should get resolved when you repeat the installation of that update. This may be useful for players of first-person shooters.
Each time a new process is created, Windows writes an event to the Security log. This is a powerful tool for troubleshooting.
Visual effects:
Desktop icons:
Virtual machine support:

Make sure to check the usage notes for how to properly configure your VM.
WLAN / Wi-Fi setup: Choose this if you have a wired connection to the internet.

If both your Wi-Fi router and your computer's Wi-Fi adapter support it, make sure to select WPA3. Otherwise, Windows Setup will try to switch from WPA2 to WPA3 and require manual interaction.

You should not enter your actual Wi-Fi password here. Once you have downloaded the autounattend.xml file, find the password enclosed in <keyMaterial>…</keyMaterial> and adjust it.
Express settings: Windows will not send diagnostic data, personalized input or your location history to Microsoft. Choose this if you value privacy. Windows will send data to Microsoft to provide location-based services, improve language recognition, and show personalized ads. This lets you enable some settings while disabling others.
Lock key settings:
Key Initial state When pressed
Caps Lock
Num Lock
Scroll Lock

This will affect all users and also the login screen.
Personalization settings:

These settings are particularly useful if you want to use Windows without activation when the Personalization settings page is not available.

Colors
Desktop wallpaper
Your script will be evaluated during Windows Setup, after your computer has connected to a network. The script must return a byte[] value, which must contain the image data. For example, you can download an image from the internet, locate an image file on a removable drive or a network share and load it via [IO.File]::ReadAllBytes, or provide the image data directly via [convert]::FromBase64String.
Remove bloatware:

Windows comes with several apps that many users do not want or do not need. Check all the apps you want removed during Windows Setup:

Bloatware removal works best with the original Windows 10 and 11 .iso images downloaded from Microsoft. I did not perform any tests with custom images.
Run custom scripts:

You may want to take a look at some sample scripts first.

Scripts to run in the system context, before user accounts are created
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.
Scripts to modify the default user's registry hive

This will automatically mount the C:\Users\Default\NTUSER.DAT hive, run your scripts and unmount the hive again. Your scripts will be run before user accounts are created – hence, they will affect all user accounts, including the built-in account Administrator. You must access the keys in this hive as follows:

.reg [HKEY_USERS\DefaultUser\…
.cmd HKU\DefaultUser\…
.ps1 Registry::HKU\DefaultUser\…
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
Scripts to run when the first user logs on after Windows has been installed

The first user to log on is typically an administrator. In this case, these scripts will run with elevated privileges.

  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.
Scripts to run whenever a user logs on for the first time
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.
This will restart the explorer.exe process that is responsible for displaying Start menu, taskbar and Desktop. If your scripts in this section make changes to any of these elements, check this box so that they take effect immediately.

Your scripts will be run as follows:

.cmd C:\Windows\Setup\Scripts\unattend-01.cmd
.ps1 powershell.exe -WindowStyle Normal -NoProfile -Command "Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\unattend-02.ps1' -Raw | Invoke-Expression;"
.reg reg.exe import "C:\Windows\Setup\Scripts\unattend-03.reg"
.vbs cscript.exe //E:vbscript "C:\Windows\Setup\Scripts\unattend-04.vbs"
.js cscript.exe //E:jscript "C:\Windows\Setup\Scripts\unattend-05.js"
Windows Defender Application Control:

Applications in C:\Windows, C:\Program Files and C:\Program Files (x86) are allowed to run. Applications stored elsewhere and those in known user-writable folders such as C:\Windows\Temp or C:\Windows\Debug\WIA are not allowed to run. To disable this WDAC policy later, simply delete the file C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip and reboot. To create a more customized policy, see my online WDAC generator.

Choose how to enforce the policy Logs drivers and applications that would have been blocked. When the policy blocks a system driver and thus would prevent Windows from booting, use audit mode. Otherwise, use enforcement mode. Drivers and applications will be blocked unless allowed by the policy.
Choose script enforcement PowerShell will run in Constrained Language Mode. See Script Enforcement for details. PowerShell will run in Full Language Mode.
XML markup for more components:

You can optionally add settings for all available components, with respect to their valid configuration passes.

The generator itself uses some components (displayed with a reddish background below). You may assign your own XML markup to these components, but this will completely replace their generated content, and there is no guarantee that the resulting autounattend.xml file will work as intended.

Do not include settings or component elements with your markup – they will be added automatically.

  1. Insert XML markup to the component.
  2. Insert XML markup to the component.
  3. Insert XML markup to the component.
Download settings: Windows Setup will not process the notautounattend.xml file automatically. Instead, you need to run a command such as setup.exe /Unattend:D:\notautounattend.xml. This is useful to prevent Windows Setup from inadvertently wiping your hard drive, and lets you specify additional parameters such as /NoReboot. In particular, calling setup.exe /NoReboot /Unattend:D:\notautounattend.xml offers a great opportunity to remove 8.3 file names during Windows Setup while still using an answer file.
Submit form:
Contact: Christoph Schneegans (christoph@schneegans.de)