Generate autounattend.xml files for Windows 10/11

This service lets you create answer files (typically named unattend.xml or autounattend.xml) to perform unattended installations of both Windows 10 and Windows 11, including the latest 24H2 builds. The .NET library that forms the basis for this service is available on GitHub. If you would like to support this project, you can donate via PayPal.

Region and language settings:
Processor architectures:

When you select multiple processor architectures, a single autounattend.xml file will be created that is applicable to all of these architectures.

Setup settings:
This effectively runs the oobe\BypassNRO.cmd command, which was discovered by Reddit user aveyo. You still have to click the "I don't have internet" button during Windows Setup.

Only check this option if your computer really does not have internet access. If you just want to create local user accounts in Windows 11, you can always do so in the User accounts section of this form.

Computer name:
Time zone:
This is useful when your country or region spans multiple time zones, like Australia or the United States.
Partitioning and formatting:
Choose partition layout
GPT: The GPT partition layout must be used for UEFI systems. Set the size of the EFI System Partition (ESP) to MB.
MBR: The MBR-based partition layout must be used for legacy BIOS systems.
Choose how to install Windows RE
Create a separate partition with a size of MB and install Windows RE to it.
This will install Windows RE in C:\Recovery. No recovery partition will be created.
This will delete the C:\Recovery folder and thus free about 600 MB of disk space. No recovery partition will be created. Windows 24H2 seems to ignore this setting and will always create a recovery partition with a minimum size of 600 MB.

Avoid drive letter assignments (e.g. ASSIGN LETTER=R) in your script as these will not persist.

Choose partition to install Windows to after script has run
Windows edition:
Such a key can be used to install Windows, but will not activate it. You can change the product key later.
You can also enter your key in the autounattend.xml file. To do this, find the <Key>00000-00000-00000-00000-00000</Key> element and replace the text with your key. Also use this if you plan to install an Enterprise edition of Windows.
User accounts:
Account name Password Group
First logon

Some settings might not be applied until an administrator logs on for the first time. You should therefore let Windows log you on to an administrator account once – this does not affect subsequent logons. Choose which account to use for this:

The installation ends with the sign-in screen being shown.
Choose this if you want to use a Microsoft account.
Password expiration:
This is in accordance with NIST guidelines that no longer recommend password expiration.
Passwords expire after 42 days.
Passwords expire after days.

These settings only apply to local accounts. Also, the password of the built-in account Administrator never expires.

Account Lockout policy:
By default, Windows will lock out an account after 10 failed logon attempts (threshold) within 10 minutes (window). After 10 minutes (duration), the account is unlocked automatically.
Disabling Account Lockout might leave your computer vulnerable to brute-force attacks.
Lock out an account after failed logon attempts within minutes. After minutes, unlock the account automatically.
Optimizations:
This disables certain services (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) during Windows Setup. This method was adapted from an article by Rudy Mens. Windows 11 24H2 does not permit disabling these services in the later stages of Setup. With this setting, they are disabled as early as possible, during the Windows PE stage.
Windows will not create restore points for drive C: and thus use less disk space.
This sets the LongPathsEnabled registry value, which enables several programs (including PowerShell, 7-Zip and TreeSize) to use long paths with up to 32,767 characters without resorting to the \\?\ prefix.
This removes write permissions on C:\ for the Authenticated Users group. In particular, this prevents unprivileged users from creating bogus folders such as C:\Windows .
This runs the command Set-ExecutionPolicy -ExecutionPolicy 'RemoteSigned', which allows the execution of unsigned .ps1 files.
This runs the command fsutil.exe behavior set disableLastAccess 1, which can improve file system performance.
This prevents Windows Update from rebooting when a user is signed in.
This changes the sound scheme from Windows Default to No sounds for all users.
This sets several registry values that prevent the silent download and installation of suggested apps.
This hides the news and weather widget in the lower-left corner in Windows 11.
Windows 11 would otherwise enable BitLocker encryption automatically.
Each time a new process is created, Windows writes an event to the Security log. This is a powerful tool for troubleshooting.
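
To put these events to use, the following PowerShell summarizes recent process-creation events and lists executables that were started from outside C:\Windows and the Program Files folders. It is an added example, not part of the original page; it assumes event ID 4688 in the Security log and an elevated prompt, and the function name is hypothetical.

```powershell
# Added example; run elevated. Get-ProcessCreationSummary is a hypothetical name.
# Confirm that the "Process Creation" audit subcategory is active.
# The GUID form avoids localized subcategory names.
auditpol.exe /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}"

function Get-ProcessCreationSummary {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4688                       # "A new process has been created"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Directories treated as expected locations for executables.
    $expected = '^C:\\(Windows|Program Files|Program Files \(x86\))\\'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Turn the event's <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $data['SubjectUserName']
            Image    = $data['NewProcessName']
            Parent   = $data['ParentProcessName']
            Expected = $data['NewProcessName'] -match $expected
        }
    }
}

# Executables launched from unexpected locations, most frequent first.
Get-ProcessCreationSummary -Hours 24 |
    Where-Object { -not $_.Expected } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```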
Virtual machine support:

See the usage notes to learn how to use the autounattend.xml file when installing Windows on virtual machines.

WLAN / Wi-Fi setup: Choose this if you have a wired connection to the internet.

If both your Wi-Fi router and your computer's Wi-Fi adapter support it, make sure to select WPA3. Otherwise, Windows Setup will try to switch from WPA2 to WPA3 and require manual interaction.

You should not enter your actual Wi-Fi password here. Once you have downloaded the autounattend.xml file, find the password enclosed in <keyMaterial>…</keyMaterial> and adjust it.

Express settings:
Windows will not send diagnostic data, personalized input or your location history to Microsoft. Choose this if you value privacy.
Windows will send data to Microsoft to provide location-based services, improve language recognition, and show personalized ads.
This lets you enable some settings while disabling others.
Remove bloatware:

Windows comes with several apps that many users do not want or do not need. Check all the apps you want removed during Windows Setup:

Bloatware removal works best with the original Windows 10 and 11 .iso images downloaded from Microsoft. I did not perform any tests with custom images.

If you select one or more apps to remove, all shortcuts, tiles and pinned icons in the start menu will be deleted, utilizing a technique demonstrated by Michael Niehaus. This is to prevent a user from accidentally reinstalling an app that has just been removed. The method to completely remove OneDrive was described by Stefan Kanthak, with whom I also collaborated to identify the registry keys that block the installation of Dev Home and Outlook for Windows on Windows 11 23H2.

Run custom scripts:
Scripts to run in the system context, before user accounts are created
Scripts to modify the default user's registry hive

This will automatically mount the C:\Users\Default\NTUSER.DAT hive, run your scripts and unmount the hive again. Your scripts will be run before user accounts are created – hence, they will affect all user accounts, including the built-in account Administrator. You must access the keys in this hive as follows:

.reg [HKEY_USERS\DefaultUser\…
.cmd HKU\DefaultUser\…
.ps1 Registry::HKU\DefaultUser\…
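
A .ps1 script for this section could look as follows. It is an added example, not taken from the original page; the settings it writes (showing file extensions and hidden files in Explorer) are an assumption chosen for illustration.

```powershell
# Added example. Per the page, C:\Users\Default\NTUSER.DAT is mounted as
# HKU\DefaultUser while this script runs.
$root = 'Registry::HKU\DefaultUser'
if (-not (Test-Path -LiteralPath $root)) {
    throw "Default user hive is not mounted at $root."
}

# Illustrative settings (an assumption, not from the page): show file
# extensions and hidden files in Explorer for every profile created later.
$key    = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$values = @{ HideFileExt = 0; Hidden = 1 }

$path = "$root\$key"
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null   # creates missing parent keys too
}

foreach ($name in $values.Keys) {
    Set-ItemProperty -Path $path -Name $name -Value $values[$name] -Type DWord
    # Read the value back so the outcome is visible in the script's output.
    $actual = (Get-ItemProperty -Path $path -Name $name).$name
    '{0}\{1} = {2}' -f $key, $name, $actual
}
```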
Scripts to run when the first user logs on
Scripts to run whenever a user logs on for the first time

Your scripts will be run as follows:

.cmd cmd.exe /c "C:\Windows\Setup\Scripts\unattend-01.cmd >>"C:\Windows\Setup\Scripts\unattend-01.log" 2>&1"
.ps1 cmd.exe /c "powershell.exe -NoProfile -Command "Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\unattend-02.ps1' -Raw | Invoke-Expression;" >>"C:\Windows\Setup\Scripts\unattend-02.log" 2>&1"
.reg cmd.exe /c "reg.exe import "C:\Windows\Setup\Scripts\unattend-03.reg" >>"C:\Windows\Setup\Scripts\unattend-03.log" 2>&1"
.vbs cmd.exe /c "cscript.exe //E:vbscript "C:\Windows\Setup\Scripts\unattend-04.vbs" >>"C:\Windows\Setup\Scripts\unattend-04.log" 2>&1"
.js cmd.exe /c "cscript.exe //E:jscript "C:\Windows\Setup\Scripts\unattend-05.js" >>"C:\Windows\Setup\Scripts\unattend-05.log" 2>&1"
Windows Defender Application Control:

Applications in C:\Windows, C:\Program Files and C:\Program Files (x86) are allowed to run. Applications stored elsewhere and those in known user-writable folders such as C:\Windows\Temp or C:\Windows\Debug\WIA are not allowed to run. To disable this WDAC policy later, simply delete the file C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip and reboot. To create a more customized policy, see my online WDAC generator.

Choose how to enforce the policy
Logs drivers and applications that would have been blocked.
When the policy blocks a system driver and thus would prevent Windows from booting, use audit mode. Otherwise, use enforcement mode.
Drivers and applications will be blocked unless allowed by the policy.
Choose script enforcement
PowerShell will run in Constrained Language Mode. See Script Enforcement for details.
PowerShell will run in Full Language Mode.
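
When the policy runs in audit mode first, the logged would-be blocks can be reviewed before switching to enforcement. The following PowerShell is an added example, not part of the original page; it uses the policy file path quoted above and assumes the Microsoft-Windows-CodeIntegrity/Operational log with event IDs 3076 (audit) and 3077 (enforced block).

```powershell
# Added example; run elevated on the installed system.
$policy = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip'

# Is the policy file in place, and which language mode is this session in?
[pscustomobject]@{
    PolicyFilePresent = Test-Path -LiteralPath $policy
    LanguageMode      = $ExecutionContext.SessionState.LanguageMode
}

# 3076 = would have been blocked (audit mode), 3077 = blocked (enforcement mode).
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue

# Collapse repeated events so that each distinct process/file pair appears once.
$events | Group-Object Id, Message | Sort-Object Count -Descending | ForEach-Object {
    $newest = $_.Group[0]                  # Get-WinEvent returns newest first
    [pscustomobject]@{
        Count    = $_.Count
        Mode     = if ($newest.Id -eq 3076) { 'Audit' } else { 'Enforced' }
        LastSeen = $newest.TimeCreated
        Message  = $newest.Message
    }
} | Format-List
```

An empty result in audit mode after a period of normal use indicates that nothing in regular operation would be blocked by the policy.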
Placeholders for more components:

You can optionally generate templates for all available components, with respect to their valid configuration passes. Look for <!--Placeholder--> comments in the generated autounattend.xml file and fill in the desired settings yourself.

Microsoft-Windows-Audio-AudioCore
Microsoft-Windows-Audio-VolumeControl
Microsoft-Windows-Authentication-AuthUI
Microsoft-Windows-BLB-WSB-Online-Main
Microsoft-Windows-BrowserService
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-CoreMmRes
Microsoft-Windows-Deployment
Microsoft-Windows-DeviceAccess
Microsoft-Windows-DeviceGuard-Unattend
Microsoft-Windows-DiagCpl
Microsoft-Windows-Disk-Failure-Diagnostic-Module
Microsoft-Windows-DNS-Client
Microsoft-Windows-Embedded-BootExp
Microsoft-Windows-Embedded-EmbeddedLogon
Microsoft-Windows-Embedded-KeyboardFilterService
Microsoft-Windows-Embedded-ShellLauncher
Microsoft-Windows-Embedded-UnifiedWriteFilter
Microsoft-Windows-EnhancedStorage-Adm
Microsoft-Windows-ErrorReportingCore
Microsoft-Windows-Fax-Service
Microsoft-Windows-GPIOButtons
Microsoft-Windows-HelpAndSupport
Microsoft-Windows-IE-ClientNetworkProtocolImplementation
Microsoft-Windows-IE-ESC
Microsoft-Windows-IE-InternetExplorer
Microsoft-Windows-International-Core
Microsoft-Windows-International-Core-WinPE
Microsoft-Windows-LUA-Settings
Microsoft-Windows-MapControl-Desktop
Microsoft-Windows-MediaPlayer-Core
Microsoft-Windows-MicrosoftEdgeBrowser
Microsoft-Windows-MobilePC-Sensors-API
Microsoft-Windows-NetBT
Microsoft-Windows-NetworkBridge
Microsoft-Windows-NetworkLoadBalancing-Core
Microsoft-Windows-OutOfBoxExperience
Microsoft-Windows-PartitionManager
Microsoft-Windows-PnpCustomizationsNonWinPE
Microsoft-Windows-PnpCustomizationsWinPE
Microsoft-Windows-PnpSysprep
Microsoft-Windows-PowerCPL
Microsoft-Windows-Printing-Spooler-Core
Microsoft-Windows-RasServer
Microsoft-Windows-RemoteAssistance-Exe
Microsoft-Windows-SecureStartup-FilterDriver
Microsoft-Windows-Security-SPP
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-ServerManager-SvrMgrNc
Microsoft-Windows-Setup
Microsoft-Windows-SharedAccess
Microsoft-Windows-Shell-Setup
Microsoft-Windows-SHWebSVC
Microsoft-Windows-SMBServer
Microsoft-Windows-SNMP-Agent-Service
Microsoft-Windows-SQMAPI
Microsoft-Windows-STObject
Microsoft-Windows-StorPort-RegistrySettings
Microsoft-Windows-SystemMaintenanceService
Microsoft-Windows-SystemRestore-Main
Microsoft-Windows-SystemSettingsThreshold
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-TapiSetup
Microsoft-Windows-TCPIP
Microsoft-Windows-TerminalServices-CentralPublishing
Microsoft-Windows-TerminalServices-LicenseServer
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-TerminalServices-Publishing-WMIProvider
Microsoft-Windows-TerminalServices-RDP-WinStationExtensions
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-Tpm-Tasks
Microsoft-Windows-TwinUI
Microsoft-Windows-UnattendedJoin
Microsoft-Windows-WDF-KernelLibrary
Microsoft-Windows-WiFiNetworkManager
Microsoft-Windows-WinRE-RecoveryAgent
Microsoft-Windows-WLANSVC
Microsoft-Windows-WorkstationService
Microsoft-Windows-WPD-BusEnumService
Microsoft-Windows-WWANUI
Networking-MPSSVC-Svc
Security-Malware-Windows-Defender

See the usage notes to learn how to use the autounattend.xml file when installing Windows.