Generate autounattend.xml files for Windows 10/11

This service lets you create answer files (typically named unattend.xml or autounattend.xml) to perform unattended installations of both Windows 10 and Windows 11, including 24H2.

Usage · GitHub · Donate via PayPal

Import a file generated by this service:
Region and language settings:
Choose language preferences and keyboard layouts Select one or more languages in order of preference. The first language will also determine the initial regional format, which defines how numbers, dates, times and currency are formatted. You can change the regional format later.
Processor architectures:

When you select multiple processor architectures, a single autounattend.xml file will be created that is applicable to all of these architectures.

Setup settings:
This effectively runs the oobe\BypassNRO.cmd command, which was discovered by Reddit user AveYo. You still have to click the I don't have internet button during Windows Setup.

Only check this option if your computer really does not have internet access. If you just want to create local (“offline”) user accounts in Windows 11, you can always do so in the User accounts section of this form.

Computer name:

Your script will be evaluated at runtime. The script must return a single string, which must be a valid computer name. You can also use a script such as return Read-Host -Prompt 'Enter computer name'; to create an interactive prompt.

Compact OS:
Time zone:
This is useful when your country or region spans multiple time zones, like Australia or the United States.
Partitioning and formatting:
Choose partition layout
The GPT partition layout must be used for UEFI systems. Set the size of the EFI System Partition (ESP) to MB.
MBR The MBR-based partition layout must be used for legacy BIOS systems.
Choose how to install Windows RE
Create a separate partition with a size of MB and install Windows RE to it.
This will install Windows RE in C:\Recovery. No recovery partition will be created. This will delete the C:\Recovery folder and thus free about 600 MB of disk space. No recovery partition will be created. Windows 24H2 seems to ignore this setting and will always create a recovery partition with a minimum size of 600 MB.

If your disk is already partitioned and formatted, enter a diskpart command that has no effect, like REM or SELECT DISK=0. Also note that drive letter assignments (e.g. ASSIGN LETTER=R) will not persist.

Choose partition to install Windows to after script has run
Windows edition:
Such a key can be used to install Windows, but will not activate it. You can change the product key later.
You can also enter your key in the autounattend.xml file. To do this, find the <Key>00000-00000-00000-00000-00000</Key> element and replace the text with your key. Also use this if you plan to install an Enterprise edition of Windows.
User accounts:
Account name Password Group
First logon

Some settings might not be applied until an administrator logs on for the first time. You should therefore let Windows log you on to an administrator account once – this does not affect subsequent logons. Choose which account to use for this:

The installation ends with the sign-in screen being shown.
Password expiration: This is in accordance to NIST guidelines that no longer recommend password expiration. Passwords expire after 42 days.
Passwords expire after days.

These settings only apply to local accounts. Also, the password of the built-in account Administrator never expires.

Account Lockout policy: By default, Windows will lock out an account after 10 failed logon attempts (threshold) within 10 minutes (window). After 10 minutes (duration), the account is unlocked automatically. Disabling Account Lockout might leave your computer vulnerable to brute-force attacks.
Lock out an account after failed logon attempts within minutes. After minutes, unlock the account automatically.
Windows Explorer tweaks:
Choose which files are hidden in Windows Explorer This will hide any file that has the Hidden attribute set. This will only hide files that have both the Hidden and the System attribute set. This setting is recommended for advanced users.
Choose how to display the search box in the taskbar
By default, Windows Explorer would hide extensions for known file types. This hides the news and weather widget in the lower-left corner in Windows 11. You can pin your preferred apps to the taskbar later. On Windows 10, this will simply set the EnableAutoTray registry value. On Windows 11, this will create a scheduled task that runs periodically in the background and sets all tray icons visible.
System tweaks:
This disables certain services (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) during Windows Setup and thus prevents the MsMpEng.exe process from running. This method was adapted from an article by Rudy Mens.
This will create a scheduled task that pauses updates for one week again and again.
This turns Smart App Control off in Windows 11. Note that you will not be able to turn it back on. Windows will not create restore points for drive C: and thus use less disk space. This sets the LongPathsEnabled registry value, which enables several programs (including PowerShell, 7-Zip and TreeSize) to use long paths with up to 32,767 characters without resorting to the \\?\ prefix. This removes write permissions on C:\ for the Authenticated Users group. In particular, this prevents unprivileged users from creating bogus folders such as C:\Windows . This runs the command Set-ExecutionPolicy -ExecutionPolicy 'RemoteSigned', which allows the execution of unsigned .ps1 files. This runs the command fsutil.exe behavior set disableLastAccess 1, which can improve file system performance. This prevents Windows Update from rebooting when a user is signed in. This changes the sound scheme from Windows Default to No sounds for all users. This sets several registry values that prevent the silent download and installation of suggested apps. Windows 11 would otherwise enable BitLocker encryption automatically. This will modify the C:\Windows\System32\IntegratedServicesRegionPolicySet.json file such that Edge can be uninstalled even outside the European Economic Area. Note that Windows updates will reset the file to its original state. Therefore, if you want to uninstall Edge, do so right after Windows has been installed.
Each time a new process is created, Windows writes an event to the Security log. This is a powerful tool for troubleshooting.
Virtual machine support:

Make sure to check the usage notes for how to properly configure your VM.

WLAN / Wi-Fi setup: Choose this if you have a wired connection to the internet.

If both your Wi-Fi router and your computer's Wi-Fi adapter support it, make sure to select WPA3. Otherwise, Windows Setup will try to switch from WPA2 to WPA3 and require manual interaction.

You should not enter your actual Wi-Fi password here. Once you have downloaded the autounattend.xml file, find the password enclosed in <keyMaterial>…</keyMaterial> and adjust it.

Express settings: Windows will not send diagnostic data, personalized input or your location history to Microsoft. Choose this if you value privacy. Windows will send data to Microsoft to provide location-based services, improve language recognition, and show personalized ads. This lets you enable some settings while disabling others.
Lock key settings:
Key Initial state When pressed
Caps Lock
Num Lock
Scroll Lock

This will affect all users and also the login screen.

Personalization settings:

These settings are particularly useful if you want to use Windows without activation when the Personalization settings page is not available.

Colors
Desktop wallpaper
Remove bloatware:

Windows comes with several apps that many users do not want or do not need. Check all the apps you want removed during Windows Setup:

Bloatware removal works best with the original Windows 10 and 11 .iso images downloaded from Microsoft. I did not perform any tests with custom images.

Start menu customization:
Windows 10

Configure the tiles that are initially shown in the Windows 10 start menu. You can add or remove tiles later. On Windows 11, this setting is simply ignored.

If you select apps in the Remove bloatware section above, Windows 10 will automatically remove their tiles from the start menu.
Windows 11

Configure the pins that are initially shown in the Windows 11 start menu. You can add or remove pins later. On Windows 10, this setting is simply ignored.

Avoid this setting if you select apps in the Remove bloatware section above, as Windows 11 will deceptively retain their pins in the start menu.
Run custom scripts:
Scripts to run in the system context, before user accounts are created
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.
Scripts to modify the default user's registry hive

This will automatically mount the C:\Users\Default\NTUSER.DAT hive, run your scripts and unmount the hive again. Your scripts will be run before user accounts are created – hence, they will affect all user accounts, including the built-in account Administrator. You must access the keys in this hive as follows:

.reg [HKEY_USERS\DefaultUser\…
.cmd HKU\DefaultUser\…
.ps1 Registry::HKU\DefaultUser\…
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
Scripts to run when the first user logs on after Windows has been installed

The first user to log on is typically an administrator. In this case, these scripts will run with elevated privileges.

  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.
Scripts to run whenever a user logs on for the first time
  1. Run as a file.
  2. Run as a file.
  3. Run as a file.
  4. Run as a file.

Your scripts will be run as follows:

.cmd cmd.exe /c "C:\Windows\Setup\Scripts\unattend-01.cmd >>"C:\Windows\Setup\Scripts\unattend-01.log" 2>&1"
.ps1 cmd.exe /c "powershell.exe -NoProfile -Command "Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\unattend-02.ps1' -Raw | Invoke-Expression;" >>"C:\Windows\Setup\Scripts\unattend-02.log" 2>&1"
.reg cmd.exe /c "reg.exe import "C:\Windows\Setup\Scripts\unattend-03.reg" >>"C:\Windows\Setup\Scripts\unattend-03.log" 2>&1"
.vbs cmd.exe /c "cscript.exe //E:vbscript "C:\Windows\Setup\Scripts\unattend-04.vbs" >>"C:\Windows\Setup\Scripts\unattend-04.log" 2>&1"
.js cmd.exe /c "cscript.exe //E:jscript "C:\Windows\Setup\Scripts\unattend-05.js" >>"C:\Windows\Setup\Scripts\unattend-05.log" 2>&1"
Windows Defender Application Control:

Applications in C:\Windows, C:\Program Files and C:\Program Files (x86) are allowed to run. Applications stored elsewhere and those in known user-writable folders such as C:\Windows\Temp or C:\Windows\Debug\WIA are not allowed to run. To disable this WDAC policy later, simply delete the file C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{d26bff32-33a2-48a3-b037-10357ee48427}.cip and reboot. To create a more customized policy, see my online WDAC generator.

Choose how to enforce the policy Logs drivers and applications that would have been blocked. When the policy blocks a system driver and thus would prevent Windows from booting, use audit mode. Otherwise, use enforcement mode. Drivers and applications will be blocked unless allowed by the policy.
Choose script enforcement PowerShell will run in Constrained Language Mode. See Script Enforcement for details. PowerShell will run in Full Language Mode.
Placeholders for more components:

You can optionally generate templates for all available components, with respect to their valid configuration passes. Look for <!--Placeholder--> comments in the generated autounattend.xml file and fill in the desired settings yourself.

Microsoft-Windows-Audio-AudioCore
Microsoft-Windows-Audio-VolumeControl
Microsoft-Windows-Authentication-AuthUI
Microsoft-Windows-BLB-WSB-Online-Main
Microsoft-Windows-BrowserService
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-CoreMmRes
Microsoft-Windows-Deployment
Microsoft-Windows-DeviceAccess
Microsoft-Windows-DeviceGuard-Unattend
Microsoft-Windows-DiagCpl
Microsoft-Windows-Disk-Failure-Diagnostic-Module
Microsoft-Windows-DNS-Client
Microsoft-Windows-Embedded-BootExp
Microsoft-Windows-Embedded-EmbeddedLogon
Microsoft-Windows-Embedded-KeyboardFilterService
Microsoft-Windows-Embedded-ShellLauncher
Microsoft-Windows-Embedded-UnifiedWriteFilter
Microsoft-Windows-EnhancedStorage-Adm
Microsoft-Windows-ErrorReportingCore
Microsoft-Windows-Fax-Service
Microsoft-Windows-GPIOButtons
Microsoft-Windows-HelpAndSupport
Microsoft-Windows-IE-ClientNetworkProtocolImplementation
Microsoft-Windows-IE-ESC
Microsoft-Windows-IE-InternetExplorer
Microsoft-Windows-International-Core
Microsoft-Windows-International-Core-WinPE
Microsoft-Windows-LUA-Settings
Microsoft-Windows-MapControl-Desktop
Microsoft-Windows-MediaPlayer-Core
Microsoft-Windows-MicrosoftEdgeBrowser
Microsoft-Windows-MobilePC-Sensors-API
Microsoft-Windows-NetBT
Microsoft-Windows-NetworkBridge
Microsoft-Windows-NetworkLoadBalancing-Core
Microsoft-Windows-OutOfBoxExperience
Microsoft-Windows-PartitionManager
Microsoft-Windows-PnpCustomizationsNonWinPE
Microsoft-Windows-PnpCustomizationsWinPE
Microsoft-Windows-PnpSysprep
Microsoft-Windows-PowerCPL
Microsoft-Windows-Printing-Spooler-Core
Microsoft-Windows-RasServer
Microsoft-Windows-RemoteAssistance-Exe
Microsoft-Windows-SecureStartup-FilterDriver
Microsoft-Windows-Security-SPP
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-ServerManager-SvrMgrNc
Microsoft-Windows-Setup
Microsoft-Windows-SharedAccess
Microsoft-Windows-Shell-Setup
Microsoft-Windows-SHWebSVC
Microsoft-Windows-SMBServer
Microsoft-Windows-SNMP-Agent-Service
Microsoft-Windows-SQMAPI
Microsoft-Windows-STObject
Microsoft-Windows-StorPort-RegistrySettings
Microsoft-Windows-SystemMaintenanceService
Microsoft-Windows-SystemRestore-Main
Microsoft-Windows-SystemSettingsThreshold
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-TapiSetup
Microsoft-Windows-TCPIP
Microsoft-Windows-TerminalServices-CentralPublishing
Microsoft-Windows-TerminalServices-LicenseServer
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-TerminalServices-Publishing-WMIProvider
Microsoft-Windows-TerminalServices-RDP-WinStationExtensions
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-Tpm-Tasks
Microsoft-Windows-TwinUI
Microsoft-Windows-UnattendedJoin
Microsoft-Windows-WDF-KernelLibrary
Microsoft-Windows-WiFiNetworkManager
Microsoft-Windows-WinRE-RecoveryAgent
Microsoft-Windows-WLANSVC
Microsoft-Windows-WorkstationService
Microsoft-Windows-WPD-BusEnumService
Microsoft-Windows-WWANUI
Networking-MPSSVC-Svc
Security-Malware-Windows-Defender
Download settings: Windows Setup will not process the notautounattend.xml file automatically. Instead, you need to run a command such as setup.exe /Unattend:D:\notautounattend.xml. This is useful to prevent Windows Setup from inadvertently wiping your hard drive, and lets you specify additional parameters such as /NoReboot. In particular, calling setup.exe /NoReboot /Unattend:D:\notautounattend.xml offers a great opportunity to remove 8.3 file names during Windows Setup while still using an answer file.
Submit form: