NextDoorNetAdmin
Ever wondered who runs the Internet, or those "servers" you keep hearing about? I'm a network admin, and I could very well be living right next door to you. Take a step over into my world, and see what you might learn!
A Glimpse of a Datacentre (23:18), 1 month ago
The System Administrator Code of Ethics (27:01), 2 months ago
A Glimpse of the Office (14:35), 2 months ago
Am I a programmer? (26:06), 2 months ago
The Web of Trust (25:07), 2 months ago
NDNA: July 2024 Freeform (24:28), 2 months ago
Crowdstruck: The Dangers of a Monoculture (23:35), 3 months ago
A Cast of Traffic (24:06), 3 months ago
CIDR house rules: IP network classes (27:28), 3 months ago
More about ZFS - datasets and zvols! (21:23), 3 months ago
NDNA: June 2024 Freeform (20:48), 4 months ago
ZFS vs. RAID - vdevs and more! (25:36), 4 months ago
802.1q VLAN tagging (26:41), 4 months ago
NDNA: May 2024 Freeform (21:20), 4 months ago
Hubs, Bridges, and Switches (oh my!) (27:49), 5 months ago
A Penguin Said That Nobody Drinks Pepsi (26:24), 5 months ago
ACME (P.S.): SSL Tips and Tools (25:29), 5 months ago
NDNA: April 2024 Freeform (22:04), 5 months ago
ACME: Implementation (32:30), 6 months ago
ACME: Accounts and Validations (24:37), 6 months ago
ACME: PKI Basics (24:20), 6 months ago
NDNA: All-Year Fool (3:07), 6 months ago
Comments
@SamDevid-y9s 2 days ago
I recently configured SMTP relay with SMTPget and iDealSMTP, and it was incredibly smooth! Both offer excellent reliability and seamless setup for bulk email campaigns. Highly recommended.
@iolsen94 5 days ago
This literally came out exactly when I needed it 😂 thanks for the walkthrough!
@NextDoorNetAdmin 4 days ago
You're very welcome! 😀👍
@SteveStowell 5 days ago
Could have also used discovery
@loganfriesen8145 7 days ago
Love the series! My question is with a lot of orgs using Intune/autopilot to ship laptops directly to staff, is there an equivalent method to clean up windows that way?
@NextDoorNetAdmin 5 days ago
I really don't think so, because in that case the Windows installation is being pre-installed and sent out directly to your staff members. You're kind of stuck with shipping them Windows as Microsoft sees fit, and then using Intune to customize it out later.
@zMeul 8 days ago
I use iVentoy because I need more ISOs than Windows installers
@TradieTrev 9 days ago
This would be handy as if you're deploying like an office or classroom of pcs. I haven't played with PXE booting since windows XP days and remember it being not such a pain to setup when UEFI wasn't a thing. Maybe mention the UEFI in the title so others can find this helpful video, thanks & cheers!
@NextDoorNetAdmin 5 days ago
That's a decent thought--cheers!
@test3tw44 13 days ago
Wow! It's amazing that the installation can go directly to Audit Mode, what a great toy, I hope to have a good time before the New Year. I hope you'll have a good time before the New Year! I like your smile, although there is no fast forwarding, you can hear the game scene, and your thinking mode, your priorities, and you can learn the reasons for your choices; which is good, because most of the non-native English speakers feel unfamiliar and don't know why and what is going to happen. You can only change the user folder defaults in Audit Mode, because you don't use the system defaults, which cut the system drive and the data drive. Today is a good day, I can eat 50 NTD watermelon and learn interesting methods, thanks for your hard work! (Translated by DeepL)
@keylanoslokj1806 18 days ago
I bought an HP elitebook laptop in Europe with 11 pro on it. Any advice on how to debloat and despyware it? Thanks in advance
@NextDoorNetAdmin 18 days ago
For any new machine I touch (work or personal), I start by erasing whatever's already on it. If you don't have to worry about multiple users on the machine, or if you don't need to create a master image to be cloned to multiple machines, then you probably don't need to muck around in Audit mode. Definitely prepare your installation media first by deprovisioning junk apps and inserting some registry settings, but then you can take the settings from unattend.xml and merge them into Autounattend.xml. If you do it right, it should automatically wipe the disk, boot through OOBE, and create a new user account for you. You can also use the "OEMkey.ps1" script I provided to reactivate your copy of Windows, using the OEM license already burned into the BIOS.
@keylanoslokj1806 18 days ago
@NextDoorNetAdmin So this solution is not advised for a laptop that will have 2-3 users. Thanks for the answer.
@NextDoorNetAdmin 18 days ago
It'll work fine for a laptop with multiple users! If you're doing that, just follow the whole process, Audit mode and all. :) Uncomment the section in deploy1.cmd to allow the OEMkey.ps1 script to run, and you should be good to go.
@Florreking 25 days ago
Great series! During audit, I assume changes made in group policy will get saved as well?
@NextDoorNetAdmin 24 days ago
The machine isn't (and shouldn't be!) attached to any domain while it's in audit mode, so group policies won't apply. Once you've created the image and it's booting into OOBE, that's when you join the domain and get group policy applied! On the other hand, if you're talking about Local Group Policy... it's a bit more complicated. First, remember that group policies are just a more user-friendly way of inserting values into the Windows registry. Most user-specific registry entries will be persisted into the default profile if you're using CopyProfile. Most machine-specific registry entries will also be persisted... but some won't. When Sysprep comes through and resets the machine in preparation for capture and cloning, some parts of the registry are cleaned up, and changes may be lost. This is something you may need to test a fair amount. I've spent weeks testing and re-testing things, sometimes. If your desired changes are cleaned up during sysprep, you may be able to re-load and modify the registry hives offline, or you may be able to re-insert the desired values on first boot via a command script... there's always ways to get things done! :)
@azmotorhead3614 27 days ago
Am I safe to assume the unattend.xml and autounattend.xml files get copied into the root directory of the installation media/ISO file used to deploy this custom image? Also, I'm very interested in how you "slipstream" 3rd party programs and/or custom app settings into an installation (I would love to never have to go thru the mind-numbing process of de-crapifying Edge ever again.) Also also, does the profile settings copy function work on adding domain user profiles to the PC as well? Awesome series of videos!
@NextDoorNetAdmin 27 days ago
1. If Autounattend.xml is present on the root directory of any drive attached when Windows Setup starts, it will be used. So, if you boot off a setup DVD, but Autounattend.xml is present in the root of a connected USB drive, Setup will still use it.
2. When any unattend file is being used (auto or regular), Setup will copy it into the filesystem of the new operating system. (Specifically, C:\Windows\Panther.) This allows Setup to go through multiple reboots to process the different phases of setup, while still using the same unattend file.
2a. (edit) If you were to copy an unattend.xml file into C:\Windows\Panther during initial setup, Setup will start using the settings as if it was an "in-progress" unattend file after it reboots. Rufus uses this method to insert any custom settings chosen by the user.
3. When we sysprep the image out of audit mode and into OOBE, we'll pass an argument telling sysprep exactly which unattend file we want it to use. I also prep the filesystem manually, as a belt-and-suspenders approach.
4. All the slipstreaming is done in Audit mode! That's what we're going to see in the next video. :)
5. The default profile copy does work for domain users... with a slight catch. If domain users are using local profiles or a roaming profile which hasn't been instantiated yet, the default profile will be used to provision their new profile. But if domain users are using an existing roaming profile, then their existing roaming profile will be used (as you would expect).
@azmotorhead3614 1 month ago
The actual tutorial starts at 9:58 for those wanting to skip the backstory.
@keylanoslokj1806 1 month ago
Do you sell those images btw?
@NextDoorNetAdmin 1 month ago
I do not and would not sell these images. I'm happy to share them, but I suspect that selling them would put me immediately at odds with Microsoft. There's a lot of difference, after all, between using Microsoft's available tools to customize their software (and telling other people how to do the same thing themselves), versus reselling their software without authorization.
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin do you have a place we can contact you up?
@NextDoorNetAdmin 1 month ago
Not yet. I haven't built out a website or email just yet (though I do have plans for that), so for now the best way to reach me is right here in the comments! That being said, I intend to put much of the details for this online, so other people can access it more freely. I haven't exactly figured out how I want to do that, but in the next couple weeks I should have something for everybody as we wrap up the series. :) I just need to get enough time to sit down and figure it all out!
@keylanoslokj1806 1 month ago
24:25 what did you mean "it will remove the requirement"?
@NextDoorNetAdmin 1 month ago
The BypassNRO registry key set here removes the requirement to use a Microsoft account in Windows 11. The use of local accounts is re-enabled, and a Microsoft account becomes optional.
@keylanoslokj1806 1 month ago
If we need all that trouble to have a semi-functional, not completely spyware system, then we should maybe just move to Linux 😂
@NextDoorNetAdmin 1 month ago
That's a different discussion altogether. :) I use Linux, and as I've said in other comments, I personally have chosen to move to Linux instead of using Windows 11 on my personal systems. But that doesn't mean I can tell all of my business clients that I refuse to install Windows any more--that's a complete non-starter. So I still need to know how to do this for work purposes.
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin and for businesses that need to use Excel and Office etc. Hell, even I use Office.
@voodoovinny7125 1 month ago
HW RAID, SW RAID (by controller or by operating system), btrfs, or ZFS all really depends on the use case and is not a one for all. We also see it with RAID levels too. But there is very little out there of people doing content actually showing you differences to help people understand the differences to make the decision of what is best for them.
@az09letters92 18 days ago
I can't think of any use for hardware RAID anymore. It's expensive, slower and risks data corruption.
@pracha95 1 month ago
Too much talking! But good personality.
@rv6amark 1 month ago
Thank you for that wonderful "discussion" of ZFS. I am new to RAID although I have been around since before MS-DOS 1.0 was a thing, but drive arrays are new to me. Best way to keep from aging early is to learn new things... too late! But I still like learning new things.
@frankyvee1 1 month ago
NTLite is a program that facilitates doing all this for you in a GUI. But I like to know how things work, and you explained to me what NTLite is doing in the background. Thank you.
@brock2k1 1 month ago
Very well explained, thank you.
@keylanoslokj1806 1 month ago
Do you believe in the spectre/lite versions? Or too dangerous?
@NextDoorNetAdmin 1 month ago
It concerns me that the website simply redirects me to a RU-vid channel. If I'm going to use something created by somebody else, I want to know EXACTLY what has been done--and ideally, I want to use that process myself to replicate their work, rather than take it on trust. Windows is opaque enough as it is. If I'm going to modify it, I want to be able to start from an official download from Microsoft and then do the modifications myself, so I know exactly what has been done and what (if anything) has been added. That's just my personal preference, though. I'm sure lots of people have had nothing but good experiences with it, but I haven't had experience with it at all, good or bad! Most of my work focuses on cleaning up Windows 10/11 for a business environment, which is a different target. I need stability, support from Microsoft, and the ability to be able to enable telemetry for business purposes if needed; I can't afford to strip everything out like some of those builds do. (I just need to learn to control it.)
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin what kind of telemetry is useful for business?
@NextDoorNetAdmin 1 month ago
Think of a business application, developed and written in-house rather than purchased. A new update to the application is pushed out, and people start to report that it crashes sometimes. But it doesn't crash all the time, and it doesn't crash on every machine, so troubleshooting it is taking some time... Or, think of pushing out a critical security update. It installs properly on most machines, but it's failing on a few machines here and there. What's different about the machines where it fails? Maybe your business pays for some very expensive applications, and you'd like to know which application(s) you should focus on trying to eliminate--which departments use which applications, and how often? Telemetry is useful for these kinds of problems. If there's a crash, Windows error reporting can log it and send some of the details needed to help fix the issue. If an update fails, diagnostic data can help shed light on what's different about the hardware or software on the problem PCs, so you can adjust the details of which machines are assigned which updates--or which machines you might need to fix in another fashion. Microsoft's telemetry functions are primarily intended to help spot issues like these, particularly as Windows grows more complex. But Microsoft also has settings to allow the business to store the telemetry data for their own in-house reporting needs, in which case Microsoft only collects and forwards the data. You can also turn off Windows error reporting completely without having to remove it--there's a setting for that. (Microsoft used to have a service that allowed businesses to examine and use the telemetry from the Windows PCs in their own fleet, but a lot of the data is now available through the use of Intune or other such agents, some of which still use the built-in data collection functionality in order to provide the needed information.)
@keylanoslokj1806 1 month ago
Is the Cisco certification for SysAdmins worth it?
@NextDoorNetAdmin 1 month ago
I think it is. At the moment, I consider somebody with a CCNA to be "entry-level". I know Cisco has added additional certifications below CCNA these days... I personally have my CCNP, and I consider myself to be a mid-level networking guy in the grand scheme of things. Might get up to CCIE eventually. :) Cisco certifications spend entirely too much time on the Cisco-specific marketing stuff. Learn it to pass the test, forget it afterwards. The important parts are the general networking principles, yes, but because Cisco is one of the big granddaddies of the Internet, I have found that learning more of the Cisco-specific CLI commands is a massive benefit as well--a lot of other networking gear echoes the Cisco design and command structure!
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin I hear CCNP is quite hard.
@keylanoslokj1806 1 month ago
Nice videos sir! Is there a program to clean windows 11 from bloatware?
@NextDoorNetAdmin 1 month ago
There are lots of programs out there. :) For cleaning up an installation file, specifically, there is a program to do this... but it went further than I thought was beneficial, so I went through it all myself to choose what to get rid of and what to keep. It's also worth pointing out that sometimes programs to do this automatically can have negative effects--some previous versions rendered Windows unable to install any security updates, making them quite vulnerable to exploitation. I'm going to show you all one of those tools at the end of this series, but I thought it would be important for people to know how it works and why, so they can make their own decisions about whether they want to go through it manually (like I have).
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin I just want a safe and non-monitoring version that plays games and works with the Office suite.
@RationalistRebel 1 month ago
It's quite irritating when apps don't close file handles when they're supposed to be done with them. It's something that every programming 101 class teaches, yet _so many_ apps still don't do it correctly--even Microsoft's! It's even worse when a Windows service or the user shell clings to an old file handle. Ever tried to unmount a removable drive only to be rejected with an error message... even when _every_ app that ever touched the drive was already closed? Yep, a random service or part of the user shell left a damn file handle on the drive open.
@NextDoorNetAdmin 1 month ago
Indeed! I've had some success using Procexp to find the offending handle and force it closed, but I've found that when it's System holding it open, force-closing the handle leads to system instability. Usually, though, a System file handle is the result of an anti-virus scanner, a file opened remotely via SMB, or something else of that nature. Makes me go on a bit of a hunt!
@RationalistRebel 1 month ago
@NextDoorNetAdmin Yep, I've had Procexp fail a few times too. Sometimes the offending process just re-spawns the handle. In rare cases, it just fails with an error. Rather than trying to force it at that point, most people would give up and just reboot the system to clear the issue. My end run around an unclosable file handle is to simply unplug the drive in sleep mode. When the system wakes up, the offending process just has to deal with the file error... for a file it never should have kept open anyway. Technically, it was done with the file. If the system successfully goes to sleep, any pending file operations and cached versions of the file should have been committed to disk. Of course, I wouldn't do that with a complex file system, such as a database or enterprise-level system. For the average PC, I haven't had any issues with that trick. If I keep having the same problem with the same app/process, it's still preferable to actually find and correct the issue.
@harrymills2770 1 month ago
The fact that this video is helpful tells me to never buy another Windows machine.
@NextDoorNetAdmin 1 month ago
I decided I would rather switch to Linux than run Windows 11 on my personal systems. But that doesn't stop me from having to deploy Windows 11 for work purposes, so I needed to figure out how to clean this all up anyway. :)
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin there is no workaround for Office/Excel users and gamers, right?
@harrymills2770 1 month ago
@NextDoorNetAdmin I don't want to do it, but I'll be running Windoze 10 until May, and then I'll have the summer to figure something else out.
@doityourself3293 1 month ago
Thank you so much...! Show how to disable cloud also.
@NextDoorNetAdmin 1 month ago
We're definitely going to be taking a look at disabling the requirement for a Microsoft account in order to use your computer! There's also going to be some more settings that we can toggle to reduce the amount of "cloud" prompting we have to deal with. Stay tuned!
@keylanoslokj1806 1 month ago
@NextDoorNetAdmin can we buy a "cleaned" installation file from you, sir? Of course I would pay for the key + the technical work done.
@michaelfriesen4911 1 month ago
Can you share the sites that list the locations of those pesky registry entries can be identified? Awesome job on these tutorials! 🎉
@keylanoslokj1806 1 month ago
Wonder if with every new update all this laborious work goes to waste. Microsoft can just reinstall everything and more😢
@NextDoorNetAdmin 1 month ago
This is (mostly) protected from being changed in future updates. Microsoft wouldn't make any friends if classified government networks suddenly had new stuff showing up on their secured PCs, after all! These registry keys exist specifically to disable this behaviour, and for that reason, you can expect them to work through all versions of Windows 11. (And even if Microsoft did add new provisioned applications, it would affect any existing user accounts on the machine. Provisioned apps only install themselves for brand-new users on the machine, so you're fairly safe from that, too!)
@mattmaster 1 month ago
What about an Unattend.xml installation for clean Windows? I was thinking of doing it like that; which way is better?
@mattmaster 1 month ago
That's actually really helpful! <3
@usernamechangeinprogress 1 month ago
Yes! Really excited about the next variants. Love you buddy, take care, see you next week!
@stiabeats 1 month ago
"different version of onenote" hit me hard lol great stuff man
@hiddenpcmaster 1 month ago
Interesting! Can’t wait until the next video. Thanks
@inspectorfegit 1 month ago
Exactly what i needed, thank you so much
@SaulSutherland 1 month ago
Cool stuff, thanks for the tour!
@javajav3004 1 month ago
they never get any quieter lmao
@guillaumebct2908 1 month ago
Thanks for the infos and the really clear explanations !
@NextDoorNetAdmin 1 month ago
You're very welcome!
@tenzinnamgyel1588 2 months ago
Very informative
@user-vg2lf4tw5s 2 months ago
Thank you! good for nubs like me.
@michaelfriesen4911 2 months ago
Glad they finally gave you an office!
@angeldelvax7219 2 months ago
I'm only 6 minutes in, and it seems this is about exchange. Do you have any suggestions on how to get a relay set up in windows 10 without exchange? Using hmail as server at the moment. Trying to find information on how to get a proper mail server set up on a linux machine, but all tutorials are strictly for VPS/docker systems.
@NextDoorNetAdmin 2 months ago
You should find the bits about SPF records are still useful to you, since that applies whether you're running an SMTP server or setting up an SMTP relay. I don't have any information about hmail specifically. But it looks like that's an actual server. I'm not clear on whether you're attempting to send directly from that machine (from the SMTP server), or whether you're setting up a Windows 10 machine to send outbound email via the server (SMTP relay, from sending machine to server to Internet). If you're doing relay, then there's nothing special for Windows 10. Just point it at your SMTP server, and as long as you've configured the server correctly to allow relay from that machine, you should be able to send outbound. :)
@angeldelvax7219 2 months ago
@NextDoorNetAdmin hmail is the mail server I have running on a Windows 10 machine. I'd need a relay service to actually enable the server to send mail. Receiving works perfectly. I found that it isn't maintained anymore since 2021, so I'm going to look for a complete solution. Might as well go for a Linux server for everything, since I'll need web hosting, file server, chat server etc. anyway. And I have an old HP ProLiant lying around anyway. Thank you for your quick reply! I'll definitely watch the entire video too. There's no such thing as learning too much after all ;)
@PimpinBassie2 3 months ago
Heartbleed disproved _many eyeballs make a bug shallow_. I'm happy this outage proved that we still need super secure mainframes. Also, I wonder if Intel Itanium (EPIC, not EPYC) created the monoculture, because it killed off a lot of non-PC (RISC) architectures... 🤔
@NextDoorNetAdmin 3 months ago
I'm not sure I would agree that Heartbleed disproved the aphorism you mention. If anything, I think Heartbleed proved the general point that those who use a product commercially should contribute to its development. Crypto in general is a hard subject to do well, and the OpenSSL devs were chronically short on money and people who were both skilled enough and had sufficient free time to contribute. They didn't have the "many eyes" they needed to make the bugs shallow, nor did they have the resources to hire more. I don't think Itanium created any sort of a monoculture. Other RISC lines (including SPARC, ARM, and the IBM Power series) continued for decades after Itanium's introduction. They may not be especially common (certainly not as common as the x86-64 CISC microarchitecture), but they're still out there, and many are still being actively developed and sold today. Itanium, on the other hand, has itself been discontinued.
@vulgar_scabby_beaver 3 months ago
If you have only one backbone you've lost all redundancy. In the good old days when it was the wild west I had a provider no one had heard of, people be bellyaching about outages and downtime but my little insignificant outfit was still chugging along. It was bought out and of course we're all forced to swim in the same pond. It's like driving 10 cars sharing one engine, lose one engine and you've lost 10 cars.
@kernelparadigm 3 months ago
Maybe it's a problem (root cause) about alternatives, quality of service and a sprinkle of open source and open access.
@003rlewis 3 months ago
You don't want to delete those certificate exports altogether because if you have to restore that VM to a reloaded Host or a new Host environment, you cannot boot the TPM enabled VM without importing those certificates.
@NextDoorNetAdmin 3 months ago
That's a great tip, thanks! :D
@003rlewis 3 months ago
@NextDoorNetAdmin You are very welcome! I appreciate your video, it assisted me today!
@nowayandnohowx 3 months ago
So, IGMP snooping: leave it enabled or disabled for small business networks and/or home networks?
@NextDoorNetAdmin 3 months ago
I would leave it enabled. Certainly won't hurt anything! Then if something tries to use multicast and you happen to have a router which supports it, and all the stars align... it should work! If you disable IGMP snooping, that might end up being the piece which breaks it.
@michaelfriesen4911 3 months ago
😂
@darrinito 3 months ago
Thank you. IP address space has always confused me.
@JavierDiaz-zh2jo 4 months ago
Hi, Comcast and some other ISPs are blocking port 25, and the SMTP authenticators will be removed from Office 365. Do you know how to get around this port 25 issue?
@NextDoorNetAdmin 4 months ago
I do! Use a business connection. :) Not to be glib about it, but residential connections often have port 25 blocked in order to combat spam being sent from unaware customers infected with malware. Customers accessing their remote email accounts will usually use a different port--sending directly to port 25 (with or without STARTTLS) is indicative of a server-to-server (relay) connection. Conversely, since a business connection is expected to be running business applications (including email servers), all ports are generally left unblocked. Since you would need a static IP to add into the SPF record to permit the relay, that's also something typically available on a business connection.
@JavierDiaz-zh2jo 4 months ago
@NextDoorNetAdmin Sorry to say, Comcast in Florida is blocking port 25, even for businesses (which is why I asked). Many companies are dealing with this. To get around it, I set up an SMTP relay server with Postfix. It connects to Office 365 using TLS and an account with SMTP authentication enabled.
@NextDoorNetAdmin 4 months ago
@JavierDiaz-zh2jo Ouch! That boggles my mind, honestly. Business connections should be unfiltered, in my mind--it's one of the main reasons to even get a business connection in the first place! I'm going to guess that switching ISPs is likewise not a feasible option. If so, then I would honestly next look at ways of proxying the connection. First thing I would try is probably setting up an SSH tunnel to another endpoint where port 25 isn't blocked. If you had a way to SOCKSify the outbound connection, so much the better--you could use dynamic port forwarding instead of local port forwarding. But I'm afraid that I don't have a ready-made solution at hand for that problem... just ideas that would need more work.
@TheTF01 3 months ago
If there are multiple public IPs that need to be added, because of multiple locations, would you just add all of them to the SPF record? Also, does that not create some other security concerns, publishing the company's public IPs in the SPF record?
@NextDoorNetAdmin 3 months ago
@TheTF01 Every IP address that needs to be allowed to send mail does need to be added... but there's different ways of doing that, depending on the exact circumstances. If they're just single IPs that aren't connected to each other, you can use multiple ip4: entries. If the IPs can be summarized into a CIDR range, you can also enter that. (Example: "ip4:192.168.2.36/30") Does it create a security concern? I don't think it does. For one thing, there's nothing saying that these IP addresses belong to your company. Let's say you have a rule sending all outbound email to a third-party service that adds a signature. (My company does this!) You need to add the third-party service to your SPF record, and they'll typically have documentation telling you what you can put in (it's usually an "include:service.com" entry). But you could just as easily put in the actual IP addresses if you wanted, and it would work the same way. The actual SMTP headers on the email message also include a record of all the machines the email has passed through (using SMTP), including their IP addresses, from start to finish. This not only reveals the sender's IP address (if they used SMTP), but all servers along the mail path. This is standard because it helps to diagnose mail flow issues, as well as allowing things such as SPF to function correctly. And it's been that way since the very beginning of email! As a general security rule, you never want to rely on "security through obscurity"--keeping things safe by keeping them secret. You definitely want to make sure you have a firewall to protect the network, whether you publish the external IPs in an SPF record or not. And if you do have a firewall in place, I think any additional security risk created by an SPF record is minimal, if not negligible.
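The matching the reply above describes (one ip4: entry per host, a CIDR range such as ip4:192.168.2.36/30, or an include: for a third-party signing service), as an added Python example that is not part of the thread or the channel's material. It evaluates a sender IP against a constructed SPF record, using an in-memory TXT table in place of real DNS lookups (the records and domains are sample data), handles the ip4:/ip6:, include: and all terms with their qualifiers, and lists the networks such a record publishes. The a, mx, exists and redirect= terms are deliberately left out.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS TXT lookups (sample data, not any real domain's records).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:192.168.2.36/30 include:signer.example -all",
    "signer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Hypothetical resolver hook: return the SPF TXT record for a domain, or None if absent."""
    return TXT_RECORDS.get(domain)


def spf_terms(record):
    """Split a record into (qualifier, mechanism) pairs, skipping the leading v=spf1 tag."""
    terms = []
    for raw in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means '+' (pass on match)
        if raw[0] in QUALIFIER_RESULT:
            qualifier, raw = raw[0], raw[1:]
        terms.append((qualifier, raw))
    return terms


def check_spf(domain, sender_ip, depth=0, max_depth=10):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Handles ip4:, ip6:, include: and all; a, mx, exists and redirect= are not implemented.
    """
    if depth > max_depth:                    # guard against include: loops (RFC 7208 caps lookups at 10)
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech in spf_terms(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = net.version == ip.version and ip in net   # never compare v4 against v6
        elif mech.startswith("include:"):
            # include: only matches when the referenced record yields 'pass'
            matched = check_spf(mech[len("include:"):], sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no 'all' term was present


def disclosed_networks(domain, depth=0, max_depth=10):
    """Every ip4:/ip6: network the record (and its includes) publishes, i.e. what any
    TXT query against the domain can read. Useful for reviewing what a record exposes."""
    if depth > max_depth:
        return []
    record = lookup_txt(domain) or ""
    nets = []
    for _, mech in spf_terms(record):
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(str(ipaddress.ip_network(mech[4:], strict=False)))
        elif mech.startswith("include:"):
            nets.extend(disclosed_networks(mech[len("include:"):], depth + 1))
    return nets


if __name__ == "__main__":
    for ip in ("192.168.2.38", "192.168.2.40", "198.51.100.7", "2001:db8::1"):
        print(f"{ip:>16} -> {check_spf('example.com', ip)}")
    print("published networks:", disclosed_networks("example.com"))
```

The /30 in the sample record covers 192.168.2.36 through .39, so .38 passes while .40 falls through to the -all term and fails; the third-party service is reached through include:, whose own ~all does not leak back into the parent record because include: only counts a 'pass'. disclosed_networks shows the flip side of the reply's point: everything the record permits is readable by anyone, so the record should be treated as public information, not as a secret.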
@mattmaster 4 months ago
Thanks! :)
@nex7053 5 months ago
I have a problem with this Microsoft solution. If we need SMTP relay for printers it would mean including all public IPs from each office in our SPF record. What that means is that every office will have permission to send whatever they want on behalf of our domain. And I know ppl are capable of doing really amazing stuff, like buying some Instagram like-counter machine, plugging that into the network, and all I know is that every IDS and FW will turn on red alerts that there is port sweeping by some unknown Linux machine happening. Also they have various visitors etc. etc. So for me allowing an IP per each office in SPF will not do the trick at all. To me it is reckless and dangerous and also it would basically expose the public IP of each of our offices in one generally available text record, which is HELL NO.
And now to my situation with this in mind: we need a simple SMTP relay. We could use on-prem Exchange, but we are getting rid of that as our steps to cloud, and also I do not want to deal with a zero day every 5 minutes. We could use the really handy SMTP server feature available on the Windows Server edition - securing that would be a piece of cake as I could even combine that with the setup you provided and have just one out-of-physical-reach IP in SPF. BUT Microsoft decided in their infinite wisdom to deprecate it without direct replacement. So what can we do? Third party? - I would like to avoid third-party funky solutions like the plague. High volume mailbox? - feature in preview, so it can stretch and change thousands of times. To me what Microsoft is providing with this is good for some startup hipster office, but in corporate it is half baked and potentially dangerous. Me sad, me angry, me wanna bonk somebody from Microsoft with bonkstick.
PS: Great video, there is not much about this topic around. Nicely done :)
@xCheddarB0b42x 5 months ago
0. OBS. Capture multiple inputs, such as camera and desktop (picture in picture).
1. DaVinci Resolve community edition. Overwhelming at first, but plenty of help is out there.
2. Excalidraw: draw out complex diagrams as you narrate them.
3. Or a second overhead camera: draw it out on paper while you record. Some very large channels use this retro technique.
4. Learn a little bit of editing each video. It won't all be learned overnight. I'm sure you know this from your network learning adventure.
5. "Keep 'em coming! heh heh" (Duke Nukem voice)
Subbed.
0. OBS. Capture multiple inputs, such as camera and desktop (picture in picture). 1. Davinci Resolve community edition. Overwhelming at first, but plenty of help is out there. 2. Excalidraw: draw out complex diagrams as you narrate them. 3. Or a second overhead camera: draw it out on paper while you record. Some very large channels use this retro technique. 4. Learn a little bit of editing each video. It won't all be learned overnight. I'm sure you know this from your network learning adventure. 5. "Keep 'em coming! heh heh" (Duke Nukem voice) subbed