Windows 11 24h2
VitaleyUsa opened this issue · 43 comments
Hello and thank you for this great project.
Seems like on Windows 11 24H2 some options do not work like they should.
For example, the "Remove bloatware" section is not removing apps.
Defender still persists in the system even if I tick the option to disable it.
Tried on Win11 24H2 downloaded from the Microsoft site.
Did you by any chance edit the autounattend.xml after downloading it? If so, you must make sure that the file is saved without a byte-order mark – Windows 24H2 Setup could otherwise not process the file.
The bloatware removal scripts write output and errors to three log files:
C:\Windows\Temp\remove-caps.log
C:\Windows\Temp\remove-features.log
C:\Windows\Temp\remove-packages.log
To inspect those files, launch an elevated PowerShell session and type this command:
Get-ChildItem -LiteralPath C:\Windows\Temp -Force -Filter remove*.log | Get-Content | ConvertFrom-Json
Disabling Windows Defender on 24H2 will fail when Windows is not installed to the C: drive, see #29.
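An added PowerShell example for inspecting those logs; it is not part of the project or of this thread. It reads the three files named above from $env:SystemRoot\Temp (so it also works when Windows is not on C:), warns about a log that is missing or not valid JSON, and, because the entry schema is not described here, flags entries by an assumed keyword search for error-like text rather than by a field name.

```powershell
# Added example; not the project's own code. Inspect the remove-*.log files that the
# bloatware removal scripts write. Run from an elevated PowerShell session.

$logDir   = Join-Path $env:SystemRoot 'Temp'   # not hard-coded to C:\Windows
$logNames = 'remove-caps.log', 'remove-features.log', 'remove-packages.log'

function Read-JsonLog {
    # Returns the parsed entries of one log. The whole file is tried as a single
    # JSON document first; as a fallback (an assumption about the format) each
    # non-empty line is parsed as its own JSON object.
    param([string]$Path)
    $raw = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    try {
        $parsed = $raw | ConvertFrom-Json
        return @($parsed)
    } catch {
        return @(Get-Content -LiteralPath $Path |
                 Where-Object { $_.Trim() } |
                 ForEach-Object { $_ | ConvertFrom-Json })
    }
}

foreach ($name in $logNames) {
    $path = Join-Path $logDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name is missing: the matching removal script probably never ran"
        continue
    }
    try {
        $entries = @(Read-JsonLog -Path $path)
    } catch {
        Write-Warning ("{0}: not valid JSON ({1}); raw content follows" -f $name, $_.Exception.Message)
        Get-Content -LiteralPath $path
        continue
    }
    Write-Output ("== {0}: {1} entries" -f $name, $entries.Count)
    # Assumed heuristic: the entry schema is undocumented here, so search each
    # entry's JSON text for error-like words instead of relying on a field name.
    $suspect = @($entries | Where-Object {
        ($_ | ConvertTo-Json -Compress -Depth 5) -match 'error|exception|fail'
    })
    if ($suspect.Count -gt 0) {
        Write-Output ("-- {0} entries mention an error:" -f $suspect.Count)
        $suspect | Format-List | Out-String | Write-Output
    }
}
```

Save it as a .ps1 and run it elevated. A missing log file is a different failure from a log full of errors: the first means the removal script never started (for example because Setup rejected the answer file), the second means it ran and something inside it failed.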
I also use this wonderful tool to customise 24H2 and it works perfectly fine. All bloatware gone, all customisations done. I'm not entirely sure that Defender is fully removed as I still see the icon, and the hyper-annoying SmartScreen is still active. I then use the wonderful Defender removal tool included in AnWave to actually and completely nuke Defender from orbit. It's the only tool that I have ever found that does it properly, without issue, and it's not even its primary function!
You are correct to observe that the Windows Security notification icon is still there:
However, that's not a bad thing, as this also means that Windows will not complain about Defender not running. The relevant Defender services and the MsMpEng.exe process are indeed disabled:
PS C:\> Get-Service -Name Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend
Status Name DisplayName
------ ---- -----------
Stopped Sense Windows Defender Advanced Threat Pr...
Stopped WdBoot Microsoft Defender Antivirus Boot D...
Stopped WdFilter Microsoft Defender Antivirus Mini-F...
Stopped WdNisDrv Microsoft Defender Antivirus Networ...
Stopped WdNisSvc Microsoft Defender Antivirus Networ...
Stopped WinDefend Microsoft Defender Antivirus Service
PS C:\> Get-Process -Name MsMpEng
Get-Process : Cannot find a process with the name "MsMpEng". Verify the process name and call the cmdlet again.
Furthermore, I have just added a new option Disable Smart App Control for Windows 11, based on Shawn Brink's .reg files. Feel free to check it out.
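An added PowerShell check, not part of the project or of this thread, that goes one step further than the session above: besides Status it reports each service's StartType, because a service that is merely Stopped (with Manual or Automatic start) comes back at the next boot, while a Disabled one does not. It also queries the Defender cmdlet, which itself fails when the WinDefend service is down.

```powershell
# Added example; not the project's own code. Verify that Defender is actually
# inactive rather than just stopped for now. Run from an elevated PowerShell session.

$services = 'Sense', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WinDefend'

$report = foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        # StartType separates "Stopped but will start at next boot"
        # (Manual/Automatic) from "Disabled".
        StartType = if ($svc) { $svc.StartType } else { '-' }
    }
}
$report | Format-Table -AutoSize

$proc = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
if ($proc) {
    Write-Warning "MsMpEng.exe is running (PID $($proc.Id)); Defender is still active"
} else {
    Write-Output 'MsMpEng.exe is not running'
}

# Anything Stopped but not Disabled may return after a reboot or a servicing pass.
$willReturn = @($report | Where-Object { $_.Status -eq 'Stopped' -and $_.StartType -ne 'Disabled' })
if ($willReturn.Count -gt 0) {
    Write-Warning ('Stopped but not disabled: ' + ($willReturn.Service -join ', '))
}

# Get-MpComputerStatus needs the WinDefend service; its failure is itself a signal.
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
} catch {
    Write-Output "Get-MpComputerStatus unavailable ($($_.Exception.Message)): Defender platform is not running"
}
```

The Windows Security icon being present, as noted above, says nothing about whether the engine runs; the StartType column and the absence of MsMpEng.exe are the values to look at.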
You are a hero! Thank you for your hard work and effort with your generator; it's a lifesaver!
Kudos for the Smart App Control option! I am really not a fan of SmartScreen either, do you think you could add an option to remove that? It's an awful system that nobody wants as it's so intrusive and confusing.
I made my own script to remove it, as many Defender removers don't remove it, or don't remove all of it, and it comes back after a reboot or two.
It's made up of years of research by me, because I'm no coder/scripter finding out all the best settings that actually work, don't upset Windows, leaves Windows Update fully working, as well as not coming back later. Obviously, a big upgrade may bring it back, but that happens to Defender too.
Here's my .BAT file. It's amateur, but it works... You're also more intelligent than I, so don't laugh at some of the code. But these registry settings are 100%
@echo off
:: BatchGotAdmin
:-------------------------------------
REM --> Check for permissions
REM     cacls on the SYSTEM hive only succeeds when running elevated.
IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (
>nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system"
) ELSE (
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
)
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
REM --> Re-launch this script elevated via a temporary VBScript (triggers the UAC prompt),
REM     passing the original arguments along, then exit the non-elevated instance.
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params= %*
echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
:gotAdmin
pushd "%CD%"
CD /D "%~dp0"
set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies
REM --> Policy values: SmartScreen for apps and files, Internet Explorer phishing filter,
REM     the MDM PolicyManager mirror and the Explorer user-facing setting.
echo == Disabling SmartScreen
REG ADD "%Policies%\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControl /t REG_SZ /d "Anywhere"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v Enabled /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV8 /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV9 /t REG_DWORD /d "0"
REG ADD "%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /f /v 2301 /t REG_DWORD /d "3"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /f /v value /t REG_DWORD /d "0"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /f /v SmartScreenEnabled /t REG_SZ /d "Off"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"
REM --> Per-user values (HKCU): these only affect the account running the script.
echo == Disabling SmartScreen for Store and Apps
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v EnableWebContentEvaluation /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v PreventOverride /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d "0"
REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /f /v "EnabledV9" /t REG_DWORD /d "0"
echo == Disabling SmartScreen for Microsoft Edge
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenEnabled /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenPuaEnabled /t REG_DWORD /d "0"
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d "0"
echo == Disabling Smart App Control
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy" /f /v VerifiedAndReputablePolicyState /t REG_DWORD /d "0"
REM --> Take ownership of the SmartScreen binaries (owned by TrustedInstaller), grant
REM     full control to the current user, stop the process and delete the files.
echo == Stopping SmartScreen and Cleaning Up
takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreen.exe"
icacls "%WinDir%\System32\smartscreen.exe" /grant:r %username%:F
taskkill /im smartscreen.exe /f
del "%WinDir%\System32\smartscreen.exe" /s /f /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreen.dll"
icacls "%WinDir%\System32\smartscreen.dll" /grant:r %username%:F
del "%WinDir%\System32\smartscreen.dll" /s /f /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreenps.dll"
icacls "%WinDir%\System32\smartscreenps.dll" /grant:r %username%:F
del "%WinDir%\System32\smartscreenps.dll" /s /f /q
pause
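An added PowerShell audit, written here as an example and not part of the project or of the script above: it reads the registry values that the batch file sets and reports which of them currently hold the "SmartScreen off" data, plus whether the SmartScreen binaries are still in System32. The intended use is verification, for instance confirming on a fleet that SmartScreen and Smart App Control have not been switched off unexpectedly, or checking that a deliberate change took effect. Paths and value names are those from the script; the "absent means default" interpretation is an assumption.

```powershell
# Added example; not the project's own code. Audit the SmartScreen-related registry
# values used by the batch script above and flag those holding the "off" setting.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Off = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'; Name = 'ConfigureAppInstallControlEnabled'; Off = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'; Name = 'ConfigureAppInstallControl'; Off = 'Anywhere' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV9'; Off = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen'; Name = 'value'; Off = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled'; Off = 'Off' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost'; Name = 'EnableWebContentEvaluation'; Off = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Edge'; Name = 'SmartScreenEnabled'; Off = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Edge'; Name = 'SmartScreenPuaEnabled'; Off = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'; Name = 'VerifiedAndReputablePolicyState'; Off = 0 }
)

function Get-RegValueOrNull {
    # Returns the value data, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $value = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Data     = if ($null -eq $value) { '<absent>' } else { $value }
        # Assumption: an absent value means the Windows default applies, so only an
        # explicit match with the "off" data is flagged.
        SetToOff = ($null -ne $value) -and ("$value" -eq "$($c.Off)")
    }
}
$results | Format-Table -AutoSize -Wrap

$off = @($results | Where-Object SetToOff)
Write-Output ("{0} of {1} audited values hold the SmartScreen-off setting" -f $off.Count, $results.Count)

# The batch script also deletes the SmartScreen binaries; report whether they still exist.
foreach ($file in 'smartscreen.exe', 'smartscreen.dll', 'smartscreenps.dll') {
    $p = Join-Path $env:SystemRoot "System32\$file"
    if (Test-Path -LiteralPath $p) { Write-Output "present: $p" } else { Write-Warning "missing: $p" }
}
```

HKCU values are read for the account running the audit only, so on a shared machine run it as each user of interest; the HKLM policy values apply machine-wide and are the ones a Group Policy or the autounattend.xml would normally manage.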
thank you in advance for this great utility
yes, you are right - there is only the icon from Defender; however, all apps still persist, everything else works
I'm not editing the *.xml, nor installing it on another disk
tried both 24h2 and 23h2 in Hyper-V, downloaded from the MS site
dunno why it doesn't work, maybe some language/locale issue?
Where did you get the Windows .ISO file that you are using from, and which build number is it? Also, is the .ISO file altered in any way?
Mine is 26100.1301.240725-1635.GE_RELEASE_SVC_PROD3_CLIENTMULTI_X64FRE_EN-GB.iso and I built it myself from UUPdump, and works flawlessly with the autounattend.xml file generated from here on 4 different computers.
You really need to check the log files.
I am really not a fan of SmartScreen either, do you think you could add an option to remove that? It's an awful system that nobody wants as it's so intrusive and confusing.
Compared to other Windows security settings, SmartScreen really seems to be a nightmare to configure. For example, Shawn Brink has at least four tutorials to cover this topic:
- Enable or Disable Microsoft Defender SmartScreen Check Apps and Files from Web in Windows 11
- Enable or Disable Microsoft Defender SmartScreen for Microsoft Edge in Windows 11
- Enable or Disable Microsoft Defender SmartScreen for Microsoft Store Apps in Windows 11
- Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11
His .reg files are usually very good, but I simply cannot guarantee they all work as intended on both Windows 10 and 11. Also, there might be interdependencies with other settings offered by my service (like Disable Windows Defender), and testing all combinations is not possible for me. Furthermore, since I use Google Chrome, I have never experienced that many problems with SmartScreen.
For the time being, I do not intend to add SmartScreen settings to my service. However, I will look into the possibility of using Group Policies with autounattend.xml files – these seem to be much more manageable than .reg files.
As far as I'm aware, there is no difference between 10 & 11. I posted the script many months ago over on My Digital Life and I've had zero issues reported, but obviously that's no guarantee. I did use Shawn's work as some of the reference for my script, but it's very simplistic and does not stay disabled for long; most of it came from manually digging through the registry and a few other sources too - a compilation of greatest hits, if you will!
SmartScreen is more of an annoyance than anything. It's what is responsible, among other things, for those annoying blue dialog boxes that ask if you are sure you want to install an application or not, and the one where you have to click a link to actually run it. It's reliant on an Internet connection, as it sends a file hash to Microsoft and compares it to their own database before allowing the user to run the installation or not. It can be very slow, but it's mostly confusing for those that don't really understand that they have to click the "more info" link to actually run something that Microsoft does not have in its database...
But I totally understand your point and appreciate you looking into the group policy option.
It turned out that SmartScreen configuration is not that hard after all – 355cad9 consists of only 9 registry values.
This is how the SmartScreen settings page looks in Windows 11 immediately after installation with the new Disable SmartScreen in Windows and Edge setting enabled:
Thank you so much!