Windows 11 installation and tune up
Installation
*************************************************
Before install
Before installing a new Windows 11 or 10 onto an existing system, back up the drivers from the existing system:
\windows\system32\driverstore
*************************************************
Fresh installation of Windows 11 failed due to the TPM security check:
1. Ctrl-Shift-F10
2. Type notepad
3. In Notepad, click File > Open and go to the bootable drive.
4. Select All Files from the "Files of type" dropdown.
5. Right-click the file bypass.reg, then select Merge.
If error code 0X80300024 appears (the installer is unable to determine the boot device), or the installation fails to complete:
***** Disconnect other internal drives *****
Skip network and configure a local account only
1. Shift-F10
2. Type OOBE\BYPASSNRO
3. Setup will reset and restart the computer, returning to the previous screen; the message "I don't have Internet" will then be on the screen that asks for a network connection
Inline upgrade of Windows 11 failed. This might not work after version build 25977 on Windows 11 24H2.
1. Mount the Windows ISO file as a drive by right-clicking the ISO file and selecting Mount
2. Type cmd in the search bar and press Shift-Control-Enter to open an admin cmd window, not PowerShell
3. CD to the mounted drive
4. Type "setup /product server"
5. Follow the instructions and proceed to install
*************************************************
Post Installation system tune up
*************************************************
Post installation PowerShell script
Run this script as Administrator
Remove OneDrive
taskkill /f /im OneDrive.exe
winget uninstall Microsoft.onedrive
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v DisableFileSyncNGSC /t REG_DWORD /d 1 /f
REG DELETE "HKCU\Software\Microsoft\OneDrive"
REG DELETE "HKLM\Software\Microsoft\OneDrive"
# After removing OneDrive, check for and remove any OneDrive folders at:
# C:\ProgramData
# C:\Program Files
# C:\Program Files (x86)
Uninstall built-in apps (example list, can be adjusted)
List installed apps: Get-AppxPackage | Sort-Object Name | Select-Object Name, PackageFullName
Remove installed apps: Get-AppxPackage -Name *AppName* -AllUsers | Remove-AppxPackage
$appsToRemove = @(
    "*WebExperience*",   # Widget removal
    "*Xbox*",
    "Microsoft.MicrosoftSolitaireCollection",
    "Microsoft.GamingApp",
    "Microsoft.Todos",
    "Microsoft.GetHelp",
    "Microsoft.ZuneMusic",
    "Microsoft.MicrosoftOfficeHub",
    "Microsoft.Windows.PeopleExperienceHost",
    "MSteams",
    "Microsoft.WindowsAlarms",
    "Microsoft.BingNews",
    "Microsoft.BingWeather",
    "Microsoft.MicrosoftStickyNotes",
    "Microsoft.Windows.ParentalControls",
    "Microsoft.OutlookForWindows",
    "Microsoft.WindowsFeedbackHub",
    "Microsoft.WindowsSoundRecorder",
    "Microsoft.WindowsCalculator",
    "Clipchamp.Clipchamp",
    "Microsoft.StorePurchaseApp",
    "Microsoft.WindowsCamera"
)
foreach ($app in $appsToRemove) {
    # Remove the installed package
    Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
    # Remove the provisioned package so new user profiles do not receive it.
    # -like (not -eq) is needed so the wildcard entries such as "*Xbox*" match.
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like $app | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue
}
Write-Host "Widget disabled and selected built-in apps removed." -ForegroundColor Yellow
# Disable Windows Recall
dism /online /get-featureinfo /featurename:recall
dism /online /disable-feature /featurename:recall
# Disable suggestions in Start Menu
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SubscribedContent-338388Enabled" -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SubscribedContent-310093Enabled" -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SubscribedContent-338389Enabled" -Value 0
# Disable tips and suggestions in notifications
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SoftLandingEnabled" -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Value 0
# Disable ads on Lock screen
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lock Screen" -Name "CreativeId" -Value ""
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lock Screen" -Name "RotatingLockScreenOverlayEnabled" -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lock Screen" -Name "StatusAppId" -Value ""
# Disable tips in Windows Spotlight
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "RotatingLockScreenEnabled" -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "RotatingLockScreenOverlayEnabled" -Value 0
# Disable suggested apps in Start menu
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Start_Recommendations" -Value 0
Write-Host "All done! You may need to restart your computer for changes to fully apply." -ForegroundColor Green
# Disable Telemetry (for Pro users)
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
# Disable Bing Search in Start Menu
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f
# Disable Auto-install Suggested Apps
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
Write-Host "Advanced tweaks applied: telemetry disabled, background apps off, Cortana & Bing search off, OneDrive removed, and more." -ForegroundColor Cyan
# Disable Volume Shadow Copy - can save lots of space from the hidden folder "System Volume Information"
# (deleting the shadows removes all existing restore points and previous versions on C:)
Get-Service -Name VSS
vssadmin delete shadows /for=C: /all
Set-Service -Name VSS -StartupType Disabled
Disable notifications and other options
Win + I -> System -> Notification Off, keep Do Not Disturb ON
Win + I -> Accessibility -> Transparency effects Off
Win + I -> Personalisation -> Off all options
Uninstall all game-related apps from installed apps
Prevent Microsoft Edge Launch at startup
1. Via Group Policy Editor gpedit
2. Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge
3. Find "Prevent Microsoft Edge from being the default browser" and enable it.
4. Under Option: Select Prevent pre-launching
5. Apply the policy by running gpupdate /force in Command Prompt.
Remove startup tasks
msconfig -> startup
msconfig -> service (Hide all Microsoft services)
Disable Windows Auto update
Via GPO (Windows 11 Pro only)
1. Run gpedit.msc
2. Computer Configuration -> Administrative Template -> Windows Components -> Windows Update
3. Click Configure Automatic Updates
4. Click disable
6. Click OK and reboot the computer
Via the registry (Windows 11 Home)
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
******************************************************************************************************************
DISM Script – Disable & Remove Unneeded Features in Windows 11 Pro
Use the following to display features:
$features = dism /online /get-features | Where { $_ -match "Feature Name|State" }
$parsed = @()
for ($i = 0; $i -lt $features.Count; $i += 2) {
    $name = $features[$i] -replace "Feature Name : ", ""
    $state = $features[$i+1] -replace "State : ", ""
    $parsed += [PSCustomObject]@{ FeatureName = $name; State = $state }
}
$parsed | Sort-Object State | Format-Table -AutoSize
Use the following to display enabled features, from which those to disable can be selected:
dism /online /Get-Features | Select-String "Feature Name :|State :" | ForEach-Object {
    if ($_ -match "Feature Name : (.+)") {
        $fname = $matches[1]
    } elseif ($_ -match "State : Enabled") {
        "$fname : Enabled"
    }
}
# Run the following dism command separately for each unwanted feature
dism /online /disable-feature /featurename:"MediaPlayback" /NoRestart
dism /online /disable-feature /featurename:"WorkFolders-Client" /NoRestart
dism /online /disable-feature /featurename:"Containers-DisposableClientVM" /NoRestart
dism /online /disable-feature /featurename:"SearchEngine-Client-Package" /NoRestart
After disabling the unwanted features, the following are left enabled on Windows 11 24H2:
WCF-Services45 : Enabled
WCF-TCP-PortSharing45 : Enabled
SmbDirect : Enabled
Printing-PrintToPDFServices-Features : Enabled
Printing-Foundation-Features : Enabled
Printing-Foundation-InternetPrinting-Client : Enabled
MSRDC-Infrastructure : Enabled
NetFx4-AdvSrvs : Enabled
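To re-check this list later (for example after a feature update re-enables something), the enabled features can be compared against the baseline above. This is an added example, not part of the original notes; the function names are hypothetical and the sample DISM output is constructed.

```powershell
# Baseline: the features the notes above report as left enabled on Windows 11 24H2.
$Baseline = @(
    'WCF-Services45', 'WCF-TCP-PortSharing45', 'SmbDirect',
    'Printing-PrintToPDFServices-Features', 'Printing-Foundation-Features',
    'Printing-Foundation-InternetPrinting-Client', 'MSRDC-Infrastructure', 'NetFx4-AdvSrvs'
)

# Hypothetical helper: turn "dism /online /get-features" text into objects.
# Each "State" line is paired with the preceding "Feature Name" line instead of
# assuming strict alternation, so a stray line cannot shift every later pair.
function ConvertFrom-DismFeatureText {
    param([string[]]$Lines)
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Feature Name : (.+)$') {
            $name = $Matches[1].Trim()
        } elseif ($name -and $line -match '^\s*State : (.+)$') {
            [PSCustomObject]@{ FeatureName = $name; State = $Matches[1].Trim() }
            $name = $null
        }
    }
}

# Hypothetical helper: report drift between the enabled features and the baseline.
# "Enable Pending" is counted as enabled because it takes effect at the next reboot.
function Compare-FeatureBaseline {
    param([object[]]$Features, [string[]]$Baseline)
    $enabled = @($Features | Where-Object { $_.State -like 'Enable*' } |
                 ForEach-Object FeatureName)
    [PSCustomObject]@{
        UnexpectedlyEnabled = @($enabled  | Where-Object { $_ -notin $Baseline })
        NoLongerEnabled     = @($Baseline | Where-Object { $_ -notin $enabled })
    }
}

# Constructed sample input; on a real system use instead:
#   $lines = dism /online /get-features /English
$lines = @'
Feature Name : SmbDirect
State : Enabled
Feature Name : MediaPlayback
State : Enabled
Feature Name : WorkFolders-Client
State : Disabled
Feature Name : TelnetClient
State : Enable Pending
'@ -split "`r?`n"

Compare-FeatureBaseline (ConvertFrom-DismFeatureText $lines) $Baseline | Format-List
```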
*************************************************
Ongoing Windows 11 System Performance and Tuning
Basic Cleanup - Use administrator rights
CCleaner
Disk cleanup #Cleanup Windows.old
%temp%
Temp folders
Old Windows update files at: \windows\SoftwareDistribution\Download
Sfc /scannow to validate and repair system files
DISM /Online /Cleanup-Image /RestoreHealth #Fix deeper corruptions.
Cleanup Winsxs (Windows Side by Side) folder
Dism.exe /Online /Cleanup-Image /AnalyzeComponentStore
Dism.exe /online /Cleanup-Image /StartComponentCleanup
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
Remove 5 Caches
1. Temp file – cleanup
2. wsreset.exe - Microsoft Store cache
3. DNS cache - cmd - ipconfig /flushdns
4. Check \system32\drivers\etc\hosts
5. Browser cache – Firefox, Chrome and Edge
6. File Explorer history - File Explorer - View - Options - clear at Privacy
*************************************************
Useful shortcut key
Win + I (Setting)
Win + L (Lock Screen)
Win + X (Execute Admin Side Bar)
Win + R (Run open program)
Win + D (Hide open apps, Redisplay open apps)
Win + W Open Widget (Test for removal)
Alt + Space Quick open Copilot
Setup: Open Copilot in a full window, click Sign In at the bottom left corner, click Settings to enable the shortcut key
Ctrl V, Ctrl C Cut & Paste
Ctrl-Shift Click cmd icon to open in Admin mode, type powershell or cmd to toggle between the two modes
Ctrl-Z Undo
Reset windows password before login
Press "Shift" and click Restart at the login window (this will bring up debug mode on the next reboot)
-> Troubleshoot -> Advanced Option -> Command Prompt
Type Notepad
Open file at windows\system32\ (Select files of type = All Files)
Find the file sethc (right click and rename to sethc-user, press Enter but do not press Open; the file will be renamed but the display will be unchanged)
Similarly, find the file cmd and rename it to sethc
Close the Notepad and cmd windows, then click Continue
System will be rebooted
Under the password box, press the "Shift" key FIVE times slowly to bring up the cmd window.
C:\windows\system32>net localgroup administrators
Will display accounts
C:\windows\system32>net user siueric *
Then change the password and exit cmd
Use the new password to log in to Windows
Change the above renamed files back to their original names.
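A check that the last step was actually carried out, since a machine left with cmd under the sethc name keeps offering a command prompt at the login screen. This is an added example, not part of the original notes; the function name is hypothetical and the leftover pattern sethc-user* comes from the rename step above.

```powershell
# Hypothetical helper: verify that sethc.exe and cmd.exe are back in place
# after the password reset procedure.
function Test-StickyKeysRestored {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $findings = @()
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'

    foreach ($path in $sethc, $cmd) {
        if (-not (Test-Path -LiteralPath $path)) { $findings += "Missing: $path" }
    }

    if (Test-Path -LiteralPath $sethc) {
        # The version resource survives a rename, so it shows what the file really is.
        $orig = (Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename
        if ($orig -notmatch '^sethc') {
            $findings += "sethc.exe reports original name '$orig' (expected sethc)"
        }
        # Identical content means a copy of cmd is still sitting under the sethc name.
        if ((Test-Path -LiteralPath $cmd) -and
            ((Get-FileHash -LiteralPath $sethc).Hash -eq (Get-FileHash -LiteralPath $cmd).Hash)) {
            $findings += 'sethc.exe has the same SHA-256 hash as cmd.exe'
        }
    }

    # Leftover from the rename step (sethc -> sethc-user).
    $leftovers = Get-ChildItem -LiteralPath $System32 -Filter 'sethc-user*' -ErrorAction SilentlyContinue
    foreach ($file in $leftovers) {
        $findings += "Leftover renamed file: $($file.FullName)"
    }

    [PSCustomObject]@{ Restored = ($findings.Count -eq 0); Findings = $findings }
}

Test-StickyKeysRestored | Format-List
```

The same function can be run periodically on any machine: a sethc.exe whose version resource names another program is worth investigating even when nobody has reset a password.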
Obtain current windows 10/11 OEM key
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform BackupProductKeyDefault
Windows 11 network security
Public network and Private network differ only in whether network discovery is enabled by default; this does nothing for network security unless the user modifies it afterward.
Public network and private network share the same firewall security by default
ICMP V4 inbound is not enabled, therefore the machine is unable to be pinged
Google Mesh WIFI router:
Downstream subnet can make connections to upstream subnet but not vice versa due to built-in NAT restriction.
RDP:
Remote Desktop Inbound
Not enabled by default; turning on Remote Desktop via Win + I -> Remote Desktop will change the following firewall inbound rules:
Remote Desktop - Shadow (TCP-In)
Remote Desktop - User Mode (TCP-In)
Remote Desktop - User Mode (UDP-In)
Then allow RDP in
Remote Desktop Outbound enabled by default
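To confirm which of these rules are actually enabled, and on which firewall profiles, the state can be read back with the built-in firewall cmdlets. This is an added example, not part of the original notes; the function name is hypothetical and the rule display names are the ones listed above (English-language Windows assumed).

```powershell
# Hypothetical helper: summarise how Remote Desktop is exposed on this machine.
function Get-RdpExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # fDenyTSConnections = 0 means Remote Desktop is turned on.
    $rdpOn = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

    # The three inbound rules named in the notes above.
    $names = 'Remote Desktop - Shadow (TCP-In)',
             'Remote Desktop - User Mode (TCP-In)',
             'Remote Desktop - User Mode (UDP-In)'
    $rules = Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -in $names } |
        Select-Object DisplayName, Enabled, Profile, Action

    # Network category (Public / Private / DomainAuthenticated) per connected interface.
    $networks = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

    # An enabled rule whose Profile includes Public (or Any) is reachable
    # while the machine is connected to a Public network.
    $onPublic = @($rules | Where-Object {
        $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Public|Any'
    })

    [PSCustomObject]@{
        RemoteDesktopOn = $rdpOn
        NlaRequired     = $nla
        Networks        = $networks
        Rules           = $rules
        EnabledOnPublic = @($onPublic | ForEach-Object DisplayName)
    }
}

Get-RdpExposure | Format-List
```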
Installed zerotier:
Enable icmp and rdp before zerotier installation; ping and rdp then work in both directions between upstream and downstream subnets
Zerotier will bypass Google Mesh router NAT restriction.
While performing the above configuration changes, to troubleshoot network connection problems:
Ipconfig /renew
Arp -d
To refresh machine network database
To enable RDP and File Sharing after Norton is installed
Open Norton main menu
Settings at top bar
Firewall
Configure the Public Network Exceptions
Prevent a local user from logging in to Windows while still allowing them to map a shared disk
Use Local Security Policy
Run secpol.msc
Local Policies > User Rights Assignment
Open Deny log on locally
Add user or group
Add Lock to the right-click menu on the BitLocker drive
1. Copy the file lock-bde.cmd to c:\windows\system32
2. Run the reg file "Add Lock Drive Bitlocker Context Menu.reg" to add it to the registry
3. Reboot computer
***************************************************************************************
Hyper-V virtualization
*****************************************************************************************
Enable Hyper-V virtualization
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
Change Firefox font size
about:config
Search: type devp
Change layout.css.devPixelsPerPx value
ViceVersa
To bypass and fix long folder names that exceed 256 characters, add \\?\ before the drive name
Use \\?\C:\ rather than c:\
A VVScheduler task will not execute if the task username and password are missing or wrong
Click VVScheduler
Click Edit task
Check Run as: username and password are correct
Remove uninstalled old device drivers
cmd: SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
Then, under Device Manager, show hidden devices and uninstall them
Repair Outlook
Run "C:\Program Files\Microsoft Office\Office12\Outlook.exe" /resetnavpane
Outlook POP setting info:
https://www.howto-outlook.com/howto/accountsettings.htm#outlookcom
Old program in Windows 10
Right click program -> properties -> Compatibility -> select mode for old windows, Windows XP SP3
Close laptop lid and keep windows 11 running
Win + I -> System -> Power & Battery -> Lid, power & sleep button control
Install Q9, to display non-unicode big 5 in Q9 under Windows 11
Control Panel -> Region -> Administrative -> Change system Locale -> Chinese HKSAR
Right click program -> properties -> Compatibility -> select mode for old windows, Windows XP SP3 for Q9
Select and test font PMingLiu-ExtB or other Chinese fonts from menu of Q9 -> Select Display font
Secure Erase disk
Use Drive Wiper in CCleaner (>1Hr / 100GB in one pass)
Ping with time stamp display
ping -t 192.168.1.12 | ForEach {"{0} - {1}" -f (Get-Date),$_} > desktop\test.txt