Professional workstations

Information

Windows 11 installation for professional workstations

This is a short bullet point list of settings and commands that we execute when we install a new Windows 11 machine for professional use.
Some of the settings are system-wide, some are user specific.

Windows Settings

	Steps to take or Settings location (most of the time you can just typ the settings page name into the start menu)	Description
No Microsoft Account	This has to be done during installation: Once the setup starts, select your language and then your keyboard layout Press Shift+F10 to open Command Prompt Type in oobe\bypassnro, press Enter, and wait for your computer to restart Continue through with setup and click on "I don't have internet" and "continue with limited setup" this time. Deny each option in the Privacy section.	We use the Microsoft account to transfer or re-validate a Windows license only. But we do not need that for test installations. (Note that you can not see a list of your MS software licenses online...) If you do not add an MS account as the main user at installation, then you can create a new user after installation to validate your Windows license.
Disable Bing Search in Start Menu	Privacy & Security / Search permissions / all off	In the start menu I search for an installed app or setting. If I want a web search, I start a web browser.
Lock Screen	Lock Screen settings: Personalise: Picture Disable "Fun Facts"
TaskBar	TaskBar settings: Search Off Task View Off Chat Off Widgets Off Group Apps if taskbar is full only (I want to see the app title!) Start menu icon on the left	See 3rd party app "Explorer Patcher" as well
Windows Explorer	Setting: Start with "This PC" To remove some of the shortcuts like "movies", start regedit.exe and paste this path HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Desktop\NameSpace Check the contents of each subfolders for information which shortcut it is. Delete the folders you do not want. We removed last time: {e88865ea-0e1c-4e20-9aa6-edcd0212c87c} {f874310e-b6b7-47dc-bc84-b9e6b38f5903} {031E4825-7B94-4dc3-B131-E946B44C8DD5} {1CF1260C-4DD0-4ebb-811F-33C572699FDE} {3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA} {450D8FBA-AD25-11D0-98A8-0800361B1103} {A0953C92-50DC-43bf-BE83-3742FED03C9C} {A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}
OneDrive	Right-click on tray icon, Settings, Settings Click on "Unlink this PC"
App Execution Aliases	App Execution Aliases Disable "App Installer" for Python 2 and 3.	I do not want to auto-install some version if someone types "python" into shell.
Pagefile/Hiberfil	Set Pagefile to a fixed size. E.g. 8192 Disable hibernation (C:\HiberFil.sys) with command "powercfg -h off"
Sign-In Options	Disable "use my sign in to automatocally finish up after an update"	If enabled, this automatically logs in your account and if some other wants to shut down, it asks to terminate some users apps. "Did someone else log in before?? May I shut down?"
Disable Local Account Security Questions	Two ways to disable them: Start gpedit.msc . Computer Configuration > Administrative Templates > Windows Components > Credential User Interface Enable "Prevent the use of security questions for local accounts" Start regedit. Browse to folder HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\System. Right-click the System key on the left and select new DWORD 32-bit value. Name it NoLocalPasswordResetQuestions . Set the value data to 1.	They are just a security risk and I hate to type in something when adding a new user.
Remote Desktop	Remote Desktop Settings: Enable
Public to private network	Network and Internet Settings Private Network
File/Printer sharing	Advanced Sharing Settings: Enable File and printer sharing
Allow "ping"	Windows Defender Firewall with Advanced Features: Inbound Rules / File and printer sharing -Echo Request Rule should be "disabled" or "enabled + allow"
Network	View Network connections Double-click on your connection. Open TCP/IPc4, then Advanced Disable NetBIOS in TCPIP (try to enable if Linux cannot mount your machine via SMB/CIFS) Disable Microsoft-LLDP Disable Link Layer Topology Disconvery Disable QoS Packet Scheduler

Services

Set services to disabled

Windows Error Reporting Service
Geolocation
Display Enhancement Service (not required for remote machines. optional for machines with display (e.g. brightness control))
Radio Management Service (Might be needed for Wi-Fi and Bluetooth)
SSDP Discovery (use for network devices with this protocol)
Windows Search
Connected User Experiences and Telemetry
(Microsoft Data Collection)

Set services to manual

Downloaded Maps Manager
Connected Devices Platform Service
(network smart speakers, wireless printers, and phones)
Connected Devices Platform User Service_737c6
(May only be disabled in registry by setting HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_*\Start = 0x4)
Data Usage
(Shows the "last 30 days" section in Settings › Network & Internet. When disabled, the Windows 11 Settings home screen will always say Disconnected.)
Sync Host
(synchronizes mail, contacts, calendar, and various other user data. Mail and other applications dependent on this functionality. May only be disabled in registry by setting HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*\Start = 0x4)
Web Account Manager
(required for Settings > Accounts > Sign-in Options to load)

Windows Apps

Disable app install for new user accounts via powershell

Run

Get-AppXProvisionedPackage -Online | Select PackageName >C:\temp\apppacks.txt
This lists all apps that will be installed on login.

Edit the file. Remove apps you want to keep.

Keep for example:

Microsoft (and nothing else in the name)
Microsoft.HEIFImageExtension
Microsoft.HEVCVideoExtension
Microsoft.MicrosoftEdge
Microsoft.Paint
Microsoft.PowerAutomateDesktop
Microsoft.RawImageExtension
Microsoft.StorePurchaseApp
Microsoft.WindowsStore
Microsoft.VCLibs
Microsoft.VP9VideoExtensions
Microsoft.WebMediaExtensions
Microsoft.WebpImageExtension
Microsoft.WindowsCalculator
Microsoft.WindowsNotepad
Microsoft.WindowsTerminal
Microsoft.SecHealthUI
Microsoft.DesktopAppInstaller

Then change all remaining lines that they look like this:

Remove-AppXProvisionedPackage -Online -PackageName "<Packname>"

If you use the Notepad, then copy this first: Remove-AppXProvisionedPackage -Online -PackageName "
Now use the keys Pos1, Ctrl-V, ArrowDown in a loop.
Then enable caps lock. And these these keys in a loop: End, 2, ArrowDown

Copy-Paste everything into Powershell and press Return (Return is required for the last line only)

Uninstall apps for the current user via powershell

Paste these lines into powershell and press Return:

Get-AppxPackage *windowscamera* | Remove-AppxPackage -AllUsers

Get-AppxPackage *windowsmaps* | Remove-AppxPackage -AllUsers

Get-AppxPackage *xboxapp* | Remove-AppxPackage -AllUsers

Get-AppxPackage *XboxGaming* | Remove-AppxPackage -AllUsers

Get-AppxPackage *phone* | Remove-AppxPackage -AllUsers

Get-AppxPackage *XboxIdentityProvider* | Remove-AppxPackage -AllUsers

Get-AppxPackage *WidgetsPlatformRuntime* | Remove-AppxPackage -AllUsers

Get-AppxPackage *ZuneMusic* | Remove-AppxPackage -AllUsers

Get-AppxPackage *ScreenSketch* | Remove-AppxPackage -AllUsers

Get-AppxPackage *LockApp* | Remove-AppxPackage -AllUsers

Get-AppxPackage *XboxGameCallableUI* | Remove-AppxPackage -AllUsers

Get-AppxPackage *AsyncTextService* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Windows.PeopleExperienceHost* | Remove-AppxPackage -AllUsers

Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage -AllUsers

Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Todos* | Remove-AppxPackage -AllUsers

Get-AppxPackage *MicrosoftCorporationII.QuickAssist* | Remove-AppxPackage -AllUsers

Get-AppxPackage *ZuneVideo* | Remove-AppxPackage -AllUsers

Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage -AllUsers

Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Xbox.TCUI* | Remove-AppxPackage -AllUsers

Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage -AllUsers

Get-AppxPackage *WindowsFeedbackHub* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Windows.Photos* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Windows.DevHome* | Remove-AppxPackage -AllUsers

Get-AppxPackage *People* | Remove-AppxPackage -AllUsers

Get-AppxPackage *OutlookForWindows* | Remove-AppxPackage -AllUsers

Get-AppxPackage *MicrosoftStickyNotes* | Remove-AppxPackage -AllUsers

Get-AppxPackage *MicrosoftSolitaireCollection* | Remove-AppxPackage -AllUsers

Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage -AllUsers

Get-AppxPackage *GetHelp* | Remove-AppxPackage -AllUsers

Get-AppxPackage *GamingApp* | Remove-AppxPackage -AllUsers

Get-AppxPackage *BingWeather* | Remove-AppxPackage -AllUsers

Get-AppxPackage *BingNews* | Remove-AppxPackage -AllUsers

Get-AppxPackage *Clipchamp.Clipchamp* | Remove-AppxPackage -AllUsers

If MS decided to add new apps, you can get a list with this command:

Get-AppxPackage | Select Name >C:\temp\apps.txt

Manual uninstall:

Check "Add or remove Programs" to see if some app is left.
e.g. the apps Cortana and People

3rd party apps

O&O Shutup	https://www.oo-software.com/en/shutup10 Disable Windows data collection. Note that you should read the settings carefully. e.g. this tool recommends to disable "Remote Desktop". On the other side it does not recommend to disable "OneDrive" (if still installed...)
Notepad++	Open Settings: Backup\ Disable "Remember session" (otherwise it does not save on close!) Indentation\ Use Spaces
Firefox/Chrome
Total Commander	Open Settings: Display - Show Hidden Files, Show System files Color - BG gray Color - Use Inverted Cursor Operation- Move to tray Operation- Left Button Windows Standard Quick search - Letters with search dialog Edit/View: Editor: Notepad++ Icons: Show Overlay Icons Download Plugin file 7zip and open it with Total Commander to install it.
Explorer Patcher	Download via https://github.com/valinet/ExplorerPatcher Open Settings: Start menu style: Win10 File Explorer: Disable Windows 11 context menu After install: Right-click on Task bar. Add New Tool bar: %USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch (Way better than the new pinned apps...) Note: Some new Windows version has now blocked this application because Microsoft does not like it. It is an "unwanted application". But if you get the warning, just click on the message to continue installation.