(translated via google translate)
Do I have to do this in the setup.ins file or create a file specifically for CA for each application?
How can I proceed to also perform restrictions, configurations for Windows?
You do this in setup.ins; there is no need to create a separate file.
Please view this example of a windows thing I am using:
; Copyright (c) uib gmbh (www.uib.de)
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
;
; License Management removed
encoding=utf8
; system package
;
; disable defragmentation done
; enable ssd trim support
; prefetch/superfetch done
; fsutil settings done
; pagefile settings
; network settings? -> https://docs.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics
; indexing options done
; system restore
; power management?
; defender settings?
; related tasks
; device manager settings -> of interface
; worker threads
; wmi logging settings
; readyboot
[Actions]
; Primary section: declares the script variables, reads the product properties
; and collects the system information used by the checks and calls further down.
; NOTE(review): 9 is the most verbose log level. As far as I know opsi-script no
; longer masks confidential strings at this level - verify against the manual and
; lower the level before rolling the package out.
SetLogLevel=9
requiredWinstVersion >= "4.11.5.14"
;DefVar $MsiId32$
;DefVar $UninstallProgram32$
;DefVar $MsiId64$
;DefVar $UninstallProgram64$
DefVar $LogDir$
DefVar $ProductId$
DefVar $MinimumSpace$
;DefVar $InstallDir32$
;DefVar $InstallDir64$
DefVar $ExitCode$
DefVar $INST_SystemType$
;DefVar $INST_architecture$
DefVar $INST_MsVersion$
DefStringList $result$
DefVar $RegistryKey$
DefVar $testName$
DefVar $firstrun$
DefVar $firstrun_override$
; Product properties, each with the default used when the property is not set.
; firstrun_override is compared with "True" in the firstrun part at the end of [Actions].
set $firstrun_override$ = GetProductProperty("firstrun_override","False")
DefVar $wireless_networking$
; "true" disables the WLAN service, any other value enables it (see the if/else below).
Set $wireless_networking$ = GetProductProperty("wireless_networking_disable","false")
DefVar $bluetooth_disable$
; "true" disables the bluetooth services, any other value enables them.
Set $bluetooth_disable$ = GetProductProperty("bluetooth_disable","false")
DefVar $ntp_server$
; Comma separated list of NTP servers; split on "," further down.
Set $ntp_server$ = GetProductProperty("ntp_server","nl.pool.ntp.org")
DefVar $ntp_servers$
DefVar $ntp_index$
DefVar $ntp_index1$
DefVar $ntp_server_entry$
DefStringList $ntp_serverlist$
DefStringList $ntp_serverlist2$
DefStringList $ProductInfo$
DefVar $DisplayVersion$
DefVar $DisplayName$
; Read name and version of this product from the product map.
set $ProductInfo$ = getProductMap
set $DisplayVersion$ = getValue("productversion", $ProductInfo$)
set $DisplayName$ = getValue("name", $ProductInfo$)
; Windows version and architecture, used for the Windows 10 check and the 32/64 bit branch.
set $INST_MsVersion$ = GetMsVersionInfo
Set $INST_SystemType$ = GetSystemType
;set $INST_architecture$ = GetProductProperty("install_architecture","system specific")
; The batch file that is later run with the TrustedInstaller token is created in this directory.
Set $LogDir$ = "%opsiLogDir%"
; ----------------------------------------------------------------
; - Please edit the following values -
; ----------------------------------------------------------------
;$ProductId$ should be the name of the product in opsi
; therefore please: only lower case letters, no umlauts,
; no white space, use '-' as a separator
Set $ProductId$ = "win10-settings-system"
Set $MinimumSpace$ = "500 MB"
; the path where we find the product after the installation
;Set $InstallDir32$ = "%ProgramFiles32Dir%\<path to the product>"
;Set $InstallDir64$ = "%ProgramFiles64Dir%\<path to the product>"
; ----------------------------------------------------------------
; Precondition 1: enough free space on the system drive, otherwise abort.
if not(HasMinimumSpace ("%SystemDrive%", $MinimumSpace$))
LogError "Not enough space on %SystemDrive%, " + $MinimumSpace$ + " on drive %SystemDrive% needed for " + $ProductId$
isFatalError
; Stop process and set installation status to failed
endif
; Precondition 2: the reported Windows version must compare equal to "10.0", otherwise abort.
; None of the settings below is applied when either check fails.
if not(CompareDotSeparatedNumbers($INST_MsVersion$, "=", "10.0"))
LogError "Windows 10 is required for " + $ProductId$
isFatalError
endif
; Main list of settings. Each "comment" line is written to the log and is followed by
; the secondary sections that apply the setting. Sections called with /AllNTUserDats
; write HKEY_CURRENT_USER values into the user profiles; sections called with
; /SysNative use the native (non-redirected) view of registry and file system.
comment "Show product picture"
ShowBitmap "%ScriptPath%\" + $ProductId$ + ".png" $ProductId$
Message "Installing " + $ProductId$ + "..."
comment "Disable automatic defragmentation"
WinBatch_defragmentation /SysNative
Registry_defragmentation /SysNative
comment "Disable readyboot WMI logging"
Registry_readyboot /SysNative
; NOTE(review): prefetch files and NTFS last-access times are commonly used as evidence
; during incident response; the next two settings remove them. Confirm this trade-off is wanted.
comment "Disable prefetch and superfetch"
WinBatch_prefetch /SysNative
Registry_prefetch /SysNative
Files_prefetch /SysNative
comment "Disable NTFS last access timestamps"
WinBatch_last_access /SysNative
comment "Disable 8dot3 filenames on all volumes"
WinBatch_8dot3 /SysNative
Registry_8dot3 /SysNative
; LLMNR and (further down) NetBIOS over TCP/IP are switched off so that name
; resolution relies on DNS only.
comment "Disable LLMNR name resolution"
Registry_llmnr /SysNative
comment "Prefer DNS responses to LLMNR and NetBT"
Registry_prefer_dns /SysNative
comment "Disable windows search indexing"
WinBatch_indexing /SysNative
Files_indexing /SysNative
; NOTE(review): Registry_indexing also opens a HKEY_CURRENT_USER key but is called
; without /AllNTUserDats, so that value presumably does not reach the user profiles - confirm.
Registry_indexing /SysNative
comment "Disable windows web search"
Registry_disable_websearch_AllProfiles /AllNTUserDats
comment "Disable experimental features"
Registry_disable_experimentation /SysNative
comment "Disable windows insider, hide options in settings"
Registry_disable_windows_insider /SysNative
comment "Disable peer to peer updates"
Registry_disable_peer_to_peer_updates /SysNative
Registry_disable_peer_to_peer_updates_AllProfiles /AllNTUserDats
comment "Disable updates to speech engine"
Registry_disable_speech_updates /SysNative
comment "Disable onedrive network access before login"
Registry_disable_onedrive_prelogin /SysNative
; NOTE(review): the three Defender settings below reduce what the client shares with
; Microsoft, which also limits cloud-based detection. Confirm this is an accepted trade-off.
comment "Defender: Disable sending infection information"
Registry_disable_reporting_infection /SysNative
comment "Defender: Disable reporting changes in files"
Registry_disable_spynet_reporting /SysNative
comment "Defender: Disable sending samples of threats"
Registry_disable_sending_threat_samples /SysNative
comment "Disable unwanted network traffic on offline maps settings page"
Registry_disable_maps_network_traffic /SysNative
comment "Disable automatic update of map data"
Registry_disable_maps_auto_update /SysNative
comment "Launch explorer in a seperate process"
Registry_seperate_explorer_process_AllProfiles /AllNTUserDats
comment "Disable Autoplay"
Registry_disable_autoplay_AllProfiles /AllNTUserDats
comment "Disable windows remote shell access (WinRM)"
Registry_disable_windows_remote_shell /SysNative
comment "Disable edge pre-loading before login"
Registry_disable_edge_preloading /SysNative
comment "Disable windows ink workspace"
Registry_disable_windows_ink /SysNative
; Sign-in options: only the classic password logon is meant to remain.
comment "Disable login with microsoft accounts"
Registry_disable_microsoft_account /SysNative
comment "Disable login with picture password"
Registry_disable_picture_password /SysNative
comment "Disable login with pin"
Registry_disable_hello_pin /SysNative
comment "Disable login with biometrics"
Registry_disable_hello_biometrics /SysNative
comment "Disable windows hello for business"
Registry_disable_hello_for_business /SysNative
comment "Disable use sign-in info to auto finish setting up device"
Registry_disable_automatic_logon /SysNative
comment "Disable synching of settings"
Registry_disable_settings_sync /SysNative
Registry_disable_settings_sync_AllProfiles /AllNTUserDats
comment "Disable linking phone"
Registry_disable_phone_linking /SysNative
comment "Disable windows timeline"
Registry_disable_timeline /SysNative
comment "Disable offline files"
Winbatch_disable_offline_files /SysNative
Registry_disable_offline_files /SysNative
comment "Disable cortana on lock screen"
Registry_disable_cortana_lock_screen /SysNative
comment "Disable customer experience improvement program"
Registry_disable_customer_improvement /SysNative
comment "Disable uploading text messages to cloud"
Registry_disable_cloud_text_messages /SysNative
comment "Disable transmission of typing information"
Registry_disable_typing_information_AllProfiles /AllNTUserDats
comment "Disable inventory collector"
Registry_disable_inventory_collector /SysNative
comment "Disable camera on lock screen"
Registry_disable_lock_screen_camera /SysNative
comment "Disable bluetooth advertisements"
Registry_disable_bluetooth_advertisements /SysNative
comment "Block access to local language list for browsers"
Registry_block_language_list_AllProfiles /AllNTUserDats
comment "Disable find my device"
Registry_disable_find_my_device /SysNative
; The two blocks below are driven by product properties; the else branch actively
; re-enables the services, so the setting can be reverted from the opsi server.
comment "Enable/Disable wireless networking services on client"
if ($wireless_networking$ = "true")
Registry_wireless_disable /SysNative
else
Registry_wireless_enable /SysNative
endif
comment "Enable/Disable bluetooth services on client"
if ($bluetooth_disable$ = "true")
Registry_bluetooth_disable /SysNative
else
Registry_bluetooth_enable /SysNative
endif
comment "Disable netbios over tcp/ip"
; Do not disable "TCP/IP netbios helper" service!
; Enumerate the per-interface NetBT keys and run sub_disable_netbios once per key name.
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")
for $value$ in $result$ do sub_disable_netbios
comment "Remove various network protocols"
; Delete a left-over batch file first, so that only the lines written by
; PatchTextFile_networksettings below are executed.
Files_uninstall_runfromtoken /SysNative
PatchTextFile_networksettings $LogDir$ + "\" + $ProductId$ + ".bat"
; NOTE(review): the generated batch file is run with the TrustedInstaller token. The log
; directory it is written to must not be writable by unprivileged users between this
; step and the execution below - confirm the directory ACL.
; Original note (Dutch, first words garbled in this copy): "... is needed, otherwise it does not work."
; Presumably it explains why each Dosbatch section is called twice - TODO confirm.
if ($INST_SystemType$ = "64 Bit System")
Dosbatch_runfromtoken_64 WINST /SysNative
Dosbatch_runfromtoken_64 WINST /SysNative
else
Dosbatch_runfromtoken_32 WINST /SysNative
Dosbatch_runfromtoken_32 WINST /SysNative
endif
; Remove the batch file again so it does not stay behind in the log directory.
Files_uninstall_runfromtoken /SysNative
comment "Set ntp server(s)"
; Split the comma separated product property into a list of server names.
set $ntp_serverlist$ = splitString ($ntp_server$, ",")
; write to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
; (one numbered value per server, numbering starts at 1)
for %index1% = "1" to count($ntp_serverlist$) do sub_ntp_datetime_servers
; prepare for winbatch: append ",0x9" to every entry and join the entries with spaces
for $line$ in $ntp_serverlist$ do sub_ntp_serverlist
set $ntp_servers$ = composeString ($ntp_serverlist2$, " ")
; NOTE(review): the property value is inserted as plain text into the w32tm command line
; in WinBatch_ntp_server; a value containing a double quote would break that command.
; Presumably only opsi administrators can set the property - confirm.
WinBatch_ntp_server /SysNative
Registry_ntp_server /SysNative
comment "Firstrun section"
; A marker value named after the product is kept under HKLM\SOFTWARE\OPSI-Home.
; The body runs when the marker is not "1" yet, or when the firstrun_override
; product property is "True".
Set $firstrun$ = GetRegistryValue("HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home", $ProductId$)
if (not ($firstrun$ = "1")) or ($firstrun_override$ = "True")
Set $firstrun$ = "1"
comment "Save firstrun setting"
Registry_save_firstrun /SysNative
if ($firstrun_override$ = "True")
; Reset the override on the opsi server so the next run is a normal one again.
opsiservicecall_reset_firstrun_override
endif
; ExitWindows /Reboot
endif
[Registry_save_firstrun]
; Store the firstrun marker: value name is the product id, data is the current
; content of the firstrun variable ("1" when called from [Actions]).
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home]
set "$ProductId$" = "$firstrun$"
[WinBatch_ntp_server]
; Start the Windows time service, then configure it to sync from the manual peer list
; built in [Actions] and apply the change with /update.
"%SystemRoot%\system32\net.exe" start "W32Time"
"%SystemRoot%\system32\w32tm.exe" /config /manualpeerlist:"$ntp_servers$" /syncfromflags:manual /update
[sub_ntp_serverlist]
; Called once per server name (loop variable "line"): appends ",0x9" to the name and
; adds the result to the second list, which [Actions] joins into the peer list.
; 0x9 is presumably the w32time peer flag combination 0x1 + 0x8 - confirm.
set $ntp_server_entry$ = stringReplace("$line$", "$line$", "$line$,0x9")
set $ntp_serverlist2$ = addtolist($ntp_serverlist2$,$ntp_server_entry$)
[sub_ntp_datetime_servers]
; Called once per list position (loop constant index1, starting at 1).
; takestring is used with index1 - 1, i.e. list positions are counted from 0 here,
; while the registry value written by the Registry section keeps the 1-based number.
set $ntp_index1$ = "%index1%"
set $ntp_index$ = calculate($ntp_index1$+"-1")
set $ntp_server_entry$ = takestring($ntp_index$, $ntp_serverlist$)
Registry_set_ntp_datetime_servers /SysNative
[Registry_set_ntp_datetime_servers]
; Write one server entry: value name is the 1-based position, data is the server name.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "$ntp_index1$" = "$ntp_server_entry$"
[WinBatch_defragmentation]
; Make sure the task scheduler service runs, so schtasks can delete the tasks below.
"%SystemRoot%\system32\net.exe" start "Schedule"
; Delete defragmentation tasks (when not using a SSD, use ultradefrag)
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag" /F
; Disable defrag service, which is never needed
; (set the start type to disabled first, then stop the running service)
"%SystemRoot%\system32\sc.exe" config defragsvc start= disabled
"%SystemRoot%\system32\net.exe" stop defragsvc
[Registry_defragmentation]
; Registry part of the defragmentation settings: boot-time defragmentation and background auto-layout.
; https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms932871(v=winembedded.5)?redirectedfrom=MSDN
; The disk defragmentation service rearranges data on the disk to create contiguous sections of data. Additionally, the auto-layout service moves the most-used data closer to the center of the disk to expedite boot time.
; Disable Boot-Time defragmentation
; (this value is a string "N", not a DWORD)
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
set "Enable" = "N"
; Disable Background auto-layout
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
set "EnableAutoLayout" = REG_DWORD:00000000
[WinBatch_prefetch]
; Make sure the task scheduler service runs, so schtasks can delete the tasks below.
"%SystemRoot%\system32\net.exe" start "Schedule"
; Delete superfetch tasks
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\ResPriStaticDbSync" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain" /F
; Disable prefetch service
; (set the start type to disabled first, then stop the running service)
"%SystemRoot%\system32\sc.exe" config SysMain start= disabled
"%SystemRoot%\system32\net.exe" stop SysMain
[Registry_prefetch]
; Disable prefetching/superfetch, not only for SSDs
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
set "EnablePrefetcher" = REG_DWORD:00000000
set "EnableSuperfetch" = REG_DWORD:00000000
[Files_prefetch]
; Remove the existing prefetch directory (-s: including subdirectories, -f: force).
; NOTE(review): prefetch files are commonly used as evidence of program execution during
; incident response; deleting them and disabling the prefetcher removes that source.
delete -sf "%SystemRoot%\Prefetch\"
[WinBatch_last_access]
; https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior
; Disable last access times, registry key not needed!
; NOTE(review): without last-access updates, file system timelines built during a
; forensic investigation lose this timestamp - confirm that is acceptable.
"%SystemRoot%\system32\fsutil.exe" behavior set DisableLastAccess 1
[WinBatch_8dot3]
; Disable 8.3 file names
"%SystemRoot%\system32\fsutil.exe" behavior set Disable8dot3 1
[Registry_8dot3]
; Write the same setting into the registry, once under Control\FileSystem and once
; under the Policies key.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001
[WinBatch_indexing]
; Disable indexing service
; (WSearch: set the start type to disabled first, then stop the running service)
"%SystemRoot%\system32\sc.exe" config WSearch start= disabled
"%SystemRoot%\system32\net.exe" stop WSearch
[Registry_indexing]
; Policy values for search indexing: no indexing of removable drives (machine wide)
; and no indexed library experience (per user).
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "DisableRemovableDriveIndexing" = REG_DWORD:00000001
; NOTE(review): [Actions] calls this section with /SysNative only, not /AllNTUserDats,
; so this HKEY_CURRENT_USER value presumably lands in the hive of the account running
; opsi-script instead of the users' profiles - confirm and move it to an _AllProfiles section.
openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableIndexedLibraryExperience" = REG_DWORD:00000001
[Registry_disable_websearch_AllProfiles]
; Per-user policy value; [Actions] calls this section with /AllNTUserDats.
openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableSearchBoxSuggestions" = REG_DWORD:00000001
[Registry_disable_maps_network_traffic]
; Machine-wide policy for the offline maps settings page.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AllowUntriggeredNetworkTrafficOnSettingsPage" = REG_DWORD:00000000
[Registry_disable_maps_auto_update]
; Same policy key as the section above, second value: automatic map data download.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AutoDownloadAndUpdateMapData" = REG_DWORD:00000000
[Registry_disable_reporting_infection]
; Policy value under the MRT key: do not report infection information.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
set "DontReportInfectionInformation" = REG_DWORD:00000001
[Registry_disable_spynet_reporting]
; NOTE(review): SpyNetReporting = 0 takes the client out of Microsoft's cloud protection
; service (MAPS). Defender's cloud-delivered protection depends on that membership, so
; this trades detection capability for privacy - confirm that this is intended.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SpyNetReporting" = REG_DWORD:00000000
[Registry_disable_sending_threat_samples]
; 2 is, as far as I know, the "never send" choice of the sample submission policy - confirm.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SubmitSamplesConsent" = REG_DWORD:00000002
[Registry_disable_onedrive_prelogin]
; Keep OneDrive from generating network traffic before a user has signed in.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive]
set "PreventNetworkTrafficPreUserSignIn" = REG_DWORD:00000001
[Registry_disable_experimentation]
; Written below PolicyManager\current, not below SOFTWARE\Policies.
; NOTE(review): values there may be rewritten by the policy engine - confirm the setting persists.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System]
set "AllowExperimentation" = REG_DWORD:00000000
[Registry_disable_windows_insider]
; Two parts: the Windows Update policy values for preview builds, and hiding the
; insider page in the settings app.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
set "ManagePreviewBuilds" = REG_DWORD:00000001
set "ManagePreviewBuildsPolicyValue" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility]
set "HideInsiderPage" = REG_DWORD:00000001
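[Registry_disable_hello_pin]
; Turn off sign-in with a PIN: the convenience PIN policy for domain users and the
; PIN entry among the sign-in options.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; 0 = convenience PIN sign-in is off. The value used to be 1, which turns the policy ON
; and is the opposite of what this section and its "Disable login with pin" comment intend.
set "AllowDomainPINLogon" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions]
set "value" = REG_DWORD:00000000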
[Registry_disable_microsoft_account]
; Block Microsoft accounts in two places: the MicrosoftAccount policy key and the
; NoConnectedUser value (see the linked tutorial for the meaning of the value 3).
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount]
set "DisableUserAuth" = REG_DWORD:00000001
; https://www.tenforums.com/tutorials/97556-allow-block-microsoft-accounts-windows-10-a.html
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "NoConnectedUser" = REG_DWORD:00000003
[Registry_disable_cortana_lock_screen]
; Machine-wide policy: no Cortana above the lock screen.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "AllowCortanaAboveLock" = REG_DWORD:00000000
[Registry_disable_customer_improvement]
; Customer experience improvement program (CEIP) switch.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
set "CEIPEnable" = REG_DWORD:00000000
[Registry_disable_settings_sync]
; This lives here rather than in the privacy package, because a Microsoft account is
; needed for settings sync and that account type is disabled in this package.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
set "DisableSettingSync" = REG_DWORD:00000002
; Presumably prevents users from overriding the policy above - confirm.
set "DisableSettingSyncUserOverride" = REG_DWORD:00000001
[Registry_disable_settings_sync_AllProfiles]
; Per-user part of the settings sync switch; [Actions] calls this section with
; /AllNTUserDats. Sets the overall SyncPolicy value and then turns off every sync
; group listed below by writing Enabled = 0.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync]
set "SyncPolicy" = REG_DWORD:00000005
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings]
set "Enabled" = REG_DWORD:00000000
; Credentials group: keeps stored credentials out of the sync as well.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows]
set "Enabled" = REG_DWORD:00000000
[Winbatch_disable_offline_files]
; Disable the offline files service (CscService): set the start type to disabled,
; then stop the running service.
"%SystemRoot%\system32\sc.exe" config CscService start= disabled
"%SystemRoot%\system32\net.exe" stop CscService
[Registry_disable_offline_files]
; Policy counterpart of the service change in Winbatch_disable_offline_files.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_timeline]
; Windows timeline (activity feed) off, machine-wide policy.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableActivityFeed" = REG_DWORD:00000000
[Registry_disable_phone_linking]
; Phone linking off; same policy key as the timeline setting above.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableMmx" = REG_DWORD:00000000
[Registry_ntp_server]
; Set the default (unnamed) value of the Servers key to "1", i.e. to the number of the
; first entry written by Registry_set_ntp_datetime_servers.
; Presumably this selects the first server of the list as the active one - confirm.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "" = "1"
[Registry_disable_picture_password]
; Machine-wide policy: block picture password sign-in.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "BlockDomainPicturePassword" = REG_DWORD:00000001
[Registry_disable_hello_biometrics]
; Machine-wide policy: biometrics off.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_hello_for_business]
; Machine-wide policy: Windows Hello for Business off.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork]
set "Enabled" = REG_DWORD:00000000
; NOTE(review): written as 0 although the value name starts with "Disable" - confirm
; that 0 is the intended data for this value.
set "DisablePostLogonProvisioning" = REG_DWORD:00000000
[Registry_disable_automatic_logon]
; Do not reuse sign-in information to log on automatically after a restart.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "DisableAutomaticRestartSignOn" = REG_DWORD:00000001
[Registry_disable_windows_ink]
; Windows Ink workspace and its suggested apps off, machine-wide policy.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace]
set "AllowSuggestedAppsInWindowsInkWorkspace" = REG_DWORD:00000000
set "AllowWindowsInkWorkspace" = REG_DWORD:00000000
[Registry_disable_edge_preloading]
; Do not allow edge to pre-launch at windows startup, and do not load the start and new tab pages
; The two values are written to the MicrosoftEdge key itself and again to its Main and
; TabPreloader subkeys.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge]
set "AllowPrelaunch" = REG_DWORD:00000000
set "AllowTabPreloading" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main]
set "AllowPrelaunch" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader]
set "AllowTabPreloading" = REG_DWORD:00000000
[Registry_disable_device_history_AllProfiles]
; Per-user search setting: device history off.
; NOTE(review): this section is defined but not called from [Actions] in this script.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
set "DeviceHistoryEnabled" = REG_DWORD:00000000
[Registry_disable_cloud_text_messages]
; Machine-wide policy: no syncing of text messages to the cloud.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging]
set "AllowMessageSync" = REG_DWORD:00000000
[Registry_disable_inventory_collector]
; Machine-wide policy: application compatibility inventory collector off.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\AppCompat]
set "DisableInventory" = REG_DWORD:00000001
[Registry_disable_lock_screen_camera]
; Machine-wide policy: no camera on the lock screen.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
set "NoLockScreenCamera" = REG_DWORD:00000001
[Registry_disable_bluetooth_advertisements]
; Written below PolicyManager\current, not below SOFTWARE\Policies.
; NOTE(review): values there may be rewritten by the policy engine - confirm the setting persists.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth]
set "AllowAdvertising" = REG_DWORD:00000000
[Registry_block_language_list_AllProfiles]
; Per-user setting: opt out of exposing the local language list to web sites.
openkey [HKEY_CURRENT_USER\Control Panel\International\User Profile]
set "HttpAcceptLanguageOptOut" = REG_DWORD:00000001
[Registry_disable_typing_information_AllProfiles]
; Per-user setting: typing information collection (TIPC) off.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_autoplay_AllProfiles]
; Disable Autoplay
; NOTE(review): this is the per-user preference, written to the user profiles; users can
; switch it back on in the settings app. If Autoplay has to stay off, consider adding the
; machine-wide Explorer policy (e.g. NoDriveTypeAutoRun) as well - confirm the requirement.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
set "DisableAutoplay" = REG_DWORD:00000001
[Registry_seperate_explorer_process_AllProfiles]
; Per-user explorer setting; [Actions] calls this section with /AllNTUserDats.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
; Launch explorer in a separate process, saves about 30 MB when no explorer windows are opened.
set "SeparateProcess" = REG_DWORD:00000001
[Registry_disable_peer_to_peer_updates_AllProfiles]
; Per-user part of the delivery optimization (peer to peer update) switch.
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization]
set "SystemSettingsDownloadMode" = REG_DWORD:00000000
[Registry_disable_peer_to_peer_updates]
; Machine-wide part: download mode 0 in the configuration key and in the policy key.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config]
set "DODownloadMode" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
set "DODownloadMode" = REG_DWORD:00000000
[Registry_disable_speech_updates]
; Machine-wide policy: no updates of the speech model.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Speech]
set "AllowSpeechModelUpdate" = REG_DWORD:00000000
[Files_indexing]
; The whole directory can be removed
; (-s: including subdirectories, -f: force). [Actions] runs this after WinBatch_indexing
; has stopped the search service.
delete -sf "%CommonAppdataDir%\Microsoft\Search\"
[Registry_readyboot]
; Set the start value of the ReadyBoot WMI autologger session to 0.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
set "Start" = REG_DWORD:00000000
[Registry_network]
; Disable IGMP multicasting, do not add .com to unqualified domain names
; NOTE(review): this section is defined but not called from [Actions] in this script.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
set "IGMPLevel" = REG_DWORD:00000000
set "UseDomainNameDevolution" = REG_DWORD:00000000
[Registry_llmnr]
; Switch off multicast name resolution (LLMNR), once as policy and once in the
; Dnscache service parameters. With LLMNR off, hosts on the local network can no
; longer answer name queries that DNS could not resolve.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "EnableMulticast" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters]
set "EnableMulticast" = REG_DWORD:00000000
[Registry_prefer_dns]
; Prefer DNS answers to LLMNR and/or NetBT
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "DisableSmartProtocolReordering" = REG_DWORD:00000001
[Registry_disable_windows_remote_shell]
; Do not allow remote shell access
; Two WinRM policy values: no automatic configuration of the WinRM service, and no
; remote shell (WinRS) access.
; NOTE(review): only policy values are written here; the state of the WinRM service itself
; is not changed by this section - check it separately if WinRM must be off.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service]
set "AllowAutoConfig" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
set "AllowRemoteShellAccess" = REG_DWORD:00000000
[PatchTextFile_networksettings]
; Builds the batch file that is later executed with the TrustedInstaller token: one
; netcfg uninstall (-u) command per network component.
; The lines are appended, so [Actions] deletes the file before calling this section;
; otherwise earlier content would be executed as well.
GoToTop
; Remove QoS Packet Scheduler
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_pacer'
; Remove Link-Layer Topology Discovery Mapper I/O Driver
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lltdio'
; Remove Link-Layer Topology Discovery Responder
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_rspndr'
; Remove Microsoft Network Adapter Multiplexor Protocol
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_implat'
; Remove Link-Layer Topology Discovery Driver
; NOTE(review): ms_lldp is, as far as I know, the Microsoft LLDP protocol driver - confirm the name above.
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lldp'
[Dosbatch_runfromtoken_32]
; Start TrustedInstaller to be able to use that token
rem Starts the trustedinstaller service, waits 5 seconds, then runs the generated batch
rem file through the packaged RunFromToken32.exe with trustedinstaller.exe as first argument.
rem NOTE(review): the batch file sits in the opsi log directory and runs with the borrowed
rem token, so that directory must be writable by administrators and SYSTEM only. Confirm
rem the ACL, and pin the helper binary in the files directory to a known-good hash; its
rem origin is not visible in this script.
rem NOTE(review): added comments use rem because this section is presumably handed to
rem cmd.exe; confirm how the semicolon line above is treated there.
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken32.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"
[Dosbatch_runfromtoken_64]
; Start TrustedInstaller to be able to use that token
rem 64 bit variant: starts the trustedinstaller service, waits 5 seconds, then runs the
rem generated batch file through the packaged RunFromToken64.exe.
rem NOTE(review): the batch file sits in the opsi log directory and runs with the borrowed
rem token, so that directory must be writable by administrators and SYSTEM only. Confirm
rem the ACL, and pin the helper binary in the files directory to a known-good hash; its
rem origin is not visible in this script.
rem NOTE(review): added comments use rem because this section is presumably handed to
rem cmd.exe; confirm how the semicolon line above is treated there.
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken64.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"
[Files_uninstall_runfromtoken]
; Delete the generated batch file. [Actions] calls this before the file is written
; (no stale content gets executed) and again after it has been run.
delete -f "$LogDir$\$ProductId$.bat"
[Registry_wireless_disable]
; WLAN AutoConfig
; Service start type 4 = disabled. Only the registry value is changed; a running
; service presumably keeps running until the next restart - confirm.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000004
[Registry_wireless_enable]
; WLAN AutoConfig
; Service start type 2 = automatic.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000002
[Registry_bluetooth_disable]
; Set the start type of the four bluetooth related services to 4 (disabled).
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000004
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000004
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000004
; Bluetooth User Support Service (with per-user service)
; NOTE(review): per-user service instances have their own keys with a suffix; only the
; template key is changed here - confirm that this is sufficient.
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000004
[Registry_bluetooth_enable]
; Counterpart of the section above: start type 3 (manual) for the same four services.
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000003
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000003
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000003
; Bluetooth User Support Service (with per-user service)
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000003
[Registry_disable_find_my_device]
; Find my device off: the policy value and the location sync setting.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice]
set "AllowFindMyDevice" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Settings\FindMyDevice]
set "LocationSyncEnabled" = REG_DWORD:00000000
[Winbatch_harddisk_settings]
; Enable SSD TRIM support
; NOTE(review): this section is defined but not called from [Actions] in this script.
"%SystemRoot%\system32\fsutil.exe" behavior set DisableDeleteNotify 0
[sub_disable_netbios]
; Called once per NetBT interface key name (loop variable "value"). Builds the full key
; path in brackets, reads NetbiosOptions from it and calls Registry_disable_netbios only
; when a non-empty value came back, i.e. the value is not created on keys that lack it.
; NOTE(review): the key list is read again on every call although [Actions] already
; filled it before the loop; the line below looks redundant - confirm before removing.
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")
set $RegistryKey$ = "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\" + "$value$" + "]"
; NOTE(review): the documented form of this call has a space between "]" and the value
; name; confirm that the lookup works without it, otherwise the setting is silently skipped.
Set $testName$ = GetRegistryStringValueSysNative($RegistryKey$ + "NetbiosOptions")
if not($testName$ = "")
Registry_disable_netbios /SysNative
endif
[Registry_disable_netbios]
; Opens the interface key prepared by sub_disable_netbios (the variable already contains
; the brackets) and sets NetbiosOptions to 2.
; 2 is, as far as I know, the "disable NetBIOS over TCP/IP" setting - confirm.
openkey $RegistryKey$
set "NetbiosOptions" = REG_DWORD:00000002
; The next section calls the opsi service method productPropertyState_create to set the
; firstrun_override property of this product on this client back to "false".
; No comment is placed inside the section because its body is passed to the service call.
[opsiservicecall_reset_firstrun_override]
"method": "productPropertyState_create"
"params": [
"%installingProdName%"
"firstrun_override"
"%HostID%"
"false"
]
It is not entirely complete or 'finished', but you should be able to follow some parts, especially the registry stuff. I am not sure how I can explain it more easily than with an example like this. Otherwise, give me a working setup.ins with a registry setting you want set in there.
I find policy and other registry settings either on the internets, or I use a program like systracer to make a snapshot of the registry before and after the change.