param( [object]$Config, [string]$LogFile ) $ErrorActionPreference = "Continue" function Write-Log { param([string]$Message, [string]$Level = "INFO") $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message" Add-Content -Path $LogFile -Value $line -Encoding UTF8 } function Set-Reg { param( [string]$Path, [string]$Name, $Value, [string]$Type = "DWord" ) try { if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null } Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force Write-Log " SET $Path\$Name = $Value" -Level OK } catch { Write-Log " FAILED $Path\$Name - $_" -Level ERROR } } function Remove-Reg { param([string]$Path, [string]$Name) try { if (Test-Path $Path) { Remove-ItemProperty -Path $Path -Name $Name -Force -ErrorAction SilentlyContinue Write-Log " REMOVED $Path\$Name" -Level OK } } catch { Write-Log " FAILED removing $Path\$Name - $_" -Level ERROR } } Write-Log "3 - Applying HKLM system registry tweaks" -Level STEP # ----------------------------------------------------------------------- # Bypass Network Requirement on OOBE (BypassNRO) # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" ` -Name "BypassNRO" -Value 1 # ----------------------------------------------------------------------- # Disable auto-install of Teams (Chat) # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications" ` -Name "ConfigureChatAutoInstall" -Value 0 # ----------------------------------------------------------------------- # Disable Cloud Optimized Content (ads in Start menu etc.) # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` -Name "DisableCloudOptimizedContent" -Value 1 Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` -Name "DisableWindowsConsumerFeatures" -Value 1 # ----------------------------------------------------------------------- # Disable Widgets (News and Interests) # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Dsh" ` -Name "AllowNewsAndInterests" -Value 0 # ----------------------------------------------------------------------- # Microsoft Edge - hide First Run Experience # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" ` -Name "HideFirstRunExperience" -Value 1 # Also disable Edge desktop shortcut creation after install Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate" ` -Name "CreateDesktopShortcutDefault" -Value 0 # ----------------------------------------------------------------------- # Password - no expiration # ----------------------------------------------------------------------- Write-Log " Setting password max age to UNLIMITED" -Level INFO $pwResult = & net accounts /maxpwage:UNLIMITED 2>&1 if ($LASTEXITCODE -eq 0) { Write-Log " Password max age set to UNLIMITED" -Level OK } else { Write-Log " Failed to set password max age: $pwResult" -Level ERROR } # ----------------------------------------------------------------------- # Time zone # ----------------------------------------------------------------------- $tz = "Central Europe Standard Time" if ($Config -and $Config.deployment -and $Config.deployment.timezone) { $tz = $Config.deployment.timezone } Write-Log " Setting time zone: $tz" -Level INFO try { Set-TimeZone -Id $tz -ErrorAction Stop Write-Log " Time zone set: $tz" -Level OK } catch { Write-Log " Failed to set time zone: $_" -Level ERROR } # ----------------------------------------------------------------------- # OneDrive - prevent setup and remove shortcuts # ----------------------------------------------------------------------- Write-Log " Disabling OneDrive" -Level INFO # Disable OneDrive via policy Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` -Name "DisableFileSyncNGSC" -Value 1 # Remove OneDriveSetup.exe if present $oneDrivePaths = @( "$env:SystemRoot\System32\OneDriveSetup.exe" "$env:SystemRoot\SysWOW64\OneDriveSetup.exe" ) foreach ($odPath in $oneDrivePaths) { if (Test-Path $odPath) { try { # Uninstall first & $odPath /uninstall 2>&1 | Out-Null Write-Log " OneDrive uninstalled via $odPath" -Level OK } catch { Write-Log " OneDrive uninstall failed: $_" -Level WARN } } } # Remove OneDrive Start Menu shortcut $odLnk = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" if (Test-Path $odLnk) { Remove-Item $odLnk -Force -ErrorAction SilentlyContinue Write-Log " Removed OneDrive Start Menu shortcut" -Level OK } # ----------------------------------------------------------------------- # Outlook (new) - disable auto-install via UScheduler # ----------------------------------------------------------------------- Write-Log " Disabling Outlook (new) auto-install" -Level INFO $uschedulerPaths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler_Oobe\OutlookUpdate" "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\OutlookUpdate" ) foreach ($uPath in $uschedulerPaths) { if (Test-Path $uPath) { try { Remove-Item -Path $uPath -Recurse -Force Write-Log " Removed UScheduler key: $uPath" -Level OK } catch { Write-Log " Failed to remove UScheduler key: $_" -Level WARN } } } # ----------------------------------------------------------------------- # Disable GameDVR # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` -Name "AllowGameDVR" -Value 0 # ----------------------------------------------------------------------- # Disable Recall (Windows AI feature) # ----------------------------------------------------------------------- Set-Reg -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" ` -Name "DisableAIDataAnalysis" -Value 1 Write-Log "Step 3 complete" -Level OK