142 строки
10 KiB
XML
142 строки
10 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<unattend xmlns="urn:schemas-microsoft-com:unattend">
|
|
<settings pass="generalize">
|
|
<component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
<PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
|
|
</component>
|
|
</settings>
|
|
<settings pass="specialize">
|
|
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="AMD64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
|
|
<ConvertibleSlateModePromptPreference>0</ConvertibleSlateModePromptPreference>
|
|
</component>
|
|
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
<RunSynchronous>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>1</Order>
|
|
<Description>PowerShell Execution Policy</Description>
|
|
<Path>powershell.exe -noprofile -command "Set-ExecutionPolicy Restricted -Force"</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>2</Order>
|
|
<Description>EnableAdmin</Description>
|
|
<Path>cmd /c net user Administrator /active:yes</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>3</Order>
|
|
<Description>Enable use of Bitlocker authentication requiring preboot keyboard input on slates</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSEnablePrebootInputProtectorsOnSlates /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>4</Order>
|
|
<Description>Require Additional Authentication at startup for Bitlocker</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>5</Order>
|
|
<Description>Allow TPM</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /d 2 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>6</Order>
|
|
<Description>Allow Startup Key with TPM</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /d 2 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>7</Order>
|
|
<Description>Allow startup key and PIN with TPM</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /d 2 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>8</Order>
|
|
<Description>Allow startup PIN with TPM</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /d 2 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>11</Order>
|
|
<Description>Enable Virtualization-based Security features</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>12</Order>
|
|
<Description>Require Secure Boot with DMA for Virtualization-based Security features</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /d 3 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>13</Order>
|
|
<Description>Enable Virtualization-based Security with UEFI lock</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v Locked /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>14</Order>
|
|
<Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>15</Order>
|
|
<Description>Protect Code Integrity policies using Virtualization-based Security with UEFI lock</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Locked /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>16</Order>
|
|
<Description>Protect Credentials using Virtualization-based Security</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>17</Order>
|
|
<Description>Enable Credential Guard with UEFI lock</Description>
|
|
<Path>cmd /c reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>18</Order>
|
|
<Description>Spectre/Meltdown mitigation</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>19</Order>
|
|
<Description>Spectre/Meltdown mitigation</Description>
|
|
<Path>cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>20</Order>
|
|
<Description>Spectre/Meltdown mitigation</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>23</Order>
|
|
<Description>Disable Microsoft Edge first-run popup</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v PreventFirstRunPage /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>24</Order>
|
|
<Description>Disable Consumer Features</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
<RunSynchronousCommand wcm:action="add">
|
|
<Order>25</Order>
|
|
<Description>Disable "How to use Windows" popups</Description>
|
|
<Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /d 1 /t REG_DWORD /f</Path>
|
|
</RunSynchronousCommand>
|
|
</RunSynchronous>
|
|
</component>
|
|
</settings>
|
|
<settings pass="oobeSystem">
|
|
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="AMD64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
|
|
<FirstLogonCommands>
|
|
<SynchronousCommand>
|
|
<Order>1</Order>
|
|
<Description>Customize Device</Description>
|
|
<CommandLine><![CDATA[%ProgramFiles%\Surface\PosterCustomization.cmd]]></CommandLine>
|
|
</SynchronousCommand>
|
|
<SynchronousCommand>
|
|
<Order>2</Order>
|
|
<Description>Office Culture Refresh - X64</Description>
|
|
<CommandLine><![CDATA["%CommonProgramFiles%\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=CULTUREREFRESH RemoveNonClientCultures=True displaylevel=False]]></CommandLine>
|
|
</SynchronousCommand>
|
|
</FirstLogonCommands>
|
|
</component>
|
|
<component name="Microsoft-Windows-TabletPC-Platform-Input-Core" processorArchitecture="AMD64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
<TouchKeyboardAutoInvokeEnabled>True</TouchKeyboardAutoInvokeEnabled>
|
|
</component>
|
|
</settings>
|
|
</unattend>
|