You may already know this or have already tried this, but to directly optimize an install.wim: remove the comma after the second to last bracket and set "NetFx3": false since NetFx3 requires a source ISO.

Spoiler: Configuration.json
Code:
{
    "SourcePath": "F:\\Build\\19042.450\\install.wim",
    "WindowsApps": "Whitelist",
    "SystemApps": true,
    "Capabilities": false,
    "Packages": false,
    "Features": false,
    "DeveloperMode": false,
    "WindowsStore": false,
    "MicrosoftEdge": true,
    "Win32Calc": true,
    "Dedup": false,
    "DaRT": [ ],
    "Registry": true,
    "Additional": {
        "Setup": true,
        "Wallpaper": false,
        "SystemLogo": true,
        "LockScreen": true,
        "RegistryTemplates": true,
        "LayoutModification": false,
        "Unattend": false,
        "Drivers": false,
        "NetFx3": false
    }
}
A caution for users who remove System Applications with Optimize-Offline!

Sep 09 2020 "patch Tuesday" is nearing and it's time to prepare. If you use this project to remove System Applications, then there is some chance that the upcoming September patch will behave the same as the August patch and install all your removed System Applications.

As reported weeks ago (mydigitallife.net Post #536), applying the August 2020 patch "fixes" your OS by installing all your "missing" System Applications!

In Post #538, I've tested some basic ideas to allow the August 11, 2020—KB4566782 CU patch to upgrade a 20H1 Build 19041.388 virtual machine to 19041.450 without screwing up all the System Applications. So far, I haven't found a proper solution.

The only suggestion I can make is to avoid performing a cumulative update until the GitHub project developer arrives at a proper solution.

If you decide to block Windows update, there are many solutions available at mydigitallife.net:

Sledgehammer - Windows 10 Update Control is useful since you can safely check each month for updates you know are safe to apply or hide updates you want to block.
Toggle Windows Update - this uses the celebrated "WindowsUpdateSysprepInProgress" reg value. I checked this out recently and it works very well.
StopWinUpdates - I've used this in the past and it works well.
Code:
Name                                      InstallLocation
----                                      ---------------
E2A4F912-2574-4A75-9BB0-0D023378592B      C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy
Microsoft.CredDialogHost                  C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy
Microsoft.Windows.Apprep.ChxApp           C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy
Microsoft.Windows.CallingShellApp         C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
Microsoft.Windows.ContentDeliveryManager  C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
Microsoft.Windows.Search                  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
Microsoft.Windows.SecHealthUI             C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
Microsoft.Windows.ShellExperienceHost     C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy
Microsoft.Windows.StartMenuExperienceHost C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
windows.immersivecontrolpanel             C:\Windows\ImmersiveControlPanel

A workaround would be to:

Set WU to notify and choose when to download
download latest build from UUP Dump (including updates), Optimize the image and upgrade using latest image
takes a little longer, achieves the same end, without any issues regarding changed security settings or returning apps
Thanks for your advice.

Thanks for reminding me of this solution. Not what I call an easy answer for the average O-O user, but maybe I underestimate who the average O-O user is? This solution still requires you to apply some type of WU blocking solution so your base build doesn't get trashed. I may need to do this UUP Dump update since I accidentally downloaded and installed onto real hardware 20H2 rather than 20H1 (oops!). So either I re-install using 20H1 or keep moving forward with build 19042.

This might work short-term, but just to warn you there are heaps of people reporting that Microsoft doesn't consistently respect Group Policy WU settings.

Ideally, Microsoft has heard a heap of corporate people complaining about the August CU trashing their tailored OS builds and the September patch respects our optimized System Application designs. In other words, the August 2020 patch was a one-off Microsoft mistake.
@spanishfly thanks for the heads up, WU is not an issue for me normally as updates usually hit here first and are generally applied manually (almost immediately by myself) also have settings backed up and re-applied each boot, Firewall is set to OFF (by Default) until I manually start it..... we can but try our best to stop the bad boys from disregarding our rights ... got an addendum to my previous post coming
... Continuing from my previous post(s), offering this as a clarification of how easy the process is

Example using 19041 (My Method)

Download the latest 19042.xxx creation file from UUP Dump
Extract the contents to D:\ Drive (your choice - I just prefer not to use C:\)
I name it WF01_19042.xxx_amd64_en-gb - This becomes my First Work Folder
Edit your ConvertConfig.ini (contained within), now run create_virtual_editions.cmd

Spoiler: ConvertConfig.ini - that I use
Code:
[convert-UUP]
AutoStart    =1
AddUpdates   =1
Cleanup      =0
ResetBase    =0
NetFx3       =1 <== May need to have a look at this, May have misunderstood this post https://forums.mydigitallife.net/th...20h1-and-ltsc-2019.80038/page-29#post-1616298
StartVirtual =1
wim2esd      =0
SkipISO      =1
SkipWinRE    =0
ForceDism    =1
RefESD       =1

[create_virtual_editions]
vAutoStart   =1
vDeleteSource=1
vPreserve    =1
vwim2esd     =0
vSkipISO     =1
vAutoEditions=Enterprise

Process normally takes about 3 to 3.5 minutes to completion
Produces Two distribution folders Pro (All included Indices) and Enterprise (1 Index) with included WIM files
Space is not a premium for me, so don't see the point of ESDs or ISOs, gonna service the image anyway.
Further Info 20206 Post #21

I also have 2 other folders on the same drive WF02_Optimize-Offline-4.0.1.4.en-GB.19042 and WF03_Optimize-Offline-4.0.1.4.en-GB

Contents of the 3 Work Folders and Instructions + notes

Spoiler: WF01_19042.xxx_amd64_en-gb
Code:
(01_Latest_Updates) <== Create and Maintain - Will Contain all Updates needed for up to date Image, obviously my list below is not up to date
    Naming structure is my own..
    Latest updates can be gleaned from here: @Enthousiast's Overview https://forums.mydigitallife.net/threads/discussion-windows-10-final-build-19041-2-1-208-264-329-pc-20h1-2-vb_release.80763/page-16#post-1571109
    Windows10.0-KB4557964-x64_DUB_19041.260.cab < Dynamic Update (boot.wim, winre.wim) - not currently needed, here for reference
    Windows10.0-KB4561600-x64_FSU_19041.329.cab < Flash Security Update -- soon to be no more I believe
    Windows10.0-KB4562830-x64_H2E_19041.479.cab < 19042 Enablement Package + Edge Chromium
    Windows10.0-KB4566781-x64_DUS_19041.450.cab < Dynamic Update Sources
    Windows10.0-KB4569745-x64_NFU_19200.170.cab < .NET Framework Update
    Windows10.0-KB4570334-x64_SSU_19041.441.cab < Service Stack Update
    Windows10.0-KB4571744-x64_CCU_19041.487.cab < Complete Cumulative Update (as opposed to Express)
(CLIENTENTERPRISE_VOL_X64FRE_EN-GB) <== O-O Optimized install.wim is copied to sources directory here - I upgrade from here directly, You can also copy entire contents to bootable USB for clean/fresh installation
(CLIENTPRO_OEMRET_X64FRE_EN-GB) <== Contains further indices (for family and friends)
(bin)
(files)
(UUPs) <== On first download it will contain updates, with each new CU +, replace with updates from above and run convert-UUP.cmd to create newly updated image, no need to download archive again
    Previous Distribution folders can be deleted once new ones are created
    Note: The removal/deletion of all updates from here leaves the original 19041.1 base
ConvertConfig.ini
ReadMe.html
aria2_download.log
aria2_download_windows.cmd
convert-UUP.cmd
create_virtual_editions.cmd
multi_arch_iso.cmd

Spoiler: WF02_Optimize-Offline-4.0.1.4.en-GB.19042
Code:
ENTERPRISE_install.wim <== Point your O-O script to this - Original WIM (never changes - Until replaced with updated Source after each new CU), O-O uses this but saves the Optimized WIM to Script Directory

Spoiler: WF03_Optimize-Offline-4.0.1.4.en-GB
Code:
(.github)
(Content)
(docs)
(en-GB)
(Optimize-Offline_2020-09-03T01.34.48) <== Timestamped directory (created after running script) contains O-O Image + Log Files - install WIM from here is copied to Enterprise distribution folders for use
(Packages)
(Src)
LICENSE
.gitmore
Configuration.json
ChangeLog.md
README.md
Upcoming.md <== Worth looking at
Start-Optimize.ps1
Changes Required.txt <== (MY) Notes on Changes needed to allow other than en-US culture + other amendments
Optimize-Offline.psd1
Optimize-Offline.psm1

... will more than likely add to this if questions arise, but basically once initial work is done, you:

(1) download latest updates to updates folder (replacing older ones)
(2) copy updates to UUPs folder and run convert-UUP.cmd to create new Distribution Folder (updates should be deleted from UUPs folder after)
(3) copy install.wim from Distribution Folder to install.wim Work Folder
(4) optimize your WIM
(5) copy newly created WIM from O-O Work Folder back to Distribution Folder and you are good to go
Wow! thanks!! Seems pretty clear. I'll have a go at following your very nicely described "OO image making pipeline" and let you know if I run into any road blocks...
Something like that ... I think you've added all the required code.

I don't actually use "Set-Additional.ps1". I noticed the error when I was comparing my own online scripts with "Set-Additional.ps1" to see if there was anything new. The developer has on line 20/21:

Code:
# Get the current build number for the Windows 10 version.
$Build = Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber

So when the developer corrects this (and you could polish your code) with something like ...

Code:
If ($Build -ge 19041) {
or
If ($Build -le 18363) {
I'll take a closer look at your code later today. Yesterday, I was using my spare time to take one final stab at doing an online registry lock-down to see if it's possible to then perform an in-place windows update. I did crack-it, but had to resort to using a third-party app for the solution. I wasn't able to get either PowerShell or DOS code to change permissions of the TrustedInstaller owned "InboxApplications" reg key. I'll provide my in-place Windows Update solution, when I get a chance either later today or tomorrow.
@spanishfly Thanks for your post. The search feature has indeed worked a little bit differently under 4.0.1.3 compared to 4.0.1.2. E.g. Outlook complained about search indexing being disabled, even though I didn't disable anything.
Thanks for the heads up .. I don't actually code, but can usually adapt stuff based on what has gone before.

Noticed that Keys that don't exist weren't imported/copied to the "reg to be edited file" so logic suggested leaving both addresses should cover old and new OSs

(1) Copy/Paste and forgot to change
(2) Missed.. not paying attention... have edited original post accordingly
(3) Hadn't really noticed this before.. but in my case, would like to know what the value '4' actually represents.

Edit: the first value instance '0' appears to be whether the service starts (1) or not (0) ....... the second value instance '4' appears to refer to the service startup type Disabled (4) ... eg. Automatic (2)

Re: Function Harden-OS, .. nice
thanks! I'm absolutely not a coder!! Nor do I offer definitive answers. My school is the internet. I just search, read, and test.

I agree about "value instance '4' appears to refer to the service startup type Disabled (4)"

I could be wrong, but I think it's a typo. AFAIK, these log-tracers aren't services. Here is an easy test. Change the order of how the developer script applies changes.

(1) Run the "# Disable automatic Event Tracker Logs from Services that can use them as telemetry." section and look in the registry. You'll see that the values for "Start" are '4'
(2) Next run the official cmdlet

Code:
Get-AutologgerConfig -Name DiagLog, Diagtrack-Listener, LwtNetLog, WdiContextLog | Set-AutologgerConfig -Start 0

and you'll see that the values for "Start" are now '0' . . . officially and also efficiently. That one line cmdlet replaces the fancy array of html changes. If you want to match the fancy array, you can add all the other supposed trace logs to the cmdlet:

'AITEventLog', 'AutoLogger-Diagtrack-Listener', 'DiagLog', 'Diagtrack-Listener', 'EventLog-Microsoft-RMS-MSIPC-Debug', 'EventLog-Microsoft-Windows-WorkFolders-WHC', 'FamilySafetyAOT', 'LwtNetLog', 'Microsoft-Windows-Setup', 'NBSMBLOGGER', 'PEAuthLog', 'RdrLog', 'ReadyBoot', 'SetupPlatform', 'SQMLogger', 'TCPIPLOGGER', 'Tpm', 'WdiContextLog'

I've only ever seen the four tracers I kept in the code I shared above on any system I've ever built (PowerShell console: logman query -ets).

One correction (that I edited into my above script). "Stop-EtwTraceSession" works with a piped list of names. (Get-EtwTraceSession -Name DiagLog, Diagtrack-Listener, LwtNetLog, WdiContextLog | Stop-EtwTraceSession), but if any one of the tracer apps aren't running, then this method needs "try" "catch" to stop it from spitting red errors. I hate red errors and I suck at making "try" "catch" work, so the 'script kiddie' answer is to run a separate line of code for each tracer.

Code:
# Turn off running Event telemetry tracers for this session
Stop-EtwTraceSession -Name DiagLog -ea 0
Stop-EtwTraceSession -Name Diagtrack-Listener -ea 0
Stop-EtwTraceSession -Name LwtNetLog -ea 0
Stop-EtwTraceSession -Name WdiContextLog -ea 0
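An added example, not part of the original posts or of the Optimize-Offline project: one way to apply the autologger setting and stop the running sessions in a single loop with "try"/"catch", reading the "Start" value back from the registry afterwards. The function name Disable-TelemetryTracer is hypothetical, the four tracer names are the ones from the post above, and an elevated PowerShell console is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example. Tracer names are the four from the post; the function name is hypothetical.
function Disable-TelemetryTracer {
    [CmdletBinding()]
    param(
        [string[]]$Name = @('DiagLog', 'Diagtrack-Listener', 'LwtNetLog', 'WdiContextLog')
    )
    $autologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

    foreach ($tracer in $Name) {
        $row = [ordered]@{ Name = $tracer; Autologger = 'not present'; Session = 'not running' }

        # Persistent setting: only touch autologgers that exist on this system.
        $config = Get-AutologgerConfig -Name $tracer -ErrorAction SilentlyContinue
        if ($config) {
            try {
                $config | Set-AutologgerConfig -Start 0 -ErrorAction Stop | Out-Null
                # Read the value back from the registry instead of trusting the call.
                $start = Get-ItemPropertyValue -Path "$autologgerRoot\$tracer" -Name Start -ErrorAction Stop
                $row.Autologger = "Start=$start"
            }
            catch {
                $row.Autologger = "failed: $($_.Exception.Message)"
            }
        }

        # Live session: only stop tracers that are running, so nothing prints red errors.
        $session = Get-EtwTraceSession -Name $tracer -ErrorAction SilentlyContinue
        if ($session) {
            try {
                Stop-EtwTraceSession -Name $tracer -ErrorAction Stop
                $row.Session = 'stopped'
            }
            catch {
                $row.Session = "failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# One row per tracer: what was changed, what was absent, and what failed.
Disable-TelemetryTracer | Format-Table -AutoSize
```

Any row that reports "failed" carries the underlying error message, so an access problem is not hidden the way it is with -ea 0.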
# Remove any Event Tracker Logs and Security Health (Windows Defender) scan files.
@("$Env:SystemRoot\System32\LogFiles\WMI\AutoLogger-Diagtrack-Listener.etl",
@("$Env:SystemRoot\System32\LogFiles\WMI\Diagtrack-Listener.etl",
"$Env:ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl",
"$Env:ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*.etl",
"$Env:ProgramData\Microsoft\Diagnosis\*.rbs",
"$Env:ProgramData\Microsoft\Windows Defender\Scans\*") | Remove-Item -Recurse -Force

error

modify

# Remove any Event Tracker Logs and Security Health (Windows Defender) scan files.
@("$Env:SystemRoot\System32\LogFiles\WMI\AutoLogger-Diagtrack-Listener.etl",
"$Env:SystemRoot\System32\LogFiles\WMI\Diagtrack-Listener.etl",
"$Env:ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl",
"$Env:ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*.etl",
"$Env:ProgramData\Microsoft\Diagnosis\*.rbs",
"$Env:ProgramData\Microsoft\Windows Defender\Scans\*") | Remove-Item -Recurse -Force