Optimize-Offline Guide - Windows Debloating Tool, Windows 1803, 1903, 19H2, 1909, 20H1 and LTSC 2019

Discussion in 'Windows 10' started by KedarWolf, Jul 30, 2019.

  1. justintime20

    justintime20 MDL Novice

    Feb 5, 2018
    11
    0
    0
    I tried both, neither would work.
     
  2. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    You may already know this or have already tried this, but to directly optimize an install.wim: remove the comma after the second to last bracket and set "NetFx3": false since NetFx3 requires a source ISO.
    Code:
      "SourcePath": "F:\\Build\\19042.450\\install.wim",
      "WindowsApps": "Whitelist",
      "SystemApps": true,
      "Capabilities": false,
      "Packages": false,
      "Features": false,
      "DeveloperMode": false,
      "WindowsStore": false,
      "MicrosoftEdge": true,
      "Win32Calc": true,
      "Dedup": false,
      "DaRT": [
      ],
      "Registry": true,
      "Additional": {
        "Setup": true,
        "Wallpaper": false,
        "SystemLogo": true,
        "LockScreen": true,
        "RegistryTemplates": true,
        "LayoutModification": false,
        "Unattend": false,
        "Drivers": false,
        "NetFx3": false
      }
    }
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    #563 spanishfly, Sep 4, 2020
    Last edited: Sep 4, 2020
    A caution for users who remove System Applications with Optimize-Offline!
    Sep 09 2020 "patch Tuesday" is nearing and it's time to prepare. If you use this project to remove System Applications, than there is some chance that the upcoming September patch will behave the same as the August patch and install all your removed System Applications.

    As reported weeks ago (mydigitallife.net Post #536 ), applying the August 2020 patch "fixes" your OS by installing all your "missing" System Applications!

    In post Post #538, I've tested some basic ideas to allow the August 11, 2020—KB4566782 CU patch to upgrade a 20H1 Build 19041.388 virtual machine to 19041.450 without screwing up all the System Applications. So far, I haven't found a proper solution.

    The only suggestion I can make is to avoid performing a cumulative update until the GitHub project developer arrives at a proper solution.

    If you decide to block Windows update, there are many solutions available at mydigitallife.net:
    Sledgehammer - Windows 10 Update Control is useful since you can safely check each month for updates you know are safe to apply or hide updates you want to block.

    Toggle Windows Update - this uses the celebrated "WindowsUpdateSysprepInProgress" reg value. I checked this out recently and it works very well.

    StopWinUpdates I've used this in the past and it works good.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. drew84

    drew84 MDL Addicted

    Mar 13, 2014
    697
    1,149
    30
    Code:
    Name                                      InstallLocation
    ----                                      ---------------
    E2A4F912-2574-4A75-9BB0-0D023378592B      C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy
    Microsoft.CredDialogHost                  C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy
    Microsoft.Windows.Apprep.ChxApp           C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy
    Microsoft.Windows.CallingShellApp         C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
    Microsoft.Windows.ContentDeliveryManager  C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
    Microsoft.Windows.Search                  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
    Microsoft.Windows.SecHealthUI             C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
    Microsoft.Windows.ShellExperienceHost     C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy
    Microsoft.Windows.StartMenuExperienceHost C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
    windows.immersivecontrolpanel             C:\Windows\ImmersiveControlPanel
    
    A workaround would be to Set WU to notify and choose when to download
    download latest build from UUP Dump (including updates), Optimize the image and upgrade using latest image
    takes a little longer, achieves the same end, without any issues regarding changed security settings or returning apps
     
  5. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    Thanks for your advice.
    Thanks for reminding me of this solution. Not what I call an easy answer for the average O-O user, but maybe I underestimate who the average O-O user is? This solution still requires you to apply some type of WU blocking solution so your base build doesn't get trashed.
    I may need to do this UUP Dump update since I accidentally downloaded and installed onto real hardware 20H2 rather than 20H1 (oops!). So I either I re-install using 20H1 or keep moving forward with build 19042.
    This might work short-term, but just to warn you there are heaps of people reporting that Microsoft doesn't consistently respect Group Policy WU settings.

    Ideally, Microsoft has heard a heap of corporate people complaining about the August CU trashing there tailored OS builds and the September patch respects our optimized System Application designs. In other words, the August 2020 patch was a one-off Microsoft mistake.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. drew84

    drew84 MDL Addicted

    Mar 13, 2014
    697
    1,149
    30
    @spanishfly thanks for the heads up, WU is not an issue for me normally as updates usually hit here first and are generally applied manually (almost immediately by myself)
    also have settings backed up and re-applied each boot, Firewall is set to OFF (by Default) until I manually start it..... we can but try our best to stop the bad boys from disregarding our rights

    ... got an addendum to my previous post coming
     
  7. drew84

    drew84 MDL Addicted

    Mar 13, 2014
    697
    1,149
    30
    #567 drew84, Sep 4, 2020
    Last edited: Sep 4, 2020
    ... Continuing from my previous post(s), offering this as a clarification of how easy the process is

    Example using 19041 (My Method)

    Download the latest 19042.xxx creation file from UUP Dump

    Extract the contents to D:\ Drive (your choice - I just prefer not to use C:\)
    I name it WF01_19042.xxx_amd64_en-gb - This becomes my First Work Folder
    Edit your ConvertConfig.ini (contained within), now run create_virtual_editions.cmd
    [convert-UUP]
    AutoStart =1
    AddUpdates =1
    Cleanup =0
    ResetBase =0
    NetFx3 =1 <== May need to have a look at this, May have misunderstood this post https://forums.mydigitallife.net/th...20h1-and-ltsc-2019.80038/page-29#post-1616298
    StartVirtual =1
    wim2esd =0
    SkipISO =1
    SkipWinRE =0
    ForceDism =1
    RefESD =1

    [create_virtual_editions]
    vAutoStart =1
    vDeleteSource=1
    vPreserve =1
    vwim2esd =0
    vSkipISO =1
    vAutoEditions=Enterprise
    [/CCODE]

    Process normally takes about 3 to 3.5 minutes to completeion
    Produces Two distribution folders Pro (All included Indicies) and Enterprise (1 Index) with included WIM files
    Space is not a premium for me, so don't see the point of ESDs or ISOs, gonna service the image anyway.
    Further Info 20206 Post #21

    I also have 2 other folders on the same drive WF02_Optimize-Offline-4.0.1.4.en-GB.19042 and WF03_Optimize-Offline-4.0.1.4.en-GB

    Contents of the 3 Work Folders and Instructions + notes
    Code:
    (01_Latest_Updates)                    <== Create and Maintain - Will Contain all Updates needed for up to date Image, obviously my list below is not up to date
                                               Naming structure is my own.. Latest updates can be gleaned from here: @Enthousiast's Overview  https://forums.mydigitallife.net/threads/discussion-windows-10-final-build-19041-2-1-208-264-329-pc-20h1-2-vb_release.80763/page-16#post-1571109
        Windows10.0-KB4557964-x64_DUB_19041.260.cab < Dynamic Update (boot.wim, winre.wim) - not currently needed, here for reference
        Windows10.0-KB4561600-x64_FSU_19041.329.cab < Flash Security Update -- soon to be no more I believe
        Windows10.0-KB4562830-x64_H2E_19041.479.cab < 19042 Enablement Package + Edge Chromium
        Windows10.0-KB4566781-x64_DUS_19041.450.cab < Dynamic Update Sources
        Windows10.0-KB4569745-x64_NFU_19200.170.cab < .NET Framework Update
        Windows10.0-KB4570334-x64_SSU_19041.441.cab < Service Stack Update
        Windows10.0-KB4571744-x64_CCU_19041.487.cab < Complete Cumulative Update (as opposed to Express)
    (CLIENTENTERPRISE_VOL_X64FRE_EN-GB)    <== O-O Optimized install.wim is copied to sources directory here - I upgrade from here directly, You can also copy entire contents to bootable USB for clean/fresh installation
    (CLIENTPRO_OEMRET_X64FRE_EN-GB)        <== Contains further indicies (for family and friends)
    (bin)
    (files)
    (UUPs)                                 <== On first download it will contain updates, with each new CU +, replace with updates from above
                                               and run convert-UUP.cmd to create newly updated image, no need to download archive again
                                               Previous Distribution folders can be deleted once new ones are created
                                               Note: The removal/deletion of all updates from here leaves the original 19041.1 base
       ConvertConfig.ini
       ReadMe.html
       aria2_download.log
       aria2_download_windows.cmd
       convert-UUP.cmd
       create_virtual_editions.cmd
       multi_arch_iso.cmd
    

    CODE]
    ENTERPRISE_install.wim <== Point your O-O script to this - Original WIM (never changes - Until replaced with updated Source after each new CU), O-O uses this but saves the Optimized WIM to Script Directory
    [/CODE]

    Code:
    (.github)
    (Content)
    (docs)
    (en-GB)
    (Optimize-Offline_2020-09-03T01.34.48) <== Timestamped directory (created after running script) contains O-O Image + Log Files - install WIM from here is copied to Enterprise distribution folders for use
    (Packages)
    (Src)
       LICENSE
       .gitmore
       Configuration.json
       ChangeLog.md
       README.mdUpcoming.md               <== Worth looking at
       Start-Optimize.ps1
       Changes Required.txt               <== (MY) Notes on Changes needed to allow other than en-US culture + other ammendments
       Optimize-Offline.psd1
       Optimize-Offline.psm1
    

    ... will more than likely add to this if questions arise, but basically once initial work is done, you:
    (1) download latest updates to updates folder (replacing older ones)
    (2) copy updates to UUPs folder and run convert-UUP.cmd to create new Distribution Folder (updates should be deleted from UUPs folder after)
    (3) copy install.wim from Distribution Folder to install.wim Work Folder
    (4) optimize your WIM
    (5) copy newly created WIM from O-O Work Folder back to Distribution Folder and you are good to go
     
  8. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    Wow! thanks!! Seems pretty clear.
    I'll have a go at following your very nicely described "OO image making pipeline" and let you know if run into any road blocks...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. drew84

    drew84 MDL Addicted

    Mar 13, 2014
    697
    1,149
    30
  11. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    Something like that ...
    I think you've added all the required code.
    I don't actually use "Set-Additional.ps1" I noticed the error when I was comparing my own online scripts with "Set-Additional.ps1" to see if there was anything new.
    The developer has on line 20/21:
    Code:
    # Get the current build number for the Windows 10 version.
    $Build = Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber
    So when the developer corrects this (and you could polish your code) with something like ...
    Code:
    If ($Build -ge 19041)
    {
    or
    If Build -le 18363
    {
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    I'll take a closer look at your code later today. Yesterday, I was using my spare time to take one final stab at doing an online registry lock-down to see if it's possible to then perform an in-place windows update. I did crack-it, but had to resort to using a third-party app for the solution. I wasn't able to get either PowerShell or DOS code to change permissions of the TrustedInstaller owned "InboxApplications" reg key. I'll provide my in-place Windows Update solution, when I get a chance either later today or tomorrow.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    #573 spanishfly, Sep 6, 2020
    Last edited: Sep 6, 2020
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Pillendreher

    Pillendreher MDL Novice

    Aug 6, 2013
    3
    0
    0
    @spanishfly

    Thanks for your post. The search feature has indeed worked a little bit differently under 4.0.1.3 compared to 4.0.1.2. E.g. Outlook complained about search indexing being disabled, even though I didn't disable anything.
     
  16. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    #577 spanishfly, Sep 9, 2020
    Last edited: Sep 10, 2020
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. drew84

    drew84 MDL Addicted

    Mar 13, 2014
    697
    1,149
    30
    #578 drew84, Sep 9, 2020
    Last edited: Sep 9, 2020
    Thanks for the heads up ..I don't actually code, but can usually adapt stuff based on what has gone before
    Noticed that Keys that don't exist weren't imported/copied to the "reg to be edited file" so logic suggested leaving both addresses should cover old and new OSs

    (1) Copy/Paste and forgot to change
    (2) Missed.. not paying attention... have edited original post accordingly
    (3) Hadn't really noticed this before.. but in my case, would like to know what the value '4' actually represents.

    Edit
    : the first value instance '0' appears to be whether the service starts (1) or not (0)
    ....... the second value instance '4' appears to refer to the service startup type Disabled (4) ... eg. Automatic (2)


    Re: Function Harden-OS, .. nice
     
  18. spanishfly

    spanishfly MDL Junior Member

    Dec 5, 2018
    62
    71
    0
    thanks!
    I'm absolutely not a coder!! Nor do I offer definitive answers. My school is the internet. I just search, read, and test.
    I agree about "value instance '4' appears to refer to the service startup type Disabled (4)" I could be wrong, but I think it's a typo. AFAIK, these log-tracers aren't services.
    Here is an easy test. Change the order of how the developer script applies changes.
    (1) Run the "# Disable automatic Event Tracker Logs from Services that can use them as telemetry." section and look in the registry. You'll see that the values for "Start" are '4'
    (2) Next run the official cmdlet
    Code:
    Get-AutologgerConfig -Name DiagLog, Diagtrack-Listener, LwtNetLog, WdiContextLog | Set-AutologgerConfig -Start 0 
    and you'll see that the values for "Start" are now '0' . . . officially and also efficiently. That one line cmdlet replaces the fancy array of html changes.
    If you want to match the fancy array, you can add all the other supposed trace logs to the cmdlet: 'AITEventLog', 'AutoLogger-Diagtrack-Listener', 'DiagLog', 'Diagtrack-Listener', 'EventLog-Microsoft-RMS-MSIPC-Debug', 'EventLog-Microsoft-Windows-WorkFolders-WHC', 'FamilySafetyAOT', 'LwtNetLog', 'Microsoft-Windows-Setup', 'NBSMBLOGGER', 'PEAuthLog', 'RdrLog', 'ReadyBoot', 'SetupPlatform', 'SQMLogger', 'TCPIPLOGGER', 'Tpm', 'WdiContextLog' I've only ever seen the four tracers I kept in the code I shared above on any system I've ever built (PowerShell console: logman query -ets).

    One correction (that I edited into my above script).
    "Stop-EtwTraceSession" works with a piped list of names. (Get-EtwTraceSession -Name DiagLog, Diagtrack-Listener, LwtNetLog, WdiContextLog | Stop-EtwTraceSession), but
    if any one of the tracer apps aren't running, then this method needs "try" "catch" to stop it from spitting red errors.
    I hate red errors and I suck at making "try" "catch" work, so the 'script kiddie' answer is to run a separate line of code for each tracer.

    Code:
            # Turn off running Event telemetry tracers for this session     
            Stop-EtwTraceSession -Name DiagLog -ea 0
            Stop-EtwTraceSession -Name Diagtrack-Listener -ea 0
            Stop-EtwTraceSession -Name LwtNetLog -ea 0
            Stop-EtwTraceSession -Name WdiContextLog -ea 0
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. zb9525

    zb9525 MDL Novice

    Apr 24, 2017
    7
    2
    0
    # Remove any Event Tracker Logs and Security Health (Windows Defender) scan files.
    @("$Env:SystemRoot\System32\LogFiles\WMI\AutoLogger-Diagtrack-Listener.etl", @("$Env:SystemRoot\System32\LogFiles\WMI\Diagtrack-Listener.etl", "$Env:programData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl", "$Env:programData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*.etl", "$Env:programData\Microsoft\Diagnosis\*.rbs", "$Env:programData\Microsoft\Windows Defender\Scans\*") | Remove-Item -Recurse -Force
    error
    modify
    # Remove any Event Tracker Logs and Security Health (Windows Defender) scan files.
    @("$Env:SystemRoot\System32\LogFiles\WMI\AutoLogger-Diagtrack-Listener.etl","$Env:SystemRoot\System32\LogFiles\WMI\Diagtrack-Listener.etl", "$Env:programData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl", "$Env:programData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*.etl", "$Env:programData\Microsoft\Diagnosis\*.rbs", "$Env:programData\Microsoft\Windows Defender\Scans\*") | Remove-Item -Recurse -Force