Can tweaks be applied to the default user account? about win10-initial-setup-script HOT 4 CLOSED

I'm gonna use this issue to cover possible scenarios how the script can be used in multi-user environments and installation images, so I can be mean to other people having the same question afterwards. Note that this list is not exhaustive, just several ways off the top of my head. Also note that they weren't tested.

First of all, trust the FAQ. If there would be any noncomplicated way how to achieve application of the tweaks system-wide for all accounts, it's already in the script. That being said, you are still left with several complicated ways how to at least partially achieve it. It all depends on your environment and user setup. And of course your understanding of Windows ecosystem.

Option 1. Create custom presets for admin and user part. In the admin part, set the stuff which is common for the whole machine - HKLM registry keys, services, Windows features etc. - in the user part, set UI tweaks and other stuff in HKCU which doesn't require elevation via RequireAdmin. Admin part then can be run only once right after the installation (and possibly again after some major updates), user part can be run either on every login or just once after the user logs in for the first time.

Option 2. Bypass UAC. You can do that either via Task Scheduler (recommended) or using some other shady technique as described eg. here. You don't have to feel bad. According to Microsoft, UAC is not a security boundary and some applications (eg. CCleaner) are already using such technique for a long time.

Option 3. Target user's registry hives directly. This requires overhauling the HKCU parts in the script. The idea basically is, that instead of HKCU:\Some\Registry\Key\ you'll access HKU:\S-1-5-21-<UUID>\Some\Registry\Key\. Ideally, that user has to log in at least once before using this method to populate their hive properly.

Option 4. Use group policies. I imagine that this might be a stupid advice, but don't use the script at all. :) Pretty much every registry path in the script containing Policies is just ripped off of a GPO. There might not be a policy for everything, but for most of the tweaks, there is (including some tweaks where I don't use policies in my script). However this requires much deeper knowledge of Windows then ordinary power user has, so this might be more suitable for domain admins.

List of the places where you can put your script to run automatically:

• Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• Folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
• Folder %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
• Group policy Configuration -> Windows Settings -> Scripts (Logon/Logoff)
• Task Scheduler - At startup / At log on event-based triggers. Required for option 2.
• Active Setup
• WinPE winpeshl.ini - This would be the way how to run the script directly as part of an installation image, although I suggest wrapping the script to a *.bat file.

As for the default accounts in OPs question - The closest method how to achieve it would suggest option 3, but unfortunately there is no way how the tweaks can be implicitly applied to accounts which are yet to be created, as lot of values are populated during the first logon.

from win10-initial-setup-script.

trust the FAQ. If there would be any noncomplicated way how to achieve application of the tweaks system-wide for all accounts, it's already in the script.

Not exactly ;)

Remove-AppxPackage -AllUsers

https://docs.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=win10-ps

from win10-initial-setup-script.

Not exactly ;)

Remove-AppxPackage -AllUsers

True, however that's just for apps, not for other registry tweaks. The AppX packages are not removed for all users so it's possible to install them back easily. The hard way is too hard for most users. And yeah, I'm aware that the apps can be reinstalled from Windows Store, but if you remove also Windows Store for all users, you're out of options.

from win10-initial-setup-script.

Running this in an OSD Task Sequence (SYSTEM), my hope is to disable certain features for all future users, without having to wait for a user-based software deployment to kick in, or (worse) implementing this as a login script for all users. As it stands, tons of these throw errors referencing a non-existent HKCU.

I understand the requirement to break out a user part, but it would be nice if most of the user-facing changes were adapted to run as admin (or at least apply to the default user profile, if possible).

from win10-initial-setup-script.