Example: Use the ADK for Windows 10 / 11 to Create an ISO Image with Anti-Malware Services Disabled
NOTE: The following requires either the 64-bit Windows 10 2004 ADK or the 64-bit Windows 11 23H2 ADK, with the accompanying WinPE Add-On installed.

(1.) Download the Windows 10 / 11 ISO Image (32-bit / 64-bit) and place it in the following folder:

C:\ISO

Download Windows 10 / 11 Disk Image (ISO) -> Select Download -> Windows 10 / 11 (multi-edition ISO) -> Download
Select the product language -> English (United States) -> Confirm
Windows 10 / 11 English -> 32-bit Download / 64-bit Download

NOTE: When downloading the ISO Images on Windows 10 / 11, you must use a User-Agent Switching Addon, like in the examples below:

User-Agent Switcher and Manager: https://chrome.google.com/webstore/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
( Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/ )

NOTE: Right-click on the batch file after extracting it from the archive, and click "Run as administrator".

(2.) Unzip / extract the archive ( Win10_11_ISO_Image_Generator.zip ), which contains the following batch file:

Win10_11_ISO_Image_Generator.bat

NOTE: The following text documents organize each stage of the ISO image creation process:

WINDOWS 10 22H2 32-BIT: C:\Patches\Win10\CheckList_W10_x86.txt
WINDOWS 10 22H2 64-BIT: C:\Patches\Win10\CheckList_W10_x64.txt
WINDOWS 11 24H2 64-BIT: C:\Patches\Win11\CheckList_W11_x64.txt

NOTE: Currently no official download sources exist for Windows 10 / 11 64-bit ARM ISO Images:

WINDOWS 10 22H2 ARM 64-BIT: "C:\Patches\Win10\CheckList_W10_x64_ARM.txt"
WINDOWS 11 24H2 ARM 64-BIT: "C:\Patches\Win11\CheckList_W11_x64_ARM.txt"

(3.) After installing the operating system, you will have to reset the DACL, which requires Sdelete / Sdelete64 / Sdelete64a (Sysinternals).

This should only be run from a bootable WinPE ISO Image:

C:\Patches\Batch_Files\ACL\WinPE_8_3_Reset_C_Drive_Wipe_ACL_Disable_ELAM_SmartScreen.bat

This batch file is best used, from within the WinPE environment, to reset file permissions to default on any drive that isn't a system volume:

C:\Patches\Batch_Files\ACL\WinPE_8_3_Reset_Drive_Wipe_ACL.bat

Open the Command Prompt -> Start Menu -> Run -> taskmgr -> File -> Run new Task -> %SystemRoot%\System32\cmd.exe -> Select "Create this task with administrative privileges." -> Click OK.

(4.) After rebooting, the default Windows Apps have to be reset on Windows 11, and reinstalled on Windows 10, due to the removal of Orphaned SIDs and the DACL being reset:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Reset_Apps_Win10_11.bat

(5A.) Configure the Firewall and Network Stack:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Firewall\Generic_Win10_11_Firewall_Settings.bat

(5B.) Alternate: My current setup looks similar to this, aside from the folder layout. I have hardened the network stack, and replaced the built-in unicast / multicast DNS with an Encrypted Stub Resolver:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Post_Install_Win10_11.bat
CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Post_Activation_CMD_PowerShell_UI_Configuration_Win10_11.bat

The following script enables Windows Update / Microsoft Store Updates:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Firewall\Enable_Windows_App_Update_Firewall.bat

The following script disables Windows Update / Microsoft Store Updates:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Firewall\Disable_Windows_App_Update_Firewall.bat

The following script creates temporary firewall rules for installing software, which expire after approximately thirty seconds of no activity:

CMD /Q /C START /MIN /REALTIME C:\Patches\Batch_Files\Firewall\Temp_Firewall_Rule_Generator.bat

The most common problem after patching / updating Windows is that you often have to modify / delete any new registry entries the patches or services create that bypass the security rules / security policies you have set in place:

CMD /Q /C START /MIN /REALTIME C:\Patches\Batch_Files\Registry_Patch_Win10_11.bat

To remove unwanted apps, edit this batch file based on your needs:

CMD /Q /C START /MIN /REALTIME /WAIT /B C:\Patches\Batch_Files\Selective_Removal_Win10_11_Apps.bat

The following batch file erases the Command Line history, MUI Cache, Jumplists, as well as most Temporary Files on the System Drive:

CMD /Q /C START /MIN /REALTIME C:\Patches\Batch_Files\Clear_Default_Cache_Win10_11.bat