Windows 11 Installation

1. License key policy

From Dean on date 2022-08-25 08:05

Hi Dah,

Please have everyone who will have access to the Windows 11 Enterprise volume license review this email and reply back that you understand and will comply with this policy.

SMRU IT will not share, distribute, or abuse software license keys with anyone except the IT person responsible for installing the software. The impact of doing so could cause ALL major overseas programmes to lose the benefit of Oxford licensing plus SMRU/Oxford could incur very expensive monetary fines.
Software media will not be given to users for installation outside SMRU premises unless authorized by the Head of IT at MORU in which case the "SMRU Software Media Request Log Form" must be completed.
In cases where a software installation key must be used to remotely activate the software then a remote control support session must be arranged so that SMRU IT may remotely enter the key for the person.
In no cases may these keys be shared with anyone unless approved by MORU CIO.
Keys are to be stored in an encrypted password manager (like Keepass, password safe, etc) and never stored within SOPs are other documents (word, excel, text files, etc)

Additional information

-Oxford "windows" license keys may only be used on computers that already have a valid and legal license. Computers must have a "windows certificate of authenticity" sticker affixed to it. -Windows running in a virtual machine (Fusion, parralells, vmware workstation, ect) and computers purchased with DOS/Linux do NOT have valid licenses and therefore cannot use Oxford Windows licenses (until a valid license is purchased) -Oxford licenses (Windows, Office, Endnote, etc) may only be used on computers that SMRU owns and are used for SMRU activities -Oxford licenses and all other MORU/SMRU software (media and license keys) cannot be shared with anyone ever at any time

I have copied the license key to \\SMRU-SRV\home$\Surachard\Win11.txt. Please save this key to Keepass or other secure password manager and delete this file.

Best regards,

Dean

2. Installation

Install 64-bit Windows 11 Enterprise 22H2 in a VirtualBox vm.
Install 64-bit Windows 11 Pro 22H2 in a VirtualBox vm.

3. Boot Media

3.1. Microsoft SHA1 checksums

Browse to https://www.heidoc.net/php/myvsdump.php.
Select the W Microsoft download directory.
Select Windows 11, version 22H2.
Select Windows 11 (business editions), version 22H2.

3.2. Download

Browse to https://www.google.com/ncr and search on the SHA1 checksums.

3.3. Bootable USB

MBR

Creation of a bootable custom Windows 11 Enterprise USB device with MBR partition table

Attach an empty external USB device.
Enter the following commands at a Command Line.

diskpart
list disk
select disk #                                   (1)
clean
clean                                           (2)
create partition primary
select partition 1
format fs=ntfs quick
active
exit

label X: Windows-11-Enterprise-2009-x86         (3)
label X: Windows-11-Enterprise-2009-x64         (4)

1	Replace # by the appropriate disk nr.
2	If previous command failed.
3	32-bit.
4	64-bit.

Start Windows Explorer.
Select the W:\Images\Windows\Windows 11\22H2 folder.
Extract the en-us_windows_11_business_editions_version_22h2_x64_dvd_17a08ce3.iso image to the X:\ folder.
Close Windows Explorer.
Detach the external USB device.

GPT

Creation of a bootable custom Windows 11 Enterprise USB device with GPT partition table

Most computers with the BIOS set to UEFI can only boot from a GPT USB device with a FAT32 file system. However, the SMRU custom created Windows image is typically 10 GB or larger. The FAT32 file system has a 4 GB file size limit, meaning it cannot hold any install.wim file that exceeds 4 GB. Therefore we do need a GPT USB device with an NTFS file system.

Rufus to the rescue. From https://github.com/pbatard/uefi-ntfs.

Rufus creates 2 partitions on the target USB disk (these can be MBR or GPT partitions). The first one is an NTFS partition occupying almost all the drive, that contains the Windows files (for Windows To Go, or for regular installation), and the second is a very small FAT partition, located at the very end, that contains an NTFS UEFI driver (see https://efi.akeo.ie) as well as the UEFI:NTFS bootloader.
When the USB drive boots in UEFI mode, the first NTFS partition gets ignored by the UEFI firmware (unless that firmware already includes an NTFS driver, in which case 2 boot options will be available, that perform the same thing) and the UEFI:NTFS bootloader from the bootable FAT partition is executed.
UEFI:NTFS then loads the relevant NTFS UEFI driver, locates the existing NTFS partition on the same media, and executes the /efi/boot/bootia32.efi, /efi/boot/bootx64.efi, /efi/boot/bootarm.efi or /efi/boot/bootaa64.efi that resides there. This achieves the exact same outcome as if the UEFI firmware had native support for NTFS and could boot straight from it.

Note: Copy the Windows 11 iso file from the network share to the local drive because Rufus does not recognise network drives.

Start Rufus with administrative privileges.
Attach an empty external USB device.
Select the external USB device.
Click SELECT.
Select the W:\Images\Windows\Windows 11\22H2 folder.
Select the en-us_windows_11_business_editions_version_22h2_x64_dvd_17a08ce3.iso file.
Click Open.
Type Windows-11-Enterprise-22H2-x64 for the Volume label.

Device                                  Windows-11-Enterprise-22H2-x64
Boot selection                          en_windows_11_business_editions_version_...
Image option                            Standard Windows installation
Partition scheme                        GPT
Target system                           UEFI (non CSM)

- List USB Hard Drives
- Add fixes for old BIOSes (extra partition, align, etc.)
- Use Rufus MBR with BIOS ID

Volume label                            Windows-11-Enterprise-22H2-x64
File system                             NTFS
Cluster size                            4096 bytes (Default)

+ Quick format
+ Create extended label and icon files
- Check device for bad blocks           1 pass

Click START.
Click OK to confirm.
Wait about 5 minutes for Rufus to finish.
Detach the external USB device.
Click CLOSE to close Rufus.

3.4. SMRU Reference Image

Create Windows Reference Image.

3.4.1. Bootable ISO (64-bit)

Creation of bootable custom Windows 11 Enterprise and Windows 11 Pro iso files.

Install Windows Assessment and Deployment Kit (ADK) on 64-bit Windows 11.
Select Start > All apps > Windows Kits > Deployment and Imaging Tools Environment with administrative privileges.

Windows 11 Enterprise

Contents of the C:\Users\Administrator\Make-ISO-File.bat file.

@echo off
setlocal EnableDelayedExpansion
set "BootFile1=W:\Windows-11-Enterprise-x64\boot\etfsboot.com"
set "BootFile2=W:\Windows-11-Enterprise-x64\efi\microsoft\boot\efisys.bin"
set "Label=Windows-11-Enterprise-22H2-x64"
set "SourceRoot=W:\Windows-11-Enterprise-x64"
set "TargetFile=W:\Windows-11-Enterprise-22H2-x64.iso"
oscdimg.exe -l%Label% -m -o -u2 -udfver102 -bootdata:2#p0,e,b%BootFile1%#pEF,e,b%BootFile2% %SourceRoot% %TargetFile%

Windows 11 Pro

Contents of the C:\Users\Administrator\Make-ISO-File.bat file.

@echo off
setlocal EnableDelayedExpansion
set "BootFile1=W:\Windows-11-Pro-x64\boot\etfsboot.com"
set "BootFile2=W:\Windows-11-Pro-x64\efi\microsoft\boot\efisys.bin"
set "Label=Windows-11-Pro-22H2-x64"
set "SourceRoot=W:\Windows-11-Pro-x64"
set "TargetFile=W:\Windows-11-Pro-22H2-x64.iso"
oscdimg.exe -l%Label% -m -o -u2 -udfver102 -bootdata:2#p0,e,b%BootFile1%#pEF,e,b%BootFile2% %SourceRoot% %TargetFile%

Enter the following commands at the ADK Command Prompt.

net use W: \\SMRU-HyperV01\Windows$ /P:No
cd C:\Users\Administrator
Make-ISO-File.bat

3.4.2. Bootable USB

Update of the bootable custom Windows 11 Enterprise and Windows 11 Pro USB devices

Windows 11 Enterprise

Attach the custom Windows 11 Enterprise external USB device.
Copy the W:\Partition-Disk.cmd file to the X:\ folder.
Copy the W:\Create-BIOS-MBR-Partitions-On-Disk-0.txt file to the X:\ folder.
Copy the W:\Create-BIOS-MBR-Partitions-On-Disk-1.txt file to the X:\ folder.
Copy the W:\Create-UEFI-GPT-Partitions-On-Disk-0.txt file to the X:\ folder.
Copy the W:\Create-UEFI-GPT-Partitions-On-Disk-1.txt file to the X:\ folder.
Delete the X:\sources\install.wim file.
Copy the W:\Windows-11-Enterprise-x64\sources\install.wim file to the X:\sources folder.
Wait about 15 minutes for the copy to finish.
Detach the custom Windows 11 Enterprise external USB device.

Windows 11 Pro

Attach the custom Windows 11 Pro external USB device.
Copy the W:\Partition-Disk.cmd file to the X:\ folder.
Copy the W:\Create-BIOS-MBR-Partitions-On-Disk-0.txt file to the X:\ folder.
Copy the W:\Create-BIOS-MBR-Partitions-On-Disk-1.txt file to the X:\ folder.
Copy the W:\Create-UEFI-GPT-Partitions-On-Disk-0.txt file to the X:\ folder.
Copy the W:\Create-UEFI-GPT-Partitions-On-Disk-1.txt file to the X:\ folder.
Delete the X:\sources\install.wim file.
Copy the W:\Windows-11-Pro-x64\sources\install.wim file to the X:\sources folder.
Wait about 15 minutes for the copy to finish.
Detach the custom Windows 11 Pro external USB device.

4. Setup

4.1. Real Machine

4.1.1. Requirements

Note: Make sure that the BIOS system time is set to local time.
Note: Make sure that the BIOS is configured to AC power off after AC power loss.
Note: Make sure that the BIOS is configured to boot from the 1st hard disk.
Note: Make sure that the computer has a solid state disk of at least 200 GB.
Note: Make sure that the solid state disk have no SMART errors.

4.2. Hyper-V

4.2.1. Create Hyper-V vm

4.2.2. Configure Hyper-V vm

4.3. VirtualBox

4.3.1. Create VirtualBox vm

Start VirtualBox.
Select the Windows 11 group.
Select Group > New Machine.
Enterprise: Type Windows 11 Enterprise 22H2 64-bit - Reference for the Name.
Pro: Type Windows 11 Pro 22H2 64-bit - Reference for the Name.
Select Machine Folder | Other.
Select the V:\VirtualBox Quick\VirtualBox VMs folder.
Click Select Folder.
Select Type | Microsoft Windows.

Select Version | Windows 11 (64-bit).

Name:                   Windows 11 Enterprise 22H2 64-bit - Reference
Machine Folder:         V:\VirtualBox Quick\VirtualBox VMs
Type:                   Microsoft Windows
Version:                Windows 11 (64 bit)

Name:                   Windows 11 Pro 22H2 64-bit - Reference
Machine Folder:         V:\VirtualBox Quick\VirtualBox VMs
Type:                   Microsoft Windows
Version:                Windows 11 (64 bit)

Click Next.
```
Memory size:            4096 MB
```
Click Next.
Choose Create a virtual hard disk now.
Click Create.
Choose VDI (VirtualBox Disk Image).
Click Next.
Choose Dynamically allocated.

Click Next.

File Location:          V:\VirtualBox Quick\VirtualBox VMs\Windows 11\Windows 11 Enterprise 2009 64-bit\Windows 11 Enterprise 2009 64-bit.vdi
Size:                   200.00 GB

Click Create.
Close VirtualBox.

4.3.2. Configure VirtualBox vm

Start VirtualBox.
Select the Windows 11 > Windows 11 Enterprise 22H2 64-bit - Reference virtual machine.
Click Settings.
Select the General page.
- Select the Advanced tab.
- Select Shared Clipboard | Bidirectional.
Select the System page.
- Select the Motherboard tab.
- Uncheck Boot Order | Floppy.
- Move Floppy down to the bottom.
- Check Enable IO APIC.
- Optional: Check Enable EFI (special OSes only).
- Uncheck Hardware Clock in UTC Time.
- Select the Processor tab.
- Select Processor(s) | 2.
Select the Storage page.
- Select Controller: SATA > Windows 11 Enterprise 22H2 64-bit - Reference.vdi.
- Check Solid-state Drive.
Select the Shared Folders page.
- Click the Adds new shared folder button.
- Select Folder Path | Other.
- Select the D:\ folder.
- Click Select Folder.
- Check Auto-mount.
- Type D:\ for the Mount point.
```
Folder Path:            D:\
Folder Name:            D_DRIVE
                        □ Read-only
                        ■ Auto-mount
Mount point:            D:\
```
- Click OK.
Click OK.
Close VirtualBox.

4.3.3. Prepare VirtualBox vm

Start VirtualBox.
Select the Windows 11 > Windows 11 Enterprise 22H2 64-bit - Reference virtual machine.
Click Settings.
Select the Storage page.
- Select Controller: SATA > Empty.
- Click the Choose a virtual optical disk button.
- Select Choose a disk file.
- Microsoft: Select the W:\Images\Windows\Windows 11 folder.
- Microsoft: Select the en-us_windows_11_business_editions_version_22h2_x64_dvd_17a08ce3.iso file.
- SMRU: Select the W:\ folder.
- SMRU: Select the Windows-11-Enterprise-22H2-x64.iso file.
- Click Open.
Click OK.
Close VirtualBox.

5. Installation

5.1. Official Microsoft Windows

Mount the en-us_windows_11_business_editions_version_22h2_x64_dvd_17a08ce3.iso file.

Boot the computer from the CD/DVD drive.

Language to install:            English (United States)
Time and currency format:       English (United States)
Keyboard or input method:       US

Press Shift+F10 to open a Command Prompt.

Enter the following commands at the Command Line.


wpeutil InitializeNetwork
ipconfig
net use W: \\SMRU-HyperV01\Windows$ /Persistent:No
W:\Fix-Windows-11-Minimum-Requirements.cmd

UEFI + GPT.
- Enter the following commands at the Command Line.
  diskpart.exe list disk list volume select volume # (1) assign letter=U select volume # (2) assign letter=V list disk list volume exit
  1 Select the UEFI_NTFS volume.
  
  2 Select the Windows-11- volume.
- Note: M.2 SSD disks may not be assigned as disk 0.
- Note: The next commands will wipe the disk.
- Note: This partitioning does not work for Advanced Format drives with 4096 sector size disks.
  Because for 4Kn disks the EFI System Partition size needs to be 260 MB.
- Enter the following commands at the Command Line.
```
W:\Partition-Disk.cmd 0 UEFI    (1)
W:\Partition-Disk.cmd 1 UEFI    (2)
```
1 Partition disk 0 for new computers with UEFI.

2 Partition disk 1 for new computers with UEFI.

Enter the following commands at the Command Line.

diskpart.exe
list disk
list volume
select disk #                                                   (1)
list partition
exit

setup.exe /unattend:W:\Unattend-Windows-11-Enterprise-x64.xml   (2)
setup.exe /unattend:W:\Unattend-Windows-11-Pro-x64.xml          (3)

1	Enter the disk number that was partitioned.
2	Windows 11 Enterprise
3	Windows 11 Pro

Language to install:            English (United States)
Time and currency format:       English (United States)
Keyboard or input method:       US

Click Next.

Windows 11 Enterprise: Select Windows 11 Enterprise | x64 | 11/4/2021.

Operating system                Architecture    Date modified
-------------------------       ------------    -------------
Windows 11 Enterprise           x64             11/4/2021

Windows 11 Pro: Select Windows 11 Pro | x64 | 11/4/2021.

Operating system                Architecture    Date modified
-------------------------       ------------    -------------
Windows 11 Pro                  x64             11/4/2021

Click Next.
Check I accept the Microsoft Software License Terms.
Click Next.
Select the System64 | Primary partition.
Click Next.
Wait about 7 minutes for the installation to finish.

Select Thailand for the region.
Click Yes.
Select US for the keyboard layout.
Click Yes.
Click Skip to skip adding a second keyboard layout.
Wait for the Windows to do a restart.

Select Location > No.
Select Find my device > No.
Select Diagnostic data > Required only.
Select Inking & typing > No.
Select Tailored experiences > No.

Select Advertising ID > No.

Location                        No
Find my device                  No
Diagnostic data                 Required only
Inking & typing                 No
Tailored experiences            No
Advertising ID                  No

Click Accept.
Click Yes at the Networks dialog to allow this PC to be discoverable by other devices on this network.
Unmount the en-us_windows_11_business_editions_version_22h2_x64_dvd_17a08ce3.iso file.
Right-click on Desktop and select View > Small icons.
Shutdown the computer.

5.2. Customized SMRU Windows

Preparations.
- Make sure that the hard disk is connected.
- Make sure that BIOS Date/Time is set to local time.
- Make Sure that BIOS SATA Operation is AHCI.
- Make sure that Secure Boot is disabled.
- Make sure that TPM chip is enabled and activated.
- Make sure that Wake on LAN is LAN Only.
- Make sure to enable Secure Boot after the Windows installation has finished.
- Optional: The following may be needed to prevent the installation from failing.
  - Make sure to power off the computer (remove battery from notebook).
  - Make sure to power off the computer (remove CMOS battery).
  - Make sure to power off the computer (reseat RAM modules).
```
Windows could not parse or process the unattend answer file for pass
[specialize]. The settings specified in the answer file cannot be applied.
The error was detected while processing settings for component
[Microsoft-Windows-Shell-Setup]
```
Attach the custom Windows 11 Enterprise USB device.

Boot the computer from the USB device.

Language to install:            English (United States)
Time and currency format:       English (United States)
Keyboard or input method:       US

Press Shift+F10 to open a Command Prompt.

Optional: Network.

Enter the following commands at the Command Line.

wpeutil InitializeNetwork
ipconfig
net use W: \\SMRU-HyperV01\Windows$ /Persistent:No
W:\Fix-Windows-11-Minimum-Requirements.cmd                      #Optional

Enter the following commands at the Command Line.

diskpart.exe
list disk
list volume
select volume #         (1)
assign letter=U
select volume #         (2)
assign letter=W
list disk
list volume
exit

1	Select the UEFI_NTFS volume.
2	Select the Windows-11- volume.

Note: M.2 SSD disks may not be assigned as disk 0.
Note: The next commands will wipe the disk.
Note: This partitioning does not work for Advanced Format drives with 4096 sector size disks.
Because for 4Kn disks the EFI System Partition size needs to be 260 MB.
Enter the following commands at the Command Line.
```
W:\Partition-Disk.cmd 0 UEFI    (1)
W:\Partition-Disk.cmd 1 UEFI    (2)
```
1 Partition disk 0 for new computers with UEFI.

2 Partition disk 1 for new computers with UEFI.

Enter the following commands at the Command Line.

diskpart.exe
list disk
list volume
select disk #                   (1)
list partition
exit

exit

1	Enter the disk number that was partitioned.

Click Next.
Click Install now.
Check I accept the Microsoft Software License Terms.
Click Next.
Click Custom: Install Windows only (advanced).

Select the System64 | Primary partition.
Click Next.
Wait about 30 minutes for the installation to finish.

Select Thailand for the region.
Click Yes.
Select US for the keyboard layout.
Click Yes.
Click Skip to skip adding a second keyboard layout.
Optional: Click I don’t have network to skip ethernet connection.
Optional: Click Continue with limited.
Optional: Select Skip for now to skip setting up a wifi connection.

Select Location > No.
Select Find my device > No.
Select Diagnostic data > Required only.
Select Inking & typing > No.
Select Tailored experiences > No.

Select Advertising ID > No.

Location                        No
Find my device                  No
Diagnostic data                 Required only
Inking & typing                 No
Tailored experiences            No
Advertising ID                  No

Click Accept.
Click Yes at the Networks dialog to allow this PC to be discoverable by other devices on this network.

6. Activation

6.1. Microsoft Office

Log on as Administrator.
Make sure to have internet connection.
Start Word.
Choose Install updates only.
Click Accept.
Select the Blank document template.
Select File > Account.

Select Change Product Key.

Product key:            XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Click Install.
Close Word.

6.2. Windows 11 Enterprise

Log on as Administrator.
Make sure to have internet connection.
Open Settings > Update & security > Activation.
Note: When it takes too long, then select several tab and then return to the Activation tab.
Ignore the Windows can’t activate right now. Try activating Windows later. If that doesn’t work, contact your system administrator. Error code: 0x8007232B. error message.

Select Change product key.

Product key:            XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Click Next.
Ignore the Windows can’t activate with this product key. Go to Settings for more information. (0x8004fe33) error message.
Click Close.
Close Settings.
Restart the computer.

6.3. Windows 11 Pro

Note: Computers with Windows 11 Pro do not have any product key with it.
But we can activate online.
Note: Make sure that the computer has direct internet access.

Open System.
- Select Control panel > System.
Click Activation.
Click Troubleshoot.
Wait for the activation.
Click Close on We’ve activated this copy of Windows message.
Close Settings.
Close System.

7. Configuration

7.1. Official Microsoft Windows

7.1.1. Administrator password

PC: Press Ctrl+Alt+Del.
VirtualBox: Select Input > Keyboard > Insert Ctrl+Alt+Del.
Select Change a password.
Leave the old password field empty.
Type Administr@t0r!!! for the new password.
Type Administr@t0r!!! to confirm the password.
Click the → button.
Click OK.

7.1.2. Computer name

Open Settings.
Select System > About.

Click Rename this PC.

WIN11VM-ENT22H2                 # Windows 11 Enterprise
WIN11VM-PRO22H2                 # Windows 11 Pro

Click Next.
Click Restart Later.
Close Settings.
Restart the computer.

7.1.3. Time zone

Open Settings.
Select Time & language.
Select Date & time.
Select the (UTC+07:00) Bangkok. Hanoi, Jakarta time zone.
Close Settings.

7.1.4. Applications

Install Delta Windows Tools.
Optional: Install VirtualBox Guest Additions.
Optional: Install VMware Tools.
Install Clink.

7.1.5. Cleanup

Enter the following commands at a Command Prompt with administrative privileges.

net user
Remove-UserAccount defaultuser0
Remove-UserAccount Default.migrated
dir /a: C:\Users
rmdir /q /s C:\Users\defaultuser0 2> nul
rmdir /q /s C:\Users\Default.migrated 2> nul
Get-ObsoleteSids
Remove-ObsoleteSids

7.1.6. Thai language

Open Settings.
Select Time & language.
Select Language & region.
Select Add a language.
Select ไทย Thai.
Click Next.
Check Install language pack.
Uncheck Text-to-speech (5 MB).

Uncheck Set as my Windows display language.

Optional language features
■ Install language pack
□ Text-to-speech (5 MB)

Language preferences
□ Set as my Windows display language

Required language features
■ Basic typing (1 MB)
■ Supplemental fonts (2 MB)

Click Install.
Wait for the installation to finish.
Close Settings.

7.1.7. Windows updates

Open Services (Control Panel > Administrative Tools > Services) (services.msc).
Right-click Background Intelligent Transfer Service and select Properties.
Select Startup type: > Automatic (Delayed Start).
Click Apply.
Optional: Click Start.
Click OK.
Right-click Windows Update and select Properties.
Select Startup type: > Automatic.
Click Apply.
Optional: Click Start.
Click OK.
Close Services.

Open Settings.
Select Update & Security.
Click Check for updates.
Close Settings.

7.1.8. File Explorer

Start File Explorer.
Select the C:\ folder.
Select View > Details.
Move the Size column between the Name and Date modified columns.
Increase the width of the Name column.
Select … to see more and select Options.
Select the View tab.
Click Apply to Folders.
Click Yes to confirm.
Click OK.
Close File Explorer.

7.1.9. Indexing Options

Open Control Panel > Indexing Options.
Click Modify.
Check all local drives.
Click OK.
Wait about 10 minutes for indexing to finish.
Click Close.

7.1.10. System performance

Open Settings > System > About.
Select Advanced system settings.
Select the Advanced tab.
Click Performance > Settings.
Select the Visual Effects tab.
Choose Adjust for best performance.
Choose Custom.
Check Smooth edges of screen fonts.
Click Apply.
Click OK.
Click OK.
Close System.

7.1.11. Programs

7.1.11.1. Install drivers, software and updates

Do not activate Windows 11 Enterprise.
Do not activate Microsoft Office.
Do not install Adobe Flash Player for Internet Explorer (it is already built-in for Windows 11).
Do not install Adobe Flash Player for Plugin-based browsers.
Do not install AVG Free.
Do not install network printers.

Install 7-Zip.
Install Adobe Acrobat Reader DC.
Install Clink (Christopher Antos).
Install Fonts.
- Install Karen and Myanmar fonts.
- Install Thai fonts.
Install LAPS.
Install MicroDicom DICOM Viewer.
Install Microsoft Office Professional Plus 2021.
Not yet install: Install Open-Shell.
Install OpenSSH Server.
Install Oracle VM VirtualBox Guest Additions.
Install Smartmontools.
Install Delta Windows Tools.
Install VLC Media Player (VideoLAN).
Install Zawgyi.

Disable Windows Media Player.
- Open Programs and Features.
- Select Turn Windows features on or off.
- Uncheck Media Features.
- Click OK.
- Click Close.
- Close Programs and Features.

Uninstall Windows Media Player.
- Open Settings.
- Select Apps.
- Select optional features.
- Select Windows Media Player Legacy.
- Click Uninstall.
- Close Settings.

Start System Configuration (msconfig.exe).
Select the Boot tab.
Change the Timeout value from 30 to 10 seconds.
Click Apply.
Click OK.
Click Exit without restart.
Close System Configuration.
Restart the computer.

7.1.11.2. Configuration of default applications

Open Settings.
Select Apps.
Select Default apps.
Close Settings.

Other

Make 7-Zip the default application for .zip files.
Make Notepad the default application for .log and .txt files.

7.2. Customized SMRU Windows

7.2.1. Computer name

Open Settings.
Select System > About.

Click Rename this PC.

WIN11VM-ENT22H2                 # Windows 11 Enterprise
WIN11VM-PRO22H2                 # Windows 11 Pro

Click Next.
Click Restart Later.
Close Settings.
Restart the computer.

7.2.2. Computer

Log on as Administrator.
Press Ctrl+Alt+Delete.
Select Change a password.
Type [kbd]`` in the Old password field.
Type the new password in the New password field.
Retype the new password in the Confirm password field.
Click the → button.
Click OK.
Start Command Prompt.

Enter the following commands at a Command Prompt with administrative privileges.

Remove-UserAccount defaultuser0
Remove-UserAccount Default.migrated
rmdir /q /s C:\Users\defaultuser0
rmdir /q /s C:\Users\Default.migrated
Get-ObsoleteSids
Remove-ObsoleteSids
Set-WindowsConfiguration

7.2.3. Credentials

Enter the following commands at a Command Prompt with administrative privileges.
```
Save-SmruCredentials Inventory-Zip
Save-SmruCredentials PowerShell-Email
```
Shutdown the computer.
Detach the custom Windows 11 Enterprise USB device.

7.2.4. Environment variables

Log on as Administrator instead of Admin.
Wait.
Open Control Panel > System.
Select Advanced system settings.
Select the Advanced tab.
Click Environment Variables.

Double-click a DELTA_* variable from the table below in the System variables panel.
Adjust its value.
Click OK.

Click OK.
Click OK.
Close System.

Variable name	Example values
DELTA_CONDITION	Bad, Good, Poor
DELTA_DEPARTMENT	DM, Finance, HR, IT, TB
DELTA_EMAIL	<user>@bhf-th.org, <user>@shoklo-unit.com
DELTA_GRANT	C-13-0001
DELTA_LOCATION	IT office
DELTA_MORU_TAG	COM-18-0211
DELTA_PHONE	-
DELTA_PRICE	38,000 THB
DELTA_PURCHASE_DATE	2014-07-24
DELTA_REMARK	From AMI, GeneXpert, Gibthai, Slow
DELTA_SITE	HPA, MKT, MLA, MSL, MST, WPA
DELTA_SMRU_TAG	SMRU-AS-COM-NB-0045, SMRU-AS-COM-PC-0045
DELTA_STATUS	Deleted, Donated, In use, Obsolete
DELTA_TBHF_TAG	TBHF-AS-COM-NB-0045, TBHF-AS-COM-PC-0045
DELTA_USER
DELTA_WAKE_ON_LAN	34:17:EB:B4:CA:8C
DELTA_WARRANTY_EXPIRES	2017-07-15
DELTA_WINDOWS_LICENSE_LABEL	No, Pro Windows 8, Windows

Variable name

Example values

DELTA_CONDITION

Bad, Good, Poor

DELTA_DEPARTMENT

DM, Finance, HR, IT, TB

DELTA_EMAIL

<user>@bhf-th.org, <user>@shoklo-unit.com

DELTA_GRANT

C-13-0001

DELTA_LOCATION

IT office

DELTA_MORU_TAG

COM-18-0211

DELTA_PHONE

DELTA_PRICE

38,000 THB

DELTA_PURCHASE_DATE

2014-07-24

DELTA_REMARK

From AMI, GeneXpert, Gibthai, Slow

DELTA_SITE

HPA, MKT, MLA, MSL, MST, WPA

DELTA_SMRU_TAG

SMRU-AS-COM-NB-0045, SMRU-AS-COM-PC-0045

DELTA_STATUS

Deleted, Donated, In use, Obsolete

DELTA_TBHF_TAG

TBHF-AS-COM-NB-0045, TBHF-AS-COM-PC-0045

DELTA_USER

DELTA_WAKE_ON_LAN

34:17:EB:B4:CA:8C

DELTA_WARRANTY_EXPIRES

2017-07-15

DELTA_WINDOWS_LICENSE_LABEL

No, Pro Windows 8, Windows

7.2.5. Time zone

Open Settings.
Select Time & Language.
Select Date & time.
Select the (UTC+07:00) Bangkok. Hanoi, Jakarta time zone.
Disable Set time automatically.
Click Change.
Adjust the date and time.
Click Change.
Enable Set time automatically.
Close Settings.

7.2.6. Microsoft Edge.

Install Microsoft Edge uBlock Origin extension.

7.2.7. SMRU domain

Join the computer to SMRU Domain.

7.2.8. BitLocker Encryption

Encrypt Operating system drive.
Encrypt Fixed data drives.

7.2.9. Printer Drivers

Show-NetworkPrinters
Show-NetworkPrinters | Sort-Object PortName
Install-PrinterDrivers

7.2.10. Inventory

Log on as Administrator.
Start Command Prompt with administrative privileges.
Type Show-Inventory and press Enter.
Close Command Prompt.

7.2.11. IT Helpdesk Computers

7.2.11.1. Endian Firewall

See https://www.instantssl.com/ssl-faqs/ssl-certificate-errors.html.
See https://www.attachmate.com/documentation/gateway-1-1/gateway-admin-guide/data/fxg_add_untrusted_cert.htm.
Prevent the Your connection is not private message in Google Chrome. Not secure
Prevent the This site is not secure message in Internet Explorer. This site isn’t secure
Prevent the This site is not secure message in Microsoft Edge. Certificate error
Prevent the Your connection is not secure message in Mozilla Firefox. Insecure Connection

Mozilla Firefox

Browse to https://10.10.1.170:10443.
Browse to https://192.168.25.170:10443.
Click Advanced.

Click Add Exception.

Click View.

Select the General tab.

Could not verify this certificate because it was signed using a signature algorithm that was
disabled because that algorithm is not secure.

Select the Details tab.
Select smru-efw-mrm.smru.shoklo-unit.com > Certificate > certificate Signature Algorithm.

PKCS #1 MD5 With RSA Encryption

Click Close.

Note: The following checkbox is disabled (grayed out).
Check Permanently store this exception.
Click Confirm Security Exception.

7.2.11.2. Remote Desktop Connection

Prevent the Remote Desktop Connection window with the The identity of the remote computer cannot be verified. Do you want to connect anyway? message popping up when using Remote Desktop Connection.

Log on as <IT Helpdesk User>.

Enter the following commands at a Command Line.

set "Key=HKCU\Software\Microsoft\Terminal Server Client"
reg add "%Key%" /v "AuthenticationLevelOverride" /t REG_DWORD /d "0" /f

Enter the following commands at a Command Line to restore the default behaviour.

set "Key=HKCU\Software\Microsoft\Terminal Server Client"
reg delete "%Key%" /v "AuthenticationLevelOverride" /f

There is also a HKLM\Software\Microsoft\Terminal Server Client registry key. Adding the registry value for that key prevents the popup message for all users logged on to the computer using Remote Desktop Connection.

7.2.11.3. Delta Windows Tools

Delta Windows Tools uses the SSH protocol for communication with remote computers. It is assumed that Bitvise SSH Server is installed on all SMRU computers. Only the IT Helpdesk computers should have the private key installed.

Start KeePass Password Safe.
Open the SMRU.kdbx file.
Select the Advanced tab.
Select the id_rsa-auto.pub file.
Click Save to save the Bitvise SSH Server - Private for PuTTY key to the C:\Tmp folder.
Close KeePass Password Safe.

Enter the following commands at a Command Prompt with administrative privileges.
```
move C:\Tmp\id_rsa* C:\Users\Administrator
```

7.2.12. Verification

TODO:

15) TeamViewer. -→ Check when 2 target computers are running TeamViewer. 17) Windows Updates - Download updates but let me choose whether to install them. Test Microsoft Update enable script.

OK 31) Network Adapter - Power Management. OK 32) Thai language (ink correction + thai language + language bar settings). OK 33) WinMerge settings. 35) Symantec Endpoint Protection. OK 36) Network printers. OK 39) Log on with domain user account. OK 40) Check Disk Cleanup. OK 42) Check ping from remote computer. OK 43) Check SSH from remote computer. 44) Test TeamViewer. 45) Open Control Panel > Administrative Tools > Services.

7.2.13. Issues

Installing AVG Free on the reference computer, gives many problems during installation of the deployment image on the target computer.
Note: Do not panic when the installation fails. Restart the computer and start Windows in Safe Mode. It will fail again, restart the computer once more, but this time it will finish the installation without any further errors. Just follow the instructions below.
Fail: Install Windows Windows could not finish configuring the system. To attempt to resume configuration, restart the computer.
Start Command Prompt (Shift+F10).

Enter the following commands at a Command Prompt with administrative privileges.

dir c:\windows\system32\sysprep\panther         <????>
dir c:\windows\panther                          <????>
dir c:\windows\panther\unattendgc               <????>

Optional: Start Notepad (notepad.exe)?
Optional: Open the c:\windows\panther\setupact.log file?
Optional: Close Notepad?
Click OK to restart the computer.
Press F8 while Windows restarts.
Select Safe Mode and press Enter.
Fail: Install Windows Windows cannot complete installation in Safe Mode. To continue installing Windows, restart the computer.
Click OK to restart the computer.
Wait.
Fail: Install Windows Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].

See C:\Windows\Panther\unattendGC\setupact.log.

_FindLatestProfile failed (0x80070003) [gle=0x00000003]
CopyProfile failed (0x80070003) [gle=0x00000003]

See http://support.microsoft.com/kb/2530664.    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Press Shift+F10 when sysprep message comes up with the error and it will open
a command prompt. Open up taskmgr, and then open up eventvwr.msc.
You might see copy profile errors.

Optional: Start Command Prompt (Shift+F10)?

dir c:\windows\system32\sysprep\panther         <????>
dir c:\windows\panther                          <????>
dir c:\windows\panther\unattendgc               <????>

Optional: Start Notepad (notepad.exe)?
Optional: Open the c:\windows\panther\setupact.log file?
Optional: Open the c:\windows\panther\unattendgc\setuperr.log file?

Optional: Close Notepad?

Start Command Prompt (Shift+F10).                                       <????>
Start Registry Editor (regedit.exe).                                    <????>
Select the *HKLM > System > Setup > Status > ChildCompletion* key.      <????>
Right-click *setup.exe* and select *Modify*.                            <????>
Change the value from 1 into 3 and select *OK*.                         <????>
Close Registry Editor.                                                  <????>
Press Ctrl+Shift+F3 to continue.                                        <????>
Close Command Prompt.                                                   <????>

A fatal error occurred while trying to sysprep the machine.
- Click *OK*.

set "Key=HKLM\System\Setup\Status\SysprepStatus"
reg query "%Key%"
# Make sure that the "GeneralizationState" value is set to "0x7".
reg add "%Key%" /v "GeneralizationState" /t REG_DWORD /d "7" /f
reg query "%Key%"
set "Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
msdtc -uninstall
msdtc -install

http://www.msfn.org/board/topic/170405-windows-81-failed-after-re-image

Start Command Prompt (Alt+F10).
Enter the following commands at a Command Prompt with administrative privileges.
```
cd c:\windows\system32\sysprep\panther
dir
type setuperr.log
```

8. Upgrade Widows

8.1. Upgrade from Windows 11 Home to Windows 11 Pro

Log on as Administrator.
Make sure to have internet connection.
Open Settings>System>Activation.
Expand Upgrade your edition of Windows.
Click Change.
Enter the product key.
Click Next.
Click Start.
Wait Preparing for upgrade about 10 minutes.
Log on as Administrator.
Click Opt-out of backup.
Click Skip for now.

Open Settings.
Select Update & Security.
Click Check for updates.
Close Settings.

1	Partition disk 0 for new computers with UEFI.
2	Partition disk 1 for new computers with UEFI.