Installation process | Essential programs | Privacy tweaks with GPEDIT | PowerShell commands to remove Provisioned apps | General tweaks
Made for: Windows 11 22H2 | Updated for W11 24H2
Last update: 2024-10-03 (Disabling Copilot has been added; some new/extra user/system apps have also now removed with PowerShell)
This covers all the steps I personally go though when performing a clean install of Windows 11. My aims are the following:
- As much automation as possible (portable programs, quick import of settings)
- A clean UI/UX (I disable/uninstall most of the bloat that comes with Windows)
- As much privacy as possible (see my Group Policy edits)
- Prioritizing native software (to break as little things as possible) or FOSS
Thanks to Duttyend for the tips and suggestions!
- Download the official iso file from Microsoft
- Create bootable USB with Rufus, leave everything as default (GPT, UEFI, NTFS), and customize the Windows User Experience: tick everything
- Benefits: faster than Microsoft's tool, makes the use of a local account easier, skips privacy questions (all will be off)
- Naviagate to /sources in and add the ei.cfg attached to this repo.
- Benefits: it will bypass your current Windows key and allow you to choose Windows Education/Enterprise instead of Windows Home.
- Education edition is my favorite as it has all the features from Enterprise but is also included in the multi-edition iso available from Windows without an account, unlike the enterprise iso that is hard to get. You can fin a comparison of all versions here:
- Benefits: it will bypass your current Windows key and allow you to choose Windows Education/Enterprise instead of Windows Home.
- Reboot and install Windows. Make sure to delete all your partitions (except the data one, if you have one) and to choose the Education/Enterprise/Professional edition.
- Platform tools - ADB/Fastboot - mandatory to tinker with my Android phones
- Audacity - Tool to analyse/edit audio files (last update that doesn't include telemetry)
- Calibre - Management of my Kindle library
- chrlauncher - Portable Chromium and updater - macchrome and RobRich999 are both up to date and reliable.
- Easy Audio Sync - Synchronization of my main music library with the one for my phone. It automatically mirrors my main folder and transcodes on-the-fly my .flac files to .opus ones. Works great and it's very fast.
- Everything - Locate files and folders by name instantly
- Foobar2000 - My favorite music player by far
- HandBrake - Favorite video converter
- JPEGView - extremely fast and lightweight image viewer (fork)
- KeePassXC - Cross-Platform Password Manager
- LameXP - Multi-format audio file converter
- LanXchange - Configuration-free, cross-platform file transfers for your local network
- MP3TAG - One of my favorite tag editor for music
- MPC-HC - One of my favorite video player (fork)
- MPV - My favorite video player
- Nicotine+ - open source client four Soulseek.
- Notepad++ - My favorite text editor
- OBS - Best screen recording / broadcasting software
- paint.NET - great easy-to-use image editor
- PDFsam - nice tool for basic PDF manipulations
- qBittorrent - Favorite torrent client
- ShareX - Favorite screen capture tools, many other features
- simplewall - great firewall
- Spek - Acoustic spectrum analyser (fork)
- SumatraPDF - My favorite PDF viewer
- Syncthing - Wireless sync of my images, music, etc. in between my computer & Android Phone
- TagScanner - Another one of my favorite tag editor for music
- WinCDEmu - CD/DVD/BD emulator
- yt-dlp - Easily download video/audio files from YouTube (fork)
- BleachBit - Disk space cleaner, privacy manager, and computer system optimizer
- Caesium Image Compressor - image compression software, very impressive
- HWiNFO - System Information
- Real-ESRGAN - AFAIK, best image upscaler
- Driver Store Explorer [RAPR] - Manage drivers
- Package managers
- Chocolatey - see packages here
- Installation (PowerShell with admin rights)
Set-ExecutionPolicy AllSigned
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
- Command to install all programs:
choco install XX YY
- See installed programs:
choco list --localonly
- Installation (PowerShell with admin rights)
- Winget - see packages here
- Command to search packages:
winget search XXX
(save the package ID to install programs, it's more accurate and reliable) - Command to install all programs: winget upgrade --all --silent
winget install 7zip.7zip && winget install File-New-Project.EarTrumpet && winget install Mozilla.Firefox && winget install flux.flux && winget install Oracle.JavaRuntimeEnvironment && winget install Nextcloud.NextcloudDesktop&& winget install geeksoftwareGmbH.PDF24Creator && winget install Microsoft.PowerToys && winget install RustDesk.RustDesk && winget install xanderfrangos.twinkletray
- Command to update all programs: (you can also download the shortcut I created, "Winget Update.ink")
- Command to search packages:
- Chocolatey - see packages here
- 7-zip - Favorite file archiver
- EarTrumpet - Volume Control for Windows (Windows Store)
- Firefox - Main browser
- Add-ons:
- uBlock Origin
- Bypass Paywalls Clean
- SponsorBlock
- Firefox Multi-Account Containers
- A working twitch adblocker, see TwitchAdSolutions
- Add-ons:
- f.lux - My favorite nightlight software on Windows
- Java - Needed for some programs
- NextCloud - Cloud Client
- PDF24 - PDF tools
- PDFsam Basic - PDF tools
- PowerToys - Useful system utilities
- RustDesk - best open source TeamViewer alternative (which has become awful lately by the way)
- Twinkle Tray - Easily manage the brightness of your monitors in Windows from the system tray
- Battery Percentage Icon - See your battery percentage in the system tray (Windows Store)
- ExplorerPatcher - Enhance the working environment on Windows (available on Winget)
- FreeFileSync - My favorite file synchronization tool
- Microsoft Office - Office suite (direct link - Mass Gravel is a very good website to get original download links too)
- Sublte - Subtitles downloader
- Sources: 1, 2, 3
- Abbreviations:
- (D) = disabled
- (E) = enabled
- (E+C) = enabled, configuration is necessary
- Benefits of using GPE instead of third-party programs or regedit
- Easier to setup after a clean install (no need to tick all boxes one by one).
- All GP edits are up to date, so there's no risk to mess with regedit by adding unnecessary keys.
- Changes are easier to track than on regedit.
- No third-party software = more reliable, more secure, more private.
- GPE includes meaningful descriptions, wheras regedit doesn't offer any. Third-party softwares' are usually not very accurate or up to date.
-
Backup: copy all files/folders from
C:\Windows\System32\GroupPolicy
-
Restore/import:
- Paste these files to your new installation in the same folder
- You can also directly import my config that is attached to this repository
- If you want to update policies without restarting, run this command in CMD (it's not necessary to run it as administrator):
gpupdate /force
-
Screenshots of Group Policy changes:
- List of entries written down (these are slightly outdated as I may have been modified/added some, but are still relevant and are kept for referencing purposes).
(slightly outdated, check screenshots) Privacy settings
(slightly outdated, check screenshots) UI/UX settings
- Uninstall all unnecessary preinstalled provisioned user apps
- Add some essential CLI programs to PATH with CMD (administrator mode) so they are always available when opening CMD or PowerShell:
setx /m PATH ""YourProgramPath";%PATH%"
- e.g.:
setx /m PATH ""C:\ffmpeg\bin";%PATH%"
- Notes:
- "/m" = all users
- "setx" instead of "set" = permanent change
- adding "" at the beginning and end of path is useful if you have spaces in your path)
- Programs I add to path: StreamRip, yt-dlp, ADB/Fastboot.
- Local Security Policy
- Ask for password for administrator rights: Local Policies → Security Options → User Account Control: Behavior of the elevation prompt for administrators in Admin Approval mode → Prompt for credentials.
- services.msc: services to disable
- Connected User Experiences and Telemetry
- Other services that can be disabled safely
- Change default app for different file types
- Video player: mp4, mov, avi, mkv, webm, flv, html5
- Music player: mp3, aac, flac, ogg, opus
- PDF reader: pdf
- image viewer: png, jpg, jpeg, gif, webp, tiff, bmp, heif, xvg
- Text viewer: txt
- Torrent client: .torrent
- Optional features
- Facial Recognition
- Math Recognizer
- Internet Explorer mode
- Steps recorder
- WMIC
- Windows Media Player Legacy
- Windows PowerShell ISE
- WordPad
- Delete OneNote printer through
printmanagement.msc
- Most important Windows Settings
- System → Power
- System → Multitasking
- System → Clipboard
- Bluetooth & devices → Mouse → Additional mouse settings → pointer options → disable enhance pointer precision
- Bluetooth & devices → Touchpad
- Network & interent → Wi-Fi / Ethernet → Hardware properties → Edit DNS (e.g.
1.1.1.1
&1.0.0.1
encrypted) - Turn on BitLocker
- Privacy & security → open Windows Security → disable Tamper Protection
- Language & Region → Regional format: English (World) (allows to use DD/MM/YYYY format and programs will be installed in English instead of your local language)
- Performance tips:
- Settings → Accessiblity → Disable transparency effects
- Windows Security → Device Security → Disable core isolation (note: weakens security)
- Windows Security → Searching Windows → Find my files: enhanced
- Device Manager → System Devices → High precision event timer (HPET) → disable device (note: improve performance with most hardware - some people say it's snake oil)
- Firefox:
- make sure in about:support that compositing is rendered by
WebRender
(note: and not WebRender (software)) - about:config tweaks:
browser.tabs.loadBookmarksInBackground
→ truebrowser.bookmarks.openInTabClosesMenu
→ falsedom.ipc.processPriorityManager.backgroundUsesEcoQoS
→ falsefull-screen-api.transition-duration.leave
→ 50 50full-screen-api.transition-duration.enter
→ 50 50full-screen-api.warning.timeout
→ 0browser.compactmode.show
→ truebrowser.tabs.tabmanager.enabled
→ falseextensions.pocket.enabled
→ falseextensions.screenshots.disabled
→ truereader.parse-on-load.enabled
→ falsebrowser.cache.disk.enable
→ falseaccessibility.force_disabled
→ 1browser.tabs.firefox-view
→ falsetoolkit.telemetry.unified
→ false
- make sure in about:support that compositing is rendered by
- Change "model" name under PC's name: regedit → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation → string: Model → data: model