v2.5, 2017-06-13, WinServer2016 support added

- Add "Disable obsolete SMB 1.0 protocol" - Add "Hide Server Manager after login" (Server, disabled by default) - Add "Disable Shutdown Event Tracker" (Server, disabled by default) - Add "Disable password complexity and maximum age requirements" (Server, disabled by default) - Add "Disable Ctrl+Alt+Del requirement before login" (Server, disabled by default) - Add "Disable Internet Explorer Enhanced Security Configuration" (Server, disabled by default) - Update multiple tweaks to work properly (or at least not throw error) on Windows Server 2016
2026-04-23 03:00:50 -04:00 · 2017-06-13 23:14:04 +02:00
parent 65a27e5ca1
commit a7f3ced7e4
12 changed files with 513 additions and 194 deletions
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ To supply a customized preset, you can either pass the function names directly a

    powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 EnableFirewall EnableDefender

-Or you can create a file where you write the function names (one function name per line, no commas, whitespaces allowed, comments on separate lines starting with `#`) and then pass the filename using *-preset* parameter. Don't forget that the script will try to run with elevated privileges and will use different working directory, therefore use of absolute paths is recommended.  
+Or you can create a file where you write the function names (one function name per line, no commas, whitespaces allowed, comments on separate lines starting with `#`) and then pass the filename using *-preset* parameter.  
 Example of a preset file `mypreset.txt`:

    # Security tweaks
@@ -27,7 +27,7 @@ Example of a preset file `mypreset.txt`:

 Command using the preset file above:

-    powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -preset D:\Install\mypreset.txt
+    powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -preset mypreset.txt

 ## FAQ

@@ -40,6 +40,12 @@ Command using the preset file above:
 **Q:** Can I run the script in multi-user environment?  
 **A:** Yes, to certain extent. Some tweaks (most notably UI tweaks) are set only for the user currently executing the script. As stated above, the script can be run repeatedly; therefore it's possible to run it multiple times, each time as different user. Due to the nature of authentication and privilege escalation mechanisms in Windows, the script can be successfully applied only for users belonging to *Administrators* group. Standard users will get an UAC prompt asking for admin credentials which then causes the tweaks to be applied to the given admin account instead of the original non-privileged one. To circumvent this, add the standard user to the *Administrators* group, run the script, and then remove the user from *Administrators* group again. There are a few ways how the same functionality can be achieved programmatically, but I'm not planning to include any of them as it would negatively impact code complexity and readability.

+**Q:** Can I run the script on Windows Server 2016?  
+**A:** Yes. Starting from version 2.5, Windows Server 2016 is supported. There are even few tweaks specific to Server environment. Keep in mind though, that the script is still primarily designed for Windows 10, so you have to create your own preset for Windows Server 2016.
+
+**Q:** Can I run the script on Windows 7, 8, 8.1 or other versions of Windows?  
+**A:** No. Although some tweaks may work also on older versions of Windows, the script is developed only for Windows 10 and Windows Server 2016. There are no plans to add support for older versions.
+
 **Q:** Did you test the script?  
 **A:** Yes. I'm testing new additions on up-to-date Home and Enterprise editions in VMs. I'm also regularly using it for all my home installations after all bigger updates.

--- a/Win10.ps1
+++ b/Win10.ps1
@@ -1,7 +1,7 @@
 ##########
-# Win10 Initial Setup Script
+# Win10 / WinServer2016 Initial Setup Script
 # Author: Disassembler <disassembler@dasm.cz>
-# Version: development, do not use
+# Version: 2.5, 2017-06-13
 # Source: https://github.com/Disassembler0/Win10-Initial-Setup-Script
 ##########

@@ -27,6 +27,7 @@ $tweaks = @(
 	# "LowerUAC",                   # "RaiseUAC",
 	# "EnableSharingMappedDrives",  # "DisableSharingMappedDrives",
 	"DisableAdminShares",           # "EnableAdminShares",
+	"DisableSMB1",                  # "EnableSMB1",
 	"SetCurrentNetworkPrivate",     # "SetCurrentNetworkPublic",
 	# "SetUnknownNetworksPrivate",  # "SetUnknownNetworksPublic",
 	# "DisableFirewall",            # "EnableFirewall",
@@ -79,8 +80,8 @@ $tweaks = @(
 	"DisableXboxFeatures",          # "EnableXboxFeatures",
 	# "UninstallMediaPlayer",       # "InstallMediaPlayer",
 	# "UninstallWorkFolders",       # "InstallWorkFolders",
-	# "InstallHyperV",              # "UninstallHyperV",
 	# "InstallLinuxSubsystem",      # "UninstallLinuxSubsystem",
+	# "InstallHyperV",              # "UninstallHyperV",
 	"SetPhotoViewerAssociation",    # "UnsetPhotoViewerAssociation",
 	"AddPhotoViewerOpenWith",       # "RemovePhotoViewerOpenWith",
 	"DisableSearchAppInStore",      # "EnableSearchAppInStore",
@@ -88,6 +89,13 @@ $tweaks = @(
 	"EnableF8BootMenu",             # "DisableF8BootMenu",
 	# "SetDEPOptOut",               # "SetDEPOptIn",

+	### Server Specific Tweaks ###
+	# "HideServerManagerOnLogin",   # "ShowServerManagerOnLogin",
+	# "DisableShutdownTracker",     # "EnableShutdownTracker",
+	# "DisablePasswordPolicy",      # "EnablePasswordPolicy",
+	# "DisableCtrlAltDelLogin",     # "EnableCtrlAltDelLogin",
+	# "DisableIEEnhancedSecurity",  # "EnableIEEnhancedSecurity",
+
 	### Auxiliary Functions ###
 	"WaitForKey",
 	"Restart"
@@ -277,6 +285,9 @@ Function EnableErrorReporting {
 # Restrict Windows Update P2P only to local network
 Function RestrictUpdateP2P {
 	Write-Host "Restricting Windows Update P2P only to local network..."
+	If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config")) {
+		New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" | Out-Null
+	}
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1
 	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
 		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" | Out-Null
@@ -381,6 +392,18 @@ Function EnableAdminShares {
 	Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "AutoShareWks" -ErrorAction SilentlyContinue
 }

+# Disable obsolete SMB 1.0 protocol
+Function DisableSMB1 {
+	Write-Host "Disabling SMB 1.0 protocol..."
+	Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
+}
+
+# Enable obsolete SMB 1.0 protocol
+Function EnableSMB1 {
+	Write-Host "Enabling SMB 1.0 protocol..."
+	Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
+}
+
 # Set current network profile to private (allow file sharing, device discovery, etc.)
 Function SetCurrentNetworkPrivate {
 	Write-Host "Setting current network profile to private..."
@@ -426,6 +449,9 @@ Function EnableFirewall {
 # Disable Windows Defender
 Function DisableDefender {
 	Write-Host "Disabling Windows Defender..."
+	If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")) {
+		New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force | Out-Null
+	}
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1
 	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "SecurityHealth" -ErrorAction SilentlyContinue
 }
@@ -486,7 +512,7 @@ Function EnableUpdateRestart {
 	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoRebootWithLoggedOnUsers" -ErrorAction SilentlyContinue
 }

-# Stop and disable Home Groups services
+# Stop and disable Home Groups services - Not applicable to Server
 Function DisableHomeGroups {
 	Write-Host "Stopping and disabling Home Groups services..."
 	Stop-Service "HomeGroupListener"
@@ -495,7 +521,7 @@ Function DisableHomeGroups {
 	Set-Service "HomeGroupProvider" -StartupType Disabled
 }

-# Enable and start Home Groups services
+# Enable and start Home Groups services - Not applicable to Server
 Function EnableHomeGroups {
 	Write-Host "Starting and enabling Home Groups services..."
 	Set-Service "HomeGroupListener" -StartupType Manual
@@ -503,13 +529,13 @@ Function EnableHomeGroups {
 	Start-Service "HomeGroupProvider"
 }

-# Disable Remote Assistance
+# Disable Remote Assistance - Not applicable to Server (unless Remote Assistance is explicitly installed)
 Function DisableRemoteAssistance {
 	Write-Host "Disabling Remote Assistance..."
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0
 }

-# Enable Remote Assistance
+# Enable Remote Assistance - Not applicable to Server (unless Remote Assistance is explicitly installed)
 Function EnableRemoteAssistance {
 	Write-Host "Enabling Remote Assistance..."
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 1
@@ -837,9 +863,12 @@ Function ExplorerQuickAccess {
 Function ShowThisPCOnDesktop {
 	Write-Host "Showing This PC shortcut on desktop..."
 	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu")) {
-		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" | Out-Null
+		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Force | Out-Null
 	}
 	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0
+	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel")) {
+		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Force | Out-Null
+	}
 	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0
 }

@@ -998,7 +1027,7 @@ Function EnableOneDrive {
 	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -ErrorAction SilentlyContinue
 }

-# Uninstall OneDrive
+# Uninstall OneDrive - Not applicable to Server
 Function UninstallOneDrive {
 	Write-Host "Uninstalling OneDrive..."
 	Stop-Process -Name OneDrive -ErrorAction SilentlyContinue
@@ -1022,7 +1051,7 @@ Function UninstallOneDrive {
 	Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
 }

-# Install OneDrive
+# Install OneDrive - Not applicable to Server
 Function InstallOneDrive {
 	Write-Host "Installing OneDrive..."
 	$onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"
@@ -1208,31 +1237,19 @@ Function InstallMediaPlayer {
 	Enable-WindowsOptionalFeature -Online -FeatureName "WindowsMediaPlayer" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }

-# Uninstall Work Folders Client
+# Uninstall Work Folders Client - Not applicable to Server
 Function UninstallWorkFolders {
 	Write-Host "Uninstalling Work Folders Client..."
 	Disable-WindowsOptionalFeature -Online -FeatureName "WorkFolders-Client" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }

-# Install Work Folders Client
+# Install Work Folders Client - Not applicable to Server
 Function InstallWorkFolders {
 	Write-Host "Installing Work Folders Client..."
 	Enable-WindowsOptionalFeature -Online -FeatureName "WorkFolders-Client" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }

-# Install Hyper-V - Applicable to Pro, Ent, Edu editions
-Function InstallHyperV {
-	Write-Host "Installing Hyper-V..."
-	Enable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V" -All -NoRestart -WarningAction SilentlyContinue | Out-Null
-}
-
-# Uninstall Hyper-V
-Function UninstallHyperV {
-	Write-Host "Uninstalling Hyper-V..."
-	Disable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V-All" -NoRestart -WarningAction SilentlyContinue | Out-Null
-}
-
-# Install Linux Subsystem - Applicable to RS1 or newer
+# Install Linux Subsystem - Applicable to RS1 or newer, not applicable to Server yet
 Function InstallLinuxSubsystem {
 	Write-Host "Installing Linux Subsystem..."
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" -Name "AllowDevelopmentWithoutDevLicense" -Type DWord -Value 1
@@ -1240,7 +1257,7 @@ Function InstallLinuxSubsystem {
 	Enable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Windows-Subsystem-Linux" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }

-# Uninstall Linux Subsystem - Applicable to RS1 or newer
+# Uninstall Linux Subsystem - Applicable to RS1 or newer, not applicable to Server yet
 Function UninstallLinuxSubsystem {
 	Write-Host "Uninstalling Linux Subsystem..."
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" -Name "AllowDevelopmentWithoutDevLicense" -Type DWord -Value 0
@@ -1248,6 +1265,26 @@ Function UninstallLinuxSubsystem {
 	Disable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Windows-Subsystem-Linux" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }

+# Install Hyper-V - Not applicable to Home
+Function InstallHyperV {
+	Write-Host "Installing Hyper-V..."
+	If ((Get-WmiObject -Class "Win32_OperatingSystem").Caption -like "*Server*") {
+		Install-WindowsFeature -Name "Hyper-V" -IncludeManagementTools -WarningAction SilentlyContinue | Out-Null
+	} Else {
+		Enable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V-All" -NoRestart -WarningAction SilentlyContinue | Out-Null
+	}
+}
+
+# Uninstall Hyper-V - Not applicable to Home
+Function UninstallHyperV {
+	Write-Host "Uninstalling Hyper-V..."
+	If ((Get-WmiObject -Class "Win32_OperatingSystem").Caption -like "*Server*") {
+		Uninstall-WindowsFeature -Name "Hyper-V" -IncludeManagementTools -WarningAction SilentlyContinue | Out-Null
+	} Else {
+		Disable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V-All" -NoRestart -WarningAction SilentlyContinue | Out-Null
+	}
+}
+
 # Set Photo Viewer association for bmp, gif, jpg, png and tif
 Function SetPhotoViewerAssociation {
 	Write-Host "Setting Photo Viewer association for bmp, gif, jpg, png and tif..."
@@ -1355,6 +1392,88 @@ Function SetDEPOptIn {



+##########
+# Server specific Tweaks
+##########
+
+# Hide Server Manager after login
+Function HideServerManagerOnLogin {
+	Write-Host "Hiding Server Manager after login..."
+	If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager")) {
+		New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager" -Force | Out-Null
+	}
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager" -Name "DoNotOpenAtLogon" -Type DWord -Value 1
+}
+
+# Hide Server Manager after login
+Function ShowServerManagerOnLogin {
+	Write-Host "Showing Server Manager after login..."
+	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager" -Name "DoNotOpenAtLogon" -ErrorAction SilentlyContinue
+}
+
+# Disable Shutdown Event Tracker
+Function DisableShutdownTracker {
+	Write-Host "Disabling Shutdown Event Tracker..."
+	If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability")) {
+		New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" -Force | Out-Null
+	}
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" -Name "ShutdownReasonOn" -Type DWord -Value 0
+}
+
+# Enable Shutdown Event Tracker
+Function EnableShutdownTracker {
+	Write-Host "Enabling Shutdown Event Tracker..."
+	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" -Name "ShutdownReasonOn" -ErrorAction SilentlyContinue
+}
+
+# Disable password complexity and maximum age requirements
+Function DisablePasswordPolicy {
+	Write-Host "Disabling password complexity and maximum age requirements..."
+	$tmpfile = New-TemporaryFile
+	secedit /export /cfg $tmpfile /quiet
+	(Get-Content $tmpfile).Replace("PasswordComplexity = 1", "PasswordComplexity = 0").Replace("MaximumPasswordAge = 42", "MaximumPasswordAge = -1") | Out-File $tmpfile
+	secedit /configure /db "$env:SYSTEMROOT\security\database\local.sdb" /cfg $tmpfile /areas SECURITYPOLICY | Out-Null
+	Remove-Item -Path $tmpfile
+}
+
+# Enable password complexity and maximum age requirements
+Function EnablePasswordPolicy {
+	Write-Host "Enabling password complexity and maximum age requirements..."
+	$tmpfile = New-TemporaryFile
+	secedit /export /cfg $tmpfile /quiet
+	(Get-Content $tmpfile).Replace("PasswordComplexity = 0", "PasswordComplexity = 1").Replace("MaximumPasswordAge = -1", "MaximumPasswordAge = 42") | Out-File $tmpfile
+	secedit /configure /db "$env:SYSTEMROOT\security\database\local.sdb" /cfg $tmpfile /areas SECURITYPOLICY | Out-Null
+	Remove-Item -Path $tmpfile
+}
+
+# Disable Ctrl+Alt+Del requirement before login
+Function DisableCtrlAltDelLogin {
+	Write-Host "Disabling Ctrl+Alt+Del requirement before login..."
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Type DWord -Value 1
+}
+
+# Enable Ctrl+Alt+Del requirement before login
+Function EnableCtrlAltDelLogin {
+	Write-Host "Enabling Ctrl+Alt+Del requirement before login..."
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Type DWord -Value 0
+}
+
+# Disable Internet Explorer Enhanced Security Configuration (IE ESC)
+Function DisableIEEnhancedSecurity {
+	Write-Host "Disabling Internet Explorer Enhanced Security Configuration (IE ESC)..."
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Type DWord -Value 0
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Type DWord -Value 0
+}
+
+# Enable Internet Explorer Enhanced Security Configuration (IE ESC)
+Function EnableIEEnhancedSecurity {
+	Write-Host "Enabling Internet Explorer Enhanced Security Configuration (IE ESC)..."
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Type DWord -Value 1
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Type DWord -Value 1
+}
+
+
+
 ##########
 # Auxiliary Functions
 ##########
--- a/test/Win10-ApplyAll.bat
+++ b/test/Win10-ApplyAll.bat
@@ -1,3 +1,3 @@
@ECHO OFF

-powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0applyall.preset"
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0Win10-ApplyAll.preset"
--- a/test/Win10-ApplyAll.preset
+++ b/test/Win10-ApplyAll.preset
@@ -0,0 +1,88 @@
+# Windows 10 - Apply all
+
+DisableTelemetry
+DisableWiFiSense
+DisableSmartScreen
+DisableWebSearch
+DisableStartSuggestions
+DisableLocationTracking
+DisableFeedback
+DisableAdvertisingID
+DisableCortana
+DisableErrorReporting
+RestrictUpdateP2P
+DisableAutoLogger
+DisableDiagTrack
+DisableWAPPush
+
+LowerUAC
+EnableSharingMappedDrives
+DisableAdminShares
+DisableSMB1
+SetCurrentNetworkPrivate
+SetUnknownNetworksPrivate
+DisableFirewall
+DisableDefender
+DisableUpdateMSRT
+DisableUpdateDriver
+DisableUpdateRestart
+DisableHomeGroups
+DisableRemoteAssistance
+EnableRemoteDesktop
+DisableAutoplay
+DisableAutorun
+DisableDefragmentation
+SetBIOSTimeUTC
+
+DisableActionCenter
+DisableLockScreen
+DisableLockScreenRS1
+DisableStickyKeys
+ShowTaskManagerDetails
+ShowFileOperationsDetails
+HideTaskbarSearchBox
+HideTaskView
+ShowSmallTaskbarIcons
+ShowTaskbarTitles
+HideTaskbarPeopleIcon
+ShowTrayIcons
+ShowKnownExtensions
+ShowHiddenFiles
+HideSyncNotifications
+HideRecentShortcuts
+ExplorerThisPC
+ShowThisPCOnDesktop
+HideDesktopFromThisPC
+HideDocumentsFromThisPC
+HideDownloadsFromThisPC
+HideMusicFromThisPC
+HidePicturesFromThisPC
+HideVideosFromThisPC
+AddENKeyboard
+EnableNumlock
+
+DisableOneDrive
+UninstallOneDrive
+UninstallBloatware
+UninstallWindowsStore
+DisableConsumerApps
+DisableXboxFeatures
+UninstallMediaPlayer
+UninstallWorkFolders
+InstallLinuxSubsystem
+InstallHyperV
+SetPhotoViewerAssociation
+AddPhotoViewerOpenWith
+DisableSearchAppInStore
+DisableNewAppPrompt
+EnableF8BootMenu
+SetDEPOptOut
+
+# HideServerManagerOnLogin
+# DisableShutdownTracker
+# DisablePasswordPolicy
+# DisableCtrlAltDelLogin
+# DisableIEEnhancedSecurity
+
+WaitForKey
+Restart
--- a/test/Win10-RestoreAll.bat
+++ b/test/Win10-RestoreAll.bat
@@ -1,3 +1,3 @@
@ECHO OFF

-powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0restoreall.preset"
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0Win10-RestoreAll.preset"
--- a/test/Win10-RestoreAll.preset
+++ b/test/Win10-RestoreAll.preset
@@ -0,0 +1,88 @@
+# Windows 10 - Restore all
+
+EnableTelemetry
+EnableWiFiSense
+EnableSmartScreen
+EnableWebSearch
+EnableStartSuggestions
+EnableLocationTracking
+EnableFeedback
+EnableAdvertisingID
+EnableCortana
+EnableErrorReporting
+UnrestrictUpdateP2P
+EnableAutoLogger
+EnableDiagTrack
+EnableWAPPush
+
+RaiseUAC
+DisableSharingMappedDrives
+EnableAdminShares
+EnableSMB1
+SetCurrentNetworkPublic
+SetUnknownNetworksPublic
+EnableFirewall
+EnableDefender
+EnableUpdateMSRT
+EnableUpdateDriver
+EnableUpdateRestart
+EnableHomeGroups
+EnableRemoteAssistance
+DisableRemoteDesktop
+EnableAutoplay
+EnableAutorun
+EnableDefragmentation
+SetBIOSTimeLocal
+
+EnableActionCenter
+EnableLockScreen
+EnableLockScreenRS1
+EnableStickyKeys
+HideTaskManagerDetails
+HideFileOperationsDetails
+ShowTaskbarSearchBox
+ShowTaskView
+ShowLargeTaskbarIcons
+HideTaskbarTitles
+ShowTaskbarPeopleIcon
+HideTrayIcons
+HideKnownExtensions
+HideHiddenFiles
+ShowSyncNotifications
+ShowRecentShortcuts
+ExplorerQuickAccess
+HideThisPCFromDesktop
+ShowDesktopInThisPC
+ShowDocumentsInThisPC
+ShowDownloadsInThisPC
+ShowMusicInThisPC
+ShowPicturesInThisPC
+ShowVideosInThisPC
+RemoveENKeyboard
+DisableNumlock
+
+EnableOneDrive
+InstallOneDrive
+InstallBloatware
+InstallWindowsStore
+EnableConsumerApps
+EnableXboxFeatures
+InstallMediaPlayer
+InstallWorkFolders
+UninstallLinuxSubsystem
+UninstallHyperV
+UnsetPhotoViewerAssociation
+RemovePhotoViewerOpenWith
+EnableSearchAppInStore
+EnableNewAppPrompt
+DisableF8BootMenu
+SetDEPOptIn
+
+# ShowServerManagerOnLogin
+# EnableShutdownTracker
+# EnablePasswordPolicy
+# EnableCtrlAltDelLogin
+# EnableIEEnhancedSecurity
+
+WaitForKey
+Restart
--- a/test/WinServer2016-ApplyAll.bat
+++ b/test/WinServer2016-ApplyAll.bat
@@ -0,0 +1,3 @@
+@ECHO OFF
+
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0WinServer2016-ApplyAll.preset"
--- a/test/WinServer2016-ApplyAll.preset
+++ b/test/WinServer2016-ApplyAll.preset
@@ -0,0 +1,88 @@
+# Windows Server 2016 - Apply all
+
+DisableTelemetry
+DisableWiFiSense
+DisableSmartScreen
+DisableWebSearch
+DisableStartSuggestions
+DisableLocationTracking
+DisableFeedback
+DisableAdvertisingID
+DisableCortana
+DisableErrorReporting
+RestrictUpdateP2P
+DisableAutoLogger
+DisableDiagTrack
+DisableWAPPush
+
+LowerUAC
+EnableSharingMappedDrives
+DisableAdminShares
+DisableSMB1
+SetCurrentNetworkPrivate
+SetUnknownNetworksPrivate
+DisableFirewall
+DisableDefender
+DisableUpdateMSRT
+DisableUpdateDriver
+DisableUpdateRestart
+# DisableHomeGroups
+# DisableRemoteAssistance
+EnableRemoteDesktop
+DisableAutoplay
+DisableAutorun
+DisableDefragmentation
+SetBIOSTimeUTC
+
+DisableActionCenter
+DisableLockScreen
+DisableLockScreenRS1
+DisableStickyKeys
+ShowTaskManagerDetails
+ShowFileOperationsDetails
+HideTaskbarSearchBox
+HideTaskView
+ShowSmallTaskbarIcons
+ShowTaskbarTitles
+HideTaskbarPeopleIcon
+ShowTrayIcons
+ShowKnownExtensions
+ShowHiddenFiles
+HideSyncNotifications
+HideRecentShortcuts
+ExplorerThisPC
+ShowThisPCOnDesktop
+HideDesktopFromThisPC
+HideDocumentsFromThisPC
+HideDownloadsFromThisPC
+HideMusicFromThisPC
+HidePicturesFromThisPC
+HideVideosFromThisPC
+AddENKeyboard
+EnableNumlock
+
+DisableOneDrive
+# UninstallOneDrive
+UninstallBloatware
+UninstallWindowsStore
+DisableConsumerApps
+DisableXboxFeatures
+UninstallMediaPlayer
+# UninstallWorkFolders
+# InstallLinuxSubsystem
+InstallHyperV
+SetPhotoViewerAssociation
+AddPhotoViewerOpenWith
+DisableSearchAppInStore
+DisableNewAppPrompt
+EnableF8BootMenu
+SetDEPOptOut
+
+HideServerManagerOnLogin
+DisableShutdownTracker
+DisablePasswordPolicy
+DisableCtrlAltDelLogin
+DisableIEEnhancedSecurity
+
+WaitForKey
+Restart
--- a/test/WinServer2016-RestoreAll.bat
+++ b/test/WinServer2016-RestoreAll.bat
@@ -0,0 +1,3 @@
+@ECHO OFF
+
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0..\Win10.ps1 -preset "%~dp0WinServer2016-RestoreAll.preset"
--- a/test/WinServer2016-RestoreAll.preset
+++ b/test/WinServer2016-RestoreAll.preset
@@ -0,0 +1,88 @@
+# Windows Server 2016 - Restore all
+
+EnableTelemetry
+EnableWiFiSense
+EnableSmartScreen
+EnableWebSearch
+EnableStartSuggestions
+EnableLocationTracking
+EnableFeedback
+EnableAdvertisingID
+EnableCortana
+EnableErrorReporting
+UnrestrictUpdateP2P
+EnableAutoLogger
+EnableDiagTrack
+EnableWAPPush
+
+RaiseUAC
+DisableSharingMappedDrives
+EnableAdminShares
+EnableSMB1
+SetCurrentNetworkPublic
+SetUnknownNetworksPublic
+EnableFirewall
+EnableDefender
+EnableUpdateMSRT
+EnableUpdateDriver
+EnableUpdateRestart
+# EnableHomeGroups
+# EnableRemoteAssistance
+DisableRemoteDesktop
+EnableAutoplay
+EnableAutorun
+EnableDefragmentation
+SetBIOSTimeLocal
+
+EnableActionCenter
+EnableLockScreen
+EnableLockScreenRS1
+EnableStickyKeys
+HideTaskManagerDetails
+HideFileOperationsDetails
+ShowTaskbarSearchBox
+ShowTaskView
+ShowLargeTaskbarIcons
+HideTaskbarTitles
+ShowTaskbarPeopleIcon
+HideTrayIcons
+HideKnownExtensions
+HideHiddenFiles
+ShowSyncNotifications
+ShowRecentShortcuts
+ExplorerQuickAccess
+HideThisPCFromDesktop
+ShowDesktopInThisPC
+ShowDocumentsInThisPC
+ShowDownloadsInThisPC
+ShowMusicInThisPC
+ShowPicturesInThisPC
+ShowVideosInThisPC
+RemoveENKeyboard
+DisableNumlock
+
+EnableOneDrive
+# InstallOneDrive
+InstallBloatware
+InstallWindowsStore
+EnableConsumerApps
+EnableXboxFeatures
+InstallMediaPlayer
+# InstallWorkFolders
+# UninstallLinuxSubsystem
+UninstallHyperV
+UnsetPhotoViewerAssociation
+RemovePhotoViewerOpenWith
+EnableSearchAppInStore
+EnableNewAppPrompt
+DisableF8BootMenu
+SetDEPOptIn
+
+ShowServerManagerOnLogin
+EnableShutdownTracker
+EnablePasswordPolicy
+EnableCtrlAltDelLogin
+EnableIEEnhancedSecurity
+
+WaitForKey
+Restart
--- a/test/applyall.preset
+++ b/test/applyall.preset
@@ -1,82 +0,0 @@
-
-	# Apply all
-
-	DisableTelemetry
-	DisableWiFiSense
-	DisableSmartScreen
-	DisableWebSearch
-	DisableStartSuggestions
-	DisableLocationTracking
-	DisableFeedback
-	DisableAdvertisingID
-	DisableCortana
-	DisableErrorReporting
-	RestrictUpdateP2P
-	DisableAutoLogger
-	DisableDiagTrack
-	DisableWAPPush
-	
-	LowerUAC
-	EnableSharingMappedDrives
-	DisableAdminShares
-	SetCurrentNetworkPrivate
-	SetUnknownNetworksPrivate
-	DisableFirewall
-	DisableDefender
-	DisableUpdateMSRT
-	DisableUpdateDriver
-	DisableUpdateRestart
-	DisableHomeGroups
-	DisableRemoteAssistance
-	EnableRemoteDesktop
-	DisableAutoplay
-	DisableAutorun
-	DisableDefragmentation
-	SetBIOSTimeUTC
-
-	DisableActionCenter
-	DisableLockScreen
-	DisableLockScreenRS1
-	DisableStickyKeys
-	ShowTaskManagerDetails
-	ShowFileOperationsDetails
-	HideTaskbarSearchBox
-	HideTaskView
-	ShowSmallTaskbarIcons
-	ShowTaskbarTitles
-	HideTaskbarPeopleIcon
-	ShowTrayIcons
-	ShowKnownExtensions
-	ShowHiddenFiles
-	HideSyncNotifications
-	HideRecentShortcuts
-	ExplorerThisPC
-	ShowThisPCOnDesktop
-	HideDesktopFromThisPC
-	HideDocumentsFromThisPC
-	HideDownloadsFromThisPC
-	HideMusicFromThisPC
-	HidePicturesFromThisPC
-	HideVideosFromThisPC
-	AddENKeyboard
-	EnableNumlock
-
-	DisableOneDrive
-	UninstallOneDrive
-	UninstallBloatware
-	UninstallWindowsStore
-	DisableConsumerApps
-	DisableXboxFeatures
-	UninstallMediaPlayer
-	UninstallWorkFolders
-	InstallHyperV
-	InstallLinuxSubsystem
-	SetPhotoViewerAssociation
-	AddPhotoViewerOpenWith
-	DisableSearchAppInStore
-	DisableNewAppPrompt
-	EnableF8BootMenu
-	SetDEPOptOut
-
-	WaitForKey
-	Restart
--- a/test/restoreall.preset
+++ b/test/restoreall.preset
@@ -1,82 +0,0 @@
-
-	# Restore all
-
-	EnableTelemetry
-	EnableWiFiSense
-	EnableSmartScreen
-	EnableWebSearch
-	EnableStartSuggestions
-	EnableLocationTracking
-	EnableFeedback
-	EnableAdvertisingID
-	EnableCortana
-	EnableErrorReporting
-	UnrestrictUpdateP2P
-	EnableAutoLogger
-	EnableDiagTrack
-	EnableWAPPush
-	
-	RaiseUAC
-	DisableSharingMappedDrives
-	EnableAdminShares
-	SetCurrentNetworkPublic
-	SetUnknownNetworksPublic
-	EnableFirewall
-	EnableDefender
-	EnableUpdateMSRT
-	EnableUpdateDriver
-	EnableUpdateRestart
-	EnableHomeGroups
-	EnableRemoteAssistance
-	DisableRemoteDesktop
-	EnableAutoplay
-	EnableAutorun
-	EnableDefragmentation
-	SetBIOSTimeLocal
-
-	EnableActionCenter
-	EnableLockScreen
-	EnableLockScreenRS1
-	EnableStickyKeys
-	HideTaskManagerDetails
-	HideFileOperationsDetails
-	ShowTaskbarSearchBox
-	ShowTaskView
-	ShowLargeTaskbarIcons
-	HideTaskbarTitles
-	ShowTaskbarPeopleIcon
-	HideTrayIcons
-	HideKnownExtensions
-	HideHiddenFiles
-	ShowSyncNotifications
-	ShowRecentShortcuts
-	ExplorerQuickAccess
-	HideThisPCFromDesktop
-	ShowDesktopInThisPC
-	ShowDocumentsInThisPC
-	ShowDownloadsInThisPC
-	ShowMusicInThisPC
-	ShowPicturesInThisPC
-	ShowVideosInThisPC
-	RemoveENKeyboard
-	DisableNumlock
-
-	EnableOneDrive
-	InstallOneDrive
-	InstallBloatware
-	InstallWindowsStore
-	EnableConsumerApps
-	EnableXboxFeatures
-	InstallMediaPlayer
-	InstallWorkFolders
-	UninstallHyperV
-	UninstallLinuxSubsystem
-	UnsetPhotoViewerAssociation
-	RemovePhotoViewerOpenWith
-	EnableSearchAppInStore
-	EnableNewAppPrompt
-	DisableF8BootMenu
-	SetDEPOptIn
-
-	WaitForKey
-	Restart