Add a GPO mode

Open ITaluone opened this issue 3 months ago • 3 comments

Checklist

  • [x] I have searched for existing issues/discussions and didn't find any similar ones.

Describe the feature or improvement

As a system administrator, I want to apply the debloater to every Windows 11 machine in my domain. Not just once, but on every system start and/or user logon, to prevent bloatware from returning or Microsoft from reverting certain settings (such as registry entries).

This isn’t entirely straightforward, because some parts of the debloater won’t run with normal user privileges, while other parts won’t work as NT AUTHORITY\SYSTEM (for example, all user-specific settings like the taskbar, widgets, etc.).

To get it working, we had to do the following:

  1. Deploy a scheduled task via GPO that runs a script located under \\share\gposoftware\. The script copies the Windows 11 debloater to C:\tmp and runs it from there at every user logon (executing as NT AUTHORITY\SYSTEM).

  2. Since running as NT AUTHORITY\SYSTEM prevents user-specific settings from being applied, we extracted all required registry files and imported them manually into the domain group policy as user-specific registry settings.

While this setup works, it feels like a bit of a hack. Perhaps this isn’t really a problem with the debloater itself, but rather with Windows Group Policy.

Anyway, I thought I’d bring it up here in case it can be addressed within this project.

Examples

No response

Additional context

No response

ITaluone avatar Sep 15 '25 10:09 ITaluone

Heya,

I will look into better supporting the mentioned workflow with gpo.

As a workaround, would it work to run the script as the user? This would require you to run it when the user is not logged in, however.

Raphire avatar Sep 15 '25 10:09 Raphire

> As a workaround, would it work to run the script as the user? This would require you to run it when the user is not logged in, however.

No, we actually tried this. And every facade of it :)

ITaluone avatar Sep 15 '25 10:09 ITaluone

You can, at least for anything that's using registry keys, create GPOs.

@ITaluone I realize you already created the registry settings manually, but I want to share how I approached the same problem you have.

  1. Grab & install the latest admx templates (i.e. for W11 24H2)
  2. Look for i.e. HiberbootEnabled from Disable_Fast_Startup.reg: Get-ChildItem -Recurse *.admx | Select-String -Pattern "HiberbootEnabled"
  3. If the search turns up empty, check this for manual copy & paste. If not, proceed with the next step.
  4. Open the indicated admx file (in this example WinInit.admx), and scroll to the line with the registry value (35)
  5. Note the ParentCategory, and search for category name="$TheIndicatedParentCategory" (category name="ShutdownOptions")
  6. Repeat this until you have reconstructed the complete path for the gpo editor. (Computer Configuration\Administrative Templates\System\Shutdown\)
  7. Look in the corresponding adml file for the description of the setting. Step 2 gave us displayName="$(string.Hiberboot)", so we'll have to search for string id="Hiberboot", which gives <string id="Hiberboot">Require use of fast startup</string>.
  8. Now we know which setting to change.

The advantage of this admittedly tedious approach (RIP admx dot help) is that we don't need to remember what exactly the registry value does, because we get a description in the gpo editor.

@Raphire Maybe you could use the script from step 3 to place an importable xml next to the reg files?

oyxnaut avatar Sep 15 '25 13:09 oyxnaut
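
The lookup in steps 2 to 7 above can be scripted. The following is an added example, not part of the thread or of Win11Debloat: Resolve-AdmxPolicy is a hypothetical helper, the XML fragments are constructed stand-ins for the real templates, and it assumes category names stay unique across files once the namespace prefix is dropped.

```powershell
# Added example (hypothetical helper): map a registry value name to its GPO editor path.
function Resolve-AdmxPolicy {
    param([string]$ValueName, [hashtable]$Admx, [hashtable]$Adml)   # file name -> [xml]
    # local-name() is used because ADMX/ADML elements sit in a default XML namespace.
    $text = { param($file, $ref)       # "$(string.Id)" -> text from that file's ADML
        $id = $ref -replace '^\$\(string\.(.+)\)$', '$1'
        $Adml[$file].SelectSingleNode("//*[local-name()='string'][@id='$id']").InnerText }
    $parentOf = { param($node)         # parentCategory ref, namespace prefix dropped
        $p = $node.SelectSingleNode("*[local-name()='parentCategory']")
        if ($p) { $p.GetAttribute('ref') -replace '^.*:' } }
    # Index all categories. Assumption: names stay unique once the prefix is dropped.
    $cats = @{}
    foreach ($file in $Admx.Keys) {
        foreach ($c in $Admx[$file].SelectNodes("//*[local-name()='category']")) {
            $cats[$c.GetAttribute('name')] = @{
                File = $file; Parent = (& $parentOf $c); Display = $c.GetAttribute('displayName') }
        }
    }
    $roots = @{ Machine = 'Computer Configuration'; User = 'User Configuration'; Both = 'Computer or User Configuration' }
    $xpath = "//*[local-name()='policy'][@valueName='$ValueName' or .//*[@valueName='$ValueName']]"
    foreach ($file in $Admx.Keys) {
        foreach ($policy in $Admx[$file].SelectNodes($xpath)) {
            $name = & $parentOf $policy
            $path = @()
            while ($name -and $cats.ContainsKey($name) -and $path.Count -lt 32) {   # 32 = cycle guard
                $c = $cats[$name]
                $path = @(& $text $c.File $c.Display) + $path
                $name = $c.Parent
            }
            [pscustomobject]@{
                File    = $file
                Setting = (& $text $file ($policy.GetAttribute('displayName')))
                Path    = (@($roots[$policy.GetAttribute('class')], 'Administrative Templates') + $path) -join '\'
            }
        }
    }
}
# Constructed, minimal stand-ins for WinInit.admx/.adml and Windows.admx/.adml.
$doc = { param($root, $body) [xml]"<$root xmlns='http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'>$body</$root>" }
$admx = @{
    WinInit = & $doc policyDefinitions ('<category name="ShutdownOptions" displayName="$(string.ShutdownOptions)">' +
        '<parentCategory ref="windows:System"/></category><policy name="Hiberboot" class="Machine" ' +
        'displayName="$(string.Hiberboot)" valueName="HiberbootEnabled"><parentCategory ref="ShutdownOptions"/></policy>')
    Windows = & $doc policyDefinitions '<category name="System" displayName="$(string.System)"/>'
}
$adml = @{
    WinInit = & $doc policyDefinitionResources '<string id="Hiberboot">Require use of fast startup</string><string id="ShutdownOptions">Shutdown</string>'
    Windows = & $doc policyDefinitionResources '<string id="System">System</string>'
}
Resolve-AdmxPolicy -ValueName HiberbootEnabled -Admx $admx -Adml $adml | Format-List
```

For real use, fill the two hashtables from the installed templates, one [xml](Get-Content $path -Raw) per .admx file and its matching .adml language file, keyed by the file's base name.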