Overview
This is my personal post-install runbook for Windows 11. Sequential phases: do them in order. Estimated time: 2–4 hours, ~3 reboots required. Target: clean, lean, focused workstation for dev and security research.
All PowerShell blocks require an Admin shell unless noted otherwise.
---
Phase 00 — Pre-Flight & Install Options
Do this before or during install. Decisions made here affect everything downstream.
Use a local account, not a Microsoft account
During OOBE when it asks to connect to the internet: disconnect ethernet/WiFi, or when prompted for a Microsoft account click Sign-in options → Offline account → Limited experience. On Win11 Home the trick is entering a bad email like a@a.com with a bad password — it'll offer a local account. Or use Rufus to bypass this entirely before install.
Use Rufus to create install media with tweaks pre-applied
Rufus 3.19+ can bypass TPM, Secure Boot, RAM checks and skip the Microsoft account requirement before you even boot.
- Remove TPM/Secure Boot requirement
- Remove Microsoft online account requirement
- Disable data collection
This bakes it into the installer so you never hit the nag screens.
Choose Windows 11 Pro, not Home
Pro gives you: Group Policy editor, Hyper-V, BitLocker, domain join, RDP host, and finer telemetry controls. If you already have Home you can upgrade in-place. Pro is non-negotiable for a serious dev/security workstation — Group Policy alone is worth it.
Run Windows Update fully before doing anything else
Get to a known-good state. Debloat scripts run against a partial-update state can cause issues.
Settings → Windows Update → Check for updates → Reboot → repeat until nothing pending
Settings → Optional Updates → install driver updates
---
Phase 01 — Debloat & AppX Removal
Chris Titus Tech WinUtil (recommended)
The most complete, actively maintained Win11 debloat/tweak toolkit. GUI-driven.
# Run as Admin in PowerShell
irm christitus.com/win | iex
# Launches GUI. In "Tweaks" tab:
# - Standard or Desktop preset as base
# - Customize: disable telemetry, remove bloatware
# - Create Restore Point FIRST (checkbox in UI)
# In "WinGet" tab: install your tools from here too
Warning: Review what each toggle does. Don't blindly apply "Ultimate" preset — it disables things like Windows Defender which you may want for AMSI research.
Remove specific AppX packages
Surgical removal of the worst offenders: Cortana, Teams, Xbox, Widgets, etc.
$bloat = @(
"Microsoft.3DBuilder",
"Microsoft.BingWeather",
"Microsoft.BingNews",
"Microsoft.BingSearch",
"Microsoft.Copilot",
"Microsoft.GamingApp",
"Microsoft.GetHelp",
"Microsoft.Getstarted",
"Microsoft.MicrosoftOfficeHub",
"Microsoft.MicrosoftSolitaireCollection",
"Microsoft.MicrosoftTeams",
"Microsoft.MixedReality.Portal",
"Microsoft.People",
"Microsoft.PowerAutomateDesktop",
"Microsoft.SkypeApp",
"Microsoft.Todo",
"Microsoft.Wallet",
"Microsoft.WindowsCommunicationsApps",
"Microsoft.WindowsFeedbackHub",
"Microsoft.WindowsMaps",
"Microsoft.Xbox.TCUI",
"Microsoft.XboxApp",
"Microsoft.XboxGameOverlay",
"Microsoft.XboxGamingOverlay",
"Microsoft.XboxIdentityProvider",
"Microsoft.XboxSpeechToTextOverlay",
"Microsoft.YourPhone",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"MicrosoftCorporationII.MicrosoftFamily",
"MicrosoftTeams",
"Clipchamp.Clipchamp"
)
foreach ($app in $bloat) {
    # Remove the installed package for every user, then the provisioned copy so it does not return for new accounts
    Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $app | Remove-AppxProvisionedPackage -Online
}
Disable Cortana and Copilot
They survive AppX removal and respawn without these registry entries.
# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f
# Disable Copilot
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f
# Remove Copilot from taskbar
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowCopilotButton /t REG_DWORD /d 0 /f
Disable Windows Widgets
The Widgets process (WebExperienceHost) runs constantly and phones home.
winget uninstall "Windows web experience Pack"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Dsh" /v AllowNewsAndInterests /t REG_DWORD /d 0 /f
Remove OneDrive
taskkill /f /im OneDrive.exe
# PowerShell does not expand %SystemRoot%; use $env:SystemRoot instead
& "$env:SystemRoot\SysWOW64\OneDriveSetup.exe" /uninstall
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v DisableFileSyncNGSC /t REG_DWORD /d 1 /f
---
Phase 02 — Telemetry & Privacy Hardening
Set telemetry to minimum
Pro only: Group Policy lets you set it to "Security" (0). Home is limited to "Basic" (1) minimum.
# 0 = Security (Pro only), 1 = Basic, 3 = Full (default)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
Disable telemetry scheduled tasks
schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
schtasks /Change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
Disable the DiagTrack service
The primary data upload service.
# Use sc.exe, not sc: in PowerShell "sc" is an alias for Set-Content. sc.exe also needs a space after "start="
sc.exe stop DiagTrack
sc.exe config DiagTrack start= disabled
sc.exe stop dmwappushservice
sc.exe config dmwappushservice start= disabled
Disable advertising ID and app tracking
# Advertising ID
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
# Activity history
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableActivityFeed /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /t REG_DWORD /d 0 /f
# App launch tracking
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackProgs /t REG_DWORD /d 0 /f
Block telemetry endpoints via hosts file
Belt-and-suspenders: even if a service survives, it can't reach home. Use [WindowsSpyBlocker](https://github.com/crazy-max/WindowsSpyBlocker) to generate a hosts file with all known MS telemetry domains blocked. Or use Pi-hole on your RPi as your DNS resolver with the telemetry blocklist — add the stevenblack/hosts list for broad coverage.
If you run Fiddler/Burp/Wireshark for traffic analysis, verify nothing breaks your proxy chains before deploying hosts blocks.
Manual privacy settings
Go through every category in Settings → Privacy & Security: Location, Camera, Microphone, Voice activation, Notifications, Account info, Contacts, Calendar, Calls, Call history, Email, Tasks, Messaging, Radios, App diagnostics, and per-app folder access (Documents/Pictures/Videos/Downloads).
---
Phase 03 — Performance & Services
Disable unnecessary services
$services = @(
    "DiagTrack",        # Telemetry
    "WSearch",          # Windows Search indexing (use Everything instead)
    "SysMain",          # Superfetch — disable if SSD
    "XblAuthManager",   # Xbox
    "XblGameSave",
    "XboxNetApiSvc",
    "XboxGipSvc",
    "MapsBroker",       # Downloaded Maps Manager
    "RemoteRegistry",   # Remote Registry (security risk)
    "Fax",
    "PrintNotify",      # If no printer
    "WbioSrvc"          # Biometrics — if not using Windows Hello
)
foreach ($svc in $services) {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
    Write-Host "Disabled: $svc"
}
Do NOT disable: Windows Defender (even for research — use exclusions), Cryptographic Services, DCOM, RPC, Windows Update (pause, don't disable).
Unlock Ultimate Performance power plan
Balanced plan introduces CPU parking and latency — bad for dev builds and packet analysis.
# Unlock Ultimate Performance (hidden by default)
powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
# Then set active — copy GUID from output above
powercfg /setactive SCHEME_GUID_HERE
# Or just set High Performance
powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Disable visual effects
Right-click Start → System → Advanced system settings → Performance Settings → "Adjust for best performance", then re-enable only: Smooth edges of screen fonts and Show thumbnails instead of icons. Keeps it sharp without looking like Win95.
Disable hibernation
powercfg /hibernate off
# Also disable Fast Startup (causes stale network state issues)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
Replace Windows Search with Everything
Instant file search, zero indexing overhead, supports regex and advanced filters.
winget install voidtools.Everything
winget install lin-ycv.EverythingToolbar # Replaces search in taskbar
Disable the WSearch service after install. Everything runs its own lightweight indexer.
---
Phase 04 — Look & Feel
Left-align the taskbar
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarAl /t REG_DWORD /d 0 /f
# Restart Explorer to apply (";" works in both PS5 and PS7; "&&" is PS7-only)
taskkill /f /im explorer.exe; start explorer.exe
ExplorerPatcher — restore Win10-style shell
[github.com/valinet/ExplorerPatcher](https://github.com/valinet/ExplorerPatcher) — installs as a shell extension DLL. Key settings: Taskbar style = Windows 10, Start menu = Windows 10, Disable recommended section, Old right-click context menus. This alone removes 80% of the Win11 UI annoyances.
Update carefully — major Windows updates can break it temporarily. Watch the GitHub releases.
Apply dark theme properly
Settings → Personalization → Colors → Dark mode. For deeper theming: [Mica for Everyone](https://github.com/MicaForEveryone/MicaForEveryone) applies Mica/Acrylic effects to all win32 windows. For custom .msstyles themes, use [niivu's theme collection](https://github.com/niivu/Windows-11-themes) with UltraUXThemePatcher.
Clean up the taskbar
# Hide Task View, Search, Chat
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
Fix File Explorer defaults
# Show file extensions
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
# Show hidden files
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
# Show protected OS files
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
# Open to This PC, not Quick Access
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
# Compact view (removes huge row spacing)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v UseCompactMode /t REG_DWORD /d 1 /f
Install a proper font stack
winget install Microsoft.CascadiaCode
# Or for Nerd Font variant (icons in terminal):
winget install DEVCOM.JetBrainsMonoNerdFont
# Good picks: FiraCode Nerd Font, JetBrainsMono NF, CaskaydiaCove NF
---
Phase 05 — Dev Stack Setup
Enable WSL2
# Enable WSL2 (Admin)
wsl --install
# Or specify distro:
wsl --install -d Ubuntu-24.04
wsl --install -d kali-linux
# Set WSL2 as default
wsl --set-default-version 2
Allocate resources in %USERPROFILE%\.wslconfig:
[wsl2]
memory=8GB
processors=6
swap=0
WSL2 + Windows Terminal + VS Code Remote-WSL = near-native Linux dev experience without a dual-boot.
Core dev tools via winget
winget install --silent `
Git.Git `
Microsoft.VisualStudioCode `
Python.Python.3.12 `
OpenJS.NodeJS.LTS `
Docker.DockerDesktop `
Microsoft.WindowsTerminal `
Rustlang.Rustup `
GoLang.Go `
7zip.7zip `
BurntSushi.ripgrep.MSVC `
sharkdp.fd `
junegunn.fzf `
ajeetdsouza.zoxide
Enable Hyper-V
Pro only. Better performance than VirtualBox for Windows guests. Required for some CTF environments.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All
# Reboot required
# Note: Hyper-V + VirtualBox conflict at the hypervisor level.
# If using VBox, disable Hyper-V or use VBox 7+ with Hyper-V backend.
Git global config + SSH key
git config --global user.name "yourname"
git config --global user.email "you@email.com"
git config --global core.autocrlf false # CRITICAL for cross-platform
git config --global init.defaultBranch main
git config --global core.editor "code --wait"
# SSH key
ssh-keygen -t ed25519 -C "you@email.com"
# Add public key to GitHub/GitLab
cat ~/.ssh/id_ed25519.pub | clip
Windows Defender exclusions for dev directories
Without this, Defender scans every Python venv activation, git operation, and node_modules install — brutal latency.
# Adjust paths to yours
Add-MpPreference -ExclusionPath "C:\Users\YOU\dev"
Add-MpPreference -ExclusionPath "C:\Users\YOU\projects"
Add-MpPreference -ExclusionPath "C:\tools"
Add-MpPreference -ExclusionProcess "python.exe"
Add-MpPreference -ExclusionProcess "node.exe"
Add-MpPreference -ExclusionProcess "git.exe"
Add-MpPreference -ExclusionProcess "cargo.exe"
Security research: add your malware samples/analysis dir here only if it's isolated. Keep Defender active for general system protection.
---
Phase 06 — Security Hardening
Enable BitLocker on system drive
Settings → Privacy & Security → Device Encryption, or Control Panel → BitLocker Drive Encryption. Use TPM+PIN for real security. Save recovery key to a USB/KeePass — not to your Microsoft account. For USB drives: enable BitLocker To Go.
Before enabling: make sure you have your recovery key stored somewhere safe. BitLocker + firmware update without key = brick risk.
Configure Windows Firewall
# Enable on all profiles
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Enable logging
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 32767
netsh advfirewall set allprofiles logging droppedconnections enable
# For Caido/Burp proxy — allow inbound on proxy port
netsh advfirewall firewall add rule name="Proxy" dir=in action=allow protocol=TCP localport=8080
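Once dropped-connection logging is on, the log is only useful if you actually read it. The following is an added example (not part of the original runbook): a small parser for the W3C-style pfirewall.log that the logging lines above produce, driven by the file's own "#Fields:" header, plus a summary of dropped inbound connections grouped by source, port and protocol. The sample log lines are constructed for illustration.

```powershell
# Added example: parse pfirewall.log using its "#Fields:" header rather than fixed column positions,
# so the parser also copes with newer Windows builds that append extra fields.
function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # Header row, e.g. "date time action protocol src-ip dst-ip src-port dst-port ... path"
            $fields = $Matches[1] -split '\s+'
            continue
        }
        # Skip other comment lines, blank lines, and anything before the header
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

# Summarise inbound DROP events: who keeps knocking, on which port, how often, and when.
function Get-DroppedInboundSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port', 'protocol' |
        ForEach-Object {
            $first = $_.Group[0]
            $last  = $_.Group[-1]
            [pscustomobject]@{
                SourceIp  = $first.'src-ip'
                DstPort   = [int]$first.'dst-port'
                Protocol  = $first.protocol
                Drops     = $_.Count
                FirstSeen = "$($first.date) $($first.time)"
                LastSeen  = "$($last.date) $($last.time)"
            }
        } | Sort-Object Drops -Descending
}

# Constructed sample in the layout Windows writes (header lines + a few events)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:12:01 DROP TCP 192.168.1.77 192.168.1.20 51234 3389 52 S 3000000000 0 64240 - - - RECEIVE
2024-05-01 09:12:02 DROP TCP 192.168.1.77 192.168.1.20 51235 3389 52 S 3000000001 0 64240 - - - RECEIVE
2024-05-01 09:12:05 DROP TCP 192.168.1.77 192.168.1.20 51236 445 52 S 3000000002 0 64240 - - - RECEIVE
2024-05-01 09:13:10 ALLOW TCP 192.168.1.20 192.168.1.77 8080 51300 0 - 0 0 0 - - - RECEIVE
2024-05-01 09:14:00 DROP UDP 10.0.0.5 192.168.1.20 5355 5355 0 - - - - - - - RECEIVE
'@ -split '\r?\n'

# On a live box read the real file instead:
#   $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-DroppedInboundSummary -Lines $sampleLog | Format-Table -AutoSize
```

With the sample input the 3389 row comes out on top with two drops from 192.168.1.77, followed by the single 445 and 5355 (LLMNR) drops; the ALLOW line is ignored.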
Disable RDP (if not using it)
RDP is attack surface. Disable if unused; enable and harden if you need it.
# Disable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
# If enabling: restrict to specific IPs via firewall rule + require NLA
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
Disable LLMNR and NetBIOS
These are Responder's primary attack vector. Kill them on your own box.
# Disable LLMNR via registry
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
# Disable NetBIOS over TCP/IP for all adapters
# Get-WmiObject is absent from PowerShell 7, so use the CIM cmdlets; 2 = Disable NetBIOS over TCP/IP
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | ForEach-Object {
    Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
}
KeePassXC — local password manager
Local, open source, no cloud dependency. Browser integration via KeePassXC-Browser plugin.
winget install KeePassXCTeam.KeePassXC
Store the .kdbx on an encrypted USB with a cloud backup. Use Argon2id KDF with 1s+ unlock time.
---
Phase 07 — Essential Tools
Bulk install via winget
# Security / Network
winget install --silent `
WiresharkFoundation.Wireshark `
nmap.nmap `
Insecure.Npcap `
BurpSuite.CommunityEdition `
Postman.Postman `
GnuPG.GnuPG
# Utilities
winget install --silent `
voidtools.Everything `
Microsoft.PowerToys `
VideoLAN.VLC `
Rufus.Rufus `
CrystalDewWorld.CrystalDiskInfo `
REALiX.HWiNFO `
CPUID.CPU-Z `
ShareX.ShareX
# File tools
winget install --silent `
7zip.7zip `
Notepad++.Notepad++ `
HexEditor.HxD
# Browser
winget install Mozilla.Firefox
PowerToys configuration
The one Microsoft tool actually worth using. Key modules:
- PowerToys Run (Alt+Space) — Spotlight-style launcher with calculator, unit converter, registry search, process kill
- FancyZones — multi-monitor tiling WM
- File Locksmith — shows which process is locking a file
- Hosts File Editor — GUI for the hosts file
- Environment Variables — dedicated module for managing env vars
Sysinternals Suite
Essential for Windows internals research and malware analysis.
winget install Microsoft.Sysinternals.Suite
# Or individual tools:
winget install Microsoft.Sysinternals.ProcessMonitor
winget install Microsoft.Sysinternals.ProcessExplorer
winget install Microsoft.Sysinternals.TCPView
winget install Microsoft.Sysinternals.Autoruns # Critical for persistence analysis
Set ProcExp as the default Task Manager: Options → Replace Task Manager.
Python environment
# pyenv-win for version management
Invoke-WebRequest -UseBasicParsing -Uri "https://raw.githubusercontent.com/pyenv-win/pyenv-win/master/pyenv-win/install-pyenv-win.ps1" -OutFile "./install-pyenv-win.ps1"
& "./install-pyenv-win.ps1"
# uv — replaces pip + venv, extremely fast
winget install astral-sh.uv
# pipx for global CLI tools
pip install pipx
pipx install black ruff httpx ansible
# Common security Python packages
pip install requests pwntools scapy impacket cryptography
---
Phase 08 — Terminal & Shell Setup
Windows Terminal as default
Settings → Privacy & Security → For Developers → Terminal: Windows Terminal. Set default profile to PowerShell 7 (not 5). Key settings.json defaults:
{
    "defaultProfile": "{PS7_GUID}",
    "copyOnSelect": false,
    "copyFormatting": "none",
    "profiles": {
        "defaults": {
            "font": { "face": "CaskaydiaCove Nerd Font", "size": 12 },
            "opacity": 90,
            "useAcrylic": true,
            "colorScheme": "One Half Dark",
            "cursorShape": "bar",
            "padding": "8"
        }
    }
}
PowerShell 7 + Oh My Posh
PS7 is cross-platform and actively maintained. PS5 ships with Windows but is legacy.
winget install Microsoft.PowerShell
winget install JanDeDobbeleer.OhMyPosh
Add to $PROFILE (PS7):
oh-my-posh init pwsh --config "$env:POSH_THEMES_PATH\catppuccin.omp.json" | Invoke-Expression
Useful PS modules:
Install-Module PSReadLine -Force # Better history, completion
Install-Module Terminal-Icons -Force # File type icons in ls
Install-Module z -Force # Zoxide-style directory jumping
WSL shell: Zsh + Oh My Zsh
# In WSL:
sudo apt install zsh -y
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Essential plugins (add to .zshrc plugins array):
# git z fzf sudo web-search extract docker python
Syntax highlighting + autosuggestions (external):
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
# Theme: powerlevel10k
git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k
# Set ZSH_THEME="powerlevel10k/powerlevel10k" then run: p10k configure
Set execution policy
# RemoteSigned is the right balance — allows local scripts, blocks unsigned remote ones
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# For all users:
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
PowerShell profile aliases
# Add to $PROFILE
Set-Alias -Name which -Value Get-Command
Set-Alias -Name grep -Value Select-String
function ll { Get-ChildItem -Force @args | Format-Wide }
function lsl { Get-ChildItem -Force @args }
function .. { Set-Location .. }
function ... { Set-Location ../.. }
function hosts { notepad C:\Windows\System32\drivers\etc\hosts }
function myip { (Invoke-WebRequest ifconfig.me/ip).Content.Trim() }
# Import modules
Import-Module Terminal-Icons
Import-Module PSReadLine
Set-PSReadLineOption -PredictionSource History
Set-PSReadLineOption -PredictionViewStyle ListView
---
Phase 09 — Final Touches & Persistence
Create a restore point
Even with all precautions, keep a golden image snapshot.
Checkpoint-Computer -Description "Post-hardening baseline" -RestorePointType "MODIFY_SETTINGS"
Audit & test
Run this to confirm services are off and policies are set:
Get-Service DiagTrack, dmwappushservice, WSearch | Select-Object Name, StartType
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess
netsh advfirewall show allprofiles state
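Since Windows updates revert some of these settings, a one-shot audit that compares the live machine against what the phases above set is more useful than eyeballing three commands. The following is an added example (not part of the original runbook): the expected values mirror the reg, sc and schtasks lines earlier on this page, and the check tables are meant to be extended with whatever else you change.

```powershell
# Added example: report drift from the runbook baseline. Run in an Admin PowerShell 7 shell.
function Test-RunbookBaseline {
    [CmdletBinding()] param()

    # Registry policy values set in Phases 01, 02, 03 and 06 (extend as needed)
    $registryChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';     Name = 'AllowTelemetry';        Expected = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot';     Name = 'TurnOffWindowsCopilot'; Expected = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';     Name = 'AllowCortana';          Expected = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';       Name = 'EnableMulticast';       Expected = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';       Name = 'fDenyTSConnections';    Expected = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'; Name = 'HiberbootEnabled';      Expected = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';             Name = 'EnableActivityFeed';    Expected = 0 }
    )
    $disabledServices = 'DiagTrack', 'dmwappushservice', 'RemoteRegistry', 'WSearch'
    $disabledTasks = @(
        '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
        '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
        '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
        '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip'
    )

    foreach ($c in $registryChecks) {
        # Get-ItemPropertyValue throws when the key or value is missing; a missing policy value is drift too
        $actual = try { Get-ItemPropertyValue -Path $c.Path -Name $c.Name -ErrorAction Stop } catch { $null }
        [pscustomobject]@{ Check = "reg $($c.Name)"; Expected = $c.Expected; Actual = $actual; Ok = ($actual -eq $c.Expected) }
    }

    foreach ($name in $disabledServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $actual = if ($svc) { "$($svc.StartType)" } else { 'missing' }   # a removed service is fine
        [pscustomobject]@{ Check = "svc $name"; Expected = 'Disabled'; Actual = $actual; Ok = ($actual -in 'Disabled', 'missing') }
    }

    # Scheduled tasks: TaskPath + TaskName rebuilds the full "\folder\name" string used with schtasks
    $allTasks = Get-ScheduledTask -ErrorAction SilentlyContinue
    foreach ($task in $disabledTasks) {
        $t = $allTasks | Where-Object { ($_.TaskPath + $_.TaskName) -eq $task }
        $actual = if ($t) { "$($t.State)" } else { 'missing' }
        [pscustomobject]@{ Check = "task $(Split-Path $task -Leaf)"; Expected = 'Disabled'; Actual = $actual; Ok = ($actual -in 'Disabled', 'missing') }
    }

    # Firewall: every profile on, default inbound action Block (the blockinbound,allowoutbound policy above)
    foreach ($p in Get-NetFirewallProfile) {
        $actual = "$($p.Enabled)/$($p.DefaultInboundAction)"
        [pscustomobject]@{ Check = "fw $($p.Name)"; Expected = 'True/Block'; Actual = $actual; Ok = ($actual -eq 'True/Block') }
    }
}

# Show only what drifted; drop the Where-Object to see the full report
Test-RunbookBaseline | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Run it after every feature update and before you re-apply the debloat and telemetry blocks, so you re-apply only what actually moved.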
Backup your settings
Export Windows Terminal, PowerShell profile, and dotfiles to a git repo. System reimages are inevitable — make recovery fast.
---
Closing Notes
This is a living runbook. Windows updates will undo some changes (especially UI tweaks and service disables). Run the core debloat + telemetry blocks every 6 months. For scripted, hands-off redeployment, save all the PowerShell blocks to a single .ps1 and run it fresh on new installs.
The goal: a clean, snappy, privacy-respecting workstation that stays out of your way while you work.