Automated Windows 11 provisioning — from bare metal to ready-to-use in one boot. No clicking through OOBE, no OEM bloat, no Microsoft account required.
This project gives you two ways to provision a fresh Windows 11 machine with apps, security settings, VPN, and user accounts — all scripted, all repeatable.
| | Option A — Full Reinstall | Option B — Existing Install |
|---|---|---|
| When to use | New machine, wipe OEM image | Machine already has Windows 11 |
| OOBE bypass | ✅ Fully automated | |
| Hands-on time | ~5 min setup, walk away | ~10 min |
| OEM bloat | ❌ Gone | |
| What you need | USB drive + Windows 11 ISO | USB/network share |
```
win11AutomadeSetup/
├── autounattend.xml          # Unattended answer file (Option A — USB reinstall)
├── Setup/
│   ├── Setup.ps1             # Provisioning script (both options)
│   ├── packages.json         # App list for winget
│   ├── config.example.ps1    # Config template — copy to config.ps1 and fill in
│   └── config.ps1            # Your local secrets (gitignored, never committed)
└── README.md
```
This wipes the drive and installs a clean Windows 11 with zero interaction. Boot the USB, walk away, come back to a provisioned machine.
- Download the Windows 11 ISO from Microsoft
- Download Rufus and write the ISO to a USB drive (8 GB+)
  - Partition scheme: GPT
  - Target system: UEFI (non-CSM)
  - Leave all other defaults, click START
  - When prompted, choose "Write in ISO image mode"
- Once done, copy these files to the root of the USB:
```
USB root/
├── autounattend.xml          ← copy here
└── Setup/                    ← copy this folder
    ├── Setup.ps1
    ├── packages.json
    ├── config.example.ps1
    └── config.ps1            ← your secrets (filled in, never committed)
```
Open autounattend.xml and change:
| Setting | What to change | Search for |
|---|---|---|
| 🔑 ITAdmin password | Set a real temporary password | CHANGEME_AdminPassword1! (×3) |
| 🌍 Time zone | Match your region | Eastern Standard Time |
| 🏢 Organization | Your company name | Zaboka Systems |
| 💿 Windows edition | Home vs Pro | Windows 11 Pro |
⚠️ Security note: The answer file stores the password in plain text on the USB. Use a temporary password and rotate it after setup. Never commit real credentials to Git — use a `.gitignore` or a separate `autounattend.local.xml`.
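One way to set the password without ever editing the tracked file, as an added example that is not part of this project: the script reads the committed `autounattend.xml`, stops unless it finds exactly the three placeholders, and writes the filled-in copy straight to the USB root. The parameter names and the `E:\` drive letter are assumptions.

```powershell
# Added example, not part of this project. Run from the repo root.
# Assumptions: parameter names, and E:\ as the USB drive letter.
param(
    [string]$Template = '.\autounattend.xml',
    [string]$UsbRoot  = 'E:\'
)
$ErrorActionPreference = 'Stop'
$placeholder = 'CHANGEME_AdminPassword1!'

# The tracked template must still hold all three placeholders; anything else
# means a real password may already be sitting in the committed file.
$xml  = Get-Content -LiteralPath $Template -Raw
$hits = [regex]::Matches($xml, [regex]::Escape($placeholder)).Count
if ($hits -ne 3) {
    throw "Expected 3 placeholders in $Template, found $hits."
}

# Prompt without echoing the password or leaving it in shell history.
$secure = Read-Host -Prompt 'Temporary ITAdmin password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($plain) -or $plain -eq $placeholder) {
    throw 'Password is empty or still the placeholder.'
}

# XML-escape so characters such as & or < cannot corrupt the answer file.
$escaped = [System.Security.SecurityElement]::Escape($plain)
$filled  = $xml.Replace($placeholder, $escaped)

# Write only to the USB stick; the repo copy is never modified.
$out = Join-Path $UsbRoot 'autounattend.xml'
Set-Content -LiteralPath $out -Value $filled -Encoding UTF8 -NoNewline
Write-Host "Wrote $out with $hits passwords replaced."
```

The USB copy still holds the password in plain text, so wipe or reformat the stick once the machine is provisioned.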
Add or remove apps from the winget package list to match what you want installed. Each entry needs a valid winget Package Identifier.
```powershell
# To find the right ID for an app:
winget search <appname>
```
- Plug the USB into the target machine
- Power on and boot from USB (F12 on Dell for boot menu)
- Windows installs automatically — no interaction needed
- Machine reboots and logs in as `ITAdmin`
- Open PowerShell as Administrator and run Setup.ps1 directly from the USB:
```powershell
# Replace E: with the actual USB drive letter
powershell.exe -ExecutionPolicy Bypass -File "E:\Setup\Setup.ps1"
```
- Follow the prompts in the PowerShell window:
- 📦 Choose package file name
- 🔒 Enter Tailscale auth key (optional)
- 💻 Rename the computer
- 👤 Create the end-user account
- 🛡️ Security settings apply automatically
Use this when the machine already has Windows 11 and you just want to run the provisioning script.
When the machine first boots into the Windows 11 setup wizard:
Windows 11 Pro:
Setup screen → "Sign in with Microsoft" → click "Sign-in options" → "Domain join instead" → create a local account
Windows 11 Home:
Press `Shift + F10` to open a command prompt → type `oobe\bypassnro` → press Enter → PC restarts → choose "I don't have internet" → "Continue with limited setup" → create a local account
- Copy the `Setup/` folder to the machine (USB, network share, etc.)
- Open PowerShell as Administrator
- Run:
```powershell
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
cd C:\path\to\Setup
.\Setup.ps1
```

| Phase | Action |
|---|---|
| 1️⃣ Config | Collects package file name and Tailscale auth key |
| 2️⃣ Logging | Creates a timestamped log in %USERPROFILE% |
| 3️⃣ Pre-flight | Verifies Windows 11 build, admin rights, winget |
| 4️⃣ Packages | Updates winget sources |
| 5️⃣ VPN | Installs and authenticates Tailscale (if key provided) |
| 6️⃣ Apps | Installs all apps from packages.json |
| 7️⃣ Users | Hides IT admin, renames computer, creates end-user account |
| 8️⃣ Security | Auto-updates, firewall, screen lock, disables RDP, disables SMBv1, BitLocker (Pro) |
| 9️⃣ Cleanup | Displays summary, optionally deletes setup folder, prompts restart |
| Model | Status | Driver notes |
|---|---|---|
| Dell OptiPlex 3070 MFF | ✅ Supported | No injection needed — Windows Update covers Intel I219 NIC, UHD 630, Realtek audio. Dell Command Update handles the rest. |
| Dell OptiPlex 5070 MFF | ✅ Supported | Same as above |
💡 Dell users: `Dell.CommandUpdate` is included in `packages.json`. Run it after provisioning to pull BIOS updates and any remaining drivers.
| Category | Apps |
|---|---|
| 🌐 Browser | Google Chrome, Mozilla Firefox |
| 💬 Comms | Slack, Zoom, Microsoft Teams |
| 🕐 Productivity | Hubstaff |
| 🖥️ Remote Access | AnyDesk |
| 🔧 Utilities | 7-Zip, Notepad++, VLC |
| 🔒 Security | Bitdefender, Tailscale |
| 🖥️ Hardware | Dell Command Update |
Edit packages.json freely — add or remove packages to match your environment.
- ✅ Windows Update set to auto-download and install
- ✅ Firewall enabled on all profiles (Domain, Public, Private)
- ✅ Password required on wake / screen lock
- ✅ Remote Desktop enabled (with firewall rule)
- ✅ SMBv1 disabled
- ✅ BitLocker enabled on C: (Windows Pro/Enterprise only)
- ✅ IT admin account hidden from login screen
- ✅ Log file permissions restricted to owner only
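A read-back of these settings after provisioning, as an added example that is not part of `Setup.ps1`. It only covers items with a standard queryable state. The expected RDP state is a parameter because the phase table lists RDP as disabled while this list shows it enabled, and the `SpecialAccounts\UserList` check assumes that is how the script hides `ITAdmin`.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of Setup.ps1: report the observed hardening state.
param([bool]$ExpectRdpEnabled = $false)   # set to what your Setup.ps1 applies

$rows = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [string]$Observed, [bool]$Ok) {
    $rows.Add([pscustomobject]@{ Check = $Name; Observed = $Observed; OK = $Ok })
}

# Firewall: Domain, Private and Public must all be enabled.
$off = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
$fw  = if ($off.Count) { 'disabled: ' + ($off.Name -join ', ') } else { 'all enabled' }
Add-Check 'Firewall profiles' $fw ($off.Count -eq 0)

# SMBv1 server protocol must be off.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Check 'SMBv1 server' "EnableSMB1Protocol=$smb1" (-not $smb1)

# RDP: fDenyTSConnections = 1 means incoming connections are refused.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts).fDenyTSConnections
Add-Check 'Remote Desktop' "fDenyTSConnections=$deny" (($deny -eq 0) -eq $ExpectRdpEnabled)

# BitLocker: protection can read Off while encryption is still in progress,
# so both fields are reported.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
    $state = "Protection=$($bl.ProtectionStatus), Volume=$($bl.VolumeStatus)"
    Add-Check 'BitLocker C:' $state ([string]$bl.ProtectionStatus -eq 'On')
} else {
    Add-Check 'BitLocker C:' 'cmdlet not available on this edition' $false
}

# Assumption: the admin account is hidden through the Winlogon UserList key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ITAdmin
Add-Check 'ITAdmin hidden' "UserList\ITAdmin=$hidden" ($hidden -eq 0)

$rows | Format-Table -AutoSize
if ($rows.OK -contains $false) { exit 1 }
```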
Pull requests are welcome! If you test on new hardware or add support for additional Dell models, open a PR with your results.
- Fork the repo
- Create a branch: `git checkout -b feature/your-feature`
- Commit and push
- Open a Pull Request
MIT License — free to use, modify, and distribute.