Guide to install and optimize Windows 10 LTSC

A more in-depth guide for /g/ to install, debloat and optimize Windows 10 LTSC for a minimal and responsive operating system with no
bloat, no telemetry, no UWP app cancer.

Our goal is to get a Windows 10 system that doesn't connect to remote IPs on its own and only has the useful minimum for a working system.
We want it to be fast, responsive and unobtrusive.

We will begin by optimizing the Windows image and removing unnecessary components, then after installation we take a look at all the
settings we can use to minimize the system's footprint.

This guide is specifically aimed at Windows 10 LTSC.

Note: Some of the optimizations here might not work for you or they might not be useful for the kind of usage you do with your computer.
Simply take them as inspiration for your optimization and pick what's useful for your particular case.

Read the /fwt/ paste for a more general overview of Windows.

Download this guide as PDF.

This guide loads screenshot images from a third-party site: Imgur.

Table of Contents
1. Table of Contents
2. A note on Windows versions
3. Verify the image
4. Prepare and debloat the Windows image
1. Common questions and problems
2. Optimize-Offline
1. Preparation
2. Using the script
3. MSMG Toolkit
1. Preparation
2. Using the script
5. Create a bootable USB disk
6. Before installing Windows
7. Boot into USB
8. Install Windows
1. Out Of Box Experience
2. Common questions and problems
9. Post-install tweaking
1. Install drivers
2. Install and debloat graphics card drivers
3. Install a firewall
1. About Windows Firewall
4. Antivirus & Security
1. How to scan for viruses
2. User Account Control
10. Configure Windows
1. Services
1. Registry files for easy Services configuration
2. Task Scheduler
3. Group Policy
11. Update Windows
1. Update manually
2. Remove Edge
12. Kill Windows Update
1. Disable Windows Update services
2. Disable Windows Update tasks
3. Revoking Windows Update privileges

Backup your important files (browser configs, photos, documents, passwords etc) in a safe place before installing a new
Windows!

A note on Windows versions

You might still be wondering which version of Windows 10 LTSC you should install.
The answer is always Windows 10 IoT Enterprise LTSC and the reason why is because LTSC IoT has longer servicing support, ending in 2032
versus 2027 for non-IoT LTSC. There are no other differences between the two versions, outside of the activation methods.

Although the tweaks will work for other versions of Windows, they require more work and debloating.
LTSC is the best base to start because it doesn't come with a lot of the annoying "features" and Microsoft integration of Windows 10
Home/Pro.

I want to install X language instead of English.

Always get the en-US image, we can install other language packs during optimization or after we're done installing the system.
LTSC IoT only has an English ISO, non-IoT has other languages.

Can LTSC IoT play vidya?

Yes, it can. There are no compatibility differences between versions.

Is LTSC slower than other versions of Windows?

No, and not since version 20H2 (guessing you're talking about the Windows 10 thread scheduler and Ryzen CPUs?).

Tip: Update your BIOS to the latest version your manufacturer provides so you can make full use of new Intel and AMD
improvements. If you bought XMP RAM make sure the XMP profile is enabled in your BIOS to get the full benefits of your
hardware.

Verify the image

This step is one of the most important when we're installing critical software on our system, yet a lot of people skip this.

Do not download weird Windows images off the internet, get your image straight from Microsoft!

After acquiring your LTSC IoT ISO you need to compare the hashes.
If you didn't download from Microsoft then go here and select your ISO version.
Look at the SHA-256 and compare it to the hash of the ISO you downloaded.

How to get hashes on Windows?

It's very simple, there are a few methods:

Open Powershell and type:

get-filehash "C:\PATH\TO\MY-WINDOWS-IMAGE.iso" -Algorithm SHA256

Get a tiny program called HashCheck or OpenHashTab that nests itself inside the Properties menu of files, giving you an extra tab to
easily calculate hashes.

Programs like 7-Zip are also able to generate hashes.

Prepare and debloat the Windows image
This step is where we'll trim the fat off our Windows image so that when installed it will come with our preferences, drivers and more
importantly without Windows components we don't want.
This is one of the best ways to get rid of e.g. Windows Defender, Edge, Cortana, UWP apps like Xbox, Photos, Maps (although LTSC doesn't
ship with those) without breaking the system with sketchy Github scripts.

To do this a few tools exist, some of the more well-known and trusted are:

Optimize-Offline:
Windows image optimization module, can disable (but also remove with additional tweaking) UWP apps, enable/disable services,
enable/disable Windows features and components, integrate drivers, do a lot of optimization and cleaning up.
MSMG Toolkit:
Pajeetware from the MDL forums, interactive, easy to use shell tool, to remove apps, disable settings, integrate Windows updates,
drivers, custom themes and more.
NTLite:
Powerful, non-free (as in beer and as in freedom), GUI utility to completely modify a Windows Image, integrate drivers, Windows updates
and remove any part of the Windows system one could wish. Has a free version with limitations.

I will guide you through Optimize-Offline (click to read) and MSMG Toolkit (click to read), NTLite is out of the scope of this guide.

Common questions and problems

Which tool should I pick? Which one is better?

One tool is not necessarily better or worse than the other as they do similar things with more or less features or more or less convenience.
If you want something that's fairly straight-forward and guides you without too much breakage go with MSMG Toolkit.

Which Windows components should I disable/remove?

Depends entirely on your needs and wants.

Quoting the Optimize-Offline readme here:

Just because something can be removed does not mean it should be removed.
Haphazard removal of packages or features can prevent Windows 10 Setup from completing or cause runtime errors.

Personally, I remove Windows Defender, Edge, all the biometrics apps, anything dealing with printers and so on.
You might think differently and find them useful, so keep them and tailor the optimizations to your needs.

If you play first-party Microsoft Games (i.e. Forza Horizon), pay attention to not remove the Xbox apps, as well as Microsoft
Edge and any UWP apps surrounding the MS Store like AccountsControl, Win32WebViewHost etc.

I will ask a similar question for the tool guides below so we can look at it in detail.

Can I use more than one tool on the image?

No, that isn't recommended.

It's also not recommended to use scripts like PrivateZilla or O&OShutUp10 as they tend to incorrectly detect group policy and registry settings
applied by the optimization process and break things.

How do I backup my Windows drivers?

Open Powershell as Administrator and type:

dism /online /export-driver /destination:"F:\full path of folder to save drivers"

This will dump all the drivers in use by the system into the specified folder.

Help! I'm getting Powershell errors and the scripts don't work.
You might have a restrictive Powershell execution policy. Check the Microsoft documentation.

First, make sure you launched Powershell as Administrator.

Then type Get-ExecutionPolicy -List to get a list of your execution policies.
If it says Undefined for all entries it just means the policy is Restricted, you cannot execute scripts.

You can set the execution policy for your machine permanently with:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine

To revert back after you're done (highly recommended) just type:

Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

Optimize-Offline
Optimize-Offline is a powerful tool but requires a bit of reading to understand what it's capable of doing to a Windows image.
Please take a look at the Optimize-Offline readme, it's worth reading through everything as you go along.
This particular repository of Optimize-Offline is a fork of the original Optimize-Offline maintained by users of the MDL forums after the
original creator stopped updating, it has additional features and tweaks to disable/enable a lot of Windows components and keeps getting
new ones frequently, as well as support for Windows 11.

Preparation
Download Optimize-Offline from the releases page (Source Code), and unzip the files somewhere safe and with a short path like
D:\Optimize .

Notice the folders Content > Additional and open each one to take a look at what's inside, refer to the README.md every time for
instructions.
If for instance you have registry tweaks you apply after every install, you can drop the .reg files in the RegistryTemplates folder to have them
be applied automatically.
To use the script we first have to configure the Configuration.json file.
The documentation on how to configure this file and what each entry does can be found in Module Help Topics and Optimization Details but
also the readme.

I created a screenshot how I configure mine along with some notes, pay attention to not change the structure of the file (e.g. missing a
comma) or you'll get errors:

Please inform yourself before you integrate the Windows Recovery Tools (DaRT) as this can be a security issue if someone
other than you has access to your computer. Read more.

If you enabled SelectiveRegistryTweaks in the config file, make sure you read the Readme section concerning those settings.

Now that we've configured Configuration.json and added all the additional content to their respective folders we can proceed to do the
actual optimization.

Using the script

Open Powershell as Administrator and navigate to the Optimize-Offline folder.
To call the script type:

.\Start-Optimize.ps1

Help! I get an error when I try to launch the script.

You either don't have the correct execution policy, see above.
Or you typed something wrong in the Configuration.json file, take note of the line where the error occurs.

Optimize-Offline will launch and ask you which version of Windows you want to work on, select IoT:

After some tasks run you will be met with a big list of System Apps to disable, select multiple entries with CTRL + Click.
This is what I typically disable that doesn't break much but your mileage may vary:
 Which System Apps can I safely disable?

Tip: Read about System Apps in the Github readme.

These apps can be disabled without causing problems:

AsyncTextService (messaging service for People and Maps)

BioEnrollment (biometrics)
CallingShellApp (mobile phone link)
MicrosoftECApp (eye control for Mixed Reality)
MicrosoftEdge (classic Edge browser)
MicrosoftEdgeDevToolsClient
SecHealthUI (Windows Defender)
FileExplorer (UWP File Explorer)
FilePicker (UWP File Picker)
NarratorQuickStart
ParentalControls
XGpuEjectDialog (safe removal of external GPUs)
XboxGameCallableUI (Xbox gaming features)
UndockedDevKit
NcsiUwpApp (UWP Networking app)
 Windows.CBSPreview (UWP app to scan barcodes)

These apps are required for certain components to work:

MicrosoftAccountsControl (required for Microsoft accounts and others)

ContentDeliveryManager (required for Windows install afaik)
LockApp (required for the Lock Screen)
OOBE Network Captive Portal (required for Windows install)
OOBE Network Connection Flow (required for Windows install)
Search (breaks search feature in the Start Menu if removed)
ShellExperienceHost (required for the Task Bar)
StartMenuExperienceHost (required for the Start Menu)
Windows.ClientCBS (required for a few things like Settings panel)
ImmersiveControl Panel (required for the Settings panel)

What you remove depends entirely on your goals, if you want a minimal installation then remove everything except the list above, if you want
the Store keep AAD Broker Plugin, Accounts Control, if you use a printer keep the printer apps, if you want to use Xbox features the Xbox app
etc.

For Windows Capabilities I remove the following, we can always re-install them later:

For Optional Features, I disable the following as I don't have a use for SMB and don't use a printer.
For Windows Services we can do a lot of optimization and reduce our system's footprint, but we also have to be careful about which services
we disable as it can easily break features. For this guide, I suggest not disabling anything. We will optimize Services later in the guide in a live
environment so we can have a more granular control over things.
Press Cancel anytime to skip a dialog.

Optimize-Offline will apply further tweaks, do some cleaning and compression and then generate the ISO in a new folder called Optimize-
Offline_CREATIONDATE together with some logs.

We're done and ready to install our optimized ISO image.

MSMG Toolkit
MSMG Toolkit has the ability to integrate Windows updates (i.e. msu files) and MSMG specific Toolkit Packs, that is additional Windows
features like Win32 Calculator, Chromium Edge or old Windows games. Please check the MSMG downloads page.

Preparation
Download MSMG Toolkit and unzip it somewhere safe and with a short path like D:\MSMG (this will prevent headaches later so we don't have
to deal with paths that have spaces in them).

Take notice of the Drivers, Packs and Updates folders where you can drop those specific files to get integrated into the ISO as well as the
Custom folder where you can drop registry tweaks, cursors, fonts, wallpapers and others. Refer to the README.txt files to learn more.

Now copy your Windows ISO image into the ISO folder, rename it to something simple like LTSC.iso and launch Start.cmd .
It will ask you for Administrator rights.

Using the script

Note: Do yourself a favor if you don't want to burn your eyes right away and go into [7] Tools > [3] Options > [1] Set Toolkit Color Settings
and set it to [1] (Black-White).

Much better! First off we're going to extract our ISO by going to [1] Source > [3] Extract Source from DVD ISO Image so we can work on it.

Simply type the name of the ISO image (without extension) like below and it will extract the contents of the ISO to the DVD folder.
After it's done extracting, we need to go back to [1] Source and then into [1] Select Source from <DVD> folder, where you should get a
screen like this to pick the version of LTSC to work on.
Pick 2 for LTSC IoT and press Enter, then type Y for both questions.

Now we can start the optimization process, disabling and integrating the things we want by going through each subsequent menu in order. If
you're not integrating anything like drivers or aren't interested in a section simply skip it and move on to the next but it's important to note
that certain things like Language Packs should ALWAYS be integrated before anything else, follow the /!\ Warnings the script gives you.
In [2] Integrate we will be able to add [3] Windows Features if we downloaded any MSMG Toolkit Packs from the link above.
For this guide I'm going to integrate Powershell 7, which I downloaded as .zip and extracted into D:\MSMG\Packs\PowerShell7\ and the
Win32 Calculator which I put in ...\Win32Calc\ .

Please inform yourself before you integrate the Windows Recovery Tools (DaRT) as this can be a security issue if someone
other than you has access to your computer. Read more.

The menu [3] Remove is what we're most interested in. Here we can remove Windows components and Windows apps:

Navigate into [1] Remove Windows Components > [1] Select Windows Components to select the components and apps we want to
remove by toggling them from + (keep or add) to - (remove or disable).
Go through every section and disable the things you don't want:

After going through each section Go Back and select [2] Start Removing Windows Components for your changes to be applied.

Which components can I safely remove?

You can remove pretty much everything except:

Content Delivery Manager (required for Windows install)

Lock App (breaks lock screen)
OOBE Network Captive Portal (required for Windows install)
OOBE Network Connection Flow (required for Windows install)

The tool will (sometimes) indicate if a component is required for something else to work.

I don't understand what some of these components are for.

Don't remove them!

The most important components are in [7] System Apps, removing something here can prevent you from being able to install Windows or
gets you a subtly broken system later on.

I created an album here with all my settings if you want to copy them.

After you're done selecting components, go back one step and choose [2] Start Removing Windows Components for the tool to apply your
choices.

Once it's done go back to the initial menu and select [4] Customize then [8] Apply Tweaks.
This menu allows you to apply registry tweaks to the system, I highlighted the ones I typically pick:
Next, go back to the initial menu again and navigate to [5] Apply then [1] Clean Source Images to do some final image cleaning.
Once that's done, go back one step and select [2] Apply And Save Changes to Source Images.
Select [Y]es for all the optimizations it asks you.

Finally, we can create the ISO image by going to [6] Target and selecting [1] Make a DVD ISO Image.
It will ask you for a volume label and file name, I named mine MSMGCustomW10 for both but name them whatever you want.
Once it's done, go back all the way and press X to quit MSMG Toolkit. You can find the customized ISO image in the... ISO folder.

Create a bootable USB disk

Required: Some form of bootable media with more than 4 GB of disk space

To create a bootable USB disk and install our Windows image, we will use a tool called Ventoy.

Ventoy is extremely easy to use and most interestingly is re-usable: you don't need to reformat the disk every time you want to try a new
image.
It's as simple as dragging and dropping an image into the Ventoy partition and Ventoy will do all the heavy-lifting for you, you can even keep
multiple images if you have the space for it.

Download the latest Ventoy release and unzip it, then launch Ventoy2Disk.exe.

Select your USB device, click Install and we're done!

Ventoy is now installed on the USB key and a large partition named "Ventoy" is ready for us to put our ISO images in.

ATTENTION: If you're installing a custom Windows image on your main and only machine, I HIGHLY (!!) recommend you keep
an untouched, original Windows 10 ISO in your Ventoy partition as well. Trust me on this one, it'll save your ass if you need to re-
install Windows and the custom image doesn't work correctly.

Before installing Windows

It's important to do some preparation before we boot into the Windows install process.
After backing up all our configs, drivers and files into a safe place, we should download a few tools we will need to configure our system
without an internet connection.

Tools you should have:

Graphics card drivers and driver trimming utility like NvSlimmer for Nvidia or Radeon Software Slimmer for AMD cards
An archive file utility like 7-Zip, WinRAR, PeaZip etc.
A software firewall for WFP (Windows Filtering Platform) such as SimpleWall, TinyWall or one to control the native Windows Firewall
more easily e.g. Windows Firewall Control
Your favorite tool to tweak Windows settings: e.g. Winaero Tweaker, Autoruns
A full package (i.e. not the net installer) browser like Firefox or Chrom* flavor if you fully removed IE and Edge
Other software you commonly install and registry tweaks you like to apply
This guide!

Tip: If you have the space for it, you can put these files in a separate folder in the Ventoy partition.
Boot into USB
After rebooting simply press F10, F12, Delete, Esc or the equivalent for your BIOS to boot into the Ventoy USB key.

I can't boot into my USB.

Disable Secure Boot in your BIOS settings.

Check if you're booting in UEFI mode, alternatively that CSM support is disabled or configured for UEFI.

Install Windows
The installation process should be pretty straight-forward.

Please double, triple check where you are installing Windows and which partitions you are deleting if any.

At this point of the install, I recommend you disconnect your device from the Internet so Windows won't be able to connect
just yet.

Pick Custom Install and delete any partitions on the disk, let Windows fill the whole disk.
We can deal with shrinking or making new partitions later as Windows likes to install a 500 MB recovery partition right after the Windows
partition and this complicates disk management.

Out Of Box Experience

After Windows installs, the system will boot into Out Of Box Experience (OOBE) where you get to select your language, keyboard, user name
and privacy settings.

When it asks you to connect to the Internet (if you're offline), pick Continue with limited setup at the bottom.
When it asks you for a Microsoft account, pick Domain join instead or Use Local Account at the bottom.
Disable everything when it asks you to "Choose your privacy settings".

Proceed with the configuration, let it reboot and you should finally set foot in your shiny new Windows system.
If you did everything correctly, this is how barebones it should look:

Perfection, now on to configuring everything...

Common questions and problems
The initial setup is asking me for a product key.

Choose "I don't have a product key", if you have a genuine key stored on your system it will activate Windows automatically.
If not, then you'll have to use HWID activation with MAS once you login into Windows.

Which operating system should I install?

If you did things right in the guides before it wouldn't be asking that question, but always pick IoT Enterprise LTSC.

The installation crashes during setup (OOBE).

You removed essential Windows install components and the setup can't proceed. Start over.

The installation crashes after setup (OOBE) and doesn't boot into Windows (Why did my PC restart?).

Let it connect to the internet and try to repair itself, if it doesn't and gets stuck in a boot loop you likely removed some essential Windows
component and will need to start over.

Help! I'm getting an error that a media driver is missing during install and can't proceed.

That usually means the ISO is bad, but sometimes the solution is to disconnect all drives except the one you want to install Windows on.
Check your USB settings in the BIOS and try other USB ports.

Everything below (and above, but mostly below) is done at your own risk!

Post-install tweaking
Before connecting to the Internet and launching Windows Update, we have a few tasks to do.

Install drivers
Right after installing we should look for any missing drivers in our system.
Point Windows to the backup folder of your drivers if you have any.
Install and debloat graphics card drivers
Both AMD and Nvidia driver packages have increased tremendously in features and telemetry over the past years, but we don't want any of
that on our system. Using tools like NvSlimmer for Nvidia and Radeon Software Slimmer for AMD cards, we can seriously trim down the
drivers to the bare minimum we need and remove all the phoning home.

AMD:

Disable all packages except for AMD Catalyst Settings and the drivers
Disable all Scheduled Tasks

Nvidia:

Keep only the required packages (bold)

Enable drivers such as USB Type-C port
PhysX is not required in [current year]

Once installed launch their respective control panels and configure everything.
You should disable their background services after so they don't run in the background doing nothing.

Install a firewall
We don't want anything connecting to the internet without our consent, I highly recommend you install one of the firewalls mentioned above
and familiarize yourself with the one that suits you best. They are all lightweight, fairly easy to use and will be your first line of defense.

About Windows Firewall

Even though they can both work together, you don't need Windows Firewall to be enabled to use firewalls like Simplewall or Tinywall
because they use the Windows Filtering Platform (WFP) which is the underlying technology the Windows Firewall rests upon.

You should note however that if you still have Windows Firewall enabled that it can take precedence over the other firewalls, and most
importantly that in its default configuration pretty much any software can introduce and remove rules from it (think of BitTorrent clients for
instance, or Steam), sometimes even without your knowledge. Windows Filtering Platform has several layers that traffic goes through and
some layers have higher priority over others as shown in the documentation ("Network traffic traverses sub-layers from the highest priority to
the lowest priority. "). This is a complicated technical topic, I recommend you read these simplewall issues here and here if you're interested.
If you find the native Windows Firewall too complicated to configure then I can recommend Windows Firewall Control, it's what I personally
use (not a shill, it's been bought out by Malwarebytes recently but it's still excellent software!). This program has the ability to protect
Windows Firewall from external tampering and only firewall rules made through the program are allowed to be set. If you use use this, don't
use Simplewall or TinyWall at the same time of course.

Antivirus & Security

I don't recommend you use an active antivirus (including Windows Defender) unless you're permanently downloading and using files from
dodgy places. They can slow down your computer and introduce stutters and latency when you're doing CPU/GPU intensive tasks.
Anti-viruses continually run in the background and scan your every move, most commercial ones also like to phone home frequently as well.

How to scan for viruses

If you suspect something is wrong, Windows has a native and simple virus scanner for most common infections called Windows Malicious
Software Removal Tool (MRT) that gets updated every once in a while through Windows Update.
You can launch it by simply searching for MRT from the Start menu.

Use an online scan service like VirusTotal before you open a suspicious file or archive.
Keep a portable instance of ClamAV for whenever you need it.

User Account Control

Keep this enabled at the Default setting, it's good to have and keeps you alert even if it can be annoying.

Configure Windows

Services
This is where we can reduce the footprint and resource usage of our system quite a bit. Check the official Microsoft documentation on
disabling services if you want a more safe guide.

This part is a lot more experimental and highly dependent on the usage you make of your system. Disabling the wrong
services for things you need WILL lead to breakage!

The simplest way to disable services is through services.msc tool.

Go into Start Menu and search for the "Services" App.
Expand the Name column and then order everything by Status "Running", you'll see some 80 or more services running.

We're going to reduce this to less than 50 services (ymmv).

Certain services can only be disabled via the registry due to permissions restrictions.
In the Registry (regedit), navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and look for the Start DWORD entry.

From there, you can change their startup configuration with:

1 = System (drivers)
2 = Automatic
3 = Manual
4 = Disabled

You can go through the list and disable stuff manually... but instead of me posting a very long list of services for you to disable, I'm going to
give you .reg Registry files you can apply that will modify the Startup Configuration of your services automatically.
Feel free to open the files in a text editor first and audit for any malicious text, you'll see that the files only touch entries in
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" for the key "Start" as is expected.

Registry files for easy Services configuration

The registry files are best applied in Safe Mode.

Download from Github as .reg and double-click to apply the config. Reboot after.

Default Windows 10 LTSC Configuration:

Everything at default. Use to this restore everything.

Safe:
Recommended. Disables a minimum of services that aren't typically used on most desktop PCs.

Moderate:
Shouldn't break anything major, this config is what I typically use and disable and enable things as I need. Windows Update and WiFi services
are disabled, Bluetooth is working. If you use Ethernet to connect to the Internet and don't care about the icon in the taskbar you can disable
all the network services too, except for Network Store Interface Service (nsi).

Extreme:
Do not use this! The bare minimum for a working desktop system aka just gaymen and browsing teh interwebs. Disables Windows Update,
breaks a few pages in Settings, breaks Night Light, breaks Bluetooth, Printers, WiFi, Mobile Hotspot, breaks anything dealing with
removing or installing UWP apps and bunch of other stuff. Only usable for direct Ethernet connections and wired sound listening.

If you use Bluetooth enable:

AVCTP service
Bluetooth Audio Gateway Service
Bluetooth Support Service
Bluetooth User Service
Device Association Service
DevicesFlow
DevicePicker
Radio Management Service

If you use Night Light enable:

Display Policy Service

Connected Devices Platform User Service (CDPUserSvc)
Connected Devices Platform Service (CDPSvc)
Network Connection Broker

If you use WiFi / Mobile Hotspot enable:

CNG Key Isolation

Extensible Authentication Protocol
Internet Connection Sharing (ICS)
Windows Mobile Hotspot Service
WLAN AutoConfig

If you use Windows Update enable:

Storage Service
Update Orchestrator Service
Windows Modules Installer
Windows Update
Windows Update Medic Service

Fix for Network and System settings pages error, enable:

Connected Devices Platform User Service

Windows Push Notifications System Service
Windows Push Notifications User Service

Task Scheduler
There are few interesting tasks we can take a look at disabling, they mostly involve sending telemetry to Microsoft.
Do a Start menu search for "Task Scheduler" or open Run and type taskschd.msc.

Navigate to Task Scheduler Library > Microsoft > Windows then under each of the following folders disable a task by right-clicking then
selecting Disable:

Application Experience : Microsoft Compatibility Appraiser

Autochk : Proxy
Customer Experience Improvement Program : Consolidator, UsbCeip
Diagnosis : RecommendedTroubleshootingScanner
Disk Diagnostic : Microsoft-Windows-DiskDiagnosticDataCollector
International : Synchronize Language Settings
Windows Error Reporting : QueueReporting

Group Policy
To minimize the damage once we connect to the internet and launch Windows Update, we will configure a few Group Policy Object (GPO)
settings.
Search the Start Menu for "Group Policy" or open Run and launch gpedit.msc.

Navigate to Computer Configuration > Administrative Templates > All Settings .

Press the first column of the list that appears to order everything by name, go through the list and:

Disable the following:

Disabling Windows Updates here makes it so Windows will only check for updates manually when we press the button to do so.

Enable the following:

Pay attention that for some of the options you have to select the correct setting in the drop-down menu after enabling them such as "Prevent
Pre-Launching" for Microsoft Edge or "[0] Security [Enterprise Only]" for Allow Telemetry.

Update Windows
It's finally time to connect to the Internet and launch Windows Update.

I don't want to update, updates only add bloat/bugs, I'll just run this 2019 build of LTSC

First off, that's wrong. Second of all, no sane person should forego updates or run an outdated system if they care about their security.
Even if in this guide we have disabled automatic Windows Updates, it is merely to get better control of when those updates happen and not
have Windows Update routinely pinging outside IP addresses and running in the background.
It is still highly recommended to keep your Windows system up-to-date with the latest security and bug fixes and let Windows Update run on
a monthly basis.

Update manually
If you don't want to connect to Windows Update, or completely disabled it then I suggest you download update packs separately from the
official Microsoft repository by doing a search for "21H2 x64". At the time of writing this guide these are the cumulative updates you're likely
receive for 21H2:

KB5017500
KB5017308
KB5012170
KB5017380
 KB5020613
KB5020030

Remove Edge
If after updating and rebooting you run into the unpleasant surprise of Microsoft Edge being installed on your machine and nagging you
right away, then I suggest you run this handy script to nuke it. Microsoft seems to be ignoring all the registry tweaks to NOT install Edge, as
usual.

Kill Windows Update

You might have noticed when you boot your computer that Windows Update launches automatically in the background and connects to
remote addresses. The WU service is accompanied by a handful of other pesky services like Windows Update Medic Service
(WaaSMedicSvc), Update Orchestrator Service (UsoSvc) or Delivery Optimization (DoSvc). Even though you disabled them in the services
tool, they keep coming back and re-enabling themselves... here's how to deal with them. There might be other, easier ways to do this or more
technically correct ways but this is the way I know how to do.

Warning: This will prevent Windows 10 from updating, I think that's obvious.

Disable Windows Update services

Open a Windows Run Dialog (Win + R). Type in services.msc and press OK.
Sort all the services by Name then right-click on the service and select Properties. Click the Stop button (if the service is running). Change the
Startup type to Disabled. Click OK.

Disable the following services:

Delivery Optimization
Update Orchestrator Service
Windows Update
Windows Update Medic Service

Disable Windows Update tasks

We need to acquire a tool called NSudo. This tool will allows us to easily launch programs with the TrustedInstaller privilege. Download the
latest release ZIP, unpack it and launch NSudoLG.exe as Administrator.
Under Open: type taskschd.msc as seen in the image below and click Run.

In the Task Scheduler navigate to Task Scheduler Library > Microsoft > Windows then under each of the following folders disable a task
by right-clicking then selecting Disable:

UpdateOrchestrator : Disable EVERY task here, Reboot, Scheduled Scan etc.

WaaSMedic : PerformRemediation
WindowsUpdate : Scheduled Start

Revoking Windows Update privileges

Lastly we need to revoke the privileges of SYSTEM so that the tasks aren't re-enabled and the services reset and launched again.
In Explorer, navigate to C:\Windows\System32\Tasks\Microsoft\Windows\ . You will need Administrator privileges, if you can't access a folder
or change a file's privileges you need to take ownership of them. I personally like using the Take Ownership context menu.

Now just as we did in the previous section, we're going to revoke the SYSTEM privileges for executing a task for the same tasks. For instance in
the UpdateOrchestrator folder we right-click a task, select Properties then navigate to the Security tab.

In here we want to select SYSTEM, click Edit... and then untick Read & Execute. Select Yes to confirm in the dialog that appears and then OK to
close the dialogs. Reboot and you're done.

That's it for this guide, you should now have a fairly minimal Windows installation, ready to customize to your needs.

Hope it was helpful!