Guide to install and optimize Windows 10 LTSC

A more in-depth guide for /g/ to install, debloat and optimize Windows 10 LTSC for a minimal and responsive operating system with no bloat, no telemetry, no UWP app cancer.

We will begin by optimizing the Windows image and removing unnecessary components, then after installation we take a look at all the settings we can use to minimize the system's footprint.

Note: Some of the optimizations here might not work for you or they might not be useful for the kind of usage you do with your computer. Simply take them as inspiration for your optimization and pick what's useful for your particular case.

Read the /fwt/ paste for a more general overview of Windows.

---

---

Table of Contents

---

---

A note on Windows versions

You might still be wondering which version of Windows 10 LTSC you should install.
The answer is always Windows 10 IoT Enterprise LTSC and the reason why is because LTSC IoT has longer servicing support, ending in 2032 versus 2027 for non-IoT LTSC. There are no other differences between the two versions, outside of the activation methods.

Although the tweaks will work for other versions of Windows, they require more work and debloating.
LTSC is the best base to start because it doesn't come with a lot of the annoying "features" and Microsoft integration of Windows 10 Home/Pro.

I want to install X language instead of English.

Always get the en-US image, we can install other language packs during optimization or after we're done installing the system.
LTSC IoT only has an English ISO, non-IoT has other languages.

Can LTSC IoT play vidya?

Yes, it can. There are no compatibility differences between versions.

Is LTSC slower than other versions of Windows?

No, and not since version 20H2 (guessing you're talking about the Windows 10 thread scheduler and Ryzen CPUs?).

---

Verify the image

This step is one of the most important when we're installing critical software on our system, yet a lot of people skip this.

After acquiring your LTSC IoT ISO you need to compare the hashes.
If you didn't download from Microsoft then go here and select your ISO version.
Look at the SHA-256 and compare it to the hash of the ISO you downloaded.

How to get hashes on Windows?

It's very simple, there are a few methods:

• Open Powershell and type:

  get-filehash "C:\PATH\TO\MY-WINDOWS-IMAGE.iso" -Algorithm SHA256

• Get a tiny program called HashCheck or OpenHashTab that nests itself inside the Properties menu of files, giving you an extra tab to easily calculate hashes.
• Programs like 7-Zip are also able to generate hashes.

---

Prepare and debloat the Windows image

This step is where we'll trim the fat off our Windows image so that when installed it will come with our preferences, drivers and more importantly without Windows components we don't want.
This is one of the best ways to get rid of e.g. Windows Defender, Edge, Cortana, UWP apps like Xbox, Photos, Maps (although LTSC doesn't ship with those) without breaking the system with sketchy Github scripts.

To do this a few tools exist, some of the more well-known and trusted are:

• Optimize-Offline:
  Windows image optimization module, can disable (but also remove with additional tweaking) UWP apps, enable/disable services, enable/disable Windows features and components, integrate drivers, do a lot of optimization and cleaning up.
• MSMG Toolkit:
  Pajeetware from the MDL forums, interactive, easy to use shell tool, to remove apps, disable settings, integrate Windows updates, drivers, custom themes and more.
• NTLite:
  Powerful, non-free (as in beer and as in freedom), GUI utility to completely modify a Windows Image, integrate drivers, Windows updates and remove any part of the Windows system one could wish. Has a free version with limitations.

I will guide you through Optimize-Offline (click to read) and MSMG Toolkit (click to read), NTLite is out of the scope of this guide.

Common questions and problems

Which tool should I pick? Which one is better?

One tool is not necessarily better or worse than the other as they do similar things with more or less features or more or less convenience.
If you want something that's fairly straight-forward and guides you without too much breakage go with MSMG Toolkit.

Which Windows components should I disable/remove?

Depends entirely on your needs and wants.

Quoting the Optimize-Offline readme here:

Just because something can be removed does not mean it should be removed.
Haphazard removal of packages or features can prevent Windows 10 Setup from completing or cause runtime errors.

Personally, I remove Windows Defender, Edge, all the biometrics apps, anything dealing with printers and so on.
You might think differently and find them useful, so keep them and tailor the optimizations to your needs.

I will ask a similar question for the tool guides below so we can look at it in detail.

Can I use more than one tool on the image?

No, that isn't recommended.

It's also not recommended to use scripts like PrivateZilla or O&OShutUp10 as they tend to incorrectly detect group policy and registry settings applied by the optimization process and break things.

How do I backup my Windows drivers?

Open Powershell as Administrator and type:

dism /online /export-driver /destination:"F:\full path of folder to save drivers"

This will dump all the drivers in use by the system into the specified folder.

Help! I'm getting Powershell errors and the scripts don't work.

You might have a restrictive Powershell execution policy. Check the Microsoft documentation.

First, make sure you launched Powershell as Administrator.
Then type Get-ExecutionPolicy -List to get a list of your execution policies.
If it says Undefined for all entries it just means the policy is Restricted, you cannot execute scripts.

You can set the execution policy for your machine permanently with:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine

To revert back after you're done (highly recommended) just type:
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

---

Optimize-Offline

Optimize-Offline is a powerful tool but requires a bit of reading to understand what it's capable of doing to a Windows image.
Please take a look at the Optimize-Offline readme, it's worth reading through everything as you go along.
This particular repository of Optimize-Offline is a fork of the original Optimize-Offline maintained by users of the MDL forums after the original creator stopped updating, it has additional features and tweaks to disable/enable a lot of Windows components and keeps getting new ones frequently.

Preparation

Download Optimize-Offline from the releases page (Source Code), and unzip the files somewhere safe and with a short path like D:\Optimize.

Notice the folders Content > Additional and open each one to take a look at what's inside, refer to the README.md every time for instructions.
If for instance you have registry tweaks you apply after every install, you can drop the .reg files in the RegistryTemplates folder to have them be applied automatically.

To use the script we first have to configure the Configuration.json file.
The documentation on how to configure this file and what each entry does can be found in Module Help Topics and Optimization Details but also the readme.

I created a screenshot how I configure mine along with some notes, pay attention to not change the structure of the file (e.g. missing a comma) or you'll get errors:

If you enabled SelectiveRegistryTweaks in the config file, make sure you read the Readme section concerning those settings.

Now that we've configured Configuration.json and added all the additional content to their respective folders we can proceed to do the actual optimization.

Using the script

Open Powershell as Administrator and navigate to the Optimize-Offline folder.
To call the script type:

.\Start-Optimize.ps1

Help! I get an error when I try to launch the script.

You either don't have the correct execution policy, see above.
Or you typed something wrong in the Configuration.json file, take note of the line where the error occurs.

Optimize-Offline will launch and ask you which version of Windows you want to work on, select IoT:

After some tasks run you will be met with a big list of System Apps to disable, select multiple entries with CTRL + Click.
This is what I typically disable that doesn't break much but your mileage may vary:

Which System Apps can I safely disable?

These apps can be disabled without causing problems:

• AsyncTextService (messaging service for People and Maps)
• BioEnrollment (biometrics)
• CallingShellApp (mobile phone link)
• MicrosoftECApp (eye control for Mixed Reality)
• MicrosoftEdge (classic Edge browser)
• MicrosoftEdgeDevToolsClient
• SecHealthUI (Windows Defender)
• FileExplorer (UWP File Explorer)
• FilePicker (UWP File Picker)
• NarratorQuickStart
• ParentalControls
• XGpuEjectDialog (safe removal of external GPUs)
• XboxGameCallableUI (Xbox gaming features)
• UndockedDevKit
• NcsiUwpApp (UWP Networking app)
• Windows.CBSPreview (UWP app to scan barcodes)

These apps are required for certain components to work:

• MicrosoftAccountsControl (required for Microsoft accounts and others)
• ContentDeliveryManager (required for Windows install afaik)
• LockApp (required for the Lock Screen)
• OOBE Network Captive Portal (required for Windows install)
• OOBE Network Connection Flow (required for Windows install)
• Search (breaks search feature in the Start Menu if removed)
• ShellExperienceHost (required for the Task Bar)
• StartMenuExperienceHost (required for the Start Menu)
• Windows.ClientCBS (required for a few things such as the Settings panel)
• ImmersiveControl Panel (required for the Settings panel)

What you remove depends entirely on your goals, if you want a minimal installation then remove everything except the list above, if you want the Store keep AAD Broker Plugin, Accounts Control, if you use a printer keep the printer apps, if you want to use Xbox features the Xbox app etc.

For Windows Capabilities I remove the following, we can always re-install them later:

For Optional Features, I disable the following as I don't have a use for SMB and don't use a printer.

For Windows Services we can do a lot of optimization and reduce our system's footprint, but we also have to be careful about which services we disable as it can easily break features. For this part, I suggest not disabling any Services yet. We will optimize Services later in the guide in a live environment so we can have a more granular control over things.
Press Cancel anytime to skip a dialog.

Optimize-Offline will apply further tweaks, do some cleaning and compression and then generate the ISO in a new folder called Optimize-Offline_CREATIONDATE together with some logs.

We're done and ready to install our optimized ISO image.

---

MSMG Toolkit

MSMG Toolkit has the ability to integrate Windows updates (i.e. msu files) and MSMG specific Toolkit Packs, that is additional Windows features like Win32 Calculator, Chromium Edge or old Windows games. Please check the MSMG downloads page.

Preparation

Download MSMG Toolkit and unzip it somewhere safe and with a short path like D:\MSMG (this will prevent headaches later so we don't have to deal with paths that have spaces in them).

Take notice of the Drivers, Packs and Updates folders where you can drop those specific files to get integrated into the ISO as well as the Custom folder where you can drop registry tweaks, cursors, fonts, wallpapers and others. Refer to the README.txt files to learn more.

Now copy your Windows ISO image into the ISO folder, rename it to something simple like LTSC.iso and launch Start.cmd.
It will ask you for Administrator rights.

Using the script

Note: Do yourself a favor if you don't want to burn your eyes right away and go into [7] Tools > [3] Options > [1] Set Toolkit Color Settings and set it to [1] (Black-White).

Much better! First off we're going to extract our ISO by going to [1] Source > [3] Extract Source from DVD ISO Image so we can work on it.

Simply type the name of the ISO image (without extension) like below and it will extract the contents of the ISO to the DVD folder.

After it's done extracting, we need to go back to [1] Source and then into [1] Select Source from <DVD> folder, where you should get a screen like this to pick the version of LTSC to work on.
Pick 2 for LTSC IoT and press Enter, then type Y for both questions.

Now we can start the optimization process, disabling and integrating the things we want by going through each subsequent menu in order. If you're not integrating anything like drivers or aren't interested in a section simply skip it and move on to the next but it's important to note that certain things like Language Packs should ALWAYS be integrated before anything else, follow the /!\ Warnings the script gives you.

In [2] Integrate we will be able to add [3] Windows Features if we downloaded any MSMG Toolkit Packs from the link above.
For this guide I'm going to integrate Powershell 7, which I downloaded as .zip and extracted into D:\MSMG\Packs\PowerShell7\ and the Win32 Calculator which I put in ...\Win32Calc\.

The menu [3] Remove is what we're most interested in. Here we can remove Windows components and Windows apps:

Navigate into [1] Remove Windows Components > [1] Select Windows Components to select the components and apps we want to remove by toggling them from + (keep or add) to - (remove or disable).

Go through every section and disable the things you don't want:

After going through each section Go Back and select [2] Start Removing Windows Components for your changes to be applied.

Which components can I safely remove?

You can remove pretty much everything except:

• Content Delivery Manager (required for Windows install)
• Lock App (breaks lock screen)
• OOBE Network Captive Portal (required for Windows install)
• OOBE Network Connection Flow (required for Windows install)

The tool will (sometimes) indicate if a component is required for something else to work.

I don't understand what some of these components are for.

Don't remove them!
The most important components are in [7] System Apps, removing something here can prevent you from being able to install Windows or gets you a subtly broken system later on.

I created an album here with all my settings if you want to copy them.

After you're done selecting components, go back one step and choose [2] Start Removing Windows Components for the tool to apply your choices.

Once it's done go back to the initial menu and select [4] Customize then [8] Apply Tweaks.
This menu allows you to apply registry tweaks to the system, I highlighted the ones I typically pick:

Next, go back to the initial menu again and navigate to [5] Apply then [1] Clean Source Images to do some final image cleaning.
Once that's done, go back one step and select [2] Apply And Save Changes to Source Images.
Select [Y]es for all the optimizations it asks you.

Finally, we can create the ISO image by going to [6] Target and selecting [1] Make a DVD ISO Image.
It will ask you for a volume label and file name, I named mine MSMGCustomW10 for both but name them whatever you want.

Once it's done, go back all the way and press X to quit MSMG Toolkit. You can find the customized ISO image in the... ISO folder.

---

Create a bootable USB disk

To create a bootable USB disk and install our Windows image, we will use a tool called Ventoy.

Ventoy is extremely easy to use and most interestingly is re-usable: you don't need to reformat the disk every time you want to try a new image.
It's as simple as dragging and dropping an image into the Ventoy partition and Ventoy will do all the heavy-lifting for you, you can even keep multiple images if you have the space for it.

Download the latest Ventoy release and unzip it, then launch Ventoy2Disk.exe.

Select your USB device, click Install and we're done!
Ventoy is now installed on the USB key and a large partition named "Ventoy" is ready for us to put our ISO images in.

---

Before installing Windows

It's important to do some preparation before we boot into the Windows install process.
After backing up all our configs, drivers and files into a safe place, we should download a few tools we will need to configure our system without an internet connection.

Tools you should have:

• Graphics card drivers and driver trimming utility like NvCleanstall for Nvidia or Radeon Software Slimmer for AMD cards
• An archive file utility like 7-Zip, WinRAR, PeaZip etc.
• A software firewall for WFP (Windows Filtering Platform) such as SimpleWall, TinyWall or one to control the native Windows Firewall more easily e.g. Windows Firewall Control
• Your favorite tool to tweak Windows settings: e.g. Winaero Tweaker, Autoruns
• A full package (i.e. not the net installer) browser like Firefox or Chrom* flavor if you fully removed IE and Edge
• Other software you commonly install and registry tweaks you like to apply
• This guide!

---

Boot into USB

After rebooting simply press F10, F12, Delete, Esc or the equivalent for your BIOS to boot into the Ventoy USB key.

I can't boot into my USB.

Disable Secure Boot in your BIOS settings.
Check if you're booting in UEFI mode, alternatively that CSM support is disabled or configured for UEFI.

---

Install Windows

The installation process should be pretty straight-forward.

Pick Custom Install and delete any partitions on the disk, let Windows fill the whole disk.
We can deal with shrinking or making new partitions later as Windows likes to install a 500 MB recovery partition right after the Windows partition and this complicates disk management.

Out Of Box Experience

After Windows installs, the system will boot into Out Of Box Experience (OOBE) where you get to select your language, keyboard, user name and privacy settings.

• When it asks you to connect to the Internet (if you're offline), pick Continue with limited setup at the bottom.
• When it asks you for a Microsoft account, pick Domain join instead or Use Local Account at the bottom.
• Disable everything when it asks you to "Choose your privacy settings".

Proceed with the configuration, let it reboot and you should finally set foot in your shiny new Windows system.
If you did everything correctly, this is how barebones it should look:

Perfection, now on to configuring everything...

---

Common questions and problems

The initial setup is asking me for a product key.

Choose "I don't have a product key", if you have a genuine key stored on your system it will activate Windows automatically.
If not, then you'll have to use HWID activation with MAS once you login into Windows.

Which operating system should I install?

If you did things right in the guides before it wouldn't be asking that question, but always pick IoT Enterprise LTSC.

The installation crashes during setup (OOBE).

You removed essential Windows install components and the setup can't proceed. Start over.

The installation crashes after setup (OOBE) and doesn't boot into Windows (Why did my PC restart?).

Let it connect to the internet and try to repair itself, if it doesn't and gets stuck in a boot loop you likely removed some essential Windows component and will need to start over.

Help! I'm getting an error that a media driver is missing during install and can't proceed.

That usually means the ISO is bad, but sometimes the solution is to disconnect all drives except the one you want to install Windows on.
Check your USB settings in the BIOS and try other USB ports.

---

Post-install tweaking

Before connecting to the Internet and launching Windows Update, we have a few tasks to do.

Install drivers

Right after installing we should look for any missing drivers in our system.
Point Windows to the backup folder of your drivers if you have any.

Install and debloat graphics card drivers

Both AMD and Nvidia driver packages have increased tremendously in features and telemetry over the past years, but we don't want any of that on our system. Using tools like NvCleanstall for Nvidia and Radeon Software Slimmer for AMD cards, we can seriously trim down the drivers to the bare minimum we need and remove all the phoning home.

AMD:

• Disable all packages except for AMD Catalyst Settings and the drivers
• Disable all Scheduled Tasks

Nvidia:

• Keep only the required display driver components
• Depending on your needs keep PhysX, HD Audio via HDMI, Optimus (for laptops)
• Disable all types of telemetry
• Enable MSI (leave at default) and any patches

Once installed launch their respective control panels and configure everything.
You should disable their background services after so they don't run in the background doing nothing.

---

Install a firewall

Nowadays, almost all malware tries to phone home so we don't want anything connecting to the internet without our consent, I highly recommend you install one of the firewalls mentioned above and familiarize yourself with the one that suits you best. They are all lightweight, fairly easy to use and will be your first line of defense.

About Windows Firewall

Even though they can both work together, you don't need Windows Firewall to be enabled to use firewalls like Simplewall or Tinywall because they use the Windows Filtering Platform (WFP) which is the underlying technology the Windows Firewall rests upon.

You should note however that if you still have Windows Firewall enabled that it can take precedence over the other firewalls, and most importantly that in its default configuration pretty much any software can introduce and remove rules from it, sometimes even without your knowledge. Windows Filtering Platform has several layers that traffic goes through and some layers have higher priority over others as shown in the documentation ("Network traffic traverses sub-layers from the highest priority to the lowest priority. "). This is a complicated technical topic, I recommend you read these simplewall issues here and here if you're interested.

If you find the native Windows Firewall too complicated to configure then I can recommend Windows Firewall Control, it's what I personally use (not a shill, it's been bought out by Malwarebytes recently but it's still excellent software!). This program has the ability to protect Windows Firewall from external tampering and only firewall rules made through the program are allowed to be set. If you use use this, don't use Simplewall or TinyWall at the same time of course.

---

Antivirus & Security

I don't recommend you use an active antivirus (including Windows Defender) unless you're permanently downloading and using files from dodgy places. They can slow down your computer and introduce stutters and latency when you're doing CPU/GPU intensive tasks.
Anti-viruses continually run in the background and scan your every move, most commercial ones also like to phone home frequently.

How to scan for viruses

If you suspect something is wrong, Windows has a native virus scanner for most common infections called Windows Malicious Software Removal Tool (MRT) that gets updated every month through Windows Update.
You can launch it by simply searching for MRT from the Start menu.

Use an online scan service like VirusTotal before you open a suspicious file or archive.
Keep a portable instance of ClamAV for whenever you need it.

User Account Control

Keep this enabled at the Default setting, it's good to have and keeps you alert even if it can be annoying.

---

Configure Windows

---

Services

This is where we can reduce the footprint and resource usage of our system quite a bit. Check the official Microsoft documentation on disabling services if you want a more safe guide.

The simplest way to disable services is through services.msc tool.
Go into Start Menu and search for the "Services" App.
Expand the Name column and then order everything by Status "Running", you'll see some 80 or more services running.

We're going to reduce this to less than 50 services (ymmv).

Certain services can only be disabled via the registry due to permissions restrictions.
In the Registry (regedit), navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and look for the Start DWORD entry.

From there, you can change their startup configuration with:

• 1 = System (drivers)
• 2 = Automatic
• 3 = Manual
• 4 = Disabled

You can go through the list and disable stuff manually... but instead of me posting a very long list of services for you to disable, I'm going to give you .reg Registry files you can apply that will modify the Startup Configuration of your services automatically.
Feel free to open the files in a text editor first and audit for any malicious text, you'll see that the files only touch entries in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" for the key "Start" as is expected.

Registry files for easy Services configuration

The registry files are best applied in Safe Mode.
Download from Github as .reg and double-click to apply the config. Reboot after.

Default Windows 10 LTSC Configuration:
Everything at default. Use to this restore everything.

Safe:
Recommended. Disables a minimum of services that aren't typically used on most desktop PCs.

Moderate:
Shouldn't break anything major, this config is what I typically use and disable and enable things as I need. Windows Update and WiFi services are disabled, Bluetooth is working. If you use Ethernet to connect to the Internet and don't care about the icon in the taskbar you can disable all the network services too, except for Network Store Interface Service (nsi).

Extreme:
Do not use this! The bare minimum for a working desktop system aka just gaymen and browsing teh interwebs. Disables Windows Update, breaks a few pages in Settings, breaks Night Light, breaks Bluetooth, Printers, WiFi, Mobile Hotspot, breaks anything dealing with removing or installing UWP apps and bunch of other stuff. Only usable for direct Ethernet connections and wired sound listening.

If you use Bluetooth enable:

• AVCTP service
• Bluetooth Audio Gateway Service
• Bluetooth Support Service
• Bluetooth User Service
• Device Association Service
• DevicesFlow
• DevicePicker
• Radio Management Service

If you use Night Light enable:

• Display Policy Service
• Connected Devices Platform User Service (CDPUserSvc)
• Connected Devices Platform Service (CDPSvc)
• Network Connection Broker

If you use WiFi / Mobile Hotspot enable:

• CNG Key Isolation
• Extensible Authentication Protocol
• Internet Connection Sharing (ICS)
• Windows Mobile Hotspot Service
• WLAN AutoConfig

If you use Windows Update enable:

• Storage Service
• Update Orchestrator Service
• Windows Modules Installer
• Windows Update
• Windows Update Medic Service

Fix for Network and System settings pages error, enable:

• Connected Devices Platform User Service
• Windows Push Notifications System Service
• Windows Push Notifications User Service

---

Task Scheduler

There are few interesting tasks we can take a look at disabling, they mostly involve sending telemetry to Microsoft.
Do a Start menu search for "Task Scheduler" or open Run and type taskschd.msc.

Navigate to Task Scheduler Library > Microsoft > Windows then under each of the following folders disable a task by right-clicking then selecting Disable:

• Application Experience : Microsoft Compatibility Appraiser
• Autochk : Proxy
• Customer Experience Improvement Program : Consolidator, UsbCeip
• Diagnosis : RecommendedTroubleshootingScanner
• Disk Diagnostic : Microsoft-Windows-DiskDiagnosticDataCollector
• International : Synchronize Language Settings
• Windows Error Reporting : QueueReporting

---

Group Policy

To minimize the damage once we connect to the internet and launch Windows Update, we will configure a few Group Policy Object (GPO) settings.
Search the Start Menu for "Group Policy" or open Run and launch gpedit.msc.

Navigate to Computer Configuration > Administrative Templates > All Settings.
Press the first column of the list that appears to order everything alphabetically, go through the list and:

Disable the following:
Disabling Windows Updates here makes it so Windows will only check for updates manually when we press the button to do so.

Enable the following:
Pay attention that for some of the options you have to select the correct setting in the drop-down menu after enabling them such as "Prevent Pre-Launching" for Microsoft Edge or "[0] Security [Enterprise Only]" for Allow Telemetry.

---

Update Windows

It's finally time to connect to the Internet and launch Windows Update.

I don't want to update, updates only add bloat/bugs, I'll just run this 2019 build of LTSC

You should still update up to a certain point, unless Microsoft starts doing silly updates to change and break stuff in the future.
Even if in this guide we have disabled automatic Windows Updates, it is merely to get better control of when those updates happen and not have Windows Update routinely pinging outside IP addresses and running in the background. I still recommend to keep your Windows system up-to-date with the latest security and bug fixes.

Update manually

If you don't want to connect to Windows Update, or completely disabled it then I suggest you download update packs separately from the official Microsoft repository by doing a search for "21H2 x64". At the time of writing this guide these are the cumulative updates you're likely receive for 21H2:

• KB5017500
• KB5017308
• KB5012170
• KB5017380
• KB5020613
• KB5020030

Remove Edge

If after updating and rebooting you run into the unpleasant surprise of Microsoft Edge being installed on your machine and nagging you right away, then I suggest you run this handy script to nuke it. Microsoft seems to be ignoring all the registry tweaks to NOT install Edge, as usual.

Kill Windows Update

You might have noticed when you boot your computer that Windows Update launches automatically in the background and connects to remote addresses. The WU service is accompanied by a handful of other pesky services like Windows Update Medic Service (WaaSMedicSvc), Update Orchestrator Service (UsoSvc) or Delivery Optimization (DoSvc). Even though you disabled them in the services tool, they keep coming back and re-enabling themselves... here's how to deal with them. There might be other, easier ways to do this or more technically correct ways but this is the way I know how to do.

Disable Windows Update services

Open a Windows Run Dialog (Win + R). Type in services.msc and press OK.
Sort all the services by Name then right-click on the service and select Properties. Click the Stop button (if the service is running). Change the Startup type to Disabled. Click OK.

Note: Some services may only to be disabled in the registry.

Disable the following services:

• Delivery Optimization
• Update Orchestrator Service
• Windows Update
• Windows Update Medic Service

Disable Windows Update tasks

We need to acquire a tool called NSudo. This tool will allows us to easily launch programs with the TrustedInstaller privilege. Download the latest release ZIP, unpack it and launch NSudoLG.exe as Administrator.
Under Open: type taskschd.msc as seen in the image below and click Run.

In the Task Scheduler navigate to Task Scheduler Library > Microsoft > Windows then under each of the following folders disable a task by right-clicking then selecting Disable:

• UpdateOrchestrator : Disable EVERY task here, Reboot, Scheduled Scan etc.
• WaaSMedic : PerformRemediation
• WindowsUpdate : Scheduled Start

Revoking Windows Update privileges

Lastly we need to revoke the privileges of SYSTEM so the tasks aren't re-enabled and the services reset and launched again.
In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

After checking that the Start key is set to 4 (disabled), right-click the root key (folder) and select Permissions... then Advanced. You may need to disable inheritance to be able to change permissions. In here we want to go into every account by clicking Edit... and then unticking Full Control. Only Read needs to be enabled.

Do this for the following keys:

• UsoSvc
• WaaSMedicSvc
• wuauserv

Reboot and you're done.

---

That's it for this guide, you should now have a fairly minimal Windows installation, ready to customize to your needs.

Hope it was helpful!