Skip to main content

Windows Workstations MSA Standard Configuration

This document provides a comprehensive overview of the workstation configuration and optimization scripts in the enhancement/workstation-standards feature branch.

Overview

These PowerShell scripts are designed for MSP deployment via RMM platforms to standardize Windows workstation configurations. All scripts follow the standard template with dual execution modes (interactive and RMM).

Script Categories

1. Configuration Scripts

msft-windows-config-bitlocker-enable.ps1

Purpose: Enables BitLocker encryption on Windows workstations

Features:

  • Checks for TPM 2.0 requirement
  • Enables BitLocker on OS drive with TPM protector
  • Adds recovery password protector
  • Optionally encrypts fixed data drives with auto-unlock
  • Saves recovery keys to local file for RMM collection
  • Uses XtsAes256 encryption method

RMM Variables:

  • $EncryptDataDrives (default: $true)
  • $UseUsedSpaceOnly (default: $true)

msft-windows-config-features.ps1

Purpose: Installs optional Windows features during workstation setup

Features Installed:

  • .NET Framework 3.5 (for legacy applications)
  • Windows Sandbox (Pro/Enterprise only, for safe app testing)
  • Hyper-V (optional, requires compatible hardware)

RMM Variables:

  • $InstallNetFx3 (default: $true)
  • $InstallSandbox (default: $true)
  • $InstallHyperV (default: $false)

msft-windows-config-performance-ssd.ps1

Purpose: Applies SSD performance optimizations

Actions:

  • Detects SSD presence before applying optimizations
  • Disables SysMain (Superfetch) service
  • Disables Prefetch via registry
  • Disables telemetry/diagnostic scheduled tasks

RMM Variables:

  • $DisableScheduledTasks (default: $true)

msft-windows-config-registry-backup.ps1

Purpose: Enables periodic Windows registry backup

Actions:

  • Enables EnablePeriodicBackup registry key
  • Windows automatically backs up registry hives to %SystemRoot%\System32\config\RegBack
  • Backs up: SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT

msft-windows-config-system-restore.ps1

Purpose: Enables System Restore and creates initial restore point

Actions:

  • Enables System Restore on system drive
  • Enables periodic registry backup
  • Creates initial restore point (subject to 24-hour throttle)

msft-windows-power-management-config.ps1

Purpose: Configures comprehensive power management settings for optimal performance

Settings Applied (across all power plans):

  • Disables hybrid sleep
  • Disables fast startup globally
  • Disables hibernation completely
  • Disables hard disk turn-off
  • Disables automatic sleep
  • Sets lid close action to sleep (laptops)
  • Sets critical battery action to shutdown
  • Disables USB selective suspend
  • Disables PCIe Link State Power Management
  • Enables wake timers
  • Sets wireless adapters to maximum performance
  • Optimizes video playback and multimedia settings

2. Debloat Scripts

msft-windows-debloat-apps.ps1

Purpose: Removes default Windows apps (bloatware) not needed in business environments

App Categories Removed:

Category

Apps

Xbox

Xbox.TCUI, XboxApp, GamingOverlay, GamingApp, etc.

Communications

People, Mail, Calendar, Skype, Messaging

Maps

WindowsMaps

Entertainment

Zune Music/Video, Solitaire, Mixed Reality Portal

Misc Bloat

3D Builder, Print3D, Bing apps, Feedback Hub, YourPhone, Clipchamp, Teams (consumer), etc.

RMM Variables:

  • $RemoveXbox (default: $true)
  • $RemoveCommunications (default: $true)
  • $RemoveMaps (default: $true)
  • $RemoveEntertainment (default: $true)
  • $RemoveMiscBloat (default: $true)

msft-windows-debloat-services.ps1

Purpose: Disables unnecessary Windows services

Services Disabled:

Service

Description

HomeGroupListener/Provider

Deprecated HomeGroup services

lfsvc

Geolocation Service

MapsBroker

Downloaded Maps Manager

NetTcpPortSharing

Net.Tcp Port Sharing

RemoteRegistry

Remote Registry (security risk)

SharedAccess

Internet Connection Sharing

TrkWks

Distributed Link Tracking Client

WMPNetworkSvc

Windows Media Player Network Sharing

wisvc

Windows Insider Service

wercplsupport

Problem Reports Control Panel

msft-windows-debloat-telemetry-privacy.ps1

Purpose: Configures Windows telemetry and privacy settings

Settings Applied:

Category

Actions

Telemetry

Sets AllowTelemetry to 0 (Security/Off), disables feedback notifications

Data Collection

Disables diagnostic data, CEIP, Windows Error Reporting

Advertising

Disables Advertising ID, tailored experiences, app suggestions

Location

Disables location tracking and scripting

Activity History

Disables activity feed, timeline, activity upload

Cortana/Search

Disables Cortana, web search

Network

Disables WiFi Sense, SmartScreen for Store apps

3. Disable Scripts

msft-windows-disable-core-isolation.ps1

Purpose: Disables Core Isolation (Memory Integrity/HVCI) for performance

Use Case: Systems experiencing:

  • 10-15% CPU performance overhead
  • Driver/software incompatibility
  • Virtualization software conflicts
  • Blue screens with certain hardware

Actions:

  • Disables Memory Integrity (HVCI)
  • Disables Virtualization Based Security (VBS)
  • Disables Credential Guard
  • Relaxes Kernel DMA Protection policy
  • Sets VSM/Hypervisor launch type to Off

⚠️ Warning: Disables Hyper-V, WSL2, and Windows Sandbox. Requires restart.

msft-windows-disable-mpo.ps1

Purpose: Disables Multiplane Overlay (MPO) to fix gaming issues

Use Case: Systems experiencing:

  • Game stuttering and microstutter
  • Frame drops and inconsistent frame times
  • Screen flickering in fullscreen games
  • Black screen issues
  • Multi-monitor gaming problems

Action: Sets OverlayTestMode = 5 in DWM registry

msft-windows-disable-offline-files.ps1

Purpose: Completely disables Windows Offline Files (Client-Side Caching)

Actions:

  • Stops and disables CSC service
  • Sets registry keys to disable Offline Files
  • Marks cache database for deletion on reboot
  • Clears Offline Files cache

⚠️ Warning: Requires system reboot for full effect.

msft-windows-disable-xbox-services.ps1

Purpose: Disables Xbox-related services and Game Bar

Services Disabled:

  • XboxGipSvc (Xbox Accessory Management)
  • XblAuthManager (Xbox Live Auth Manager)
  • XblGameSave (Xbox Live Game Save)
  • XboxNetApiSvc (Xbox Live Networking)
  • BcastDVRUserService (Game Bar Presence Writer)

Registry Settings:

  • Disables Game Bar and Game DVR
  • Disables Game Mode
  • Disables Xbox Game Monitoring
  • Disables Xbox scheduled tasks

4. Utility Scripts

msft-windows-install-apps-winget.ps1

Purpose: Installs applications using WinGet package manager

Default Apps:

  • 7-Zip
  • VLC Media Player
  • Notepad++
  • Microsoft Visual C++ Redistributable 2015+

RMM Variables:

  • $AppList - Comma-separated WinGet app IDs (overrides defaults)
  • $CleanDesktopShortcuts (default: $true)

Deployment Recommendations

  1. Initial Setup Phase:
    • msft-windows-config-system-restore.ps1
    • msft-windows-config-registry-backup.ps1
    • msft-windows-config-features.ps1
  2. Debloat Phase:
    • msft-windows-debloat-apps.ps1
    • msft-windows-debloat-services.ps1
    • msft-windows-debloat-telemetry-privacy.ps1
  3. Performance Optimization:
    • msft-windows-config-performance-ssd.ps1
    • msft-windows-power-management-config.ps1
    • msft-windows-disable-xbox-services.ps1
  4. Optional/Situational:
    • msft-windows-disable-offline-files.ps1 (if not using offline files)
    • msft-windows-disable-core-isolation.ps1 (only if performance/compatibility issues)
    • msft-windows-disable-mpo.ps1 (only if gaming/display issues)
    • msft-windows-config-bitlocker-enable.ps1 (encryption policy)
  5. Application Deployment:
    • msft-windows-install-apps-winget.ps1

Reboot Requirements

Script

Reboot Required

config-bitlocker-enable

Sometimes

config-features

Yes

config-performance-ssd

No

config-registry-backup

No

config-system-restore

No

power-management-config

Recommended

debloat-apps

No

debloat-services

No

debloat-telemetry-privacy

Recommended

disable-core-isolation

Yes (Required)

disable-mpo

Yes

disable-offline-files

Yes (Required)

disable-xbox-services

Recommended

install-apps-winget

No

Script Count Summary

Category

Count

Configuration

6

Debloat

3

Disable

4

Utility

2

Total

15


Back to top