Workstation Setup for Windows 11

This is a best practice guide for setting up and hardening a new Workstation from scratch. It will cover all steps in preparing a Workstation for the use of IPFusion, however, it will not cover how to download and install IPFusion. This guide will have 9 steps:

  1. Windows 11 Install
  2. Drivers and Updates
  3. Basic Configuration
  4. Group Policy Editor
  5. Control Panel Configuration
  6. Windows 11 Settings Menu
  7. Services
  8. Windows Media Player
  9. Project Specific Tasks

A bootable USB with a Windows 11 image on it will be required.

1. Windows 11 Install

Check Internet Connection

If not already connected to the internet, follow these steps:
  1. In the Let's connect you to a network screen, press Shift+F10 to launch Command Prompt.
  2. Type in the following command: OOBE\BYPASSNRO
  3. After successful execution, the system will restart the OOBE session box. When you reach the Let's connect you to a network screen, click I don't have Internet, continue to click limited setup, accept the license agreement and continue to create a local user account.

Check and Install the latest System Bios

Install the latest Windows 11 through USB following these steps

  1. Choose the following Settings:
    • Language to Install: English (United States)
    • Time and Currency Format: English (United States)
    • Keyboard or input method: US

    Click Next.

  2. Click Install Now, and then install Windows 11 Enterprise.
  3. Enter the product key or choose: I don’t have a product key to license Windows after install.
  4. Select Windows 11 (Pro/Enterprise).
  5. Accept the user agreement.
  6. Choose Custom Install.
  7. Delete all existing partitions (if present).
  8. Select Drive 0 Unallocated Space and press Next.
  9. Windows will now install. The computer may restart during this process.
  10. Choose Region: select the current location.
  11. Keyboard Layout: US and skip second keyboard layout.
  12. Click Skip for now button on the Let's Name your Device page.
  13. Select Set up for work or school and click Next.
  14. Click Sign-in options.
  15. Select Domain join instead.
  16. Default User: Operator; Default Password: Operator
  17. For the next options, choose the following:
    • Click No for Let Microsoft and apps use your location
    • Select Required only for Send diagnostic data to Microsoft
    • For Improving inking and typing select No
    • For Get tailored experiences with diagnostic data click No
    • For Let apps use advertising ID click No

Set Time Zone according to your location

Note: If the computer is not connected to internet, continue with the Drivers and Updates Guide and return to set up the time zone after the internet is connected.

Select 'Private Type' network

In the Windows search bar, type in Network and Internet. Click on Properties and select Private under Network Profile Type.

2. Drivers and Updates

Obtain the Latest Drivers from the Manufacturer Website

Download drivers for:
  • Motherboard
  • Graphics card (if present)
    Note: If the computer does not have internet, use a separate computer that is connected to the internet and transfer over the drivers using a USB drive.

Download and Install Drivers into their Respective Folders as Follows:

  1. C:\Drivers\Audio
  2. C:\Drivers\Chipset
  3. C:\Drivers\LAN
  4. C:\Drivers\Video
  5. Any other categories

Install Drivers in the Following Order Restarting the Computer After Each Install:

  1. Chipset
  2. Video
  3. Any other drivers
    Note: Installation of drivers out of order can result in significant performance and stability issues.

Check the Device Manager for any Driver-Related Issues

Install Windows Updates

Warning: Do not install driver updates delivered through Windows Update.

3. Basic Configuration

Create a C:\IPFusion folder. Enable sharing and disable Read Only

Right click the IPFusion folder and click Properties. Find the Sharing tab and select Operator under Name and click Share. Afterwards, under the General tab find Attributes and click Read Only to disable it.

  1. Inside the folder create a folder named Installs and place a copy of all installed software.
  2. Inside the folder create a folder named Tools and place the desktop background image.

Delete any Windows Desktop shortcuts, but keep Recycle Bin

Depending on the graphic card brand, find out how to disable any graphics card Hot Keys such as screen rotation

Unpin Microsoft Edge, and Microsoft Store from the Taskbar

Right click on the Taskbar and select Taskbar setting:

Taskbar settings:
  • Select Hide for Search options
  • Toggle off Copilot in windows (if present)
  • Toggle off Task View
  • Toggle off Widgets
  • Toggle off Pen Menu
  • Select Never for Touch Keyboard (if not using touchscreen)
  • Toggle off Virtual Touchpad

In the BIOS, set after power failure: Restore Last State

Install Notepad++

  1. Install Notepad++
  2. In the application, go to Settings and then Preferences:
    • Backup → Uncheck Remember current session for next launch
    • MISC. → Uncheck Enable Notepad++ auto-updater
  3. Go to Plugins and click on Plugins Admin
    • Install the XML Tools Plug-In
    • Install the Compare Plug-In

Uninstall the following Programs (if present):

  • Camera
  • Copilot
  • Cortana
  • Films & TV
  • Feedback Hub
  • Maps
  • Microsoft 365 (Office)
  • Microsoft Clipchamp
  • Microsoft To Do
  • Movies & TV
  • News
  • People
  • Photos
  • Power Automate
  • Sports
  • Solitaire & Casual Games
  • Sound Recorder
  • Weather
  • Xbox
  • Xbox Live
  • Note: Use the following PowerShell command to uninstall native Windows feature tiles:
    • Get-AppxPackage *AppName* | Remove-AppxPackage

4. Group Policy Editor

→ Start → Search → gpedit.msc

OneDrive

  1. Computer Configuration → Administrative Templates → Windows Components → OneDrive
  2. Prevent the usage of OneDrive for File Storage
    • Set it to Enabled
    • Next, open the Task Manager and click on Startup apps in the menu
    • Select OneDrive and set it to Disabled

Customer Experience Improvement Program

The following steps will prevent users from opening and using Windows Store.

  1. Computer Configuration → Administrative Templates → System → Internet Communication Management → Internet Communication Settings
    • Right click → New Software Restriction Policy
  2. Turn off Windows Customer Experience Improvement Program
    • Set it to Enabled

Microsoft Store

The following steps will prevent users from opening and using Windows Store.

  1. Computer Configuration → Windows Settings → Security Settings → Software restriction policies
    • Right click → New Software Restriction Policy
  2. Additional Rules

    • Right click → New Path Rule

    • Enter the Microsoft Store path: %programfiles%\WindowsApps\Microsoft.WindowsStore*

      Note: Be sure to include the * wildcard at the end of the path.

5. Control Panel Configuration

The following configuration is all done through the control panel. Each subsection heading is an option that can be selected in the control panel. Set control panel to → View by: Small Icons.

Power Options

Set these options based on the desired use of the computer. The following is recommended:

First ensure that hibernate is completely disabled
  1. Click Start, and then type cmd in the Start Search box.
  2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
  3. When you are prompted by User Account Control, click Continue.
  4. At the command prompt, type powercfg.exe /hibernate off, and then press Enter.
  5. Type powercfg /a to see all available power states.
  6. Type exit, and then press enter to close the Command Prompt window.
  7. Reboot the computer. Then return to the Control Panel → Power Options.
  8. Set the Power Plan to High performance, then select Change Plan Settings and then click Change advanced power settings (Make sure High performance is selected from the drop-down).
    • Turn off all power saving
    • Set the Hard Disk to Never
    • Set the USB selective suspend settings to Disabled
    • Set turn off Display to Never
    • Set Hibernate to Never (if present)
    • Set Sleep button to Do Nothing (if present)
    • Set the Lid Close action to Do Nothing (if present)

Start → Turn Windows features on or off

  1. Turn Windows features on or off
    • Remove any unnecessary bundled Windows software (Games, Windows DVD Maker, etc.)
    • Turn ON Media Features (Required for IPFusion to play sound)
    • Turn ON the Telnet Client
    • Turn ON the Telnet if the project is going to use Windows Backup Images

Security and Maintenance

  1. Type in Security and Maintenance and then click on Change Security and Maintenance settings
    • Uncheck everything under Security messages and Maintenance messages
  2. Next, go back to Security and Maintenance and click on Change User Account Control settings
    • Set to Never Notify and disable messages about User Account Control
  3. In the Security and Maintenance page expand the Security tab
    • Turn off all messages about Network Firewall, Virus Protection, Internet Security Settings, User Account Control, etc.
  4. In the Security and Maintenance page expand the Maintenance tab
    • Turn off messages about Report Problems

Sound

In Sound → under All sound devices → select the device which will bring you to the Properties page.
  • Switch Enable audio enhancements to Off

System

Type in Remote Desktop Settings in the search bar.
  • Switch Remote Desktop to On

Windows Firewall

Turn Windows Firewall On or Off
  • Turn off Windows Firewall for all networks

6. Windows 11 Settings Menu

The following configuration is all done through the → Start → Settings menu. Each subsection heading is a selectable option in the settings menu.

System

Set these options based on the desired use of the computer. The following is recommended:

  1. Under System go to Notifications
    • Set all Notifications to Off
      1. Notifications
        • Uncheck all boxes under Additional Settings
  2. Under System go to Multitasking
    • Set all Snap settings to OFF

Personalization

  1. Start settings
    • Show recently added apps: Off
    • Show most used apps: Off
    • Occasionally show suggestions in start: Off (if present)
    • Show recently opened Jump Lists: Off
    • Show recommendation for tips: Off (if present)
    • Show account related notifications: Off
  2. PersonalizationTaskbar
    • Set all to Off except maybe value or other project useful icons.

Privacy & Security

  1. General
    • Set these privacy settings all to Off
  2. Diagnostics & Feedback
    • Set Feedback frequency to Never

Windows Update

  1. Windows Update
    • Select Check for updates
    • Install updates and reboot until there are no more updates
  2. Windows Update→ Advanced Options
    • Toggle On Notify me when a restart is required to finish updating
  3. Virus & threat protection settingsManage Settings
    • Turn Off the Real-time protection, turn Off the Cloud-delivered Protection, and turn Off the Automatic sample submission

7. Services

Services

  1. Device Setup Manager service should be stopped and disabled because it will try and fail to connect to the internet.
  2. Windows Time service either should be enabled or disabled depending on if windows time sync or an external time sync program will be used for this project.
  3. Windows Update service should be stopped and disabled after all updates are complete because it will try and fail to connect to the internet.

8. Windows Media Player

Windows Media Player

Windows Media Player is required to be installed for IPFusion to play sound. Start WMP to configure the first-time run settings.
  • Choose Custom Settings
  • Uncheck all options and then select to make WMP as the default player

9. Project Specific Tasks

Install Touchscreen Drivers

  • Get the latest touchscreen drivers from the internet and install.
    Note: At this point, complete any other tasks or configurations required for the specific project.