[W11 24H2 LTSC] Can't make unattended install, hardware bypasses and copyprofile work together

arrowflash · Monday at 10:44 PM

Since the Windows 8 days and with multiple Windows 10 builds up to 22H2, I've always been building custom sysprepped, generalized install images using answer files and copyprofile feature, always with the same method. Clean install in a VM, enter audit mode with Ctrl+Shift+F3 during OOBE, make all required changes, install and configure software, etc. and then wrap it all up with sysprep.exe /generalize /oobe /shutdown /unattend:c:\windows\deploy_win.xml. Then mount the VM Windows partition, create an install.wim using dism, and throw it in a standard Windows install iso.

Never used autounattend.xml before, I remember I tried, but ran into issues with past versions of Windows, and my method has always worked fine.

But now I'm finally taking the dive into Windows 11, starting with Windows 11 24H2 Enterprise LTSC, and I'm running into issues using this method. The main problem, is that I also want to bypass the system requirements check for TPM, SecureBoot, RAM, etc. during Windows PE stage. And this isn't working alongside my custom answer file (I know it works in schneegans autounattend though), and it's causing me a major headache. I'm stuck.

This is my old unmodified unattend xml that has always worked prior to Windows 11. I apply this xml using sysprep while still in audit mode, with sysprep.exe /generalize /oobe /shutdown /unattend:c:\windows\deploy_win.xml. In this form, it actually works without issues on Windows 11 24H2 (and Windows 2025) as well, but the requirements restrictions obviously aren't bypassed:

Code:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="offlineServicing">
        <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <EnableLUA>true</EnableLUA>
        </component>
    </settings>
    <settings pass="generalize">
        <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SkipRearm>1</SkipRearm>
        </component>
    </settings>
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
            <TimeZone>E. South America Standard Time</TimeZone>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>0416:00000416</InputLocale>
            <SystemLocale>pt-BR</SystemLocale>
            <UILanguage>pt-BR</UILanguage>
            <UILanguageFallback>en-US</UILanguageFallback>
            <UserLocale>pt-BR</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <NetworkLocation>Other</NetworkLocation>
                <ProtectYourPC>3</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
                <UnattendEnableRetailDemo>false</UnattendEnableRetailDemo>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
            </OOBE>
            <UserAccounts>
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Name>user01</Name>
                        <DisplayName>user01</DisplayName>
                        <Group>Administrators;Users</Group>
                        <Description>Conta de usuario padrao criada pela instalacao do Windows.</Description>
                        <Password>
                            <PlainText>true</PlainText>
                            <Value></Value>
                        </Password>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
            <TimeZone>E. South America Standard Time</TimeZone>
            <AutoLogon>
                <Username>user01</Username>
                <Enabled>true</Enabled>
                <LogonCount>2</LogonCount>
                <Password>
                    <PlainText>true</PlainText>
                    <Value></Value>
                </Password>
             </AutoLogon>
        </component>
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ExtendOSPartition />
            <Reseal />
        </component>
    </settings>
</unattend>

(it's not a fully unattended install, user should be prompted for partitioning and formatting, but otherwise it should be unattended)

My first attempt at fixing the issue, was to add a windowsPE pass copied from schneegan's autounattend.xml files, between offlineServicing and generalize passes:

Code:

    <settings pass="windowsPE">
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
            <ImageInstall>
                <OSImage>
                    <Compact>false</Compact>
                </OSImage>
            </ImageInstall>
            <UserData>
                <ProductKey>
                    <Key>00000-00000-00000-00000-00000</Key>
                </ProductKey>
                <AcceptEula>true</AcceptEula>
            </UserData>
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassTPMCheck /t REG_DWORD /d 1 /f</Path>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Order>2</Order>
                    <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassSecureBootCheck /t REG_DWORD /d 1 /f</Path>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Order>3</Order>
                    <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassRAMCheck /t REG_DWORD /d 1 /f</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>

But this isn't working. When I run the sysprep command, it fails with an error message saying there's a syntax error in the deploy_win.xml file, in the first <RunSynchronousCommand wcm:action="add"> line. After lots of testing, investigation and wasted time, I realized that if I removed wcm:action="add" and left only <RunSynchronousCommand>, sysprep would complete without errors and shut down the machine. However, with this modification the restrictions wouldn't be bypassed. Looks like it doesn't do anything without "wcm:action=add" despite Microsoft documentation claiming it's a valid way to call <RunSynchronousCommand>.

Then, I attempted the following workarounds, without sucess:

First, I didn't modify my install.wim and just copied the .xml as an autounattend.xml in the .iso image root dir (This way I actually managed to complete install and restrictions were apparently disabled, but there were several errors during OOBE, and copyprofile didn't work).

Second, tried a rebuilt install.wim without a xml answer file generated during audit mode (only syspre.exe /generalize /oobe /shutdown), and a full autounattend.xml in the .iso image root dir, with <RunSynchronousCommand wcm:action="add"> lines. When I do this, the system gets stuck in a reboot loop soon after WinPE starts when booting from the .iso. Tried in both a Windows 11 24H2 Enterprise LTSC image, and a Windows Server 2025 image, same result. Besides, later I realized copyprofile isn't supposed to work from autounnatend.xml.

Third, tried the two separate answer files method as described in Problems with CopyProfile - Windows 10 Help Forums

My original xml answer file applied in audit mode without a windowsPE pass, and an autounnatend.xml with only the windowsPE pass. Same result, stuck in a reboot loop.

Also tried forcing the old legacy setup by adding to the beginning of windowsPE pass in autounattend.xml:

Code:

                                <RunSynchronousCommand wcm:action="add">
                                        <Description>Switch to legacy Setup</Description>
                                        <Order>1</Order>
                                        <Path>reg add "HKEY_LOCAL_MACHINE\SYSTEM\Setup" /v CmdLine /t REG_SZ /d "X:\sources\setup.exe" /f</Path>
                                </RunSynchronousCommand>

But this brought no results either.

Now I'm pretty much stuck and without ideas of what else I could do or try. I think the issue could be some deprecated entry in my answer file, but I'm not sure, since the original file works in Windows 11 - only when I try to add the requirements bypasses, everything falls apart. Hoping some expert here could help me or at least give some ideas. Thanks.

garlin · Monday at 11:34 PM

Windows Setup in WinPE phase is the program doing the actual HW compatibility checks.

So you'll need a bare-bones autounattend.xml or \Windows\Panther\unattend.xml.
Continue to enter audit mode as you've done before.

Code:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="windowsPE">
                <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                        <RunSynchronous>
                                <RunSynchronousCommand wcm:action="add">
                                        <Order>1</Order>
                                        <Path>reg add HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1 /f</Path>
                                </RunSynchronousCommand>
                                <RunSynchronousCommand wcm:action="add">
                                        <Order>2</Order>
                                        <Path>reg add HKLM\SYSTEM\Setup\LabConfig /v BypassSecureBootCheck /t REG_DWORD /d 1 /f</Path>
                                </RunSynchronousCommand>
                                <RunSynchronousCommand wcm:action="add">
                                        <Order>3</Order>
                                        <Path>reg add HKLM\SYSTEM\Setup\LabConfig /v BypassRAMCheck /t REG_DWORD /d 1 /f</Path>
                                </RunSynchronousCommand>
                        </RunSynchronous>
                        <UserData>
                                <ProductKey>
                                        <Key></Key>
                                </ProductKey>
                        </UserData>
                </component>
        </settings>
</unattend>

arrowflash · Monday at 11:54 PM

garlin said:
Windows Setup in WinPE phase is the program doing the actual HW compatibility checks.

So you'll need a bare-bones autounattend.xml or \Windows\Panther\unattend.xml.
Continue to enter audit mode as you've done before.

Thanks, but this is exactly one of the things I already tried, as I detailed in step 3:

Third, tried the two separate answer files method as described in Problems with CopyProfile - Windows 10 Help Forums

My original xml answer file applied in audit mode without a windowsPE pass, and an autounnatend.xml with only the windowsPE pass. Same result, stuck in a reboot loop.

The only thing I haven't tried is moving it to \Windows\Panther\unattend.xml instead of autounattend.xml. I'll give this a try, who knows.

garlin · Tuesday at 12:33 AM

Functionally, either location works the same. When you're saying it's in a reboot loop, are you talking about entering audit mode or exiting it?

24H2's new Setup client treats a clean install as an "upgrade". You'll get an empty Windows.old folder next to the normal Windows folder, this one has to be deleted in audit mode.

The reason for switching back to the legacy Setup client is it doesn't make Windows.old. If you just don't feel like figuring out all the new 24H2 "quirks" and just want to get back to what you did before, follow this procedure:

Problems with 24H2 autounattend install with config set

arrowflash · Tuesday at 12:49 AM

garlin said:
Functionally, either location works the same. When you're saying it's in a reboot loop, are you talking about entering audit mode or exiting it?

24H2's new Setup client treats a clean install as an "upgrade". You'll get an empty Windows.old folder next to the normal Windows folder, this one has to be deleted in audit mode.

The reason for switching back to the legacy Setup client is it doesn't make Windows.old. If you just don't feel like figuring out all the new 24H2 "quirks" and just want to get back to what you did before, follow this procedure:

Problems with 24H2 autounattend install with config set

When I meant reboot loop, I thought I had explained pretty clearly:

When I do this, the system gets stuck in a reboot loop soon after WinPE starts when booting from the .iso.

I mean when booting from a newly created .iso with the autounnatend.xml in its root dir, and the sysprepped install.wim.

After the system completes the BIOS checks and boots the .iso, as soon as WinPE starts, a command prompt window flashes for a second and then it reboots the system. If there's a Windows OS already installed, it boots to the OS installed in the HDD/SSD, otherwise if it's an unpartitioned HDD/SSD, it gets stuck in a reboot loop.

This only happens when autounattend.xml (with Windows 11 checks disabled) is in the root dir of the .iso. Otherwise the setup starts fine. It also starts fine when using an autounattend.xml without compatibility checks disabled (no RunSynchronous tags in windowsPE stage).

garlin · Tuesday at 1:15 AM

Typically if your answer file has some formatting error or an incorrect directive, Setup will halt with an onscreen dialog about line [something] in the XML file.

The command prompt is flashing because it's executing one or more of the RunSynchronous commands. Then something weird breaks Setup. I would just follow the process to change CmdLine in boot.wim, so you're running legacy Setup. That way if you really have a defective autounattend.xml, it will explicitly call it out and pause onscreen (no exiting back to BIOS).

You should be able with the legacy Setup to open a CMD window, and browse the X:\ drive setup logs.

arrowflash · Tuesday at 1:29 AM

garlin said:
Typically if your answer file has some formatting error or an incorrect directive, Setup will halt with an onscreen dialog about line [something] in the XML file.

The command prompt is flashing because it's executing one or more of the RunSynchronous commands. Then something weird breaks Setup. I would just follow the process to change CmdLine in boot.wim, so you're running legacy Setup. That way if you really have a defective autounattend.xml, it will explicitly call it out and pause onscreen (no exiting back to BIOS).

You should be able with the legacy Setup to open a CMD window, and browse the X:\ drive setup logs.

I have tried using the legacy Setup (loading it before the other commands in load order), but same thing happened:

Also tried forcing the old legacy setup by adding to the beginning of windowsPE pass in autounattend.xml:

But this brought no results either.

Either way, I'm also beginning to suspect some formatting or parsing error...

FreeBooter · Tuesday at 1:31 AM

In this guide, I’ll outline the steps to perform the cleanest debloated installation of Windows 11 on unsupported hardware.

garlin · Tuesday at 2:08 AM

arrowflash said:
I have tried using the legacy Setup (loading it before the other commands in load order), but same thing happened:

Either way, I'm also beginning to suspect some formatting or parsing error...

Attach the file as a ZIP file (don't just copy and paste it). Maybe someone can validate it.

arrowflash · Tuesday at 2:49 AM

garlin said:
Attach the file as a ZIP file (don't just copy and paste it). Maybe someone can validate it.

Update:

It really was a parsing or formatting error! Windows is really finicky about this. I decided to use SIM to recreate the answer files, with exactly same config, and the boot issues ceased! Now I can get into Windows 11 Setup with the hard requirements (TPM, Ram, Secure Boot, etc) disabled. However, there are still other problems:

1. Even using this code in autounattend.xml:

Code:

                <RunSynchronousCommand wcm:action="add">
                    <Description>ForceLegacySetup</Description>
                    <Order>1</Order>
                    <Path>reg add "HKLM\SYSTEM\Setup" /v CmdLine /t REG_SZ /d "X:\sources\setup.exe" /f</Path>
                </RunSynchronousCommand>

This command isn't working. My isos are still using the "modern" setup instead of the legacy setup.

2. None of the configs in my internal answer file, including copyprofile, are being applied. I checked the generated install.wim and unattend.xml was copied to C:\Windows\Panther with correct settings. No errors in log files.

3. I'm attaching a .zip with the recently recreated answer files in SIM.

Thank you for all the attention and patience.

garlin · Tuesday at 2:51 AM

arrowflash said:

1. Even using this code in autounattend.xml:

Code:

                <RunSynchronousCommand wcm:action="add">
                    <Description>ForceLegacySetup</Description>
                    <Order>1</Order>
                    <Path>reg add "HKLM\SYSTEM\Setup" /v CmdLine /t REG_SZ /d "X:\sources\setup.exe" /f</Path>
                </RunSynchronousCommand>

Sadly, this only works if you apparently have nothing else in the file. I'm not even going to pretend I understand why it works that way, either.

garlin · Tuesday at 3:01 AM

Just as a reminder (which has been confirmed by Paul Batard of Rufus fame, and Michael Niehaus), the only legitimately working bypasses are:

BypassTPMCheck

BypassSecureBootCheck

BypassRAMCheck

Anything else is urban legend. And endlessly repeated online as "truth".

I thought the standard place for the sysprep unattend.xml was \Windows\System32\sysprep, so you don't need a path argument.

arrowflash · Tuesday at 3:04 AM

garlin said:
Sadly, this only works if you apparently have nothing else in the file. I'm not even going to pretend I understand why it works that way, either.

I see. Looks like I'll have to mess with the boot.wim to force legacy setup then? Bummer.

Wonder if using legacy setup can fix the other issues?

arrowflash · Tuesday at 3:10 AM

garlin said:
Just as a reminder (which has been confirmed by Paul Batard of Rufus fame, and Michael Niehaus), the only legitimately working bypasses are:

BypassTPMCheck
BypassSecureBootCheck
BypassRAMCheck

Anything else is urban legend. And endlessly repeated online as "truth".

Good to know.

garlin said:
I thought the standard place for the sysprep unattend.xml was \Windows\System32\sysprep, so you don't need a path argument.

As for the standard place, unless it's supposed to have been changed, I thought it was \Windows\Panther? At least that's how it's set up in my working install.wim images. When you point an answer file somewhere else in sysprep (like /unattend:c:\deploy_win.xml), it automatically copies and renames the file to %windir%\Panther\unattend.xml.

I think I've read somewhere that %windir%\System32\sysprep\Panther is a valid location too, but not the default one.

garlin · Tuesday at 3:17 AM

/unattend will copy the file into \Windows\Panther, but the problem is if you got other stuff going on (like another Panther file you're using, or autounattend.xml which isn't done, but the remaining part gets copied to Panther... there's an obvious conflict.

Some people just tuck the sysprep unattend into the sysprep folder and eliminate any confusion or overlap.

arrowflash · Tuesday at 3:17 PM

I managed to enable the legacy setup, using the winpeshl.ini in boot.wim method.

Unfortunately, using the legacy setup didn't fix any of the issues I'm having.

The issue is definitely related to the setup process, though. When the image is ready for deployment (after running sysprep /generalize /oobe /shutdown /unattend, building an install.wim and applying it to the iso), I open install.wim, and the proper answer file I created is present as unattend.xml in C:\Windows\Panther.

However, at some point during install (before OOBE stage), if autounattend.xml is present in the .iso root dir, setup overwrites C:\Windows\Panther\unattend.xml with the contents from autounattend.xml in the destination drive. This is happening regardless of using legacy setup or modern setup. I know it's an overwriting issue, because without an autounattend.xml file, everything works.

C:\Windows\System32\Sysprep and C:\Windows\System32\Sysprep\Panther don't contain any answer files, either in the ready for deployment install.wim, or after the botched install. Should I try placing an unattend.xml there?

Anyone ever had a similar issue when trying to use autounattend.xml with another answer file? Is there any way to prevent this from hapenning?

By the way, I think I had exactly the same problem with Windows 10 in the long past. However, since with Windows 10 I didn't need an autounattend.xml answer file, I just placed everything in unattend.xml and didn't bother to keep troubleshooting the issue.

garlin · Tuesday at 3:24 PM

There's a search order for the answer file, which determines which one wins. Normally \autounattend.xml is outranked by \Windows\Panther\unattend.xml.

Windows Setup Automation Overview

learn.microsoft.com

arrowflash · Tuesday at 3:28 PM

Yes, I've seen and even bookmarked this. This is the biggest head-scratcher. According to MS's documentation, this shouldn't be hapenning.

arrowflash · Tuesday at 3:40 PM

By the way, a bit of googling shows other people who had the same issue in the past, as far back as with Windows Server 2008 R2. No clear answers or solutions in any of the cases. I kind of give up and going to look for another workaround.

Since the only thing I really need autounattend.xml for is those BypassTPMCheck, BypassSecureBootCheck and BypassRAMCheck .reg keys, is there another way I could enable this at WinPE boot time without this answer file? I'm open to alternatives. By prepending these reg keys in boot.wim registry hive for example, would this be possible?

garlin · Tuesday at 3:53 PM

The other way is mounting boot.wim's SYSTEM hive and applying the changes locally. Some people don't like that because they want a "pure image" approach which only uses an answer file to manage the install. But the integrated reg key approach works fine.

[W11 24H2 LTSC] Can't make unattended install, hardware bypasses and copyprofile work together

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

Well-known member

My Computer

New member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

New member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

New member

My Computer

Well-known member

My Computer

Similar threads