Windows 10 AME – Make Windows Suck Less!

September 7, 2020

Screenshot

Please refer to the official AME documentation for an up-to-date version

https://ameliorated.info/documentation.html

Downloading and verifying Windows 10 ISO

Download the Windows 10 ISO using Fido (Windows-only) or TechBench. Choose a version that is officially supported by AME Project for the most stable experience, or alternatively, try your luck with the latest version. Make sure to choose the correct UI language, you can't change it after the installation.

Calcualte the SHA1 sum of the ISO using sha1sum.

Updated 08.09.2020: You can also use this PowerShell commmand to calculate the SHA1 sum on Windows without any third party tools (Thank you, @GezeikVan)

Get-FileHash -Algorithm SHA1 Windows_2004.iso

Use AdGuard SHA1 catalog to verify the ISO checksum against the MSDN image database.

ISO Verification

Downloading updates

Use Windows 10 Update History page to determinte the KBs of the newest Cumulative update and the SSU for your Windows version. Look up the KBs in the Microsoft Update Catalog and download the update packages for your architecture.

Windows 10 Update History

Creating a bootable media

Use Rufus to create a bootable USB drive from the Windows 10 ISO. On Linux you can use WoeUSB instead. Copy the update packages and Rufus executable to the flash drive. Download a Debian-based Linux LiveUSB image, for example Xubuntu and copy it to the USB drive as well. You might also want to add drivers for your PC.

You will also need the newest version of the Amelioration script from the AME website

Installing Windows

Disconnect from the Ethernet/Wi-Fi and don't connect back until we run the Linux AME script.

Install Windows as usual and make sure to answer “No” to every question about telemetry/data collection/geolocation/etc.

After the installation/setup process is complete, do the following things:

These settings might not be available after the “amelioration” process is finished.

Installing updates

Open the PowerShell as Administrator and type the following commands: mkdir C:/SSU mkdir C:/Cumulative Go to the flash drive, open the folder with the update packages, Shift+Right click on the empty space in Explorer and click “Open PowerShell window here”.

Unpack the updates. You can tell the SSU apart from the Cumulative update by comparing the package sizes: the SSU file is much smaller than the one for the Cumulative update.

expand -F:* name_of_the_ssu_package.msu C:\SSU
expand -F:* name_of_the_cumulative_package.msu C:\Cumulative

Install the SSU update first. Copy the filename of the CAB package from Explorer, since you won't be able to utilize auto-completion for the DISM command:

dism /online /add-package /packagepath=C:\SSU\name_of_the_ssu.cab

Reboot after applying the SSU and install the Cumulative update:

dism /online /add-package /packagepath=C:\Cumulative\name_of_the_cumulative.cab

Reboot twice after the Cumulative update has been installed.

Finally, launch the cleanup task to get rid of the update cache:

dism /online /Cleanup-Image /StartComponentCleanup

Running the amelioration script

Open the flash drive folder and run the AME script as Administrator. Choose 1. Run Pre-Amelioration in the menu and wait for the process to finish

Afterwards, choose 3. User Permissions. Reset the Administrator password and change your user privileges from “Administrator” to “Standard User”.

Log out when asked to, use the Ctrl+Alt+Del menu to log out manually if necessary.

After logging back in, run PowerShell as Administrator and reset your password:

net user username *

Enter the password twice. The symbols won't appear in the command line as you type.

Creating a Linux bootable media

Copy the flash drive folder to your desktop and use Rufus to wipe the Windows bootable flash drive and create a Linux USB drive. Reboot into BIOS, re-enable the Internet connection and then boot into Linux

Running the Linux amelioration script

Mount the Windows drive. Then, navigate to ameliorated.info and copy the download link for the Linux AME script.

Go to the Windows drive, open the terminal in the root folder. Type sudo su and then type wget <paste the download link>. This will give you root privileges and download the AME script to the root of the Windows drive.

As of writing this, running the script produces an error due to incompatible newline symbols:

-bash: '\r': command not found

You can either use a sed script to convert the newline symbols to UNIX ones:

sed -i 's/\r$//' filename

Alternatively, use dos2unix:

apt-get update && apt-get install dos2unix
dos2unix filename

Now you can run the script by typing bash filename.

After the script is finished with no errors, you can now reboot into Windows with the Internet connection enabled.

Post-Amelioration

Since most of the default Windows applications, including Internet Explorer, Windows Media Player, Photos, etc. are eliminated, we need to install something to replace them.

Edit the AME script that we ran for pre-amelioration and go to the following line:

choco install -y --force --allow-empty-checksums firefox thunderbird vlc youtube-dl 7zip open-shell jpegview vcredist-all directx onlyoffice

Add the -installArgs ADDLOCAL=StartMenu after the open-shell text in order to opt out of “Classic Explorer” part of the OpenShell (doesn't work on the current version of Windows as of writing this).

By default, the following applications are installed:

Feel free to replace or remove the applications in this list depending on your personal preferences.

After making the adjustments, run the script as Administrator and choose 2. Run Post-Amelioration

Hardening Windows settings

Download Hardentools by Security Without Borders. Run the script as Administrator, reboot after the process is finished.

Changing input language

You can remove/add a new input language using PowerShell.

$List = Get-WinUserLanguageList
$List.add(<language-code>)
$List.remove(<language-code>)
Set-WinUserLanguageList $List

Replace <language_code> with your language code (e.g. “ru” for Russian or “de-DE” for German)

Installing drivers

The drivers can be installed by downloading the driver package (sometimes called “SCCM”) for your machine, unpacking it in a folder and executing this command in an elevated shell:

pnputil.exe /add-driver C:\MyDrivers\*.inf /subdirs /install /reboot