2020-09-07
Please refer to the official AME documentation for an up-to-date version
https://ameliorated.info/documentation.html
Download the Windows 10 ISO using Fido (Windows-only) or TechBench. Choose a version that is officially supported by AME Project for the most stable experience, or alternatively, try your luck with the latest version. Make sure to choose the correct UI language; you can't change it after the installation.
Calculate the SHA1 sum of the ISO using sha1sum.
Updated 08.09.2020: You can also use this PowerShell command to calculate the SHA1 sum on Windows without any third party tools (Thank you, @GezeikVan):
Get-FileHash -Algorithm SHA1 Windows_2004.iso
Use AdGuard SHA1 catalog to verify the ISO checksum against the MSDN image database.
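The comparison from the steps above can be scripted so that a mismatch or a truncated paste fails loudly. This is an added example, not part of the original guide: the helper names are hypothetical and the expected digest is whatever you copy from the catalog entry for your ISO.

```shell
#!/bin/sh
# Added example: compare a file's SHA1 with a digest copied from a catalog.
# normalize_sha1 and verify_sha1 are hypothetical helper names.

# Lower-case the digest and drop whitespace, so the upper-case output of
# Get-FileHash and the lower-case output of sha1sum compare equal.
normalize_sha1() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_sha1 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 when EXPECTED is not a SHA1 digest
# or FILE cannot be read.
verify_sha1() {
    file=$1
    expected=$(normalize_sha1 "$2")
    # A SHA1 digest is exactly 40 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ -r "$file" ] || return 2
    # Hash from stdin so unusual file names cannot alter sha1sum's output.
    actual=$(sha1sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Constructed demo: a 3-byte file stands in for the ISO.
demo=$(mktemp) && printf 'abc' > "$demo"
verify_sha1 "$demo" "A9993E364706816ABA3E25717850C26C9CD0D89D" && echo "SHA1 matches"
rm -f "$demo"
```

For the real check, call `verify_sha1 Windows_2004.iso <digest from the catalog>` and stop if it returns non-zero.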
Use the Windows 10 Update History page to determine the KBs of the newest Cumulative update and the SSU for your Windows version. Look up the KBs in the Microsoft Update Catalog and download the update packages for your architecture.
Use Rufus to create a bootable USB drive from the Windows 10 ISO. On Linux you can use WoeUSB instead. Copy the update packages and Rufus executable to the flash drive. Download a Debian-based Linux LiveUSB image, for example Xubuntu and copy it to the USB drive as well. You might also want to add drivers for your PC.
You will also need the newest version of the Amelioration script from the AME website.
Disconnect from the Ethernet/Wi-Fi and don't connect back until we run the Linux AME script.
Install Windows as usual and make sure to answer "No" to every question about telemetry/data collection/geolocation/etc.
After the installation/setup process is complete, do the following things:
These settings might not be available after the "amelioration" process is finished.
Open the PowerShell as Administrator and type the following commands:
mkdir C:/SSU
mkdir C:/Cumulative
Go to the flash drive, open the folder with the update packages, Shift+Right click on the empty space in Explorer and click "Open PowerShell window here".
Unpack the updates. You can tell the SSU apart from the Cumulative update by comparing the package sizes: the SSU file is much smaller than the one for the Cumulative update.
expand -F:* name_of_the_ssu_package.msu C:\SSU
expand -F:* name_of_the_cumulative_package.msu C:\Cumulative
Install the SSU update first. Copy the filename of the CAB package from Explorer, since you won't be able to utilize auto-completion for the DISM command:
dism /online /add-package /packagepath=C:\SSU\name_of_the_ssu.cab
Reboot after applying the SSU and install the Cumulative update:
dism /online /add-package /packagepath=C:\Cumulative\name_of_the_cumulative.cab
Reboot twice after the Cumulative update has been installed.
Finally, launch the cleanup task to get rid of the update cache:
dism /online /Cleanup-Image /StartComponentCleanup
Open the flash drive folder and run the AME script as Administrator. Choose "1. Run Pre-Amelioration" in the menu and wait for the process to finish.
Afterwards, choose "3. User Permissions". Reset the Administrator password and change your user privileges from "Administrator" to "Standard User".
Log out when asked to; use the Ctrl+Alt+Del menu to log out manually if necessary.
After logging back in, run PowerShell as Administrator and reset your password:
net user username *
Enter the password twice. The symbols won't appear in the command line as you type.
Copy the flash drive folder to your desktop and use Rufus to wipe the Windows bootable flash drive and create a Linux USB drive. Reboot into BIOS, re-enable the Internet connection and then boot into Linux.
Mount the Windows drive. Then, navigate to ameliorated.info and copy the download link for the Linux AME script.
Go to the Windows drive, open the terminal in the root folder. Type sudo su and then type wget <paste the download link>. This will give you root privileges and download the AME script to the root of the Windows drive.
As of writing this, running the script produces an error due to incompatible newline symbols:
bash: '\r': command not found
You can either use a sed script to convert the newline symbols to UNIX ones:
Alternatively, use dos2unix:
&&
Now you can run the script by typing bash filename.
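The '\r' error above comes from Windows (CRLF) line endings in the downloaded file. The following added example, which is not part of the original guide or the AME project, detects them, writes a converted copy with sed, and checks that bash can parse the result before anything is run as root; the helper and file names are hypothetical.

```shell
#!/bin/sh
# Added example: detect and strip CRLF line endings before running a script.
# has_crlf and to_unix are hypothetical helper names.

# A literal carriage return, built portably instead of relying on sed's \r.
CR=$(printf '\r')

# has_crlf FILE: succeeds when at least one line ends in a carriage return.
has_crlf() {
    grep -q "${CR}\$" < "$1"
}

# to_unix SRC DST: write an LF-only copy to DST and leave SRC untouched, so
# the file that was downloaded can still be inspected afterwards.
to_unix() {
    sed "s/${CR}\$//" < "$1" > "$2" || return 1
    # Fail if any CR survived or if bash cannot parse the converted copy.
    ! has_crlf "$2" && bash -n "$2"
}

# Constructed demo: a two-line script saved with Windows line endings.
work=$(mktemp -d)
printf 'echo "pre-check"\r\nexit 0\r\n' > "$work/sample.sh"
if has_crlf "$work/sample.sh"; then
    to_unix "$work/sample.sh" "$work/sample.unix.sh" &&
        echo "converted copy parses cleanly"
fi
rm -rf "$work"
```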
After the script is finished with no errors, you can now reboot into Windows with the Internet connection enabled.
Since most of the default Windows applications, including Internet Explorer, Windows Media Player, Photos, etc. are eliminated, we need to install something to replace them.
Edit the AME script that we ran for pre-amelioration and go to the following line:
Add the -installArgs ADDLOCAL=StartMenu after the open-shell text in order to opt out of the "Classic Explorer" part of OpenShell (doesn't work on the current version of Windows as of writing this).
By default, the following applications are installed:
Feel free to replace or remove the applications in this list depending on your personal preferences.
After making the adjustments, run the script as Administrator and choose "2. Run Post-Amelioration".
Download Hardentools by Security Without Borders. Run the script as Administrator, reboot after the process is finished.
You can remove/add a new input language using PowerShell.
$List = Get-WinUserLanguageList
$List.add(<language-code>)
$List.remove(<language-code>)
Set-WinUserLanguageList $List
Replace <language-code> with your language code (e.g. "ru" for Russian or "de-DE" for German).
The drivers can be installed by downloading the driver package (sometimes called "SCCM") for your machine, unpacking it in a folder and executing this command in an elevated shell:
pnputil.exe /add-driver C:\MyDrivers\*.inf /subdirs /install /reboot