Problem

Two reset paths can produce inconsistent results if image and reset workflows are not aligned.

When local support used USB, we could control the image. When users used Reset this PC or we sent an Intune wipe, the device came back with stock Windows. That brought back unwanted apps and settings.

The outcome was inconsistent. Some devices were clean while others returned with consumer apps. That created avoidable tickets and extra operational overhead.

Constraints

  • Windows 11 24H2
  • HP laptops across multiple sites
  • Intune standalone + Windows Autopilot
  • Local IT staff handling first-line device reset

Decision

  1. Compared outcomes from USB reset, local reset, and Intune wipe.
  2. Verified which apps reappeared after stock reinstall.
  3. Reviewed Autopilot flow in Windows enrollment.
  4. Verified app deployment timing in Apps.
  5. Confirmed required OOBE settings from Microsoft guidance.

Implementation

  1. Build one custom ISO for USB resets using Build-ISO.ps1.
  2. Remove known consumer apps at image level.
  3. Inject only needed drivers (WiFi, touchpad, audio) for OOBE reliability.
  4. Keep Autopilot-safe OOBE behavior (stop at network/sign-in).
  5. Deploy a Win32 detection/remediation package for stock reset paths.
  6. Assign the Win32 app as required so cleanup runs during enrollment.

Outcome

.\Build-ISO.ps1 -SourceISO "C:\ISO\Win11_24H2.iso" -OutputFolder "C:\ISO\Output" -Edition Both

# Full script: https://github.com/Thugney/eriteach-scripts/blob/main/deployment/Build-ISO.ps1
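# Win32 detection (short example)
# Intune counts a Win32 app as detected only when the script exits 0 AND writes to STDOUT.
$apps = @("Microsoft.BingNews", "Clipchamp.Clipchamp", "MicrosoftTeams")
# Bloatware present: report "not detected" so the required cleanup app runs.
if ($apps | Where-Object { Get-AppxPackage -Name "*$_*" -AllUsers }) { exit 1 }
# Nothing found: report "detected" so Intune treats the device as already clean.
Write-Output "Clean"
exit 0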

# Full script set:
# https://github.com/Thugney/eriteach-scripts/blob/main/intune/win32/Detect-Bloatware.ps1
# https://github.com/Thugney/eriteach-scripts/blob/main/intune/win32/Remove-Bloatware.ps1
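
A cleanup script that could serve as the install command paired with the detection rule above, as an added example (it is not the linked Remove-Bloatware.ps1). It assumes the same three name patterns and that Intune runs it in the SYSTEM context; it removes the provisioned packages as well as the installed copies, because a package left provisioned is installed again for each new user profile.

```powershell
# Added example, not the author's Remove-Bloatware.ps1.
# Assumptions: same name patterns as the detection rule; runs as SYSTEM via Intune.
$patterns = @("Microsoft.BingNews", "Clipchamp.Clipchamp", "MicrosoftTeams")
$failed   = 0

# Query the provisioned list once and filter it per pattern.
$provisioned = @(Get-AppxProvisionedPackage -Online)

foreach ($p in $patterns) {
    # Provisioned copies are staged in the OS image and installed for every new profile.
    foreach ($pkg in @($provisioned | Where-Object { $_.DisplayName -like "*$p*" })) {
        try {
            Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName -ErrorAction Stop | Out-Null
            Write-Output "Deprovisioned: $($pkg.PackageName)"
        } catch {
            $failed++
            Write-Output "Deprovision failed: $($pkg.PackageName): $($_.Exception.Message)"
        }
    }

    # Installed copies already registered for existing profiles.
    foreach ($pkg in @(Get-AppxPackage -AllUsers -Name "*$p*")) {
        try {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
            Write-Output "Removed: $($pkg.PackageFullName)"
        } catch {
            $failed++
            Write-Output "Remove failed: $($pkg.PackageFullName): $($_.Exception.Message)"
        }
    }
}

# A non-zero exit code marks the Win32 install as failed, so a partial cleanup
# is visible in Intune reporting instead of being reported as success.
if ($failed -gt 0) { exit 1 }
exit 0
```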

Trade-offs

  • Do not hide online account screens in unattend if you want Autopilot sign-in.
  • Keep detection logic focused on key apps. Huge lists slow down enrollment.
  • If -Edition Both gives wrong output, clear old build folders before rerun.
  • Use model-targeted drivers. Full packs can bloat ISO size quickly.