One issue that I have noticed since I have been testing the latest Windows 11 upgrade, is the automatic installation of the Copilot Progressive Web App (PWA).

The problem with this Copilot Progressive Web App is that it is intended for non-work accounts which makes it pointless on an Enterprise OS. To address this issue, I wrote the following PowerShell script to automate the process of preventing the Copilot PWA from being installed after a Windows 11 upgrade. By running this script before the user gets to their desktop, administrators can ensure that the Copilot PWA is not installed on any user profiles, providing a cleaner and more controlled environment.

NOTE – The script needs to run before the application is installed on any system since it is setting a few registry keys that Microsoft is using as a flag to detect if the application was installed.

This same script has also worked well on Windows 10 since we started noticing a Copilot app appear on some of our Windows 10 desktops. It can run after a Windows 11 upgrade is complete using a Success.cmd file to execute the script as soon as the upgrade is successful (I won’t go into detail on how to set this up since Microsoft has done a great job with documenting this process Run custom actions during a feature update | Microsoft Learn). Last but not least, you can add the script to your Autopilot process or OSD task sequence as well so new systems will not receive the application.

Powershell Script:

Function Write-Log {

    Param (
    [Parameter(Mandatory = $True, ValueFromPipeline = $True,ValueFromPipelinebyPropertyName = $True)]
    Process {

        # Populate the variables to log
        $Time = (Get-Date -Format HH:mm:ss) + ".000+000"
        $Date = Get-Date -Format MM-dd-yyyy
        $TempMsg = "<![LOG[$Message]LOG]!><time=""$Time"" date=""$Date"" component=""$Component"" context="""" type="""" thread="""" file=""$Component"">"
        # Create the component log entry
        Write-Output $TempMsg | Out-File -FilePath $LogFile -Encoding "Default" -Append



# Prep logging
$Logfile = "$env:ProgramData\Logs\Software\CopilotRemoval.log"
If((Test-Path "$env:ProgramData\Logs\Software" ) -eq $False) { New-Item  "$env:ProgramData\Logs\Software" -ItemType Directory -Force }

$SystemProfiles = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
$UserProfileRegistryKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$UserProfilesDirectory = Get-ItemProperty -LiteralPath $UserProfileRegistryKey -Name 'ProfilesDirectory' -ErrorAction 'Stop' | Select-Object -ExpandProperty 'ProfilesDirectory'
$DefaultProfileDirectory = Get-ItemProperty -LiteralPath $UserProfileRegistryKey -Name 'Default' -ErrorAction 'Stop' | Select-Object -ExpandProperty 'Default'

[array]$UserProfiles = @(Get-ChildItem -LiteralPath $UserProfileRegistryKey -ErrorAction 'Stop' | ForEach-Object {

    Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction 'Stop' | Where-Object { $null -ne $_.ProfileImagePath -and $SystemProfiles -notcontains $_.PSChildName } |
    Select-Object  @{ Label = 'SID'; Expression = { $_.PSChildName } }, @{ Label = 'ProfilePath'; Expression = { $_.ProfileImagePath } }

$UserProfiles = $UserProfiles | Where-Object { $_ -like "*\Users\*" }
$UserProfiles += New-Object -TypeName PSObject -Property @{SID="NA"; ProfilePath="$DefaultProfileDirectory" }

ForEach ($script:UserProfile in $UserProfiles) {

    $UserName = $UserProfile.ProfilePath.Replace("$UserProfilesDirectory\","")

    Write-Log "<====== Prepping $UserName to remove Copilot PWA ======>"

    Write-Log "STEP 1 - Attempting to load $UserName's HKCU hive"
    # Expected user registry key if user is logged in
    $HKEY_UserPath = "Registry::HKEY_USERS\$($UserProfile.SID)"

    # Create the path to the user's ntuser.dat
    $NTUserPath = $UserProfile.ProfilePath + '\' + 'NTUSER.DAT'

    # Load ntuser.dat file if user is not logged in (should be expected behavior during the in-place upgrade)
    If((Test-Path -LiteralPath $HKEY_UserPath) -eq $False -or $($UserProfile.SID) -eq "N/A") {
        # Check that the ntuser.dat path is valid
        If(Test-Path $NTUserPath) {

            # Attempt to load the user's registry
            Try {

                Write-Log "Loading $NTUserPath"
                Start-Process "$env:windir\System32\reg.exe" -ArgumentList "load `"HKEY_USERS\$($UserProfile.SID)`" `"$NTUserPath`"" -PassThru -NoNewWindow -Wait

            Catch {
                Write-Log "Failed to load $NTUserPath !"
                Write-Log "Failed Message: $($_.Exception.Message)"
                Write-Log "Failed in Line Number: $($_.InvocationInfo.ScriptLineNumber)"

                Start-Sleep -Seconds 5

                Write-Log "Unloading $NTUserPath"
                Start-Process "$env:windir\System32\reg.exe" -ArgumentList "unload `"HKEY_USERS\$($UserProfile.SID)`"" -PassThru -NoNewWindow -Wait


            # Adding Custom Settings
            Write-Log "STEP 2 - Configure Custom Settings"

            # Disable Copilot PWA
            Try {

                Write-Log "Prevent Copilot PWA from installing"
                If(!(Test-Path -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs")) {

                    New-Item "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Force

                New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'CopilotPWAPreinstallRetryCount' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
                New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'CopilotPWAPreinstallCompleted' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
                New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'Microsoft.Copilot_8wekyb3d8bbwe' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
            Catch {

                Write-Log "Failed to prevent Copilot PWA from installing"


            # Attempt to unload the user's registry
            Try {

                Start-Sleep -Seconds 5
                Write-Log "Unloading $NTUserPath"
                Start-Process "$env:windir\System32\reg.exe" -ArgumentList "unload `"HKEY_USERS\$($UserProfile.SID)`"" -PassThru -NoNewWindow -Wait

            Catch {

                Write-Log "Failed to unload $NTUserPath !"
                Write-Log "Failed Message: $($_.Exception.Message)"
                Write-Log "Failed in Line Number: $($_.InvocationInfo.ScriptLineNumber)"



    Else {

        # Take care of profiles that are currently loaded and logged in
        Write-Log "$UserName is logged in!  Will skip loading ntuser.dat and make changes directly in HKEY_USERS\$($UserProfile.SID)"

        # Adding additional Windows 11 customizations
        Write-Log "STEP 2 - Configure Custom Settings"

        # Disable Copilot PWA
        Try {

            Write-Log "Prevent Copilot PWA from installing"
            If(!(Test-Path -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs")) {

                New-Item "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Force

            New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'CopilotPWAPreinstallRetryCount' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
            New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'CopilotPWAPreinstallCompleted' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
            New-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($UserProfile.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoInstalledPWAs" -Name 'Microsoft.Copilot_8wekyb3d8bbwe' -Value 1 -PropertyType DWord -Force -ErrorAction Stop
        Catch {

            Write-Log "Failed to prevent Copilot PWA from installing"



    Write-Log "<====== $UserName has been updated successfully ======>"


Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.


Many thanks to Gary Blok for collaborating with me and helping improve the script!



  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.


  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update


An automated solution for KB5006670 that breaks printer installs

Ever since KB5006670 was released, I have been receiving reports from our local support team that users are unable to install printers from our print servers. The specific error they were getting was “Windows cannot connect to the printer.” Operation failed with error 0x000006e4.

Thanks to a user on Reddit (NinjaAmbush), I was able to find the following fix which was to uncheck “Render print jobs on client computers” click apply and then recheck the setting. Since this had to be done for each printer on the server, I decided to find out if I could automate the steps with Powershell. Fortunately it was pretty straight forward and I was able to accomplish this with two native Powershell CMDLETS (Get-Printer and Set-Printer).

Here is the automated solution that needs to run on your print servers:

Get-Printer -Full | ForEach-Object { 

    If($_.RenderingMode -eq "CSR") {
        Set-Printer -Name $_.Name -RenderingMode SSR
        Set-Printer -Name $_.Name -RenderingMode CSR

    If($_.RenderingMode -eq "SSR") {

        Set-Printer -Name $_.Name -RenderingMode CSR
        Set-Printer -Name $_.Name -RenderingMode SSR



How to automatically hide the Widgets and Teams chat button in Windows 11

As many of you know Windows 11 was released yesterday. Right now I’m I’m currently testing the official release and running Procmon to figure out some of the new registry keys that were introduced with Windows 11. Here are the registry keys and values that will automatically hide the Widgets and Teams chat button from the taskbar in Windows 11:

How to hide the widgets button:


How to hide the Teams chat button:


How to bring back the Windows 10 start menu on Windows 11

Update (10/6/2021) – I just tested the official Windows 11 release today and it appears you cannot bring back the Windows 10 start menu anymore. However the following registry key still works to move the start menu to the left side of the screen.


As many of you know, Windows 11 will be introducing a new start menu layout. If you want to keep things consistent for your users you can add the following registry keys to your GPO when your company decides to roll out Windows 11.


The Start_ShowClassicMode registry key will bring back the Windows 10 start layout and the TaskbarAl registry key will move everything to the left like it used to be.

Install-Font Function

Use the Install-Font function to install system fonts on Windows 10 1809 and above. Older scripts may not work with Windows 10 1809 and above since Windows will now try to install fonts in the user’s LOCALAPPDATA directory. This function will get around those issues and allow you to programmatically install fonts for all users again.

How to use the function:

Install Fonts from folder
Install-Font “C:\Temp\Helvetica Neue”

Install one font
Install-Font “C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf”

Function Install-Font {

    .SYNOPSIS Install system fonts for all users
    .PARAMETER FontPath Provide path to a font or a folder containing fonts

    .PARAMETER Recurse Scan subdirectories
    .EXAMPLE - Install Fonts from folder
    Install-Font "C:\Temp\Helvetica Neue"
    .EXAMPLE - Install one font 
    Install-Font "C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf"


    If(Test-Path $FontPath) {
        $FontFile = Get-Item -Path $FontPath

        If($FontFile -is [System.IO.DirectoryInfo]) {

            If($Recurse) {

                $Fonts = Get-ChildItem -Path $FontFile -Include ('*.fon','*.otf','*.ttc','*.ttf') -Recurse

            Else {

                $Fonts = Get-ChildItem -Path "$FontFile\*" -Include ('*.fon','*.otf','*.ttc','*.ttf')

            If(!$Fonts) {

                Throw ("Unable to find any fonts in the folder")


        ElseIf($FontFile -is [IO.FileInfo]) {

            If ($FontFile.Extension -notin ('.fon','.otf','.ttc','.ttf')) {

                Throw ("The file provided does not appear to be a valid font")


            $Fonts = $FontFile

        Else {
            Throw ("Expected font or folder")

    Else {

        Throw [System.IO.FileNotFoundException]::New("Could not find path: $FontPath")

    ForEach ($Font in $Fonts) {

        $FontName = $Font.Basename
        Write-Host "Installing font: $FontName"
        Copy-Item $Font "C:\Windows\Fonts" -Force
        New-ItemProperty -Name $FontName -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Fonts" -PropertyType String -Value $Font.Name -Force | Out-Null



Registry Keys for Windows 10 Application Privacy Settings

The following registry keys in this post control the privacy settings in Windows 10. These settings can be found in the GUI by going to SETTINGS\PRIVACY.
How to reset your start menu layout in Windows 10 1809

Well Microsoft has changed things again since my last post that showed you how to reset the start layout in Windows 10 1709. Now with 1809 there is a new key name and it does look to be slightly random so I am now having to use a wildcard. I’m currently only testing every other build so please keep me updated if this breaks with a spring feature upgrade release.

Remove-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\*$start.tilegrid$'  -Force -Recurse
Get-Process Explorer | Stop-Process

How to install Office 365 ProPlus updates during your SCCM build and capture task sequence

Have you tried to install Office 365 ProPlus updates during your SCCM build and capture task sequence and it never installed? Well that is most likely due to a registry key that was not updated. The update channel registry key value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration should not be pointing to your ccmcache folder. If it is, then this fix will work for you.

In order to update this key, you should run the following command before the Install Updates step in your task sequence.:
“C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe” /update SCHEDULEDTASK displaylevel=False

Note: This command must run before you attempt to install any Office 365 ProPlus software updates in your task sequence. If it does not then your update channel value will still be pointing to the ccmcache which will stop the updates from running.

SCCM script to identify systems vulnerable to ADV180028

You can run the following script against an SCCM collection to identify a system’s Bitlocker encryption method. This will help you find any computers that may be vulnerable to ADV180028.

Note: Your system may be vulnerable if your encryption method is set to Hardware Encryption!

$EncryptionMethod = manage-bde -status C: | Where-Object {$_ -match "Encryption Method"}

If ($EncryptionMethod -ne $Null) {

    $EncryptionMethod = $EncryptionMethod.Split(":")[1].trim()

Else {

    $EncryptionMethod = "Encryption Method not found"



