From d49f516b16214a13b5d8347bd3428a7fef3c092a Mon Sep 17 00:00:00 2001
From: cproudlock <cproudlock@localhost>
Date: Wed, 22 Apr 2026 16:55:16 -0400
Subject: [PATCH] FlatUnattendW10: catch repo up to deployed state +
 Win10/Win11 search cleanup

Two things in one pass because the repo copy was 162 lines behind the
deployed one already:

1. Sync repo to the currently-deployed FlatUnattendW10.xml baseline
   (Java JRE 8 u441 + Java auto-update pins + Cortana/Bing/Search
   disable block that had been added on-server but never committed).

2. Prune three ineffective registry entries and replace the Bing
   suppression with a documented equivalent that works on both Win10
   and Win11:
   - DROP #32  HKLM\...\Search\CortanaEnabled=0
               Undocumented at HKLM (the real key is HKCU). No effect.
   - DROP #37  AllowCortanaAboveLock=0
               Deprecated per AboveLock Policy CSP. Cortana app was
               removed from Win11 in Canary 25967 anyway.
   - REPLACE #34  BingSearchEnabled (HKLM, undocumented) with
                  DisableSearchBoxSuggestions=1 written into the
                  Default User hive so every new account inherits it.
                  This is the Microsoft-documented kill-switch for
                  Bing / web results in Start-menu search on both
                  Win10 and Win11.

Validated XML well-formed (xmllint + Python ET). RunSynchronous orders
remain unique and ascending after the deletions. Deployed to both PXE
servers under /srv/samba/winpeapps/{gea-engineer,gea-standard}/Deploy/
with timestamped .pre-winsearch-cleanup-* backups.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 playbook/FlatUnattendW10.xml | 145 +++++++++++++++++++++++++++--------
 1 file changed, 115 insertions(+), 30 deletions(-)

diff --git a/playbook/FlatUnattendW10.xml b/playbook/FlatUnattendW10.xml
index 4a0b18d..3f4f5fc 100644
--- a/playbook/FlatUnattendW10.xml
+++ b/playbook/FlatUnattendW10.xml
@@ -176,7 +176,88 @@
           <Order>23</Order>
           <Path>msiexec /p "C:\Deploy\Applications\extra\adobe\AcroRdrDCUpd2500120531.msp" /quiet /norestart</Path>
           <Description>Apply Adobe Reader Update</Description>
-        </RunSynchronousCommand>         
+        </RunSynchronousCommand> 
+        
+        <!-- Java JRE 8 Enterprise Installation -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>26</Order>
+          <Path>C:\Deploy\Applications\extra\java\jre-8u441-windows-i586.exe /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_441" STATIC=1 AUTO_UPDATE=0 REBOOT=0 SPONSORS=0 WEB_JAVA=0 /L "C:\Windows\Logs\java-install.log"</Path>
+          <Description>Install Java JRE 8 Update 441 with Enterprise Settings and Logging</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Java Auto Updates via Registry (64-bit) -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>27</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Java Auto Updates (64-bit)</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Java Auto Updates via Registry (32-bit) -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>28</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Java Auto Updates (32-bit)</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Java Auto Update Check (64-bit) -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>29</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Java Auto Update Check (64-bit)</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Java Auto Update Check (32-bit) -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>30</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Java Auto Update Check (32-bit)</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Cortana -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>31</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Cortana</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Web Search in Start Menu -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>33</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f</Path>
+          <Description>Disable Web Search in Start Menu</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Bing / web search suggestions in Start menu.
+             BingSearchEnabled is documented at HKCU\Software\Microsoft\Windows\CurrentVersion\Search
+             (not HKLM), so the old HKLM policy placement was a no-op. The current documented
+             suppression is DisableSearchBoxSuggestions=1 at Software\Policies\Microsoft\Windows\Explorer.
+             Writing it into the Default User hive so every newly-created account inherits it. -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>34</Order>
+          <Path>cmd /c reg load HKU\TempDU C:\Users\Default\NTUSER.DAT &amp; reg add "HKU\TempDU\Software\Policies\Microsoft\Windows\Explorer" /v DisableSearchBoxSuggestions /t REG_DWORD /d 1 /f &amp; reg unload HKU\TempDU</Path>
+          <Description>Disable Bing/web search suggestions (Default User hive)</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Search Web when searching Windows -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>35</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Connected Search Use Web</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Cortana Speech Recognition -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>36</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v AllowInputPersonalization /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Cortana Speech Recognition</Description>
+        </RunSynchronousCommand>
+
+        <!-- Disable Search Highlights (news/trending) -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>38</Order>
+          <Path>cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v EnableDynamicContentInWSB /t REG_DWORD /d 0 /f</Path>
+          <Description>Disable Search Highlights</Description>
+        </RunSynchronousCommand>
       </RunSynchronous>
     </component>
   </settings>
@@ -188,35 +269,39 @@
                publicKeyToken="31bf3856ad364e35"
                language="neutral"
                versionScope="nonSxS">
-      <OOBE>
-        <HideEULAPage>true</HideEULAPage>
-        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
-        <HideOnlineAccountScreens>false</HideOnlineAccountScreens>
-        <HideWirelessSetupInOOBE>false</HideWirelessSetupInOOBE>
-        <HideLocalAccountScreen>true</HideLocalAccountScreen>
-        <NetworkLocation>Work</NetworkLocation>
-        <ProtectYourPC>3</ProtectYourPC>
-        <SkipUserOOBE>false</SkipUserOOBE>
-        <SkipMachineOOBE>false</SkipMachineOOBE>
-      </OOBE>
-      <FirstLogonCommands>
-          <SynchronousCommand wcm:action="add">
-              <Order>1</Order>
-              <CommandLine>C:\Deploy\Applications\extra\zscaler\zscaler.bat</CommandLine>
-              <Description>Install Zscaler Client Connector</Description>
-          </SynchronousCommand>
-          <SynchronousCommand wcm:action="add">
-              <Order>2</Order>
-              <CommandLine>shutdown -a</CommandLine>
-              <Description>Cancel any scheduled shutdown from Office installation</Description>
-          </SynchronousCommand>
-          <SynchronousCommand wcm:action="add">
-              <Order>3</Order>
-              <CommandLine>cmd /c cd C:\Deploy\Applications\extra\office &amp;&amp; install.bat</CommandLine>
-              <Description>Install Office</Description>
-          </SynchronousCommand>
-      </FirstLogonCommands>
+        <OOBE>
+          <HideEULAPage>true</HideEULAPage>
+          <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
+          <HideOnlineAccountScreens>false</HideOnlineAccountScreens>
+          <HideWirelessSetupInOOBE>false</HideWirelessSetupInOOBE>
+          <HideLocalAccountScreen>true</HideLocalAccountScreen>
+          <NetworkLocation>Work</NetworkLocation>
+          <ProtectYourPC>3</ProtectYourPC>
+          <SkipUserOOBE>false</SkipUserOOBE>
+          <SkipMachineOOBE>false</SkipMachineOOBE>
+        </OOBE>
+        <FirstLogonCommands>
+            <SynchronousCommand wcm:action="add">
+                <Order>1</Order>
+                <CommandLine>shutdown -a</CommandLine>
+                <Description>Cancel any scheduled shutdown from Office installation</Description>
+            </SynchronousCommand>
+            
+            <!-- Install Zscaler -->
+            <SynchronousCommand wcm:action="add">
+                <Order>2</Order>
+                <CommandLine>C:\Deploy\Applications\extra\zscaler\zscaler.bat</CommandLine>
+                <Description>Install Zscaler Client Connector</Description>
+            </SynchronousCommand>
+            
+            <!-- Install Microsoft Office -->
+            <SynchronousCommand wcm:action="add">
+                <Order>3</Order>
+                <CommandLine>cmd /c "cd /d C:\Deploy\Applications\extra\office\ &amp;&amp; install.bat"</CommandLine>
+                <Description>Install Microsoft Office</Description>
+            </SynchronousCommand>
+        </FirstLogonCommands>
     </component>
   </settings>
 
-</unattend>
\ No newline at end of file
+</unattend>