Setting up Windows laptops and PCs for virtual and hybrid event production can be a massive chore. There are so many settings and tweaks that need to be applied. One distraction, and a critical setting gets missed.
This blog post (this isn’t a guide - read the caution below!) will document some steps we take when setting up a new physical Windows 11 laptop or PC destined for our live productions. This document assumes you’ll be using some sort of AV over IP setup (e.g. NDI, Dante).
For purposes of this post, I’ll assume you’re working with physical machines that will be used as part of live event production. This includes computers running vMix, OBS, NDI Tools, Multiview for NDI (shameless plug), among others.
We plan to update this post over time.
Before we begin - a caution
The settings and tweaks presented in this post are geared to scenarios where performance and minimal platform changes are preferred. Applying some of the suggestions may result in less security, but better performance.
This blog post is going to provide some scripts, some links to external resources, and some default setting recommendations that have worked for us. This guide should NOT be read as a definitive, “thou shalt set up thine Windows 11 installation this way.” Before following any of these recommendations, you should consider what impact they may have on your productions, your security posture, and verify they don’t cause issues with your own setup.
Also - NEVER directly connect a machine you own to a network you do not trust or own. That includes your client’s networks. We always put a router between us and our client’s network, and treat their network as hostile as the public internet.
Create an Unattended Windows 11 Install USB
Manually clicking through to install Windows can be tedious - especially if you’ve got a whole fleet of machines to maintain. It’s too easy to forget about tweaking a setting too. That’s why we use an autounattend.xml file on our Windows 11 install USB.
Christoph Schneegans’ autounattend file generator is fantastic for tailoring a Windows install to your specific setups.
Think of the autounattend.xml file as a list of instructions for the Windows installer to follow. From language and region to wi-fi settings, you can customize almost everything about the Windows install.
We have a Windows 11 USB for our laptops and mini PCs that will sit on our dedicated AV network. Here’s some of the settings we’ll apply in our autounattend.xml file.
- Choose a computer name. Instead of a random name like
DESKTOP-ZFAH8Z2, the installer can apply a name - either static (e.g.TRACTUSLAPTOP) or from a PowerShell script. - Set time zone (we default to Eastern)
- Create default user accounts with passwords.
- Specify your product key, or use the key stored in UEFI
- Hide the search box in the taskbar
- Disable widgets
- Hide the task view button in the taskbar
- Always show all tray icons
- Use classic right-click menus in Windows 11
- Open Explorer to This PC (so we can see disk drives right away)
- Do not show Bing results in the Start Menu
- Windows 11: Remove all pins from the Start Menu
- Turn off system sound effects
- Disable app suggestions
- Hide Edge First-Run experience
- Disable Edge startup boost
- Show This PC, Files, and Recycle Bin on the desktop
- Skip wi-fi configuration
- Disable all diagnostic data, personalized input, and location history going to Microsoft
- Disable Sticky Keys
- Load desktop wallpaper from a file
- Uninstall some default apps included with Windows (more on this below)
Now, here’s some settings we will disable on certain machines. Do not blindly follow this list without thinking about how it may impact your security posture - especially if that machine may be exposed to the public internet.
- Disable Windows Update
- Disable Smart App Control
- Disable SmartScreen in Windows and Edge
- Disable System Protection/System Restore
- Enable long paths
- Allow execution of PowerShell script files
- Do not update Last Access Time Stamp
- Prevent Windows Update from rebooting your computer
Again - do not blindly follow this list. Unpatched machines are hacker magnets. You should think very carefully about your security posture before disabling any of the above.
Note that if you disable Windows Update, you can still run it manually.
Should I disable Windows Defender and/or Windows Firewall?
I hesitate to say yes to disabling Windows Defender. It’s competent as an anti-virus and anti-malware protection for your PC. Again, consider the risks. If raw performance is critical to your setup and you pinky-swear that you’ll never, ever put a sketchy USB drive into that PC, then disabling Windows Defender may give you a few CPU cycles back.
Same goes for disabling Windows Firewall. The overhead of any firewall on your network stack can cause major CPU spikes - especially on lower-end systems. Remember - every single packet that comes to your computer has to pass through the firewall before it’s delivered to vMix, OBS, or your production software of choice.
Do not disable anti-virus or firewall without considering the security implications. And if you do disable both, be extra careful of what networks that machine will be plugged into.
Remove Bloatware
With the autounattend file generator, you can choose to remove specific apps from your Windows install to slim it down even further. We remove the following apps.
- 3D Viewer
- Bing Search
- Camera
- Clipchamp
- Copilot
- Cortana
- Dev Home
- Family
- Feedback Hub
- Game Assist
- Get Help
- Handwriting (all languages)
- Internet Explorer
- Mail and Calendar
- Maps
- Math Input Panel
- Mixed Reality
- Movies & TV
- News
- Office 365
- OneDrive
- OneNote
- OneSync
- Outlook for Windows
- Paint 3D
- People
- Photos
- Power Automate
- PowerShell 2.0
- Quick Assist
- Recall
- Remote Desktop Client
- Skype
- Snipping Tool
- Solitaire Collection
- Speech (all languages)
- Steps Recorder
- Sticky Notes
- Teams
- Tips
- To Do
- Voice Recorder
- Wallet
- Weather
- Windows Fax and Scan
- Windows Hello
- Windows Media Player (classic)
- Windows Media Player (modern)
- WordPad
- Xbox Apps
- Your Phone / Phone Link
Warning: Partition disks interactively!
On some newer computers with Intel Rapid Storage Technology (RST), Windows may not see the main hard disk/SSD during the install process. That driver has to be loaded during setup. If that’s the case and your autounattend.xml is set to install to the first disk it finds, setup can end up wiping out the installer USB because it’ll be seen as the first hard disk.
RST drivers are sometimes painful to find, so check your manufacturer’s website for the driver download.
Post-Install Tweaks
Once the installation is complete, there are a few machine-specific tweaks that we tend to apply to our systems.
Set network profile to Private
Under Settings - Network & Internet, you’ll want to set your AV over IP network to the Private profile.
Firewall Rules for mDNS and NDI
Thanks to our new AI overlords, nobody needs to write PowerShell scripts manually anymore. These firewall rules will allow mDNS traffic and NDI TCP traffic on any ethernet connection with the network profile set to Private.
New-NetFirewallRule -DisplayName "Allow mDNS (UDP 5353) - Private" `
-Direction Inbound -Protocol UDP -LocalPort 5353 -Action Allow -Profile Private
# (Optional) Allow a narrow NDI control port range on Private
New-NetFirewallRule -DisplayName "Allow NDI Control 5960-5970 TCP - Private" `
-Direction Inbound -Protocol TCP -LocalPort 5960-5970 -Action Allow -Profile Private
Network Card Tweaks
As soon as your install is finished, you’ll want to increase the send & receive buffers of your NIC to their maximum allowed size. Before that, you should grab the latest drivers for your NIC from the manufacturer’s website.
Don’t rely on Windows Update for the latest drivers!
A Note on Realtek NICs
If you have a Realtek NIC in your computer, you should update the drivers using the packages provided on Realtek’s driver download page. These tend to be much more reliable (and newer) than the drivers on Windows Update.
Configuring your NIC
Open Control Panel - Network and Internet - Network Connections. For each network adapter, right-click and click Properties. Click the Configure button.
Under the Advanced tab, set the following options (some options may not be present on your computer):
- Energy Efficient Ethernet/EEE/Advanced EEE: Disabled
- Gigabit Lite: Disabled
- Green Ethernet: Disabled
- Power Saving Mode: Disabled
- Receive Buffers: Increase to the maximum size allowed (Depends on your NIC - hold the up button until it won’t increase anymore)
- Send Buffers: Increase to the maximum size allowed
Under the Power Management tab, uncheck Allow the computer to turn off this device to save power.
If you haven’t already, the Network adapter performance tuning in Windows Server article on MSDN is a fantastic read.
Optional: Increase Default TCP/UDP (AFD) Socket Buffer Size to 8 MB
On Windows, the default receive buffer size for TCP/UDP historically was around 64KB (depending on your computer). For real-time audio and video, we’ve found increasing this to at least 8MB can help resolve frame drops when under load.
While this can be overridden by applications and libraries, programmers aren’t bound to do this. In some of our tests, we’ve found that increasing the default socket send receive buffer size can reduce frame drops with vMix and NDI.
You can either download the following registry tweak file, or apply the following to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DefaultSendWindow"=dword:00800000
"DefaultReceiveWindow"=dword:00800000
This setting is separate from the NIC send/receive buffer setting. This applies to any programs running on your computer that open sockets (i.e. communicate with other computers/cameras on your network).
For more details, check out this older, archived article on MSDN about the registry keys.
Set Power Mode to Maximum Performance
Open Settings - System - Power, and apply the following settings.
- Power Mode: High Performance
- Disable all timeouts (Sleep, screen off, shutdown)
More Power Tweaks
Focusrite has a fantastic guide on how to optimize a Windows 11 machine for real-time audio. In particular, you should go into Device Manager and do the following.
- For each USB Controller under
Universal Serial Bus Controllers, uncheck Allow the computer to turn off the device to save power on the Power management tab.
Disable All Notifications
Open Settings - System - Notifications, turn off Notifications, and turn on Do not Disturb.
Install NDI Tools
Grab NDI Tools from the NDI website and install.
Optional: Install the Sysinternals Suite
Sysinternals contains a ton of useful utilities for any Windows install, including Process Explorer, Autologon, and BgInfo.
Bginfo is our favorite. It will create a new desktop background with whatever text you want displayed about your particular system. We use it to add the computer name to the lower-right corner of the screen - that way, we know exactly what computer we’ve remoted into.
Optional: Disable Bluetooth in Device Manager
This might be a me-thing, but I’ve never trusted Bluetooth on Windows. Too many bluescreens from the early days. I always go into Device Manager and disable every single Bluetooth receiver listed there.
Update all Drivers from the Manufacturer’s Website
Windows Update doesn’t always have the latest drivers for your computer. Grab the latest GPU, NIC, chipset, and audio drivers from each manufacturer’s website.
Disable C-States in UEFI
C-states allow your computer to power down your processor (CPU) when it’s not busy doing work. Deeper C-states, like C5, can take a millisecond or two to wake up from. In the world of ProAV, that could cause a machine that’s borderline to appear to drop frames.
Check your motherboard or laptop manufacturer’s documentation on how to disable C-states, or at least disable deep sleep states.
You made it!
Whew! That was a lot of ground to cover. But hopefully you now have a fresh Windows 11 machine with the bloatware trimmed, some good performance defaults, and ready to rock your next production. As always, make sure to test everything!