Tiny11 Builder 25H2: Build a lean Windows 11 ISO with Copilot and Outlook removed

Tiny11 Builder’s refresh for Windows 11 version 25H2 quietly rewrites one of the community’s most pragmatic responses to Windows bloat: a single PowerShell-driven workflow that rebuilds an official Microsoft ISO into a smaller, more privacy‑minded and user‑controlled installer — but it does so by forcing a set of tradeoffs that any responsible user or admin must understand before touching production hardware.

Background​

Windows has steadily shifted toward a richer out‑of‑the‑box experience that bundles inbox apps, cloud‑centric features and, most recently, AI‑driven components such as Copilot and a redesigned Outlook client. For users who prize a tight, predictable install image — whether to run Windows on older hardware, create repeatable lab images, or reduce surface area and update churn — community projects have long offered alternatives. Tiny11 Builder (the PowerShell successor to the original Tiny11) is one of the most mature of these: it performs offline servicing of an official Windows ISO using Microsoft’s own tools, removes or blocks a curated list of inbox components, injects unattended OOBE tweaks, recompresses the image and repackages a bootable ISO.
The NTDEV maintainer’s 25H2‑targeted refresh adds three headline capabilities that make the project particularly relevant today:

• Explicit removal routines for Copilot, the new Outlook for Windows client, and consumer Microsoft Teams, reflecting Microsoft’s recent push to integrate AI and cloud services into the default desktop.
• A single PowerShell pipeline script (commonly tiny11maker.ps1) that is language‑ and architecture‑agnostic, simplifying the build process.
• Switching to DISM’s recovery compression (LZX/LZMS) to dramatically reduce final ISO size — with higher RAM/CPU requirements during the build.

Those changes are not purely cosmetic. They materially alter what a fresh Windows 11 install contains and how feasible it is to maintain such systems over time.

---

What Tiny11 Builder actually does​

The technical workflow (short form)​

• Download an official Windows 11 25H2 ISO from Microsoft and verify checksums.
• Extract or clone the Tiny11 Builder repository (tiny11maker.ps1) and run the script from an elevated PowerShell session.
• The script mounts the WIM/ESD inside the ISO and performs offline servicing with DISM to remove Appx packages, optional Windows features, scheduled tasks and selected registry entries.
• It injects an autounattend.xml to tweak OOBE behavior (commonly used to bypass the Microsoft Account requirement and preconfigure a local account).
• The image is recompressed with DISM /Compress:recovery (LZX/LZMS) and repackaged to a bootable ISO using oscdimg.exe from the Windows ADK when needed.

This is not a third‑party image being redistributed; the builder starts from Microsoft media and uses Microsoft utilities (DISM, and optionally oscdimg.exe) to perform offline servicing. That design reduces the supply‑chain surface compared with unknown prebuilt ISOs, though it does not eliminate the consequences of removing system components.

What the standard “serviceable” Tiny profile removes​

• Consumer inbox apps such as Clipchamp, Media Player, News, Weather, Xbox family apps, Solitaire and the Office Hub.
• Communication and cloud integrations: OneDrive, Phone Link (Your Phone), and the classic Mail & Calendar (depending on profile).
• Microsoft’s newer push features: Copilot, the new Outlook client, and consumer Microsoft Teams.
• Optional telemetry/feedback tasks and select scheduled services (configurable).

The standard profile aims to remain serviceable — meaning it preserves the ability to receive Windows Update and later add or reinstall many removed features via normal Microsoft servicing paths. That contrasts with the project’s more radical variants (Core / Nano), which remove servicing components and are explicitly intended only for isolated VMs and single‑purpose devices.

---

What’s new in the 25H2 refresh and why it matters​

Copilot, new Outlook, Teams — and the cultural context​

Microsoft’s recent moves to embed AI features and cloud‑first apps into the default Windows experience have been polarizing. For administrators and privacy‑conscious users, having a clean base image that omits those components is valuable: it reduces background services, eliminates in‑box prompts that steer users to cloud flows, and lowers the attack surface. Tiny11 Builder’s explicit routines for Copilot, Outlook and Teams reflect that demand.

Recovery compression: smaller ISOs with heavier builds​

The move to DISM’s recovery compression can reduce final ISOs into the 3–4 GB range for many configurations, which is a practical win for constrained media or fast VM deployment. However, recovery compression requires more RAM and CPU during the build phase and increases build time. Plan to run the builder on a reasonably provisioned machine — the compression tradeoff is CPU/memory now for distribution size later.

Unattended OOBE tweaks and Microsoft Account bypass​

Tiny11 Builder exposes an autounattend.xml to configure setup behavior, including the ability to create a local account at first sign‑in rather than forcing a Microsoft Account during OOBE. With Microsoft tightening MSA requirements in some channels, this is a convenience for those who need a deterministic local‑account outcome. Use it responsibly — the unattended file modifies the installer’s behavior and should be audited before use.

---

Strengths: why Tiny11 Builder is compelling​

• Transparency and auditability. The builder publishes readable PowerShell scripts and relies primarily on Microsoft tooling, making the process inspectable and adjustable by an administrator. That reduces the “mystery binary” risk associated with unknown prebuilt ISOs.
• Meaningful size and surface‑area reductions. Removing modern inbox apps and using recovery compression yields measurable reductions in on‑disk footprint and ISO size, which benefits older hardware and constrained VMs.
• Configurable profiles (serviceable vs core). The two‑profile model is deliberate: it gives users a clear tradeoff between maintainability and minimality. The recommended “standard/serviceable” profile preserves updateability for most real‑world uses.
• Reproducibility for labs and kiosks. Administrators who need repeatable images — for testing, media centers, or kiosks — can build and version a deterministic installer that enforces their organization’s baseline.
• Selective reclaimability. For the standard profile, removed inbox apps such as Clipchamp or OneDrive can later be reinstalled through normal Microsoft channels (Store, Winget or offline packages) if the user changes their mind. That flexibility reduces some of the risk of “what if I want X later?” after installing.

---

Real and material risks you cannot ignore​

1) Serviceability and security updates​

The single largest long‑term risk is serviceability. Aggressive “core” profiles explicitly remove parts of the servicing stack (WinSxS, Windows Update hooks, Defender) and thereby make it impossible to receive cumulative security updates through standard channels. Systems built with those profiles require manual maintenance strategies — and for internet‑exposed devices, that is a non‑starter. The standard Tiny profile aims to preserve updates, but even it can require vigilance because Microsoft periodically changes how inbox apps are reintroduced.

2) Compatibility and subtle breakage​

Removing inbox components can break expected behaviors in third‑party apps or UWP/WPF integrations that rely on those components. Examples include file‑type associations, preview handlers, or expectations around default mail handlers. Those regressions are often subtle and only show up under real workloads after deployment. Test thoroughly.

3) Activation, licensing and support​

Modifying installation media does not change license obligations. Activation still requires valid entitlement or keys; Microsoft support will not cover problems caused by a modified OS image. Enterprises must evaluate compliance and support impacts before mass deployment.

4) Supply‑chain and distribution pitfalls​

While Tiny11’s emphasis on Microsoft tooling reduces one class of supply‑chain risk, distributing custom ISOs still creates operational questions: who signs off on the image, where are checksums stored, how are updates applied to deployed systems? Treat image distribution as a formal change that requires documentation and controlled rollouts.

5) False economy for production fleets​

For large fleets or mission‑critical endpoints, the small size and lack of inbox apps may be attractive, but the long‑term maintenance burden and inability to receive vendor support for modified images often outweigh the immediate benefits. The conservative recommendation remains: pilot thoroughly, favor serviceable profiles, and keep official upgrade paths available.

---

Practical, conservative workflow (recommended)​

Below is a step‑by‑step that prioritizes safety and reproducibility. This is the workflow used by administrators who need to evaluate Tiny11 Builder but still require predictable, maintainable outcomes.

• Use a separate build machine that is well‑spec’d (16+ GB RAM recommended for heavy compression builds).
• Download the official Windows 11 25H2 ISO directly from Microsoft and verify SHA256 checksums before proceeding. Never use an untrusted prebuilt ISO.
• Clone or download tiny11builder from NTDEV’s repository and review the PowerShell script (tiny11maker.ps1) — audit the removal list and the autounattend.xml content.
• Choose the standard/serviceable profile for daily drivers. Reserve Core/Nano only for isolated test VMs or single‑purpose appliances.
• Build the ISO, test the installer in a VM (validate driver loading, Windows Update behavior, Defender status and application compatibility).
• If deploying to physical hardware, snapshot and backup existing systems and store BitLocker recovery keys before wiping drives — image modifications and TPM/BitLocker interactions can cause recovery prompts.
• Maintain a documented build pipeline (checksums, build logs, script versions) and a process to rebuild updated images when Microsoft integrates changes into future updates.

---

How Tiny11 compares to post‑install debloat utilities​

There are two common approaches to reducing Windows bloat: rebuild the installer (Tiny11) or run a debloat script against an installed system. Each has pros and cons.

• Tiny11 (installer rebuild)
• Pros: produces a deterministic, repeatable image; removes components before first boot; can bypass the MSA requirement in OOBE.
• Cons: requires a clean install; riskier for existing user data and managed environments; may require building new ISOs for each Windows feature update.
• Post‑install debloat utilities
• Pros: do not require reinstalling the OS; easier to apply to many existing systems.
• Cons: can leave behind remnants, may not reduce initial install footprint, and can be more fragile if the system is already patched or configured.

For labs and fresh‑image deployments, Tiny11’s approach is superior for repeatability and initial surface‑area reduction. For large, heterogeneous fleets already in production, post‑install tooling combined with official configuration management (SCCM/Intune) is usually the safer operational choice.

---

Use cases where Tiny11 is the right tool​

• Hobbyists and power users who want a lean desktop on older or low‑spec hardware.
• VM and lab builders who need small, repeatable images for test automation.
• Kiosk or single‑purpose devices where the device is offline or tightly controlled and you can accept manual update workflows for maintenance.

Do not use Tiny11 for unmanaged production desktops that require regular security patching, vendor support, or centralized management — unless you have the operational processes and personnel to manually maintain non‑serviceable images.

---

A note on unverifiable or variable claims​

Some claims circulating in community commentary — for example, precise ISO sizes after compression (the project reports examples in the low 3–4 GB range) or exact app removal lists — will vary depending on the Windows 11 SKU, language packs, and options you choose in the builder. Treat single‑system anecdotes (e.g., “this laptop’s final ISO was X GB”) as illustrative, not guaranteed. Always validate with your own builds and test hardware.

---

Final analysis and recommendations​

Tiny11 Builder’s 25H2 refresh is an important, pragmatic tool in the Windows enthusiast and admin toolbox. It restores choice at the installer level and gives skilled users an auditable path to a smaller, less cloud‑oriented Windows 11 experience. The project’s strengths — transparency, Microsoft tooling, and configurable profiles — make it attractive for constrained hardware, test labs, and kiosk scenarios.
That said, these strengths come with real operational costs. Removing servicing components or Defender in the ultra‑aggressive profiles is a form of technical debt: you reduce immediate surface area but also remove the mechanisms that allow Microsoft’s security updates and supported servicing to reach those devices. For most users and organizations, the conservative, serviceable profile is the only responsible path; the core/nano variants should remain experimental lab tools only.
If preserving user choice and reducing unwanted cloud‑centric features in Windows 11 matters to you, Tiny11 Builder is a powerful option — but it must be treated like any image‑management tool: with audits, formal change control, documented build artifacts, and a clear plan for patching and recovery. Build from official ISOs, test in VMs, prefer the serviceable profile, and keep your rollback and activation keys at hand. Those are the basic guardrails that separate a clever tweak from a risky operational decision.

---

Tiny11 Builder is neither an answer to every Windows complaint nor a shortcut to long‑term security. It is, instead, a pragmatic workshop tool: use it to shape an installer that suits a specific, well‑scoped purpose — but do not mistake a smaller ISO for a solved update and support lifecycle.

---

Source: Thurrott.com De-Enshittifing Windows 11 Version 25H2: Tiny11 Builder