秒级绕过Win11硬件限制检测

秒级绕过Win11硬件限制检测

2022.2.22更新
最近我在科学上网的时候，发现老外写了一个脚本，秒杀同类工具千里之外。话不多说，入正题。

一、操作方法

1.1、复制以下源码保存为bat

@(echo off% <#%) &color 07 &title Quick 11 iso esd wim TPM toggle by AveYo - with SendTo menu entry
set "0=%~f0" &set "1=%~f1"&set "2=%~2"& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &pause &exit/b ||#>)[1]
#:: what's new in v1.1: fixed relative seek, should now work on all iso's 
$timer = $(get-date)
#:: Install to SendTo menu when run from another location
if (!$env:1) { write-host "`n No input iso / esd / wim file to patch! use 'Send to' context menu ...`n" -fore Yellow }
$SendTo = [Environment]::GetFolderPath('ApplicationData') + '\Microsoft\Windows\SendTo'
if (!$env:1 -and $env:0 -and $(Split-Path $env:0) -ne $SendTo) {copy $env:0 "$SendTo\Quick_11_iso_esd_wim_TPM_toggle.bat" -force}
if (!$env:1) { return }
#:: Can force either patch or undo via second commandline parameter: 1 to patch 0 to undo
if (1 -eq $env:2) {$toggle = 1} elseif (0 -eq $env:2) {$toggle = 0} else {$toggle = 2}
#:: Verify extension is .iso .esd or .wim
$input = get-item -lit $env:1; $invalid = '.iso','.esd','.wim' -notcontains $input.Extension
if ($invalid) {write-host "`n Input is not a iso / esd / wim file ...`n" -fore Yellow; return } 
try {[io.file]::OpenWrite($input).close()} catch {write-host "`n ERROR! $input read-only or in use ...`n" -fore Red; return }
#:: TPM patch via InstallationType Server
$typeC = '<INSTALLATIONTYPE>Client'; $typeS = '<INSTALLATIONTYPE>Server'
$block = 1048576; $chunk = 2097152; $count = [uint64]([IO.FileInfo]$input).Length / $chunk - 1
$bytes = new-object "Byte[]" ($chunk); $begin = [uint64]0; $final = [uint64]0; $limit = [uint64]0
function tochars {return [Text.Encoding]::GetEncoding(28591).GetString([Text.Encoding]::Unicode.GetBytes($args[0]))}
$find1 = tochars "</INSTALLATIONTYPE>"; $find2 = tochars "</WIM>"; $cli = tochars $typeC; $srv = tochars $typeS
$f = new-object IO.FileStream ($input, 3, 3, 1); $p = 0; $p = $f.Seek(0, 2)
write-host "$input`nsearching $p bytes, please wait ...`n"
for ($o = 1; $o -le $count; $o++) { 
  $p = $f.Seek(-$chunk, 1); $r = $f.Read($bytes, 0, $chunk); if ($r -ne $chunk) {write-host invalid block $r; break}
  $u = [Text.Encoding]::GetEncoding(28591).GetString($bytes); $t = $u.LastIndexOf($find1, [StringComparison]4) 
  if ($t -ge 0) {
    $f.Seek(($t -$chunk), 1) >''
    for ($o = 1; $o -le $chunk; $o++) { $f.Seek(-2, 1) >''; if ($f.ReadByte() -eq 0xfe) {$begin = $f.Position; break} }
    $limit = $f.Length - $begin; if ($limit -lt $chunk) {$x = $limit} else {$x = $chunk}
    $bytes = new-object "Byte[]" ($x); $r = $f.Read($bytes, 0, $x); 
    $u = [Text.Encoding]::GetEncoding(28591).GetString($bytes); $t = $u.IndexOf($find2, [StringComparison]4)
    if ($t -ge 0) {$f.Seek(($t + 12 -$x), 1) >''; $final = $f.Position} ; break
  } else { $p = $f.Seek(-$chunk, 1)} 
}
if ($begin -gt 0 -and $final -gt $begin) {
  $x = $final - $begin; $f.Seek(-$x, 1) >''; $bytes = new-object "Byte[]" ($x); $r = $f.Read($bytes, 0, $x)
  if ($r -ne $x) {break}
  $t =  [Text.Encoding]::GetEncoding(28591).GetString($bytes)
  if ($t.IndexOf($cli, [StringComparison]4) -ge 0) {$src = 0} else {$src = 1} 
  if ($src -eq 0 -and $toggle -ne 0) {$old = $cli; $new = $srv} elseif ($src -eq 1 -and $toggle -ne 1) {$old = $srv; $new = $cli}
  else {write-host "`n:) $input already has TPM patch $toggle"; $f.Dispose(); return}
  $t = $t.Replace($old, $new); $t; $b = [Text.Encoding]::GetEncoding(28591).GetBytes($t); $f.Seek(-$x, 1) >''; $f.Write($b, 0, $x)
  if ($src -eq 1) {write-host "`n :D TPM patch removed" -fore Green} else {write-host "`n:D TPM patch added" -fore Green} 
  $f.Dispose(); [GC]::Collect()
} else {write-host "`n;( TPM patch failed" -fore Red; $f.Dispose()}
#:: how quick was that??
$(get-date) - $script:timer
#:: done

或者从以下下载
Quick_11_iso_esd_wim_TPM_toggle

1.2、将Win11原版ISO拖动到上述批处理上面，瞬间完成改造！

说明：上述改造好的ISO即可绕过所有硬件限制。更厉害的地方在于，再次把改造后的ISO拖动到批处理上面，ISO又恢复原貌了，且原版的哈希值不变。该脚本不仅支持ISO镜像，还支持install.wim和install.esd。直接拖动到批处理上面，即可瞬间完成改造。

二、该方法小缺陷

在几乎所有场景下，这种方法改造出来的ISO，均非常完美。然而针对Win11的消费者版，改造后，双击setup.exe安装的时候，会出现“输入产品密钥”的界面，且无法跳过。出现上面这个问题，仅仅在上面这一种场景中会出现。也就是说，如果ISO是商业版，即批量版（VL版），那么就不会出现这个问题。因此，这一点缺陷也不算大问题。

三、小缺陷解决方法

对于做网管的技术人来说或多或少都有一些强迫症习惯，强迫症患者一旦发现了缺陷，是不允许有一点瑕疵的。所以，解决方案也非常简单：只需在ISO的sources目录下放入一个名为ei.cfg的文件，即可完美跳过密钥输入的界面。

下载地址

不想下载的，自己新建一个txt文档，将下述内容复制进去，然后保存为ei.cfg文件即可：

[Channel]
_Default
[VL]
0