The tiny-Windows movement just got a radical new entry. NTDEV, the creator of tiny11, has unveiled nano11, a PowerShell script that ruthlessly strips Windows 11 down to an ISO just over 2 GB and an installed footprint under 3 GB — roughly one-tenth the size of a vanilla installation. Those numbers are eye-popping, but they come at a steep price: the resulting operating system is static, unserviceable, and fundamentally unsafe as a daily driver.

The rise of surgical Windows shrinking

For years, enthusiasts have chiseled away at Microsoft’s ever-expanding default images. The tiny11 project showed that combining Microsoft’s own DISM tools with aggressive LZX compression could produce manageable ISOs in the 3–4 GB range. nano11 takes the same toolkit and pushes it further, stripping away not just inbox apps but entire servicing layers. The result is an image built for a single purpose: short-lived, resource-constrained virtual machines and lab experiments.

The script builds on a well-documented pipeline: mount the official Windows 11 WIM/ESD image, surgically remove packages, prune the component store, and recompress with recovery-style compression. What makes nano11 different is the depth of the cuts. Unlike tiny11’s “regular” profile, which keeps Windows Update intact, nano11 intentionally severs update pathways to squeeze out every last megabyte.

How the shrinking magic works

The nano11 script relies entirely on Microsoft’s own imaging tools — DISM and OSCDIMG — to perform its magic. The process is technically straightforward but aggressively executed:

  • Image servicing: The script mounts the Windows image and uses DISM to uninstall optional features, inbox UWP packages, and language packs that aren’t strictly necessary.
  • Payload reduction: Unused drivers, fonts, wallpapers, IME components, and background services are stripped. Even telemetry and diagnostic pipelines are disabled to reduce the on-disk footprint and runtime memory usage.
  • Component store pruning: The most drastic step involves trimming or removing WinSxS and the servicing stack itself. This is the point of no return — without these components, Windows Update cannot apply cumulative patches or feature updates.
  • Recovery compression: The rebuilt image is compressed using LZX or LZMS algorithms, the same techniques Microsoft uses for its recovery partitions. These achieve a much tighter compression ratio than standard WIM captures, albeit at the cost of higher CPU time during image creation and slightly slower expansion during installation.

LZX compression is the secret sauce behind the dramatic size reduction. When applied to an already gutted image, it can turn a 20 GB+ installation into a 2.8 GB installable footprint. That’s smaller than many Linux distributions and makes nano11 viable even on ancient hardware or in containers where every megabyte counts.

What nano11 removes — and what you lose

nano11’s removals go far beyond the typical debloating scripts. Among the casualties:

  • Windows Update and servicing: The component store and servicing stack are gutted, making the image immune to cumulative updates.
  • Windows Hello and biometrics: All biometric authentication frameworks are removed.
  • IME and language packs: Only a minimal set of input method editors survives; additional language support is discarded.
  • Inbox apps: Copilot, the New Outlook, Teams, OneDrive, Xbox components, Media Player, and other preinstalled UWP/Win32 apps are exorcised.
  • Cosmetic overhead: Default wallpapers, themes, and most fonts are deleted.
  • Telemetry and background services: Diagnostic tracking and several optional services are disabled or removed.

The system that remains can boot, run a shell, and execute basic applications, but it’s a skeleton. You won’t have media playback frameworks, modern camera drivers, or the convenience of Windows Update in the background. This is not a bug; it’s a deliberate design choice to achieve extreme minimalism.

The serviceability cliff

The single most important caveat is serviceability. A nano11 install is frozen in time. Without the servicing stack and component store, Microsoft’s cumulative updates, security patches, and feature upgrades cannot be applied through normal channels. This isn’t a theoretical risk — it’s a deliberate engineering decision that trades maintainability for a smaller footprint.

For any machine connected to a network, this is a non-starter. Security researchers regularly uncover vulnerabilities that require patching; a nano11 system will remain permanently exposed to those flaws unless you manually rebuild the entire image every month. The community explicitly warns against using such images as daily drivers or in production environments. The “core” profile of tiny11 already removes update capabilities, and nano11 doubles down on that philosophy.

Security implications: a double-edged sword

While some users celebrate the removal of telemetry as a privacy win, the security trade-offs are severe:

  • No automatic patches: Without Windows Update, known exploits like PrintNightmare or BlueKeep would remain unpatched indefinitely.
  • Driver and firmware gaps: Stripping drivers to a bare minimum can break support for Wi-Fi chips, GPUs, and other peripherals. Manually installing third-party drivers may be necessary, introducing supply-chain risks.
  • Missing telemetry-driven mitigations: Modern Windows security features occasionally rely on telemetry signals to deploy quick mitigations. Removing those pipelines can leave the system less responsive to emerging threats.
  • Trust in the builder: Users must place trust in the pre-built script or the distributed ISO. Verifying checksums and reviewing PowerShell code is a must before deploying in any security-sensitive context.

For these reasons, nano11 is best confined to air-gapped labs, ephemeral test VMs, or forensic analysis environments where the system will never touch a network.

Where nano11 shines: legitimate use cases

Despite the risks, nano11 fills a genuine niche:

  • Testing and automation: Rapidly spinning up clean Windows environments for CI/CD pipelines, malware analysis, or software validation, where speed and reproducibility matter more than long-term maintenance.
  • Legacy hardware experiments: Booting ancient machines for offline demonstrations, hardware interfacing, or nostalgic gaming.
  • Education and training: Teaching Windows internals, image servicing, or compression techniques without needing large disks.
  • Kiosk and forensic images: Single-purpose appliances that never update and run in isolated networks.

IT administrators should resist the temptation to deploy nano11 on employee workstations. The maintenance burden and security exposure outweigh the disk-space savings by a wide margin.

nano11 starts with an official Microsoft Windows 11 ISO. Redistributing a modified form of that ISO raises licensing questions. The script itself does not include any Microsoft binaries; it operates on the user’s own downloaded media, much like the tiny11 builder. This approach skirts the redistribution problem but does not absolve users of the need to comply with Windows licensing terms. Activating the resulting installation still requires a valid license, and using a heavily modified image may void certain support entitlements.

Organizations should consult legal counsel before introducing modified Windows images into any regulated environment.

Building your own nano11 image safely

If you’re ready to experiment, a methodical approach minimizes risk:

  1. Work in isolation: Use a virtual machine or a dedicated test PC, never your daily driver.
  2. Verify sources: Download the official Windows 11 ISO from Microsoft and confirm its SHA-256 hash.
  3. Audit the script: Review the nano11 PowerShell script thoroughly before execution. Understand every removal.
  4. Stage and test: Build the image, install it in a VM, and verify that every required application and driver works before deploying to physical hardware.
  5. Keep the original: Retain the untouched ISO and the script; you’ll need them to rebuild when the next Windows feature update arrives.
  6. Prefer the regular tiny11 profile if you want a smaller but still serviceable system for anything beyond throwaway VMs.

Community reaction and verifiable claims

Enthusiasts have long tinkered with shrinking Windows. The tiny11 project already demonstrated reproducible reductions to 3–4 GB ISOs. nano11’s claim of a ~2 GB ISO and ~2.8 GB installed size is plausible given the same pipeline applied with even more aggressive deletions, but exact results vary. Start with a Windows 11 Enterprise multi-edition ISO, strip every foreign language and optional package, and you’ll get a different result than if you begin with a Home edition. The developer’s figures should be treated as representative, not universal.

Importantly, multiple community reviews confirm that removing the component store indeed breaks Windows Update. This is not a hidden glitch; it’s a documented consequence of the “core” removal profile that nano11 embraces.

Recommendations for Windows enthusiasts and IT pros

  • Use the right tool for the job: nano11 is fantastic for disposable VMs and lab toys; it’s terrible for anything that needs to stay patched.
  • If in doubt, stick with regular tiny11: You’ll still get a fraction of the size but keep the ability to install cumulative updates.
  • Test everything offline first: Surprises are less painful in a sandbox.
  • Have an escape plan: Keep recovery media and a documented rebuild process handy.
  • Enterprise environments should look elsewhere: For production endpoints, Microsoft’s own Windows Configuration Designer or a properly serviced image is the only sane choice.

Final analysis: the power and peril of extreme minimalism

nano11 is a testament to the flexibility of Windows image servicing. It shows that with standard Microsoft tooling and a willingness to sacrifice, you can reshape the OS into a lean, specialized tool. The technique of combining DISM removals with LZX compression is clever, efficient, and open to anyone with an interest in Windows internals.

But the trade-offs are real and escalate steeply. A Windows installation without the servicing stack is a fragile artifact: blazingly fast and astonishingly small today, but increasingly dangerous and brittle tomorrow. For the curious hacker or the lab technician, nano11 opens a window into Windows’ plumbing. For anyone else, it’s a cautionary tale that size reduction isn’t free — and that the only safe way to run such an image is in a tightly sealed sandbox.