A new open-source tool called Nano11 Builder can compress a standard Windows 11 installation image down to a mere 2.29 GB, a 67% reduction from the original 7.04 GB ISO. The builder, created by NTDEV—the same developer behind the popular Tiny11 project—takes a scorched-earth approach to debloating, stripping out not just inbox apps and language packs, but also critical servicing components like Windows Update and the Windows Component Store. The result is a drastically lighter Windows 11 that boots in seconds and consumes minimal disk space, but one that comes with serious trade-offs in security and maintainability.
The Windows debloating scene has evolved rapidly. What began as third-party scripts that removed pre-installed Candy Crush and OneDrive after setup has matured into full-blown image rebuilding pipelines. NTDEV’s Tiny11 series demonstrated that even a modern OS like Windows 11 could be comfortably installed on low-storage hardware. Now, Nano11 pushes that concept to its logical extreme, targeting not just bloat but the very systems that keep Windows up to date and secure.
Inside the Nano11 pipeline: DISM, oscdimg, and surgical stripping
Nano11 is not a collection of registry hacks or post-install tweaks. It is a PowerShell-based image builder that leverages Microsoft’s own command-line tools—DISM (Deployment Image Servicing and Management) and oscdimg.exe from the Windows Assessment and Deployment Kit (ADK)—to service and repack the installation media. By using only first-party utilities, the project maintains a high degree of auditability and avoids introducing unknown binaries.
The process starts with an official Windows 11 ISO in either WIM or ESD format. The script mounts the image offline, then uses DISM to surgically remove hundreds of packages, optional features, drivers, fonts, input method editors (IMEs), and inbox apps. It also disables or deletes services and injects an unattend.xml answer file to skip the Microsoft Account prompt during setup. Once the image is trimmed, it is re-exported using DISM’s recovery compression mode, which employs the potent LZMS/LZX algorithms to push file size to the absolute minimum. Finally, oscdimg.exe creates a bootable ISO ready for USB or virtual machine deployment.
This pipeline is fully scripted, making it reproducible in lab environments and CI/CD workflows. The builder supports both x64 and ARM64 architectures and works across various Windows 11 editions, including LTSC (Long-Term Servicing Channel) builds.
The compression secret: LZMS and LZX
The headline figures depend on a compression scheme that is far more aggressive than the default XPRESS mode used by most Windows installation media. By specifying /Compress:recovery during export, DISM switches to a combination of LZMS and LZX algorithms originally designed for system recovery images. These algorithms achieve a higher compression ratio but at a cost: they consume more CPU and memory during the export phase, and expansion during installation takes longer. In practice, the trade-off yields install.wim files that are 40–60% smaller than those produced with standard compression.
When this compression is combined with the removal of gigabytes of optional components, the impact is dramatic. NTDEV’s community demonstrations show a stock 7.04 GB Windows 11 ISO transformed into a 2.29 GB installer. An LTSC edition, already lighter, was installed to a footprint of just 2.8 GB. These numbers are configuration-dependent, however; results vary based on the source edition, included language packs, and the specific removal profile chosen.
What gets removed: a laundry list of excised components
Nano11 offers two primary profiles: a “Tiny11” profile that retains serviceability and a more radical “Core” profile that removes the update mechanisms entirely. In the Core profile, the following components are typically stripped:
- All inbox apps: Clipchamp, Xbox, Solitaire, Media Player, Mail & Calendar, Feedback Hub, and more.
- AI and modern clients: Copilot, new Outlook for Windows, consumer Microsoft Teams.
- Cloud integration: OneDrive client and deep OneDrive shell hooks.
- Browsers: Microsoft Edge and its related components.
- Security: Windows Defender anti-malware service and its definition updates (in some builds).
- Servicing: Windows Update, the Windows Component Store (WinSxS), and associated servicing stack bits.
- Accessibility features, language packs, all IMEs, wallpapers, optional fonts, and most optional drivers.
- Even the audio stack can be removed in the most extreme configuration.
The Tiny11 profile, by contrast, leaves Windows Update and critical security services intact, resulting in a slightly larger but updateable image.
A step-by-step tour of the build process
For system administrators and advanced users, the Nano11 workflow is refreshingly transparent:
- Preparation: Obtain an official Microsoft ISO (Windows 11 22H2 or later) and install the Windows ADK to get oscdimg.exe. Launch PowerShell with administrative privileges and adjust the execution policy if necessary.
- Mounting: The script extracts the
install.wimorinstall.esdfrom the ISO and mounts the desired edition to a staging directory. - Offline servicing: Using DISM commands, the builder removes app packages by name, turns off optional features, deletes language packs and IMEs, and strips driver classes. It also applies registry hacks to disable or delete services.
- Unattend injection: An autounattend.xml file is inserted to customize OOBE—skipping Microsoft Account sign-in, enabling local accounts, and setting other deployment preferences.
- Repacking: The serviced image is exported with recovery compression, a resource-intensive step that can take several minutes on a powerful machine.
- ISO creation: Oscdimg.exe assembles the final bootable ISO, which can then be written to a USB drive or mounted in a hypervisor.
The entire process is designed to run unattended, making it ideal for automated build pipelines.
Measured outcomes: why size varies
While the 2.29 GB ISO and 2.8 GB installed footprint are impressive, they are not universal constants. Several factors influence the final size:
- Source edition: LTSC and Pro editions without pre-installed language packs compress better than consumer Home images.
- Languages and IMEs: A single-language image is far smaller than a multilingual one; stripping out all non-English components can save over a gigabyte.
- Driver payload: OEM driver bundles inflate the component store; removing them early yields dramatic WinSxS shrinkage.
- Profile selection: The Core profile produces the smallest images, but even within Core, additional options (like keeping audio) affect the result.
In one community test, an LTSC 2024 build starting from a 7.04 GB ISO ended up at 2.29 GB on disk and installed to 2.8 GB. Your mileage will vary.
Who stands to gain: labs, CI, and embedded devices
For the right use cases, Nano11 is a game-changer:
- Rapid VM provisioning: Developers and QA engineers can spin up Windows sandboxes in seconds instead of minutes, with minimal storage consumption.
- Ephemeral test environments: CI/CD pipelines benefit from quick-to-deploy disposable instances that match production configurations.
- Embedded and kiosk systems: Devices with 16 GB or 32 GB storage can run a full Windows 11 system stripped of unnecessary overhead.
- Forensic and malware analysis: A minimal, deterministic image reduces noise and potential interference during investigations.
These environments rarely require long-term patching or built-in security, making Nano11’s downsides less relevant.
The dark side: no updates, no security, no mercy
The same austerity that makes Nano11 tiny also makes it fragile and potentially dangerous:
- No Windows Update: By removing the servicing stack and WinSxS, the Core image cannot receive security patches through normal channels. Every fix requires rebuilding and redeploying the entire OS.
- No default security: Windows Defender and its definition updates are often removed. Attackers exploiting a vulnerability find no automated barrier, and the system lacks the ability to self-heal.
- Hardware breakage: Without IMEs, critical drivers, or audio services, peripherals may fail. A keyboard layout for a language you didn’t strip might stop working, and biometric sensors become inert.
- Legal and support quicksand: Though the underlying license remains Microsoft’s, running a community-modified image can void vendor support agreements and violate organizational IT policies.
- Supply-chain trust: The build script itself, while open source, is maintained by a third party. It must be audited line-by-line to ensure it hasn’t been tampered with or injected with malicious code.
These risks relegate Nano11 to strictly controlled environments. The project’s own documentation labels it “experimental” and warns against production use.
Risk matrix at a glance
| Risk category | Severity | Mitigation |
|---|---|---|
| Security (no updates) | Critical | Treat images as immutable; rebuild monthly from patched source ISOs. |
| Security (no Defender) | High | Deploy a third-party anti-malware agent with auto-update capability. |
| Serviceability | High | Use only in ephemeral roles; never as a daily driver. |
| Hardware compatibility | Medium | Test exhaustively on target hardware; keep driver injections on hand. |
| Legal / compliance | Medium | Consult licensing agreements; obtain legal sign-off for enterprise deployment. |
| Supply chain integrity | Medium | Audit the script, verify checksums, and run in isolated build environments. |
Recommendations for the brave
If you decide to experiment with Nano11, follow these guidelines:
- Never use Core images on internet-connected daily-use machines. Treat them as throwaway artifacts.
- Start with the Tiny11 profile to understand the impact before moving to Core.
- Keep a verified copy of the original Microsoft ISO and rebuild frequently from it.
- Audit the PowerShell script every time you update it; maintain a private fork with your own trusted changes.
- Incorporate third-party security if the image must be networked: a known, repudable anti-malware solution and a firewall profile locked down to only necessary ports.
- Adopt immutable infrastructure patterns: rebuild images on a weekly or monthly schedule, baking in the latest patches, rather than trying to update in place.
The legal tightrope
Nano11 does not distribute modified ISOs; it builds them on your machine from your own licensed media. That means the Windows EULA remains the governing document. However, deploying such images in a corporate environment could still raise red flags with Microsoft’s support team. Always consult your organization’s Microsoft licensing and support agreements before rolling out community-serviced images in a production setting.
Where Nano11 fits—and where it doesn’t
Nano11 is a precision instrument, not a general-purpose toolkit. Its ideal deployments include:
- CI/CD runners: Where a clean, disposable Windows instance is needed for testing and the runner is destroyed after the job.
- Kiosk and digital signage: Locked-down appliances that never see a Microsoft update and can be reflashed for patching.
- Educational demonstrations: To illustrate the modular nature of Windows and the power of offline servicing.
It is wildly unsuitable for:
- General office PCs: Users expect updates, security, and peripheral compatibility.
- Regulated industries: Healthcare, finance, and government require validated, supported configurations.
- Any machine storing sensitive data: Without Defender and the ability to patch, such a system is a liability.
Conclusion: a marvel of minimalism, not a replacement for Windows
NTDEV’s Nano11 Builder represents the state of the art in Windows image compression and stripping. By combining aggressive DISM removals with LZMS compression, it produces installers and footprints that would have been unthinkable a decade ago. For developers, testers, and embedded system designers, it unlocks scenarios where every megabyte counts.
But this minimalist triumph is built on a foundation of absent safety nets. The removal of Windows Update, Defender, and the component store transforms Windows from a self-maintaining ecosystem into a static, vulnerable artifact—comparable to a classic embedded OS that must be reflashed for any change. Embrace Nano11 where its trade-offs align with your operational model, but never mistake it for a secure, maintainable Windows installation.