diff --git a/README.md b/README.md
index fa22df1..8966608 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ Alternatively, you can run each of the steps manually:
 4. Plug the USB into your Chromebook and enter recovery mode. It should detect the USB and run the shimboot bootloader.
 5. Boot into Debian and log in with the username and password that you configured earlier. The default username/password for the prebuilt images is `user/user`.
 6. Expand the rootfs partition so that it fills up the entire disk by running `sudo growpart /dev/sdX 4` (replacing `sdX` with the block device corresponding to your disk) to expand the partition, then running `sudo resize2fs /dev/sdX4` to expand the filesystem.
-7. Change the root password and regular user password by running `sudo passwd root` and `passwd user`.
+7. Change the user password by running `passwd user`. The root user is disabled by default.
 
 ## FAQ:
 
@@ -111,7 +111,11 @@ Debian Sid (the rolling release version of Debian) is also supported if you just
 sudo ./build_rootfs.sh data/rootfs unstable
 ```
 #### How can I install a desktop environment other than XFCE?
-You can pass another argument to the `build_rootfs.sh` script, like this: `sudo ./build_rootfs.sh data/rootfs bookworm custom_packages=task-lxde-desktop`. The `custom_packages` argument is a list of packages (separated by spaces) that will be installed in the place of XFCE. 
+You can pass the `desktop` argument to the `build_complete.sh` script, like this:
+```bash
+sudo ./build_complete.sh grunt desktop=lxde
+```
+The valid values for this argument are: `gnome`, `xfce`, `kde`, `lxde`, `gnome-flashback`, `cinnamon`, `mate`, and `lxqt`.
 
 #### Will this prevent me from using Chrome OS normally?
 Shimboot does not touch the internal storage at all, so you will be able to use Chrome OS as if nothing happened. However, if you are on an enterprise enrolled device, booting Chrome OS again will force a powerwash due to the attempted switch into developer mode.
diff --git a/build_complete.sh b/build_complete.sh
index 2e2a57d..d72858d 100755
--- a/build_complete.sh
+++ b/build_complete.sh
@@ -8,12 +8,19 @@ print_help() {
   echo "  compress_img - Compress the final disk image into a zip file. Set this to any value to enable this option."
   echo "  rootfs_dir   - Use a different rootfs for the build. The directory you select will be copied before any patches are applied."
   echo "  quiet        - Don't use progress indicators which may clog up log files."
+  echo "  desktop      - The desktop environment to install. This defaults to 'xfce'. Valid options include:"
+  echo "                   gnome, xfce, kde, lxde, gnome-flashback, cinnamon, mate, lxqt"
 }
 
 assert_root
 assert_args "$1"
 parse_args "$@"
 
+compress_img="${args['compress_img']}"
+rootfs_dir="${args['rootfs_dir']}"
+quiet="${args['quiet']}"
+desktop="${args['desktop']-'xfce'}"
+
 needed_deps="wget python3 unzip zip git debootstrap cpio binwalk pcregrep cgpt mkfs.ext4 mkfs.ext2 fdisk rsync"
 if [ "$(check_deps "$needed_deps")" ]; then
   #install deps automatically on debian and ubuntu
@@ -63,7 +70,7 @@ download_and_unzip() {
   local zip_path="$2"
   local bin_path="$3"
   if [ ! -f "$bin_path" ]; then
-    if [ ! "${args['quiet']}" ]; then
+    if [ ! "$quiet" ]; then
       wget -q --show-progress $url -O $zip_path -c
     else
       wget -q $url -O $zip_path -c
@@ -74,7 +81,7 @@ download_and_unzip() {
     cleanup_path="$bin_path"
     echo "extracting $zip_path"
     local total_bytes="$(unzip -lq $zip_path | tail -1 | xargs | cut -d' ' -f1)"
-    if [ ! "${args['quiet']}" ]; then
+    if [ ! "$quiet" ]; then
       unzip -p $zip_path | pv -s $total_bytes > $bin_path
     else
       unzip -p $zip_path > $bin_path
@@ -97,31 +104,30 @@ download_and_unzip $reco_url $reco_zip $reco_bin
 echo "downloading shim image"
 download_and_unzip $shim_url $shim_zip $shim_bin
 
-if [ ! "${args['rootfs_dir']}" ]; then
+if [ ! "$rootfs_dir" ]; then
   rootfs_dir="$(realpath -m data/rootfs_$board)"
+  desktop_package="task-$desktop-desktop"
   rm -rf $rootfs_dir
   mkdir -p $rootfs_dir
 
   echo "building debian rootfs"
   ./build_rootfs.sh $rootfs_dir bookworm \
+    custom_packages=$desktop_package \
     hostname=shimboot-$board \
-    root_passwd=root \
     username=user \
-    user_passwd=user  
-else
-  rootfs_dir="$(realpath -m "${args['rootfs_dir']}")"
+    user_passwd=user
 fi
 
 echo "patching debian rootfs"
-retry_cmd ./patch_rootfs.sh $shim_bin $reco_bin $rootfs_dir "quiet=${args['quiet']}"
+retry_cmd ./patch_rootfs.sh $shim_bin $reco_bin $rootfs_dir "quiet=$quiet"
 
 echo "building final disk image"
 final_image="$base_dir/data/shimboot_$board.bin"
 rm -rf $final_image
-retry_cmd ./build.sh $final_image $shim_bin $rootfs_dir "quiet=${args['quiet']}"
+retry_cmd ./build.sh $final_image $shim_bin $rootfs_dir "quiet=$quiet"
 echo "build complete! the final disk image is located at $final_image"
 
-if [ "${args['compress_img']}" ]; then
+if [ "$compress_img" ]; then
   image_zip="$base_dir/data/shimboot_$board.zip"
   echo "compressing disk image into a zip file"
   zip -j $image_zip $final_image
diff --git a/build_rootfs.sh b/build_rootfs.sh
index e313ee4..9a05f6d 100755
--- a/build_rootfs.sh
+++ b/build_rootfs.sh
@@ -14,9 +14,11 @@ print_help() {
   echo "Valid named arguments (specify with 'key=value'):"
   echo "  custom_packages - The packages that will be installed in place of task-xfce-desktop."
   echo "  hostname        - The hostname for the new rootfs."
-  echo "  root_passwd     - The root password."
+  echo "  enable_root     - Enable the root user."
+  echo "  root_passwd     - The root password. This only has an effect if enable_root is set."
   echo "  username        - The unprivileged user name for the new rootfs."
   echo "  user_passwd     - The password for the unprivileged user."
+  echo "  disable_base    - Disable the base packages such as zram, cloud-utils, and command-not-found."
   echo "If you do not specify the hostname and credentials, you will be prompted for them later."
 }
 
@@ -49,11 +51,18 @@ done
 
 hostname="${args['hostname']}"
 root_passwd="${args['root_passwd']}"
+enable_root="${args['enable_root']}"
 username="${args['username']}"
 user_passwd="${args['user_passwd']}"
+disable_base="${args['disable_base']}"
+
+chroot_command="/opt/setup_rootfs.sh \
+  '$DEBUG' '$release_name' '$packages' \
+  '$hostname' '$root_passwd' '$username' \
+  '$user_passwd' '$enable_root' '$disable_base'"
+
+LC_ALL=C chroot $rootfs_dir /bin/bash -c "${chroot_command}"
 
-chroot_command="/opt/setup_rootfs.sh '$DEBUG' '$release_name' '$packages' '$hostname' '$root_passwd' '$username' '$user_passwd'"
-chroot $rootfs_dir /bin/bash -c "${chroot_command}"
 trap - EXIT
 unmount_all
 
diff --git a/common.sh b/common.sh
index b452a0c..827228f 100755
--- a/common.sh
+++ b/common.sh
@@ -29,6 +29,11 @@ assert_deps() {
 parse_args() {
   declare -g -A args
   for argument in "$@"; do
+    if [ "$argument" = "-h" ] || [ "$argument" = "--help" ]; then
+      print_help
+      exit 0
+    fi
+
     local key=$(echo $argument | cut -f1 -d=)
     local key_length=${#key}
     local value="${argument:$key_length+1}"
diff --git a/rootfs/opt/setup_rootfs.sh b/rootfs/opt/setup_rootfs.sh
index f2c6279..238035b 100755
--- a/rootfs/opt/setup_rootfs.sh
+++ b/rootfs/opt/setup_rootfs.sh
@@ -16,12 +16,14 @@ hostname="$4"
 root_passwd="$5"
 username="$6"
 user_passwd="$7"
+enable_root="$8"
+disable_base_pkgs="$9"
 
 custom_repo="https://shimboot.ading.dev/debian"
 custom_repo_domain="shimboot.ading.dev"
 sources_entry="deb [trusted=yes arch=amd64] ${custom_repo} ${release_name} main"
 
-export DEBIAN_FRONTEND=noninteractive
+export DEBIAN_FRONTEND="noninteractive"
 
 #add shimboot repos
 echo -e "${sources_entry}\n$(cat /etc/apt/sources.list)" > /etc/apt/sources.list
@@ -40,14 +42,17 @@ apt-get install --reinstall $installed_systemd
 #enable shimboot services
 systemctl enable kill-frecon.service
 
-#install desktop
-apt-get install -y $packages cloud-utils zram-tools
+#install base packages
+if [ -z "$disable_base_pkgs" ]; then
+  apt-get install -y cloud-utils zram-tools sudo command-not-found
 
-#set up zram
-tee -a /etc/default/zramswap << END
-ALGO=lzo
-PERCENT=50
-END
+  #set up zram
+  echo "ALGO=lzo" >> /etc/default/zramswap
+  echo "PERCENT=50" >> /etc/default/zramswap
+
+  #update apt-file cache
+  apt-file update
+fi
 
 #set up hostname and username
 if [ ! "$hostname" ]; then
@@ -64,28 +69,35 @@ ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 END
 
-echo "Enter a root password:"
-if [ ! "$root_passwd" ]; then
-  while ! passwd root; do
-    echo "Failed to set password, please try again."
-  done
-else
-  yes "$root_passwd" | passwd root
-fi
+#install desktop and other custom packages
+apt-get install -y $packages
 
 if [ ! $username ]; then
   read -p "Enter the username for the user account: " username
 fi
 useradd -m -s /bin/bash -G sudo $username
 
-if [ ! "$user_passwd" ]; then
-  echo "Enter the password for ${username}:"
-  while ! passwd $username; do
-    echo "Failed to set password, please try again."
-  done
+set_password() {
+  local user="$1"
+  local password="$2"
+  if [ ! "$password" ]; then
+    while ! passwd $user; do
+      echo "Failed to set password for $user, please try again."
+    done
+  else
+    yes "$password" | passwd $user
+  fi
+}
+
+if [ "$enable_root" ]; then 
+  echo "Enter a root password:"
+  set_password root "$root_passwd"
 else
-  yes "$user_passwd" | passwd $username
+  usermod -a -G sudo $username
 fi
 
+echo "Enter a user password:"
+set_password "$username" "$user_passwd"
+
 #clean apt caches
 apt-get clean
\ No newline at end of file