diff --git a/windows/installer/oem/Configure-Kiosk.ps1 b/windows/installer/oem/Configure-Kiosk.ps1
index 2cd00bb..552930a 100644
--- a/windows/installer/oem/Configure-Kiosk.ps1
+++ b/windows/installer/oem/Configure-Kiosk.ps1
@@ -19,9 +19,12 @@ function Log($m){ "$(Get-Date -f s) $m" | Add-Content $log }
 # Elevating launcher: Shell Launcher runs this as the shell; it relaunches the
 # Welcome app elevated (silent via the baked UAC auto-approve).
 $launcher='C:\Windows\Setup\Scripts\Start-WelcomeShell.cmd'
+$welcomeEscaped = $WelcomeExe.Replace("'","''")
 @"
 @echo off
-powershell -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -FilePath '$WelcomeExe' -Verb RunAs"
+powershell -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -LiteralPath '$welcomeEscaped' -Verb RunAs"
+REM Shell Launcher tracks this CMD process; the Welcome app runs detached above.
+REM Loop keeps the process alive so Shell Launcher doesn't restart it on idle.
 :loop
 timeout /t 3600 >nul
 goto loop
@@ -30,8 +33,10 @@ Log "wrote launcher $launcher"
 
 # --- Shell Launcher v2 (WMI bridge) ---
 $cls='root\standardcimv2\embedded'
-$wesl=Get-CimInstance -Namespace $cls -ClassName WESL_UserSetting -ErrorAction Stop
+# Enable Shell Launcher FIRST, then fetch a fresh instance (the pre-enable
+# snapshot's instance methods can silently no-op on some WESL builds).
 Invoke-CimMethod -Namespace $cls -ClassName WESL_UserSetting -MethodName SetEnabled -Arguments @{Enabled=$true} | Out-Null
+$wesl=Get-CimInstance -Namespace $cls -ClassName WESL_UserSetting -ErrorAction Stop
 # Default shell stays Explorer for everyone else.
 Invoke-CimMethod -InputObject $wesl -MethodName SetDefaultShell -Arguments @{Shell='explorer.exe';DefaultAction=[uint32]0} | Out-Null
 # sm-bootstrap => the elevating launcher; on exit, restart the shell (action 0).
diff --git a/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs b/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
index 0e2c1a5..b557631 100644
--- a/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
+++ b/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
@@ -3,6 +3,9 @@ public sealed class BootstrapService(IProcessRunner runner) : IBootstrapService
 {
     public async Task RevertKioskAsync(CancellationToken ct = default)
     {
+        // -EA SilentlyContinue throughout: Shell Launcher revert is best-effort.
+        // If WESL is unavailable the real user still gets Explorer (no custom shell
+        // for their SID). Intentional: don't fail teardown over a missing WMI class.
         // Remove sm-bootstrap custom shell entry + disable Shell Launcher's per-user entry.
         await Ps(
             "$c='root\\\\standardcimv2\\\\embedded';" +