From a0b9c2c989a999fd02aaf29531833a7eeace4eb7 Mon Sep 17 00:00:00 2001 From: sysadmin Date: Tue, 9 Jun 2026 00:46:13 +0100 Subject: [PATCH] fix(windows/hardening): tolerate missing hibernation (module G) VM run: `powercfg /hibernate on` writes to stderr where hibernation is unsupported (VMs), which under ErrorActionPreference=Stop aborted module G after its earlier lock-screen settings applied. Wrap it so the module completes cleanly. Co-Authored-By: Claude Opus 4.8 --- windows/hardening/06-physical-lock.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/hardening/06-physical-lock.ps1 b/windows/hardening/06-physical-lock.ps1 index 6b83930..4157651 100644 --- a/windows/hardening/06-physical-lock.ps1 +++ b/windows/hardening/06-physical-lock.ps1 @@ -24,7 +24,9 @@ New-Item $fve -Force | Out-Null Set-ItemProperty $fve -Name DisableExternalDMAUnderLock -Type DWord -Value 1 # Prefer hibernate over sleep (keys not left resident in RAM as long). -powercfg /hibernate on 2>$null +# Tolerate environments without hibernation support (e.g. VMs) -- native stderr +# under ErrorActionPreference=Stop would otherwise abort the module. +try { & powercfg /hibernate on 2>&1 | Out-Null } catch { Write-Host ' (hibernate unavailable here; skipped)' } # TODO-M1: set lid-close + idle -> hibernate via powercfg; deny camera/mic per-app # (Device Manager disable is the stopgap; the Pocket 4 has NO hardware kill switch). # NOTE: SilverDuress (Stack, v1.1) provides duress-PIN / panic-wipe - installed by module 08.