SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(kiosk): re-assert UAC auto-approve online (OOBE resets the offline bake)
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 5m6s
Details

Browse Source 
4th e2e showed a UAC consent prompt for the unsigned Welcome app — the offline-baked
ConsentPromptBehaviorAdmin=0 is reset by Windows during OOBE. Re-assert it (and
PromptOnSecureDesktop=0) ONLINE in Configure-Kiosk.ps1, which runs right before the
sm-bootstrap autologon, so 'Start-Process -Verb RunAs' elevates silently. RevertKioskAsync
restores SECURE UAC (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) for the real user.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
sysadmin
2026-06-09 18:12:57 +01:00
parent 159cea0019
commit d54a5cb8db
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/installer/oem/Configure-Kiosk.ps1
View File

@@ -77,4 +77,12 @@ New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
Log 'escape policies set; kiosk ready'
# Silent elevation for the sm-bootstrap launcher's 'Start-Process -Verb RunAs':
# the offline-baked UAC auto-approve (build.ps1) is RESET by Windows during OOBE,
# so re-assert it online here (runs before the autologon shell). Otherwise the
# kiosk shows a UAC consent prompt for the (unsigned) Welcome app. Reverted at
# teardown so the real end-user keeps normal UAC.
Set-ItemProperty $sys -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
Set-ItemProperty $sys -Name PromptOnSecureDesktop -Value 0 -Type DWord
Log 'escape policies + UAC auto-approve set; kiosk ready'

5
windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
View File

@@ -19,7 +19,10 @@ public sealed class BootstrapService(IProcessRunner runner) : IBootstrapService
// Revert escape policies set by Configure-Kiosk.ps1.
await Ps(
"$s='HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System';" +
"Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue",
"Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue;" +
// Restore SECURE UAC for the real end-user (the kiosk auto-approved unsigned elevation).
"Set-ItemProperty $s -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord -EA SilentlyContinue;" +
"Set-ItemProperty $s -Name PromptOnSecureDesktop -Value 1 -Type DWord -EA SilentlyContinue",
ct);
}