From d54a5cb8db5c554d17fa686734978ffd701def7e Mon Sep 17 00:00:00 2001
From: sysadmin
Date: Tue, 9 Jun 2026 18:12:57 +0100
Subject: [PATCH] fix(kiosk): re-assert UAC auto-approve online (OOBE resets the offline bake)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

4th e2e showed a UAC consent prompt for the unsigned Welcome app — the offline-baked ConsentPromptBehaviorAdmin=0 is reset by Windows during OOBE. Re-assert it (and PromptOnSecureDesktop=0) ONLINE in Configure-Kiosk.ps1, which runs right before the sm-bootstrap autologon, so 'Start-Process -Verb RunAs' elevates silently. RevertKioskAsync restores SECURE UAC (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) for the real user.

Co-Authored-By: Claude Opus 4.8
---
 windows/installer/oem/Configure-Kiosk.ps1 | 10 +++++++++-
 .../SilverOS.Welcome.Core/Apply/BootstrapService.cs | 5 ++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/windows/installer/oem/Configure-Kiosk.ps1 b/windows/installer/oem/Configure-Kiosk.ps1
index cc2d360..a22ec38 100644
--- a/windows/installer/oem/Configure-Kiosk.ps1
+++ b/windows/installer/oem/Configure-Kiosk.ps1
@@ -77,4 +77,12 @@ New-Item $sys -Force | Out-Null
 Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
 Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
 Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
-Log 'escape policies set; kiosk ready'
+
+# Silent elevation for the sm-bootstrap launcher's 'Start-Process -Verb RunAs':
+# the offline-baked UAC auto-approve (build.ps1) is RESET by Windows during OOBE,
+# so re-assert it online here (runs before the autologon shell). Otherwise the
+# kiosk shows a UAC consent prompt for the (unsigned) Welcome app. Reverted at
+# teardown so the real end-user keeps normal UAC.
+Set-ItemProperty $sys -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
+Set-ItemProperty $sys -Name PromptOnSecureDesktop -Value 0 -Type DWord
+Log 'escape policies + UAC auto-approve set; kiosk ready'
diff --git a/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs b/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
index e0fca60..6f63f33 100644
--- a/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
+++ b/windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs
@@ -19,7 +19,10 @@ public sealed class BootstrapService(IProcessRunner runner) : IBootstrapService
 // Revert escape policies set by Configure-Kiosk.ps1.
 await Ps(
 "$s='HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System';" +
-"Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue",
+"Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue;" +
+// Restore SECURE UAC for the real end-user (the kiosk auto-approved unsigned elevation).
+"Set-ItemProperty $s -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord -EA SilentlyContinue;" +
+"Set-ItemProperty $s -Name PromptOnSecureDesktop -Value 1 -Type DWord -EA SilentlyContinue",
 ct);
 }
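Review bot: The two added Set-ItemProperty lines (ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) remove consent for every elevation by the autologon account's admin token, not just the bootstrap launcher's `Start-Process -Verb RunAs`, so any code that escapes the kiosk shell — the DisableTaskMgr/DisableLockWorkstation/HideFastUserSwitching policies above are the only barrier — runs as a silent full administrator until teardown reverts it. A narrower fix that never weakens UAC is to start the launcher from a scheduled task registered with `-RunLevel Highest` (it receives the elevated token without a prompt for an interactive admin), assuming the launcher tolerates being started that way; if the policy must stay, add a fail-closed path here, e.g. a one-shot boot task that re-sets 2/1, so a teardown that never runs cannot ship a device with auto-approve still on. The comment's "keeps normal UAC" also does not match the value the commit message says teardown writes (2 = always notify; the Windows default for admins is 5), so either write `# Reverted at teardown to always-notify UAC (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1).` or pick 5 on the revert side.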
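Review bot: `-EA SilentlyContinue` on the two added Set-ItemProperty lines swallows a failed UAC restore, so a write that fails leaves ConsentPromptBehaviorAdmin at 0 on the shipped device with nothing reporting it; removing the escape policies can stay best-effort, but the UAC restore is the security-critical step and should fail loudly. Drop `-EA SilentlyContinue` from those two lines and verify the result, e.g. append `"if ((Get-ItemProperty $s).ConsentPromptBehaviorAdmin -ne 2 -or (Get-ItemProperty $s).PromptOnSecureDesktop -ne 1) { throw 'UAC restore failed' }"` to the script, assuming `Ps` surfaces a thrown PowerShell error or non-zero exit (its definition is outside the hunk). The comment says "Restore" but 2 is always-notify, stricter than the Windows admin default of 5 and presumably different from what the image had before the offline bake; state that in the comment (`// Set always-notify UAC (2/1) — stricter than the Windows default of 5 — for the real end-user.`) or use 5 if the intent is the default. The enclosing method (RevertKioskAsync, per the commit message) starts before the hunk.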