diff --git a/windows/installer/oem/Configure-Kiosk.ps1 b/windows/installer/oem/Configure-Kiosk.ps1
new file mode 100644
index 0000000..2cd00bb
--- /dev/null
+++ b/windows/installer/oem/Configure-Kiosk.ps1
@@ -0,0 +1,60 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS Configure the one-time sm-bootstrap onboarding kiosk.
+.DESCRIPTION
+ Runs from SetupComplete.cmd as SYSTEM, after accounts exist, before first
+ logon. Sets the sm-bootstrap shell to an elevating launcher for the Welcome
+ app (no Explorer => no taskbar/Start), turns on the Keyboard Filter for shell
+ hotkeys, and disables Task Manager / lock / fast-user-switch escapes.
+ Reverted by the Welcome app's ApplyService on wizard success.
+#>
+[CmdletBinding()]
+param([string]$BootstrapUser='sm-bootstrap',
+ [string]$WelcomeExe='C:\Program Files\SilverOS\Welcome\SilverOS.Welcome.App.exe')
+Set-StrictMode -Version Latest
+$ErrorActionPreference='Stop'
+$log='C:\Windows\Setup\Scripts\silvermetal-kiosk.log'
+function Log($m){ "$(Get-Date -f s) $m" | Add-Content $log }
+
+# Elevating launcher: Shell Launcher runs this as the shell; it relaunches the
+# Welcome app elevated (silent via the baked UAC auto-approve).
+$launcher='C:\Windows\Setup\Scripts\Start-WelcomeShell.cmd'
+@"
+@echo off
+powershell -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -FilePath '$WelcomeExe' -Verb RunAs"
+:loop
+timeout /t 3600 >nul
+goto loop
+"@ | Set-Content $launcher -Encoding ASCII
+Log "wrote launcher $launcher"
+
+# --- Shell Launcher v2 (WMI bridge) ---
+$cls='root\standardcimv2\embedded'
+$wesl=Get-CimInstance -Namespace $cls -ClassName WESL_UserSetting -ErrorAction Stop
+Invoke-CimMethod -Namespace $cls -ClassName WESL_UserSetting -MethodName SetEnabled -Arguments @{Enabled=$true} | Out-Null
+# Default shell stays Explorer for everyone else.
+Invoke-CimMethod -InputObject $wesl -MethodName SetDefaultShell -Arguments @{Shell='explorer.exe';DefaultAction=[uint32]0} | Out-Null
+# sm-bootstrap => the elevating launcher; on exit, restart the shell (action 0).
+Invoke-CimMethod -InputObject $wesl -MethodName SetCustomShell -Arguments @{
+ Sid=(New-Object System.Security.Principal.NTAccount($BootstrapUser)).Translate([System.Security.Principal.SecurityIdentifier]).Value
+ Shell="cmd.exe /c `"$launcher`""
+ DefaultAction=[uint32]0
+} | Out-Null
+Log 'shell launcher configured for sm-bootstrap'
+
+# --- Keyboard Filter (block shell hotkeys) ---
+Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -NoRestart -ErrorAction SilentlyContinue | Out-Null
+$kf='root\standardcimv2\embedded'
+foreach($combo in 'Win','Win+L','Ctrl+Esc','Ctrl+Win+F','Win+R'){
+ $p=Get-CimInstance -Namespace $kf -ClassName WEKF_PredefinedKey -Filter "Id='$combo'" -ErrorAction SilentlyContinue
+ if($p){ $p.Enabled=$true; Set-CimInstance -InputObject $p }
+}
+Log 'keyboard filter rules enabled'
+
+# --- escape policies (machine-wide; reverted at teardown) ---
+$sys='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+New-Item $sys -Force | Out-Null
+Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
+Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
+Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
+Log 'escape policies set; kiosk ready'
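Review bot: The Keyboard Filter section logs `keyboard filter rules enabled` even when no rule was applied, because `Enable-WindowsOptionalFeature` runs with `-ErrorAction SilentlyContinue`, each `Get-CimInstance` lookup also swallows errors, and `if($p)` just skips a missing instance; if the feature is absent, or its WMI classes are not available yet after `-NoRestart`, the kiosk comes up with Win, Ctrl+Esc and Win+R still reachable while the log reports success. The Shell Launcher section above fails hard (`-ErrorAction Stop` under `$ErrorActionPreference='Stop'`), so the hotkey block should match: count the rules actually set, log every combo that was not found, and throw when the count is zero so SetupComplete does not continue into a half-configured kiosk. Capturing the result of `Enable-WindowsOptionalFeature` and logging its `RestartNeeded` value would make a pending-restart cause visible in the same log. Minor: `$kf` duplicates `$cls` and could simply reuse it.
```powershell
# … unchanged: launcher, Shell Launcher configuration …
$kfres=Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -NoRestart -ErrorAction SilentlyContinue
if($kfres){ Log "keyboard filter feature enabled; RestartNeeded=$($kfres.RestartNeeded)" } else { Log 'keyboard filter feature: enable failed or already present' }
$combos=@('Win','Win+L','Ctrl+Esc','Ctrl+Win+F','Win+R')
$applied=0
foreach($combo in $combos){
 $p=Get-CimInstance -Namespace $cls -ClassName WEKF_PredefinedKey -Filter "Id='$combo'" -ErrorAction SilentlyContinue
 if($p){ $p.Enabled=$true; Set-CimInstance -InputObject $p; $applied++ }
 else { Log "keyboard filter: no WEKF_PredefinedKey instance for '$combo'" }
}
if($applied -eq 0){ throw 'Keyboard Filter: no hotkey rules applied (feature missing or restart pending)' }
Log "keyboard filter rules enabled ($applied of $($combos.Count))"
# … unchanged: escape policies …
```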