SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(kiosk): Configure-Kiosk.ps1 (Shell Launcher v2 + Keyboard Filter + escapes)

Browse Source
This commit is contained in:
sysadmin
2026-06-09 14:26:33 +01:00
parent 4ff12ab543
commit f00ef19578
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
windows/installer/oem/Configure-Kiosk.ps1 Normal file
View File

@@ -0,0 +1,60 @@
#Requires -Version 5.1
<#
.SYNOPSIS Configure the one-time sm-bootstrap onboarding kiosk.
.DESCRIPTION
Runs from SetupComplete.cmd as SYSTEM, after accounts exist, before first
logon. Sets the sm-bootstrap shell to an elevating launcher for the Welcome
app (no Explorer => no taskbar/Start), turns on the Keyboard Filter for shell
hotkeys, and disables Task Manager / lock / fast-user-switch escapes.
Reverted by the Welcome app's ApplyService on wizard success.
#>
[CmdletBinding()]
param([string]$BootstrapUser='sm-bootstrap',
[string]$WelcomeExe='C:\Program Files\SilverOS\Welcome\SilverOS.Welcome.App.exe')
Set-StrictMode -Version Latest
$ErrorActionPreference='Stop'
$log='C:\Windows\Setup\Scripts\silvermetal-kiosk.log'
function Log($m){ "$(Get-Date -f s) $m" | Add-Content $log }
# Elevating launcher: Shell Launcher runs this as the shell; it relaunches the
# Welcome app elevated (silent via the baked UAC auto-approve).
$launcher='C:\Windows\Setup\Scripts\Start-WelcomeShell.cmd'
@"
@echo off
powershell -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -FilePath '$WelcomeExe' -Verb RunAs"
:loop
timeout /t 3600 >nul
goto loop
"@ | Set-Content $launcher -Encoding ASCII
Log "wrote launcher $launcher"
# --- Shell Launcher v2 (WMI bridge) ---
$cls='root\standardcimv2\embedded'
$wesl=Get-CimInstance -Namespace $cls -ClassName WESL_UserSetting -ErrorAction Stop
Invoke-CimMethod -Namespace $cls -ClassName WESL_UserSetting -MethodName SetEnabled -Arguments @{Enabled=$true} | Out-Null
# Default shell stays Explorer for everyone else.
Invoke-CimMethod -InputObject $wesl -MethodName SetDefaultShell -Arguments @{Shell='explorer.exe';DefaultAction=[uint32]0} | Out-Null
# sm-bootstrap => the elevating launcher; on exit, restart the shell (action 0).
Invoke-CimMethod -InputObject $wesl -MethodName SetCustomShell -Arguments @{
Sid=(New-Object System.Security.Principal.NTAccount($BootstrapUser)).Translate([System.Security.Principal.SecurityIdentifier]).Value
Shell="cmd.exe /c `"$launcher`""
DefaultAction=[uint32]0
} | Out-Null
Log 'shell launcher configured for sm-bootstrap'
# --- Keyboard Filter (block shell hotkeys) ---
Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -NoRestart -ErrorAction SilentlyContinue | Out-Null
$kf='root\standardcimv2\embedded'
foreach($combo in 'Win','Win+L','Ctrl+Esc','Ctrl+Win+F','Win+R'){
$p=Get-CimInstance -Namespace $kf -ClassName WEKF_PredefinedKey -Filter "Id='$combo'" -ErrorAction SilentlyContinue
if($p){ $p.Enabled=$true; Set-CimInstance -InputObject $p }
}
Log 'keyboard filter rules enabled'
# --- escape policies (machine-wide; reverted at teardown) ---
$sys='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
Log 'escape policies set; kiosk ready'