windows/installer/oem/Configure-Kiosk.ps1

@@ -77,4 +77,12 @@ New-Item $sys -Force | Out-Null
 Set-ItemProperty $sys -Name DisableTaskMgr        -Value 1 -Type DWord
 Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
 Set-ItemProperty $sys -Name HideFastUserSwitching  -Value 1 -Type DWord
-Log 'escape policies set; kiosk ready'
+
+# Silent elevation for the sm-bootstrap launcher's 'Start-Process -Verb RunAs':
+# the offline-baked UAC auto-approve (build.ps1) is RESET by Windows during OOBE,
+# so re-assert it online here (runs before the autologon shell). Otherwise the
+# kiosk shows a UAC consent prompt for the (unsigned) Welcome app. Reverted at
+# teardown so the real end-user keeps normal UAC.
+Set-ItemProperty $sys -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
+Set-ItemProperty $sys -Name PromptOnSecureDesktop      -Value 0 -Type DWord
+Log 'escape policies + UAC auto-approve set; kiosk ready'

windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs

@@ -19,7 +19,10 @@ public sealed class BootstrapService(IProcessRunner runner) : IBootstrapService
         // Revert escape policies set by Configure-Kiosk.ps1.
         await Ps(
             "$s='HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System';" +
-            "Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue",
+            "Remove-ItemProperty $s -Name DisableTaskMgr,DisableLockWorkstation,HideFastUserSwitching -EA SilentlyContinue;" +
+            // Restore SECURE UAC for the real end-user (the kiosk auto-approved unsigned elevation).
+            "Set-ItemProperty $s -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord -EA SilentlyContinue;" +
+            "Set-ItemProperty $s -Name PromptOnSecureDesktop -Value 1 -Type DWord -EA SilentlyContinue",
             ct);
     }