SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(kiosk): keyboard filter covers admins + taskbar auto-hide + instant sm-bootstrap disable #16

Merged
SilverLABS merged 2 commits from fix/kiosk-lockdown-polish into main 2026-06-09 22:36:42 +00:00
Conversation 0 Commits 2 Files Changed 8 +249 -28
SilverLABS commented 2026-06-09 22:30:57 +00:00
Owner
Copy Link

Live e2e: the sm-bootstrap onboarding session was leaky — the taskbar showed and Win/Start still worked.

  • Keyboard Filter exempts administrators by default, and sm-bootstrap is an admin — so Win/Start/Alt-Tab/etc. were never blocked. Set WEKF_Settings.DisableKeyboardFilterForAdministrators=false so the filter actually applies to the session.
  • Auto-hide the taskbar (default-user StuckRects3, inherited by the sm-bootstrap profile) so it doesn't peek over the fullscreen wizard.
  • Disable sm-bootstrap in-session (Disable-LocalUser) at teardown so it's unusable immediately; the deferred SYSTEM task still does the real delete on next boot (SAM-confirmed the delete works now via Register-ScheduledTask).

Verified: Configure-Kiosk parses under Windows PowerShell 5.1 (ASCII-clean — no repeat of the em-dash issue); welcome 29/29.

Separately, per operator decision, I'm setting up VM 102 as a proper validation rig (enforce OVMF Secure Boot for BitLocker; inject virtio-net for HVCI-compatible networking) — infra, no product change.

🤖 Generated with Claude Code

Live e2e: the `sm-bootstrap` onboarding session was leaky — the taskbar showed and Win/Start still worked. - **Keyboard Filter exempts administrators by default**, and `sm-bootstrap` is an admin — so Win/Start/Alt-Tab/etc. were never blocked. Set `WEKF_Settings.DisableKeyboardFilterForAdministrators=false` so the filter actually applies to the session. - **Auto-hide the taskbar** (default-user `StuckRects3`, inherited by the `sm-bootstrap` profile) so it doesn't peek over the fullscreen wizard. - **Disable `sm-bootstrap` in-session** (`Disable-LocalUser`) at teardown so it's unusable immediately; the deferred SYSTEM task still does the real delete on next boot (SAM-confirmed the delete works now via `Register-ScheduledTask`). Verified: Configure-Kiosk parses under **Windows PowerShell 5.1** (ASCII-clean — no repeat of the em-dash issue); welcome **29/29**. Separately, per operator decision, I'm setting up VM 102 as a proper validation rig (enforce OVMF Secure Boot for BitLocker; inject virtio-net for HVCI-compatible networking) — infra, no product change. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
SilverLABS added 2 commits 2026-06-09 22:30:57 +00:00
fix(first-boot): branding-online parse crash (em-dash/encoding) + bootstrap cleanup task + recovery QR
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 4m47s
Details
6124448003 
Found by reading the unencrypted VM disk after run #7:
1. Online branding never ran: Apply-Branding.ps1 had a UTF-8 em-dash in a Write-Warning
   STRING; Windows PowerShell 5.1 (SetupComplete) reads .ps1 as ANSI, mangled it, broke
   the string terminator -> whole script failed to parse -> lock/login/wallpaper branding
   never re-applied. Fix: ASCII-ify the em-dash AND save the branding scripts UTF-8-with-BOM
   so PS5.1 always decodes them correctly (verified parses under PS5.1 + PS7).
2. sm-bootstrap never removed: TearDownAsync used schtasks /tr with an inline -EncodedCommand,
   which silently fails past the ~261-char /tr limit, so the cleanup task was never created
   (confirmed NO_TASK on disk). Fix: Register-ScheduledTask (no length limit).
3. Done step: show a QR code of the BitLocker recovery key (QRCoder) for phone backup, and
   lay key+QR side-by-side so the Restart button no longer overflows below the fold.

Verified: welcome solution builds, 29/29 tests; branding Pester 6/6 unit (offline-integration
needs elevation, runs in CI).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(kiosk): keyboard filter covers admins + taskbar auto-hide + disable sm-bootstrap in-session
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 5m0s
Details
e83ce6bcf0 
Live e2e: in the sm-bootstrap session the taskbar showed and Win/Start worked.
- Keyboard Filter EXEMPTS administrators by default and sm-bootstrap is an admin, so
  Win/Start/Alt-Tab etc. were never blocked. Set WEKF_Settings
  DisableKeyboardFilterForAdministrators=false so the filter applies to it.
- Auto-hide the taskbar (default-user StuckRects3, inherited by sm-bootstrap) so it
  doesn't peek over the fullscreen wizard.
- TearDownAsync now Disable-LocalUser's sm-bootstrap in-session (immediate) so it's
  unusable at once; the deferred SYSTEM task still deletes it on next boot (SAM-confirmed
  the delete works now).

Verified: Configure-Kiosk parses under Windows PowerShell 5.1 (ASCII-clean); welcome 29/29.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS merged commit efdf5888ac into main 2026-06-09 22:36:42 +00:00
SilverLABS deleted branch fix/kiosk-lockdown-polish 2026-06-09 22:36:42 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
SilverLABS
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SilverLABS/SilverMetal#16
Delete Branch "fix/kiosk-lockdown-polish"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?