Live e2e: in the sm-bootstrap session the taskbar showed and Win/Start worked.
- Keyboard Filter EXEMPTS administrators by default and sm-bootstrap is an admin, so
Win/Start/Alt-Tab etc. were never blocked. Set WEKF_Settings
DisableKeyboardFilterForAdministrators=false so the filter applies to it.
- Auto-hide the taskbar (default-user StuckRects3, inherited by sm-bootstrap) so it
doesn't peek over the fullscreen wizard.
- TearDownAsync now Disable-LocalUser's sm-bootstrap in-session (immediate) so it's
unusable at once; the deferred SYSTEM task still deletes it on next boot (SAM-confirmed
the delete works now).
Verified: Configure-Kiosk parses under Windows PowerShell 5.1 (ASCII-clean); welcome 29/29.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Found by reading the unencrypted VM disk after run #7:
1. Online branding never ran: Apply-Branding.ps1 had a UTF-8 em-dash in a Write-Warning
STRING; Windows PowerShell 5.1 (SetupComplete) reads .ps1 as ANSI, mangled it, broke
the string terminator -> whole script failed to parse -> lock/login/wallpaper branding
never re-applied. Fix: ASCII-ify the em-dash AND save the branding scripts UTF-8-with-BOM
so PS5.1 always decodes them correctly (verified parses under PS5.1 + PS7).
2. sm-bootstrap never removed: TearDownAsync used schtasks /tr with an inline -EncodedCommand,
which silently fails past the ~261-char /tr limit, so the cleanup task was never created
(confirmed NO_TASK on disk). Fix: Register-ScheduledTask (no length limit).
3. Done step: show a QR code of the BitLocker recovery key (QRCoder) for phone backup, and
lay key+QR side-by-side so the Restart button no longer overflows below the fold.
Verified: welcome solution builds, 29/29 tests; branding Pester 6/6 unit (offline-integration
needs elevation, runs in CI).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
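
Added example, not part of the commits above or the project's own code: a Python lint for the failure in item 1 that flags BOM-less .ps1 lines which Windows PowerShell 5.1 would decode differently from UTF-8, and reports whether the mis-decoded text contains a character the PowerShell tokenizer accepts as a quote. Assumptions: the ANSI code page is Windows-1252, and the sample script line and the names check_ps1, SAMPLE, ANSI and PS_QUOTES are constructed for illustration.

```python
"""Flag .ps1 content that Windows PowerShell 5.1 would mis-decode (added example)."""
import codecs

# Assumption: the machine's ANSI code page is Windows-1252.
ANSI = "cp1252"
# Characters the PowerShell tokenizer accepts as quote delimiters besides ' and ".
PS_QUOTES = {"\u2018", "\u2019", "\u201a", "\u201b", "\u201c", "\u201d", "\u201e"}

# Constructed sample: a BOM-less UTF-8 script with an em-dash inside a string.
SAMPLE = (
    'Write-Host "start"\n'
    'Write-Warning "Branding skipped \u2014 retrying"\n'
).encode("utf-8")


def check_ps1(data: bytes) -> list[dict]:
    """Return one finding per line that PS 5.1 would read differently from UTF-8."""
    if data.startswith(codecs.BOM_UTF8):
        return []  # BOM present: PS 5.1 decodes the file as UTF-8
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        if raw.isascii():
            continue  # pure ASCII decodes identically either way
        try:
            intended = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # not valid UTF-8; a different problem, out of scope here
        # Bytes undefined in Python's cp1252 table become U+FFFD.
        seen = raw.decode(ANSI, errors="replace")
        findings.append({
            "line": lineno,
            "intended": intended,
            "as_read_by_ps51": seen,
            # True when the mojibake contains a quote delimiter the author never typed.
            "breaks_quoting": any(ch in PS_QUOTES for ch in seen),
        })
    return findings


if __name__ == "__main__":
    for f in check_ps1(SAMPLE):
        print(f["line"], f["breaks_quoting"], ascii(f["as_read_by_ps51"]))
```

Under Windows-1252 the em-dash's last UTF-8 byte, 0x94, decodes to U+201D, which PowerShell accepts as a closing double quote, so the string ends early and the original closing quote opens one that is never terminated. The same sample with a UTF-8 BOM, or with an ASCII hyphen in place of the em-dash, produces no findings.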