# SilverMetal Enhanced — Windows

**Status**: Phase 3W (planning, post-Linux v1)

🛡️ **SilverMetal Enhanced product line** — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).

Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.

## Scope (v1)

LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:

- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
- Group Policy hardening (telemetry at `Security` floor, services disabled, sane defaults)
- VBS + HVCI + Credential Guard + Kernel DMA Protection (Microsoft's hardware-backed isolation)
- Defender ASR rules at maximum
- WDAC (App Control for Business) allow-list — kernel-enforced, audit-first then enforce (AppLocker is the documented fallback, not the primary)
- BitLocker enforced — **TPM + PIN** (never TPM-only; PIN defeats the faulTPM-class offline attack on the AMD fTPM)
- Telemetry suppressed at GP + service + firewall layers (**not** hosts-file blocking of Microsoft domains — that breaks Windows Update); residual published, not claimed zero
- Edge / Chrome replaced with SilverBrowser default
- Full SilverLABS Stack preinstalled (native Windows builds)
- SilverVPN MAUI Windows client integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)

## Out of scope

- Anything requiring kernel modifications
- Anything requiring developer-controlled verified boot
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)

## Directory layout

To be populated in Phase 3W.

Initial structure planned:

```
windows/
├── installer/         # PowerShell / WiX-based installer
├── policies/          # Group Policy templates, ADMX
├── wdac/              # WDAC (App Control) policies (AppLocker fallback rules if needed)
├── debloat/           # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/   # Native SilverLABS Stack package builders
└── tests/             # Telemetry-leak test, hardening-baseline test
```

## Verification gates

- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains)
- BitLocker enabled with **TPM + PIN** binding verified (TPM-only is rejected)
- VBS / HVCI / Credential Guard verified running
- WDAC allow-list functional (enforced) and documented
- Stack apps install and function

## Full hardening specification

The detailed control spec — eight control domains, verification commands, residual-risk statement, and productization notes — lives in [`hardening-spec.md`](hardening-spec.md). Reference device: GPD Pocket 4 (AMD Strix Point).

## Upstream we depend on

- **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
- **`SilverLABS/SilverVPN`** — MAUI Windows client (existing)
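## Example: scripting the verification gates

The following PowerShell is an added illustration of how the BitLocker, VBS / HVCI / Credential Guard, WDAC and ASR gates above can be checked automatically; it is not code from this repository or from the `tests/` directory, which does not exist yet. It assumes it runs elevated on the hardened image, and it reads only Microsoft-documented state: the `Win32_DeviceGuard` WMI class (status codes commented inline), `Get-BitLockerVolume` key-protector types, and `Get-MpPreference` ASR rule actions. The function names and the pass/fail thresholds are this example's own; the telemetry-leak and stack-install gates are out of scope here because they need network capture and per-app checks.

```powershell
#Requires -RunAsAdministrator
# Added example, not SilverMetal project code. Function names and thresholds are
# this example's own; the queried properties and their codes are Microsoft-documented.

function Get-DeviceGuardState {
    # One WMI object reports VBS, HVCI, Credential Guard and code-integrity policy state.
    Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
}

function Test-VbsGate {
    $dg = Get-DeviceGuardState
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (memory integrity)
    $vbs  = $dg.VirtualizationBasedSecurityStatus -eq 2
    $cg   = @($dg.SecurityServicesRunning) -contains 1
    $hvci = @($dg.SecurityServicesRunning) -contains 2
    [pscustomobject]@{
        Gate   = 'VBS / HVCI / Credential Guard running'
        Pass   = ($vbs -and $cg -and $hvci)
        Detail = "VBS=$vbs HVCI=$hvci CredentialGuard=$cg"
    }
}

function Test-WdacGate {
    $dg = Get-DeviceGuardState
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    # Audit-first is the planned rollout; the gate only passes once both modes are enforced.
    $kernel = $dg.CodeIntegrityPolicyEnforcementStatus
    $user   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    [pscustomobject]@{
        Gate   = 'WDAC allow-list enforced'
        Pass   = ($kernel -eq 2 -and $user -eq 2)
        Detail = "kernel-mode=$kernel user-mode=$user (2 = enforced, 1 = audit only)"
    }
}

function Test-BitLockerGate {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    # TPM-only is rejected: a PIN-bound protector must exist and a bare 'Tpm' protector must not.
    $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $tpmOnly = $types -contains 'Tpm'
    [pscustomobject]@{
        Gate   = 'BitLocker TPM + PIN on system drive'
        Pass   = ($vol.ProtectionStatus -eq 'On' -and $hasPin -and -not $tpmOnly)
        Detail = "protection=$($vol.ProtectionStatus) volume=$($vol.VolumeStatus) protectors=$($types -join ',')"
    }
}

function Test-AsrGate {
    $mp = Get-MpPreference
    # ASR actions: 0 = disabled, 1 = block, 2 = audit, 6 = warn. "At maximum" means every
    # configured rule is in block mode; the Ids and Actions arrays are index-aligned.
    $total   = @($mp.AttackSurfaceReductionRules_Ids).Count
    $blocked = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    [pscustomobject]@{
        Gate   = 'Defender ASR rules in block mode'
        Pass   = ($total -gt 0 -and $blocked -eq $total)
        Detail = "$blocked of $total configured rules set to Block"
    }
}

# Run every gate, print a table, and return a non-zero exit code if any gate fails,
# so the script can sit in a CI or post-install pipeline.
$results = @(Test-VbsGate; Test-WdacGate; Test-BitLockerGate; Test-AsrGate)
$results | Format-Table Gate, Pass, Detail -AutoSize
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it as `.\Test-SilverMetalGates.ps1` from an elevated PowerShell on the hardened image; a clean build prints `True` in every `Pass` column. The WDAC check deliberately fails while the policy is still in audit mode (status 1), which matches the audit-first-then-enforce rollout: the gate is meant to trip until enforcement is switched on.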