# SilverMetal Windows

**Status**: Phase 3 (planning, post-Linux v1)

Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.

## Scope (v1)

LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:

- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
- Group Policy hardening (telemetry off, services disabled, sane defaults)
- Defender ASR rules at maximum
- AppLocker allow-list mode
- BitLocker enforced (TPM-bound)
- Telemetry blocked at hosts file + service + GP layers
- Edge / Chrome replaced with SilverBrowser default
- Full SilverLABS Stack preinstalled (native Windows builds)

## Out of scope

- Anything requiring kernel modifications
- Anything requiring developer-controlled verified boot
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)

## Directory layout

To be populated in Phase 3. Initial structure planned:

```
windows/
├── installer/        # PowerShell / WiX-based installer
├── policies/         # Group Policy templates, ADMX
├── applocker/        # AppLocker rules
├── debloat/          # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/  # Native SilverLABS Stack package builders
└── tests/            # Telemetry-leak test, hardening-baseline test
```

## Verification gates

- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains)
- BitLocker enabled with TPM binding verified
- AppLocker allow-list functional and documented
- Stack apps install and function

## Upstream we depend on

- **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
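
For the BitLocker and AppLocker items under Verification gates, a hardening-baseline check could look like the following. This is an added example, not SilverMetal project code; the function name `Test-HardeningBaseline`, the output shape, and the choice to require explicit `Enabled` enforcement for the Exe, Msi, Script and Appx collections are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not project code): checks the BitLocker and AppLocker gates.
# Test-HardeningBaseline and its output shape are hypothetical names.

function Test-HardeningBaseline {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Gate, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Gate = $Gate; Pass = [bool]$Pass; Detail = $Detail })
    }

    # Gate: TPM is present and ready, otherwise no protector can be TPM-bound.
    $tpm = Get-Tpm
    & $add 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # Gate: OS volume is protected, fully encrypted, and has a TPM key protector.
    # A volume with only a recovery password or external key fails the binding check.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    & $add 'BitLocker protection on' ($vol.ProtectionStatus -eq 'On') `
        "VolumeStatus=$($vol.VolumeStatus)"
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    & $add 'BitLocker TPM-bound' $tpmBound ('Protectors=' + ($types -join ','))

    # Gate: AppLocker only evaluates rules while the Application Identity service runs.
    $svc = Get-Service -Name AppIDSvc
    & $add 'AppIDSvc running' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

    # Gate: each rule collection is explicitly enforced. AuditOnly logs but
    # blocks nothing, so it fails here (assumed policy for this example).
    $modes = @{}
    foreach ($rc in (Get-AppLockerPolicy -Effective).RuleCollections) {
        $modes[[string]$rc.RuleCollectionType] = [string]$rc.EnforcementMode
    }
    foreach ($type in 'Exe', 'Msi', 'Script', 'Appx') {
        $mode = if ($modes.ContainsKey($type)) { $modes[$type] } else { 'NotConfigured' }
        & $add "AppLocker $type enforced" ($mode -eq 'Enabled') "EnforcementMode=$mode"
    }

    return $results
}

# Print the gate table, then exit non-zero if any gate failed (usable in CI).
$report = Test-HardeningBaseline
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

The script must run elevated on the hardened install; it reads state only and changes no settings.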