SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
SilverMetal/windows/README.md
SysAdmin 0a0075ce66 docs(naming): adopt OS / Enhanced product-line framing + align with existing repos 
Two product lines, named to make scope obvious to buyers:
- 🔒 SilverMetal OS — we ship the operating system or ROM
  (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs
  (Windows, macOS, iOS, generic Android)

Repo alignment:
- SilverVPN already exists as a SilverLABS product (server + MAUI client +
  Linux client + tunnel service). stack/vpn/ is now an integration pointer
  rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it.
  Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL
  AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision
  added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split.
Platform matrix re-sectioned and decision flowchart updated.
README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:30:45 +01:00

56 lines
2.3 KiB
Markdown
Raw Permalink Blame History

# SilverMetal Enhanced — Windows
**Status**: Phase 3W (planning, post-Linux v1)
🛡️ **SilverMetal Enhanced product line** — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).
Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.
## Scope (v1)
LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:
- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
- Group Policy hardening (telemetry off, services disabled, sane defaults)
- Defender ASR rules at maximum
- AppLocker allow-list mode
- BitLocker enforced (TPM-bound)
- Telemetry blocked at hosts file + service + GP layers
- Edge / Chrome replaced with SilverBrowser default
- Full SilverLABS Stack preinstalled (native Windows builds)
- SilverVPN MAUI Windows client integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
## Out of scope
- Anything requiring kernel modifications
- Anything requiring developer-controlled verified boot
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)
## Directory layout
To be populated in Phase 3W. Initial structure planned:
```
windows/
├── installer/ # PowerShell / WiX-based installer
├── policies/ # Group Policy templates, ADMX
├── applocker/ # AppLocker rules
├── debloat/ # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/ # Native SilverLABS Stack package builders
└── tests/ # Telemetry-leak test, hardening-baseline test
```
## Verification gates
- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains)
- BitLocker enabled with TPM binding verified
- AppLocker allow-list functional and documented
- Stack apps install and function
## Upstream we depend on
- **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
- **`SilverLABS/SilverVPN`** — MAUI Windows client (existing)
Reference in New Issue View Git Blame Copy Permalink