Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.
Scaffold windows/ per the planned layout:
- installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2),
inputs.manifest.json (pinned-input schema), autounattend.xml
(local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
(used by BOTH the ISO first-boot path and the self-apply track).
BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with
READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
anti-pattern; rename applocker/ -> wdac/ realised.
All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
37 lines
1.9 KiB
PowerShell
#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain H: Privacy minimisation & update integrity
Trim telemetry tasks/services at GP+service+firewall layers. Do NOT block
Microsoft domains in the hosts file (breaks Windows Update; violates
design-principle #13). Keep Windows Update ON. Publish residual telemetry.
Spec: ../hardening-spec.md (H) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[H] Privacy minimisation & update integrity'

# Disable telemetry/feedback scheduled tasks (keep update/time/security tasks).
$tasks = @(
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater'
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator'
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip'
    '\Microsoft\Windows\Feedback\Siuf\DmClient'
)
foreach ($t in $tasks) {
    # -TaskPath must end in '\' or the task is not matched; Split-Path strips it, so re-add it.
    # Look the task up first so a missing task is logged rather than silently skipped.
    $path = (Split-Path $t) + '\'
    $name = Split-Path $t -Leaf
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($task) { $task | Disable-ScheduledTask | Out-Null }
    else       { Write-Verbose "  [H] task not present on this image: $t" }
}

# CEIP off.
$sqm = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
New-Item $sqm -Force | Out-Null
Set-ItemProperty $sqm -Name CEIPEnable -Type DWord -Value 0

# Windows Update STAYS ON (update-or-die). We minimise telemetry, never patching.
Get-Service wuauserv | Set-Service -StartupType Automatic

# Guard: assert the hosts file contains no Microsoft update/licensing domains (anti-footgun).
# Comment lines are ignored so a commented-out entry does not trip the warning; @() keeps
# array semantics so a single matching line yields the line, not $true.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$hosts = @(Get-Content $hostsPath -ErrorAction SilentlyContinue | Where-Object { $_ -notmatch '^\s*#' })
$blocked = @($hosts -match 'microsoft\.com|windowsupdate|msftncsi|login\.live')
if ($blocked.Count -gt 0) {
    Write-Warning " hosts file blocks Microsoft domains - REMOVE (breaks Windows Update):`n$($blocked -join "`n")"
}

# TODO-M1: run tests\telemetry-leak test; document the irreducible residual (we publish, not claim zero).

Write-Host ' [H] telemetry tasks/CEIP off; Windows Update preserved.'
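The module above sets state but does not read it back, and the commit message says the first-boot path and the self-apply track both rely on a separate Verify-SilverMetalWindows.ps1. As an added example (not that script and not part of this commit), the read-only check below re-derives each Domain H outcome independently and returns one finding per check, so a CI job or first-boot gate can fail on any regression. The function name `Test-DomainHState` and the finding shape (`Check`/`Pass`/`Detail`) are assumptions of this example.

```powershell
#Requires -Version 5.1
# Added example, not the project's Verify-SilverMetalWindows.ps1. Read-only: it changes nothing.
function Test-DomainHState {
    [CmdletBinding()] param()
    $findings = @()
    function New-Finding ($Check, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = [string]$Detail }
    }

    # 1. Each telemetry task must be Disabled or absent from the image (same list as the module).
    $tasks = @(
        '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'
        '\Microsoft\Windows\Application Experience\ProgramDataUpdater'
        '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator'
        '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip'
        '\Microsoft\Windows\Feedback\Siuf\DmClient'
    )
    foreach ($t in $tasks) {
        # Trailing '\' on TaskPath is required for a match.
        $task  = Get-ScheduledTask -TaskPath ((Split-Path $t) + '\') -TaskName (Split-Path $t -Leaf) -ErrorAction SilentlyContinue
        $state = if ($task) { [string]$task.State } else { 'Absent' }
        $findings += New-Finding "task:$t" ($state -in 'Disabled', 'Absent') $state
    }

    # 2. CEIP policy value must exist and be 0.
    $ceip = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows' -Name CEIPEnable -ErrorAction SilentlyContinue
    $ceipDetail = if ($ceip) { $ceip.CEIPEnable } else { 'unset' }
    $findings += New-Finding 'policy:CEIPEnable' ($ceip -and $ceip.CEIPEnable -eq 0) $ceipDetail

    # 3. Windows Update service must not be Disabled (update-or-die).
    $wu = Get-Service wuauserv
    $findings += New-Finding 'service:wuauserv' ($wu.StartType -ne 'Disabled') "$($wu.StartType)/$($wu.Status)"

    # 4. No active (uncommented) hosts entry may point Microsoft update/licensing domains elsewhere.
    $active = @(Get-Content "$env:windir\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' })
    $bad = @($active -match 'microsoft\.com|windowsupdate|msftncsi|login\.live')
    $badDetail = if ($bad.Count -gt 0) { $bad -join '; ' } else { 'clean' }
    $findings += New-Finding 'hosts:microsoft-domains' ($bad.Count -eq 0) $badDetail

    return $findings
}

# Usage: print the findings and fail the run on any unmet check.
$result = Test-DomainHState
$result | Format-Table -AutoSize
if (@($result | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Each check is computed from the live system rather than from the module's own variables, which is what makes it a verification step rather than a restatement: if the task-path bug the module guards against reappeared, the task would read `Ready` here and the run would fail even though the module logged success.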