SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a0075ce66ed83893d8542424fb074ff213b2b68
SilverMetal/windows/README.md
SysAdmin 0a0075ce66 docs(naming): adopt OS / Enhanced product-line framing + align with existing repos 
Two product lines, named to make scope obvious to buyers:
- 🔒 SilverMetal OS — we ship the operating system or ROM
  (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs
  (Windows, macOS, iOS, generic Android)

Repo alignment:
- SilverVPN already exists as a SilverLABS product (server + MAUI client +
  Linux client + tunnel service). stack/vpn/ is now an integration pointer
  rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it.
  Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL
  AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision
  added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split.
Platform matrix re-sectioned and decision flowchart updated.
README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:30:45 +01:00

2.3 KiB
Raw Blame History

SilverMetal Enhanced — Windows

Status: Phase 3W (planning, post-Linux v1)

🛡️ SilverMetal Enhanced product line — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).

Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.

Scope (v1)

LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:

  • Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
  • Group Policy hardening (telemetry off, services disabled, sane defaults)
  • Defender ASR rules at maximum
  • AppLocker allow-list mode
  • BitLocker enforced (TPM-bound)
  • Telemetry blocked at hosts file + service + GP layers
  • Edge / Chrome replaced with SilverBrowser default
  • Full SilverLABS Stack preinstalled (native Windows builds)
  • SilverVPN MAUI Windows client integrated from existing SilverLABS/SilverVPN

Out of scope

  • Anything requiring kernel modifications
  • Anything requiring developer-controlled verified boot
  • Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)

Directory layout

To be populated in Phase 3W. Initial structure planned:

windows/
├── installer/         # PowerShell / WiX-based installer
├── policies/          # Group Policy templates, ADMX
├── applocker/         # AppLocker rules
├── debloat/           # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/   # Native SilverLABS Stack package builders
└── tests/             # Telemetry-leak test, hardening-baseline test

Verification gates

  • Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, documented in full (we cannot reach zero on Windows; we publish what remains)
  • BitLocker enabled with TPM binding verified
  • AppLocker allow-list functional and documented
  • Stack apps install and function

Upstream we depend on

  • Windows 11 IoT Enterprise LTSC — base OS (licensed)
  • AtlasOS / ReviOS / privacy.sexy — reference for hardening configs
  • Chris Titus Tech / O&O ShutUp10 — reference for telemetry blocking
  • SilverLABS/SilverVPN — MAUI Windows client (existing)
Reference in New Issue View Git Blame Copy Permalink