SilverMetal/windows/hardening/06-physical-lock.ps1
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00

33 lines
1.8 KiB
PowerShell

#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain G: Physical & lock-screen hygiene
Theft is threat #1 for a pocket device. Short auto-lock, PIN on wake, block
DMA while locked, prefer hibernate, no HW kill switch (software cam/mic).
Spec: ../hardening-spec.md (G) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[G] Physical & lock-screen hygiene'
# Auto-lock: machine inactivity limit (seconds) + require password on wake.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name InactivityTimeoutSecs -Type DWord -Value 120 # lock after 2 min idle
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
New-Item $pol -Force | Out-Null
Set-ItemProperty $pol -Name ACSettingIndex -Type DWord -Value 1 # require password on wake (AC)
Set-ItemProperty $pol -Name DCSettingIndex -Type DWord -Value 1 # ... and on battery
# Block new DMA-capable devices (hot-pluggable PCI/Thunderbolt ports) while the screen
# is locked - compensates if firmware Kernel DMA Protection is absent, see Domain D /
# open question §8. Caveat: Windows only enforces this policy once BitLocker/device
# encryption is on, so it depends on the BitLocker module having run.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item $fve -Force | Out-Null
Set-ItemProperty $fve -Name DisableExternalDMAUnderLock -Type DWord -Value 1
# Prefer hibernate over sleep: sleep keeps the BitLocker keys in powered RAM, hibernate
# writes RAM to the encrypted volume and resume goes back through TPM+PIN pre-boot auth.
# No stderr redirect here: with $ErrorActionPreference='Stop', 2>$null on a native
# command can itself throw in PS 5.1, and a silent failure would make the summary lie.
& powercfg.exe /hibernate on | Out-Null
if ($LASTEXITCODE -ne 0) { throw "powercfg /hibernate on failed (exit $LASTEXITCODE) - hibernate unsupported or disabled in firmware" }
# TODO-M1: set lid-close + idle -> hibernate via powercfg; deny camera/mic per-app
# (Device Manager disable is the stopgap; the Pocket 4 has NO hardware kill switch).
# NOTE: SilverDuress (Stack, v1.1) provides duress-PIN / panic-wipe - installed by module 08.
Write-Host ' [G] auto-lock=120s, password-on-wake, DMA-blocked-while-locked, hibernate on.'
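Added read-back check for the controls this module sets, as an example that is not part of the SilverMetal repo (the commit message mentions a Verify-SilverMetalWindows.ps1, but its interface is not on this page, so this is a standalone function). The function name Test-PhysicalLockPosture, the expected-value table and the non-zero exit on drift are this example's own choices; the registry paths and value names are the ones the module above writes, plus HKLM\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled, which powercfg /hibernate on|off toggles.

```powershell
#Requires -Version 5.1
# Added example (not SilverMetal code): re-read every Domain G control and report PASS/FAIL
# per control, so a first-boot runner or the self-apply track can gate on the result.
[CmdletBinding()] param()
Set-StrictMode -Version Latest

function Test-PhysicalLockPosture {
    [CmdletBinding()] param([int]$MaxIdleSecs = 120)   # hypothetical parameter: longest acceptable idle timeout

    $pwr = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
    $checks = @(
        @{ Control = 'auto-lock';                 Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'InactivityTimeoutSecs';        Want = "1..$MaxIdleSecs"; Test = { param($v) $v -ge 1 -and $v -le $MaxIdleSecs } }
        @{ Control = 'password-on-wake (AC)';     Path = $pwr
           Name = 'ACSettingIndex';               Want = '1'; Test = { param($v) $v -eq 1 } }
        @{ Control = 'password-on-wake (DC)';     Path = $pwr
           Name = 'DCSettingIndex';               Want = '1'; Test = { param($v) $v -eq 1 } }
        @{ Control = 'DMA-blocked-while-locked';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
           Name = 'DisableExternalDMAUnderLock';  Want = '1'; Test = { param($v) $v -eq 1 } }
        @{ Control = 'hibernate enabled';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
           Name = 'HibernateEnabled';             Want = '1'; Test = { param($v) $v -eq 1 } }
    )

    foreach ($c in $checks) {
        # A missing key or value reads as $null: "not configured" is a finding, not an exception,
        # so the read is done with SilentlyContinue rather than letting Stop abort the whole check.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) }
        $ok = ($null -ne $actual) -and (& $c.Test $actual)
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        $status = if ($ok) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Control = $c.Control; Value = $c.Name; Expected = $c.Want; Actual = $shown; Status = $status }
    }
}

$results = Test-PhysicalLockPosture
$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'FAIL')
if ($failed.Count) {
    Write-Warning ("[G] {0} control(s) drifted: {1}" -f $failed.Count, ($failed.Control -join ', '))
    exit 1   # non-zero so a build step or attestation stage can fail on drift
}
Write-Host ' [G] physical-lock posture verified.'
```

Run it elevated after the module above; a FAIL on `DMA-blocked-while-locked` with the value present but BitLocker not yet enabled is still a real finding, since Windows ignores that policy until the volume is encrypted. On hardware where msinfo32 reports Kernel DMA Protection as On the DMA row is belt-and-braces rather than the primary control; the check does not try to detect that, because the page gives no programmatic test for it.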