SilverMetal/windows/installer/oem/Configure-Kiosk.ps1
sysadmin e83ce6bcf0
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 5m0s
fix(kiosk): keyboard filter covers admins + taskbar auto-hide + disable sm-bootstrap in-session
Live e2e: in the sm-bootstrap session the taskbar showed and Win/Start worked.
- Keyboard Filter EXEMPTS administrators by default and sm-bootstrap is an admin, so
  Win/Start/Alt-Tab etc. were never blocked. Set WEKF_Settings
  DisableKeyboardFilterForAdministrators=false so the filter applies to it.
- Auto-hide the taskbar (default-user StuckRects3, inherited by sm-bootstrap) so it
  doesn't peek over the fullscreen wizard.
- TearDownAsync now Disable-LocalUser's sm-bootstrap in-session (immediate) so it's
  unusable at once; the deferred SYSTEM task still deletes it on next boot (SAM-confirmed
  the delete works now).

Verified: Configure-Kiosk parses under Windows PowerShell 5.1 (ASCII-clean); welcome 29/29.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 23:30:43 +01:00

65 lines
4.0 KiB
PowerShell

#Requires -Version 5.1
<#
.SYNOPSIS Lock down the one-time sm-bootstrap onboarding session.
.DESCRIPTION
Runs from SetupComplete.cmd as SYSTEM, after accounts exist, before first logon.
Explorer stays the session shell so the MAUI/WebView2 Welcome wizard RENDERS
(it does not render when launched as a bare Shell Launcher shell with no
Explorer). The wizard is launched fullscreen-topmost by autounattend
FirstLogonCommands; this script applies the lockdown around it:
- Keyboard Filter: block Win/Start, lock, task-switch and Task-Manager hotkeys
- DisableTaskMgr / DisableLockWorkstation / HideFastUserSwitching
- silent-elevation UAC policy (so the unsigned wizard elevates with no prompt)
All reverted by the Welcome app's ApplyService on wizard success, so the real
end-user gets a normal, secure desktop.
#>
[CmdletBinding()]
param([string]$BootstrapUser='sm-bootstrap')
Set-StrictMode -Version Latest
$ErrorActionPreference='Stop'
$log='C:\Windows\Setup\Scripts\silvermetal-kiosk.log'
function Log($m){ "$(Get-Date -f s) $m" | Add-Content $log }
Log 'configuring onboarding lockdown (Explorer shell + policy)'
# --- Keyboard Filter: block shell/escape hotkeys for the locked-down session ---
Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -NoRestart -ErrorAction SilentlyContinue | Out-Null
$kf='root\standardcimv2\embedded'
# CRITICAL: by default the Keyboard Filter EXEMPTS administrators, and sm-bootstrap is an
# admin -> Win/Start/etc. were NOT blocked. Turn that exemption off so the filter applies.
$adm=Get-CimInstance -Namespace $kf -ClassName WEKF_Settings -Filter "Name='DisableKeyboardFilterForAdministrators'" -ErrorAction SilentlyContinue
if($adm){ $adm.Value='false'; Set-CimInstance -InputObject $adm -ErrorAction SilentlyContinue }
foreach($combo in 'Win','Win+L','Ctrl+Esc','Ctrl+Win+F','Win+R','Alt+Tab','Ctrl+Shift+Esc','Alt+F4'){
    $p=Get-CimInstance -Namespace $kf -ClassName WEKF_PredefinedKey -Filter "Id='$combo'" -ErrorAction SilentlyContinue
    if($p){ $p.Enabled=$true; Set-CimInstance -InputObject $p -ErrorAction SilentlyContinue }
}
Log 'keyboard filter rules enabled (admins included)'
# --- Hide the taskbar for the locked-down session (auto-hide in the default-user hive,
# which the sm-bootstrap profile inherits). The fullscreen wizard covers it, but
# auto-hide stops it peeking. StuckRects3 byte 8: 0x03 = auto-hide on. ---
try {
    & reg load 'HKLM\SM_DU_TB' 'C:\Users\Default\NTUSER.DAT' 2>$null | Out-Null
    $sr='HKLM:\SM_DU_TB\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects3'
    New-Item $sr -Force | Out-Null
    $bytes=[byte[]](0x30,0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
    Set-ItemProperty $sr -Name 'Settings' -Value $bytes -Type Binary
    Log 'taskbar auto-hide set for default user'
} catch {
    # Cosmetic step: do not abort setup, but record the failure instead of logging success.
    Log "taskbar auto-hide NOT set: $($_.Exception.Message)"
} finally {
    # Release provider handles on the loaded hive so the unload can succeed.
    [gc]::Collect(); Start-Sleep -Milliseconds 300
    & reg unload 'HKLM\SM_DU_TB' 2>$null | Out-Null
}
# --- escape policies (machine-wide; reverted at teardown) ---
$sys='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
# Silent elevation for the FirstLogonCommands 'Start-Process -Verb RunAs' launch:
# the offline-baked UAC auto-approve is RESET by Windows during OOBE, so re-assert
# it online here (before the autologon). Otherwise a UAC consent prompt appears for
# the unsigned Welcome app. Restored to SECURE UAC at teardown for the real user.
Set-ItemProperty $sys -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
Set-ItemProperty $sys -Name PromptOnSecureDesktop -Value 0 -Type DWord
Log 'escape policies + UAC auto-approve set; lockdown ready'
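
The script above deliberately weakens UAC and sets machine-wide policies that are only safe if teardown reverts them. The following read-only audit, meant to be run elevated after the wizard finishes, is an added example and not part of the SilverMetal repository. It assumes teardown restores non-zero UAC values, clears the three escape policies and disables the Keyboard Filter rules, and it reads only values that Configure-Kiosk.ps1 writes.

```powershell
#Requires -Version 5.1
# Added example (not SilverMetal code): read-only audit to run elevated after teardown.
[CmdletBinding()]
param([string]$BootstrapUser = 'sm-bootstrap')

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$kf  = 'root\standardcimv2\embedded'
$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the value (or the key) does not exist.
    $item = Get-ItemProperty -Path $sys -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# UAC: 0 is what Configure-Kiosk.ps1 writes for silent elevation, so 0 means "not reverted".
foreach ($name in 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    if ((Get-PolicyValue $name) -eq 0) { $findings.Add("UAC still weakened: $name=0") }
}

# Escape policies: 1 is the lockdown value; absent or 0 is the normal desktop.
foreach ($name in 'DisableTaskMgr', 'DisableLockWorkstation', 'HideFastUserSwitching') {
    if ((Get-PolicyValue $name) -eq 1) { $findings.Add("kiosk policy still set: $name=1") }
}

# Keyboard Filter: any predefined combination still enabled keeps blocking hotkeys.
# The namespace is absent when the feature is not installed, hence SilentlyContinue.
$keys = @(Get-CimInstance -Namespace $kf -ClassName WEKF_PredefinedKey -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled })
if ($keys.Count -gt 0) {
    $findings.Add('keyboard filter still blocks: ' + (($keys | ForEach-Object Id) -join ', '))
}

# Bootstrap account: disabled is expected until the deferred task deletes it; enabled is not.
$user = Get-LocalUser -Name $BootstrapUser -ErrorAction SilentlyContinue
if ($user -and $user.Enabled) { $findings.Add("$BootstrapUser exists and is ENABLED") }
elseif ($user) { Write-Output "$BootstrapUser is disabled, pending deletion on next boot" }

if ($findings.Count -eq 0) { Write-Output 'teardown audit: clean'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code means at least one onboarding-only setting survived teardown; the warnings name each one.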