SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3
SilverMetal/windows/README.md
SysAdmin 7d5f9cc246 chore(scaffold): initial SilverMetal program scaffold 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00

2.0 KiB
Raw Blame History

SilverMetal Windows

Status: Phase 3 (planning, post-Linux v1)

Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.

Scope (v1)

LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:

  • Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
  • Group Policy hardening (telemetry off, services disabled, sane defaults)
  • Defender ASR rules at maximum
  • AppLocker allow-list mode
  • BitLocker enforced (TPM-bound)
  • Telemetry blocked at hosts file + service + GP layers
  • Edge / Chrome replaced with SilverBrowser default
  • Full SilverLABS Stack preinstalled (native Windows builds)

Out of scope

  • Anything requiring kernel modifications
  • Anything requiring developer-controlled verified boot
  • Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)

Directory layout

To be populated in Phase 3. Initial structure planned:

windows/
├── installer/         # PowerShell / WiX-based installer
├── policies/          # Group Policy templates, ADMX
├── applocker/         # AppLocker rules
├── debloat/           # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/   # Native SilverLABS Stack package builders
└── tests/             # Telemetry-leak test, hardening-baseline test

Verification gates

  • Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, documented in full (we cannot reach zero on Windows; we publish what remains)
  • BitLocker enabled with TPM binding verified
  • AppLocker allow-list functional and documented
  • Stack apps install and function

Upstream we depend on

  • Windows 11 IoT Enterprise LTSC — base OS (licensed)
  • AtlasOS / ReviOS / privacy.sexy — reference for hardening configs
  • Chris Titus Tech / O&O ShutUp10 — reference for telemetry blocking
Reference in New Issue View Git Blame Copy Permalink