e3b010530c
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 7m31s
5th VM e2e: with the kiosk fully working mechanically (SL engages, silent UAC, app launches fullscreen as the shell), the MAUI/WebView2 wizard STILL renders blank — WebView2 never initializes when the app is the bare Shell Launcher shell with no Explorer (the same app rendered fine in the earlier build launched with Explorer present). Operator decision: pivot. - autounattend.xml: restore FirstLogonCommands to launch the wizard elevated over the normal (Explorer) first-logon session — where WebView2 works. - Configure-Kiosk.ps1: drop Shell-Launcher-as-shell entirely; keep the lockdown — Keyboard Filter (Win/Start/lock/task-switch/Task-Mgr/Alt+F4), DisableTaskMgr / LockWorkstation / FastUserSwitch, and silent-elevation UAC. The wizard runs fullscreen-topmost over the locked-down Explorer (covers the taskbar). - RevertKioskAsync: disable the Keyboard Filter rules for the real user (no SL to undo); keep escape-policy + secure-UAC restore. Tests updated. Keeps the diagnostics from #10 (welcome.log) to confirm the wizard renders. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
47 lines
2.6 KiB
PowerShell
47 lines
2.6 KiB
PowerShell
#Requires -Version 5.1
|
|
<#
|
|
.SYNOPSIS Lock down the one-time sm-bootstrap onboarding session.
|
|
.DESCRIPTION
|
|
Runs from SetupComplete.cmd as SYSTEM, after accounts exist, before first logon.
|
|
Explorer stays the session shell so the MAUI/WebView2 Welcome wizard RENDERS
|
|
(it does not render when launched as a bare Shell Launcher shell with no
|
|
Explorer). The wizard is launched fullscreen-topmost by autounattend
|
|
FirstLogonCommands; this script applies the lockdown around it:
|
|
- Keyboard Filter: block Win/Start, lock, task-switch and Task-Manager hotkeys
|
|
- DisableTaskMgr / DisableLockWorkstation / HideFastUserSwitching
|
|
- silent-elevation UAC policy (so the unsigned wizard elevates with no prompt)
|
|
All reverted by the Welcome app's ApplyService on wizard success, so the real
|
|
end-user gets a normal, secure desktop.
|
|
#>
|
|
[CmdletBinding()]
|
|
param([string]$BootstrapUser='sm-bootstrap')
|
|
Set-StrictMode -Version Latest
|
|
$ErrorActionPreference='Stop'
|
|
$log='C:\Windows\Setup\Scripts\silvermetal-kiosk.log'
|
|
function Log($m){ "$(Get-Date -f s) $m" | Add-Content $log }
|
|
Log 'configuring onboarding lockdown (Explorer shell + policy)'
|
|
|
|
# --- Keyboard Filter: block shell/escape hotkeys for the locked-down session ---
|
|
Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -NoRestart -ErrorAction SilentlyContinue | Out-Null
|
|
$kf='root\standardcimv2\embedded'
|
|
foreach($combo in 'Win','Win+L','Ctrl+Esc','Ctrl+Win+F','Win+R','Alt+Tab','Ctrl+Shift+Esc','Alt+F4'){
|
|
$p=Get-CimInstance -Namespace $kf -ClassName WEKF_PredefinedKey -Filter "Id='$combo'" -ErrorAction SilentlyContinue
|
|
if($p){ $p.Enabled=$true; Set-CimInstance -InputObject $p -ErrorAction SilentlyContinue }
|
|
}
|
|
Log 'keyboard filter rules enabled'
|
|
|
|
# --- escape policies (machine-wide; reverted at teardown) ---
|
|
$sys='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
|
|
New-Item $sys -Force | Out-Null
|
|
Set-ItemProperty $sys -Name DisableTaskMgr -Value 1 -Type DWord
|
|
Set-ItemProperty $sys -Name DisableLockWorkstation -Value 1 -Type DWord
|
|
Set-ItemProperty $sys -Name HideFastUserSwitching -Value 1 -Type DWord
|
|
|
|
# Silent elevation for the FirstLogonCommands 'Start-Process -Verb RunAs' launch:
|
|
# the offline-baked UAC auto-approve is RESET by Windows during OOBE, so re-assert
|
|
# it online here (before the autologon). Otherwise a UAC consent prompt appears for
|
|
# the unsigned Welcome app. Restored to SECURE UAC at teardown for the real user.
|
|
Set-ItemProperty $sys -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
|
|
Set-ItemProperty $sys -Name PromptOnSecureDesktop -Value 0 -Type DWord
|
|
Log 'escape policies + UAC auto-approve set; lockdown ready'
|