f44fa150e2
Three regressions surfaced by VM 102 validation, plus the winget reliability fix:
- Hardening never ran. SetupComplete.cmd DEFERS hardening to the toolbox when the
Welcome app is present ("hardening deferred to SilverOS Welcome"), but ApplyService
only did apps->bitlocker->done — the call was dropped in the collector slim-down, so
all 8 modules were staged-but-never-executed. Add IHardeningService/HardeningService
and run it (with the flavour's module selection) as the last Apply step.
- Branding disappeared. Apply-Branding.ps1 -Mode Online crashed looking for
C:\branding.manifest.json (param default's $PSScriptRoot came back unrooted under
-File), so the post-OOBE re-apply never ran and personalization reverted. Resolve the
manifest/assets robustly in the body, falling back to the script's own directory.
- Apps didn't install. The runtime winget bootstrap failed silently on IoT LTSC
(exit 1, no diag). Provision App Installer + VCLibs + UI.Xaml into the offline image
at build time (Add-AppxProvisionedPackage) so winget is present at first boot. The
runtime bootstrap remains as a non-fatal fallback.
- Apply UX looked hung. Add a continuous progress-bar sheen + spinner + "this can take
several minutes" hint, and make the percentages monotonic (apps 30->70, bitlocker 75,
hardening 90, done 100).
Tests: 32 passing (ApplyService now verifies apps->bitlocker->hardening order + that
hardening receives the flavour modules).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverMetal Enhanced — Windows
Status: Phase 3W (planning, post-Linux v1)
🛡️ SilverMetal Enhanced product line — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).
Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.
Scope (v1)
LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:
- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
- Group Policy hardening (telemetry at
Securityfloor, services disabled, sane defaults) - VBS + HVCI + Credential Guard + Kernel DMA Protection (Microsoft's hardware-backed isolation)
- Defender ASR rules at maximum
- WDAC (App Control for Business) allow-list — kernel-enforced, audit-first then enforce (AppLocker is the documented fallback, not the primary)
- BitLocker enforced — TPM + PIN (never TPM-only; PIN defeats the faulTPM-class offline attack on the AMD fTPM)
- Telemetry suppressed at GP + service + firewall layers (not hosts-file blocking of Microsoft domains — that breaks Windows Update); residual published, not claimed zero
- Edge / Chrome replaced with SilverBrowser default
- Full SilverLABS Stack preinstalled (native Windows builds)
- SilverVPN MAUI Windows client integrated from existing
SilverLABS/SilverVPN
Out of scope
- Anything requiring kernel modifications
- Anything requiring developer-controlled verified boot
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)
Directory layout
To be populated in Phase 3W. Initial structure planned:
windows/
├── installer/ # PowerShell / WiX-based installer
├── policies/ # Group Policy templates, ADMX
├── wdac/ # WDAC (App Control) policies (AppLocker fallback rules if needed)
├── debloat/ # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/ # Native SilverLABS Stack package builders
└── tests/ # Telemetry-leak test, hardening-baseline test
Verification gates
- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, documented in full (we cannot reach zero on Windows; we publish what remains)
- BitLocker enabled with TPM + PIN binding verified (TPM-only is rejected)
- VBS / HVCI / Credential Guard verified running
- WDAC allow-list functional (enforced) and documented
- Stack apps install and function
Full hardening specification
The detailed control spec — eight control domains, verification commands, residual-risk statement, and productization notes — lives in hardening-spec.md. Reference device: GPD Pocket 4 (AMD Strix Point).
Upstream we depend on
- Windows 11 IoT Enterprise LTSC — base OS (licensed)
- AtlasOS / ReviOS / privacy.sexy — reference for hardening configs
- Chris Titus Tech / O&O ShutUp10 — reference for telemetry blocking
SilverLABS/SilverVPN— MAUI Windows client (existing)