HydraIssues

Issues / #135
Suppress visitor-visible Windows toasts during streaming (Update reboot prompt, HP Wolf Security)
open bug Project: hydrabody Reporter: cederik 30 Apr 2026 14:00

Description

## Symptom

While streaming `rupelmonde-castle-viewer` from turbo-pancake to cosmic-pretzel-98 on 2026-04-30, two Windows-side toasts/dialogs were visible to the visitor through the captured display:

1. **Windows Update prompt** ("Restart to keep getting security fixes for Windows (estimate: 20 min - 1 hr)") — full modal in the middle of the screen, blocking the experience visually.
2. **HP Wolf Security toast** bottom-right ("Welcome to HP Wolf Security. Please open the security console for an important message.")

These are body-side OS notifications painted on top of the experience's render output. Because Sunshine captures the desktop via DXGI Desktop Duplication, anything the OS draws gets streamed.

## Why it matters

Visitors at a kiosk should see the experience and only the experience. Windows-side prompts erode the brand and can look broken or alarming. The body kiosk's `kioskoverlay` already hides taskbar/icons, but it doesn't (yet) suppress modal toasts and Update prompts.

## Proposed fix

1. **Disable Windows Update reboot prompts** during provisioning: set `IsExpedited` and `RebootDeadline` policies via registry (`HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings`), set `NoAutoRebootWithLoggedOnUsers=1`, schedule reboots only during off-hours via `WUfB` policies. Add to `recipes/hydrabody-windows.yaml`.
2. **Disable third-party security suite popups** (HP Wolf): either uninstall/disable the suite as part of body provisioning if it's not load-bearing, or apply its own quiet-mode config.
3. **Generic suppression**: configure Focus Assist to "Alarms only" priority on the kiosk user, blocking all toasts during display capture.

Recipe step:
```yaml
- name: suppress-os-prompts
exec: |
# Update prompt suppression
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v IsExpedited /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 1 /f
# Focus Assist (alarms only) for the kiosk user — best done via Group Policy
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_TOASTS_ENABLED /t REG_DWORD /d 0 /f
Write-Host "OS prompts suppressed"
```

## Out of scope

- Disabling the OS update mechanism entirely (we still want security patches; just not user-facing prompts).
- Removing HP Wolf Security if it's a vendor-mandated security feature on cosmic's hardware.

## Verification

After the recipe step lands and a body reprovisions: stream any experience, verify no Update modal appears within ≤1 hour of stream start. HP Wolf and similar vendor toasts: file separately if vendor-specific suppression doesn't fit one common toggle.