feat(branding): OEM/lockscreen/desktop/bitlocker layer writers + tests
This commit is contained in:
sysadmin
56
windows/branding/lib/BrandingLayers.ps1
Normal file
56
windows/branding/lib/BrandingLayers.ps1
Normal file
@@ -0,0 +1,56 @@
|
||||
Set-StrictMode -Version Latest
|
||||
. "$PSScriptRoot\RegistryHelpers.ps1"
|
||||
|
||||
function Set-OemInformation {
|
||||
param([Parameter(Mandatory)][string]$SoftwareRoot,[Parameter(Mandatory)]$Manifest,[Parameter(Mandatory)][string]$LogoPath)
|
||||
$sub = 'Microsoft\Windows\CurrentVersion\OEMInformation'
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $sub -Name 'Manufacturer' -Type String -Value $Manifest.oem.manufacturer
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $sub -Name 'Model' -Type String -Value $Manifest.oem.model
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $sub -Name 'SupportURL' -Type String -Value $Manifest.oem.supportUrl
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $sub -Name 'SupportHours' -Type String -Value $Manifest.oem.supportHours
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $sub -Name 'Logo' -Type String -Value $LogoPath
|
||||
}
|
||||
|
||||
function Set-LockScreen {
|
||||
param([Parameter(Mandatory)][string]$SoftwareRoot,[Parameter(Mandatory)][string]$ImagePath,[bool]$Lock=$true)
|
||||
# Per-device modern lock-screen image (reliable on Enterprise/IoT).
|
||||
$csp = 'Microsoft\Windows\CurrentVersion\PersonalizationCSP'
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $csp -Name 'LockScreenImagePath' -Type String -Value $ImagePath
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $csp -Name 'LockScreenImageUrl' -Type String -Value $ImagePath
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $csp -Name 'LockScreenImageStatus' -Type DWord -Value 1
|
||||
if ($Lock) {
|
||||
$pol = 'Policies\Microsoft\Windows\Personalization'
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $pol -Name 'LockScreenImage' -Type String -Value $ImagePath
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $pol -Name 'NoChangingLockScreen' -Type DWord -Value 1
|
||||
}
|
||||
}
|
||||
|
||||
function Set-DesktopBranding {
|
||||
param([Parameter(Mandatory)][string]$DefaultUserRoot,[Parameter(Mandatory)]$Manifest,[Parameter(Mandatory)][string]$WallpaperPath)
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Control Panel\Desktop' -Name 'WallPaper' -Type String -Value $WallpaperPath
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Control Panel\Desktop' -Name 'WallpaperStyle' -Type String -Value '10' # fill
|
||||
if ($Manifest.desktop.darkMode) {
|
||||
$p = 'Software\Microsoft\Windows\CurrentVersion\Themes\Personalize'
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'AppsUseLightTheme' -Type DWord -Value 0
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'SystemUsesLightTheme' -Type DWord -Value 0
|
||||
}
|
||||
# Accent (cyan). BGR DWORD from manifest hex (stored little-endian as 0x00BBGGRR).
|
||||
$bgr = [Convert]::ToInt32($Manifest.desktop.accentBgr,16)
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'AccentColor' -Type DWord -Value $bgr
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'ColorizationColor' -Type DWord -Value $bgr
|
||||
if (-not $Manifest.desktop.lockWallpaper) { return }
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' -Name 'NoChangingWallPaper' -Type DWord -Value 1
|
||||
}
|
||||
|
||||
function Set-BitLockerPreboot {
|
||||
param([Parameter(Mandatory)][string]$SoftwareRoot,[Parameter(Mandatory)]$Manifest)
|
||||
# GPO "Configure pre-boot recovery message and URL" (ADMX VolumeEncryption).
|
||||
# NOTE: only the BitLocker RECOVERY screen is customisable; the normal PIN-entry
|
||||
# screen text is fixed Windows UI. Exact value names are asserted by the read-back
|
||||
# test; if a name is wrong the offline-apply verify (Task A4) catches it.
|
||||
$fve = 'Policies\Microsoft\FVE'
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $fve -Name 'UseCustomRecoveryMessage' -Type DWord -Value 1
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $fve -Name 'RecoveryMessage' -Type String -Value $Manifest.bitlocker.recoveryMessage
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $fve -Name 'UseCustomRecoveryUrl' -Type DWord -Value 1
|
||||
Set-SmRegValue -Root $SoftwareRoot -SubKey $fve -Name 'RecoveryUrl' -Type String -Value $Manifest.bitlocker.recoveryUrl
|
||||
}
|
||||
@@ -20,3 +20,43 @@ Describe 'Set-SmRegValue' {
|
||||
(Get-ItemProperty "$script:root\A").Flag | Should -Be 1
|
||||
}
|
||||
}
|
||||
|
||||
Describe 'Branding layer writers' {
|
||||
BeforeAll {
|
||||
. "$PSScriptRoot\..\branding\lib\BrandingLayers.ps1"
|
||||
$script:sw = 'HKCU:\Software\SilverMetalTest\SW'
|
||||
$script:du = 'HKCU:\Software\SilverMetalTest\DU'
|
||||
$script:m = Get-Content "$PSScriptRoot\..\branding\branding.manifest.json" -Raw | ConvertFrom-Json
|
||||
}
|
||||
AfterAll {
|
||||
Remove-Item 'HKCU:\Software\SilverMetalTest' -Recurse -Force -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
It 'writes OEM About info' {
|
||||
Set-OemInformation -SoftwareRoot $script:sw -Manifest $script:m -LogoPath 'C:\Windows\System32\oemlogo.bmp'
|
||||
$k = Get-ItemProperty "$script:sw\Microsoft\Windows\CurrentVersion\OEMInformation"
|
||||
$k.Manufacturer | Should -Be 'SilverLABS'
|
||||
$k.Model | Should -Be 'SilverMetal Windows'
|
||||
$k.SupportURL | Should -Be 'https://silverlabs.uk'
|
||||
$k.Logo | Should -Be 'C:\Windows\System32\oemlogo.bmp'
|
||||
}
|
||||
|
||||
It 'writes a locked lock-screen image' {
|
||||
Set-LockScreen -SoftwareRoot $script:sw -ImagePath 'C:\Windows\Web\Screen\SilverMetal\lockscreen.jpg' -Lock $true
|
||||
(Get-ItemProperty "$script:sw\Microsoft\Windows\CurrentVersion\PersonalizationCSP").LockScreenImageStatus | Should -Be 1
|
||||
(Get-ItemProperty "$script:sw\Policies\Microsoft\Windows\Personalization").NoChangingLockScreen | Should -Be 1
|
||||
}
|
||||
|
||||
It 'writes desktop wallpaper + dark mode into the default-user root' {
|
||||
Set-DesktopBranding -DefaultUserRoot $script:du -Manifest $script:m -WallpaperPath 'C:\Windows\Web\Wallpaper\SilverMetal\wallpaper.jpg'
|
||||
(Get-ItemProperty "$script:du\Control Panel\Desktop").WallPaper | Should -Be 'C:\Windows\Web\Wallpaper\SilverMetal\wallpaper.jpg'
|
||||
(Get-ItemProperty "$script:du\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize").AppsUseLightTheme | Should -Be 0
|
||||
}
|
||||
|
||||
It 'writes the BitLocker pre-boot recovery message policy' {
|
||||
Set-BitLockerPreboot -SoftwareRoot $script:sw -Manifest $script:m
|
||||
$k = Get-ItemProperty "$script:sw\Policies\Microsoft\FVE"
|
||||
$k.UseCustomRecoveryMessage | Should -Be 1
|
||||
$k.RecoveryMessage | Should -Be 'SilverMetal Windows. Locked out? silverlabs.uk'
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user