fix(branding): opaque ARGB/ABGR accent DWORDs; fix stage labels + stale launch comments
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 43s
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 43s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sysadmin
@@ -35,10 +35,18 @@ function Set-DesktopBranding {
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'AppsUseLightTheme' -Type DWord -Value 0
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'SystemUsesLightTheme' -Type DWord -Value 0
|
||||
}
|
||||
# Accent color as COLORREF (0x00RRGGBB). #00d4ff = cyan.
|
||||
$bgr = [Convert]::ToInt32($Manifest.desktop.accentColor,16)
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'AccentColor' -Type DWord -Value $bgr
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'ColorizationColor' -Type DWord -Value $bgr
|
||||
# Accent (cyan). DWM uses fully-opaque DWORDs with DIFFERENT byte orders:
|
||||
# ColorizationColor = 0xAARRGGBB (ARGB); AccentColor = 0xAABBGGRR (ABGR).
|
||||
# Manifest holds the plain RGB hex (source of truth); derive both, alpha=FF.
|
||||
# NOTE: exact accent rendering is VM-verified (plan §9 soft spot).
|
||||
$rgb = $Manifest.desktop.accentColor.TrimStart('#')
|
||||
$r = [Convert]::ToInt32($rgb.Substring(0,2),16)
|
||||
$g = [Convert]::ToInt32($rgb.Substring(2,2),16)
|
||||
$b = [Convert]::ToInt32($rgb.Substring(4,2),16)
|
||||
$argb = [int](0xFF000000 -bor ($r -shl 16) -bor ($g -shl 8) -bor $b) # ColorizationColor
|
||||
$abgr = [int](0xFF000000 -bor ($b -shl 16) -bor ($g -shl 8) -bor $r) # AccentColor
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'AccentColor' -Type DWord -Value $abgr
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'ColorizationColor' -Type DWord -Value $argb
|
||||
if (-not $Manifest.desktop.lockWallpaper) { return }
|
||||
Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' -Name 'NoChangingWallPaper' -Type DWord -Value 1
|
||||
}
|
||||
|
||||
@@ -101,10 +101,11 @@
|
||||
</LocalAccounts>
|
||||
</UserAccounts>
|
||||
<!--
|
||||
AutoLogon: logs in as sm-bootstrap exactly once so that FirstLogonCommands
|
||||
can launch the Welcome wizard. After the wizard completes successfully,
|
||||
ApplyService removes the AutoAdminLogon registry values and deletes
|
||||
sm-bootstrap, so the one-time session cannot be re-entered.
|
||||
AutoLogon: logs in as sm-bootstrap exactly once so that Shell Launcher v2
|
||||
(configured by Configure-Kiosk.ps1, run from SetupComplete.cmd) can launch
|
||||
the Welcome wizard as the sm-bootstrap session shell. After the wizard
|
||||
completes successfully, ApplyService removes the AutoAdminLogon registry
|
||||
values and deletes sm-bootstrap, so the one-time session cannot be re-entered.
|
||||
-->
|
||||
<AutoLogon>
|
||||
<Enabled>true</Enabled>
|
||||
|
||||
@@ -222,17 +222,18 @@ function Invoke-ServiceWim {
|
||||
Copy-WelcomePayload
|
||||
|
||||
# Bake the four branding layers into the offline hives (must be inside the mount).
|
||||
Write-Stage 'Stage 3e: bake SilverMetal branding (OEM/lockscreen/desktop/bitlocker)'
|
||||
Write-Stage 'Stage 3d: bake SilverMetal branding (OEM/lockscreen/desktop/bitlocker)'
|
||||
& (Join-Path $WindowsDir 'branding\Apply-Branding.ps1') -Mode Offline -MountPath $mount
|
||||
if ($LASTEXITCODE -ne 0) { throw 'branding apply failed' }
|
||||
|
||||
# Bake offline UAC auto-approve policy so the Welcome wizard (launched via
|
||||
# Start-Process -Verb RunAs in FirstLogonCommands) silently elevates during
|
||||
# the ephemeral sm-bootstrap session without a UAC prompt.
|
||||
# Shell Launcher v2 (Configure-Kiosk.ps1) as the sm-bootstrap shell, which
|
||||
# elevates the app) silently elevates during the ephemeral sm-bootstrap
|
||||
# session without a UAC prompt.
|
||||
# UAC stays enabled (EnableLUA=1); the wizard's hardening re-tightens the
|
||||
# policy for the daily user. Only applies when Welcome is enabled.
|
||||
if ($env:SILVERMETAL_WELCOME_ENABLED -ne '0') {
|
||||
Write-Stage 'Stage 3d: bake offline UAC auto-approve policy (silent elevation for sm-bootstrap)'
|
||||
Write-Stage 'Stage 3e: bake offline UAC auto-approve policy (silent elevation for sm-bootstrap)'
|
||||
$hive = Join-Path $mount 'Windows\System32\config\SOFTWARE'
|
||||
& reg load HKLM\SM_OFFLINE "$hive" | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw 'reg load SOFTWARE hive failed' }
|
||||
|
||||
Reference in New Issue
Block a user