diff --git a/windows/branding/lib/BrandingLayers.ps1 b/windows/branding/lib/BrandingLayers.ps1
index aa07ba4..7425954 100644
--- a/windows/branding/lib/BrandingLayers.ps1
+++ b/windows/branding/lib/BrandingLayers.ps1
@@ -35,10 +35,18 @@ function Set-DesktopBranding {
 Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'AppsUseLightTheme' -Type DWord -Value 0
 Set-SmRegValue -Root $DefaultUserRoot -SubKey $p -Name 'SystemUsesLightTheme' -Type DWord -Value 0
 }
- # Accent color as COLORREF (0x00RRGGBB). #00d4ff = cyan.
- $bgr = [Convert]::ToInt32($Manifest.desktop.accentColor,16)
- Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'AccentColor' -Type DWord -Value $bgr
- Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'ColorizationColor' -Type DWord -Value $bgr
+ # Accent (cyan). DWM uses fully-opaque DWORDs with DIFFERENT byte orders:
+ # ColorizationColor = 0xAARRGGBB (ARGB); AccentColor = 0xAABBGGRR (ABGR).
+ # Manifest holds the plain RGB hex (source of truth); derive both, alpha=FF.
+ # NOTE: exact accent rendering is VM-verified (plan ยง9 soft spot).
+ $rgb = $Manifest.desktop.accentColor.TrimStart('#')
+ $r = [Convert]::ToInt32($rgb.Substring(0,2),16)
+ $g = [Convert]::ToInt32($rgb.Substring(2,2),16)
+ $b = [Convert]::ToInt32($rgb.Substring(4,2),16)
+ $argb = [int](0xFF000000 -bor ($r -shl 16) -bor ($g -shl 8) -bor $b) # ColorizationColor
+ $abgr = [int](0xFF000000 -bor ($b -shl 16) -bor ($g -shl 8) -bor $r) # AccentColor
+ Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'AccentColor' -Type DWord -Value $abgr
+ Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\DWM' -Name 'ColorizationColor' -Type DWord -Value $argb
 if (-not $Manifest.desktop.lockWallpaper) { return }
 Set-SmRegValue -Root $DefaultUserRoot -SubKey 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' -Name 'NoChangingWallPaper' -Type DWord -Value 1
 }
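Review bot: The manifest value is sliced with `Substring(0,2)`/`(2,2)`/`(4,2)` without first checking that it is exactly six hex digits. A short or shorthand value fails with an opaque out-of-range exception, and a longer one (for example an 8-digit value carrying alpha) is silently truncated to its first six characters. Right after the `$rgb = ...TrimStart('#')` line I would add `if ($rgb -notmatch '^[0-9A-Fa-f]{6}$') { throw "desktop.accentColor must be 6 hex digits (RRGGBB), got '$rgb'" }`. Separately, both `$argb` and `$abgr` have the high bit set and so are negative Int32 values after the `[int]` cast; Set-SmRegValue is not visible here, so confirm it writes them as the intended DWORD. Set-DesktopBranding starts before this hunk.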
diff --git a/windows/installer/autounattend/autounattend.xml b/windows/installer/autounattend/autounattend.xml index 773914e..522cedb 100644 --- a/windows/installer/autounattend/autounattend.xml +++ b/windows/installer/autounattend/autounattend.xml @@ -101,10 +101,11 @@ true diff --git a/windows/installer/build.ps1 b/windows/installer/build.ps1 index 73e7982..ddf78a1 100644 --- a/windows/installer/build.ps1 +++ b/windows/installer/build.ps1 @@ -222,17 +222,18 @@ function Invoke-ServiceWim { Copy-WelcomePayload # Bake the four branding layers into the offline hives (must be inside the mount). - Write-Stage 'Stage 3e: bake SilverMetal branding (OEM/lockscreen/desktop/bitlocker)' + Write-Stage 'Stage 3d: bake SilverMetal branding (OEM/lockscreen/desktop/bitlocker)' & (Join-Path $WindowsDir 'branding\Apply-Branding.ps1') -Mode Offline -MountPath $mount if ($LASTEXITCODE -ne 0) { throw 'branding apply failed' } # Bake offline UAC auto-approve policy so the Welcome wizard (launched via - # Start-Process -Verb RunAs in FirstLogonCommands) silently elevates during - # the ephemeral sm-bootstrap session without a UAC prompt. + # Shell Launcher v2 (Configure-Kiosk.ps1) as the sm-bootstrap shell, which + # elevates the app) silently elevates during the ephemeral sm-bootstrap + # session without a UAC prompt. # UAC stays enabled (EnableLUA=1); the wizard's hardening re-tightens the # policy for the daily user. Only applies when Welcome is enabled. if ($env:SILVERMETAL_WELCOME_ENABLED -ne '0') { - Write-Stage 'Stage 3d: bake offline UAC auto-approve policy (silent elevation for sm-bootstrap)' + Write-Stage 'Stage 3e: bake offline UAC auto-approve policy (silent elevation for sm-bootstrap)' $hive = Join-Path $mount 'Windows\System32\config\SOFTWARE' & reg load HKLM\SM_OFFLINE "$hive" | Out-Null if ($LASTEXITCODE -ne 0) { throw 'reg load SOFTWARE hive failed' }
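Review bot: In the build.ps1 hunk, the rewritten comment above the `SILVERMETAL_WELCOME_ENABLED` check still rests the safety of the baked-in UAC auto-approve policy on "the wizard's hardening re-tightens the policy". It names neither the step that does this nor what happens if the sm-bootstrap session ends before that step runs, in which case the installed system would presumably keep silent elevation. I would extend the comment with something like `# Reverted by <hardening script/step>; if the wizard exits early the relaxed policy persists until <fallback>.`, filling the placeholders with the real names. The gate is also fail-open as written, since `-ne '0'` bakes the relaxed policy whenever the variable is unset; if that default is intended, the comment should say so. Invoke-ServiceWim continues past the end of the hunk, so the `reg unload` and error path for `HKLM\SM_OFFLINE` cannot be checked from here.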