diff --git a/windows/hardening/Invoke-Hardening.ps1 b/windows/hardening/Invoke-Hardening.ps1
new file mode 100644
index 0000000..2359e27
--- /dev/null
+++ b/windows/hardening/Invoke-Hardening.ps1
@@ -0,0 +1,17 @@
+#Requires -Version 5.1
+<# SilverMetal Enhanced - Windows | First-boot hardening runner.
+ Runs the §A-H modules (00*.ps1 .. 08*.ps1) in order, then the Verify gate.
+ Called by SetupComplete.cmd via -File (no cmd-quoting fragility). Logs to the
+ pipeline that SetupComplete redirects.
+#>
+[CmdletBinding()] param()
+$ErrorActionPreference = 'Continue'
+$here = Split-Path -Parent $MyInvocation.MyCommand.Path
+Write-Host "=== SilverMetal hardening modules ==="
+Get-ChildItem (Join-Path $here '0*.ps1') | Sort-Object Name | ForEach-Object {
+    Write-Host "--> $($_.Name)"
+    try { & $_.FullName } catch { Write-Warning "$($_.Name) FAILED: $_" }
+}
+Write-Host "=== Verify (effects needing reboot/PIN will show pending) ==="
+try { & (Join-Path $here 'Verify-SilverMetalWindows.ps1') } catch { Write-Warning "Verify error: $_" }
+Write-Host "=== SilverMetal hardening runner done ==="
diff --git a/windows/installer/oem/SetupComplete.cmd b/windows/installer/oem/SetupComplete.cmd
index 87bf28e..78a8649 100644
--- a/windows/installer/oem/SetupComplete.cmd
+++ b/windows/installer/oem/SetupComplete.cmd
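Review bot: In the catch block of `try { & $_.FullName } catch { Write-Warning "$($_.Name) FAILED: $_" }`, `$_` is the ErrorRecord rather than the FileInfo item, so `$($_.Name)` expands to nothing and the FAILED warning loses the module name. Bind the item before the try: `$module = $_`, `Write-Host "--> $($module.Name)"`, `try { & $module.FullName } catch { Write-Warning "$($module.Name) FAILED: $_" }`. Because `$ErrorActionPreference` is `Continue`, only terminating errors reach that catch; a module that hits a non-terminating error still prints it into the redirected log but is never marked FAILED, so a closing summary line with the count of FAILED modules would make triage of the first-boot log easier. Likewise, if `Get-ChildItem` matches no `0*.ps1` files (modules not staged), the loop runs nothing and the runner still prints the Verify and done banners; materialising the list and warning when it is empty would make that silent no-op visible in the log.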
@@ -1,15 +1,12 @@
 @echo off
 REM ===========================================================================
 REM SilverMetal Enhanced - Windows : first-boot entry point.
-REM Invoked once by autounattend.xml FirstLogonCommands. Runs the shared
-REM hardening/ modules in order, logs to disk, then schedules verification.
-REM
-REM The hardening/ modules are staged into C:\Windows\Setup\Scripts\hardening
-REM by build.ps1 (stage 4). They are SHARED with the self-apply track.
+REM Windows runs %WINDIR%\Setup\Scripts\SetupComplete.cmd automatically (as
+REM SYSTEM) at the end of setup. It hands off to Invoke-Hardening.ps1 via -File
+REM to avoid cmd/PowerShell quoting fragility (an inline -Command one-liner
+REM here previously failed to parse, so the §A-H modules never ran).
 REM
 REM Design: ../../iso-builder.md Controls: ../../hardening-spec.md
-REM SCAFFOLD (M0): module bodies stubbed; safe to run (modules log and no-op
-REM until implemented at M1).
 REM ===========================================================================
 set LOG=C:\Windows\Setup\Scripts\silvermetal-firstboot.log
@@ -17,16 +14,7 @@ set HARD=C:\Windows\Setup\Scripts\hardening
 echo [%DATE% %TIME%] SilverMetal first-boot start >> "%LOG%"
-powershell -NoProfile -ExecutionPolicy Bypass -Command ^
- "$ErrorActionPreference='Stop';" ^
- "Get-ChildItem '%HARD%\0*.ps1' | Sort-Object Name | ForEach-Object {" ^
- " Write-Host \"--> $($_.Name)\";" ^
- " & $_.FullName *>> '%LOG%'" ^
- "}" >> "%LOG%" 2>&1
-
-REM Register the verification task to run after the first full boot/login.
-schtasks /Create /TN "SilverMetal\Verify" /SC ONLOGON /RL HIGHEST /F ^
- /TR "powershell -NoProfile -ExecutionPolicy Bypass -File %HARD%\Verify-SilverMetalWindows.ps1" >> "%LOG%" 2>&1
+powershell -NoProfile -ExecutionPolicy Bypass -File "%HARD%\Invoke-Hardening.ps1" >> "%LOG%" 2>&1
 echo [%DATE% %TIME%] SilverMetal first-boot done >> "%LOG%"
 exit /b 0
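Review bot: The new `-File` line is followed by the unchanged `echo ... done` and `exit /b 0`, so the runner's exit status is discarded and the log records a normal finish even when powershell.exe cannot find or parse Invoke-Hardening.ps1 — the same silent failure mode the commit message describes for the old `-Command` one-liner. Logging the status on the done line, `echo [%DATE% %TIME%] SilverMetal first-boot done rc=%ERRORLEVEL% >> "%LOG%"`, and guarding the call with `if not exist "%HARD%\Invoke-Hardening.ps1" echo [%DATE% %TIME%] ERROR: Invoke-Hardening.ps1 missing >> "%LOG%"` would make a missing or broken runner visible in the log without changing the script's own exit code. The hunk also drops the `schtasks /SC ONLOGON` registration of Verify-SilverMetalWindows.ps1 while the new runner calls Verify inline at the end of setup, before the first reboot, so controls that only take effect after a reboot will always be reported as pending in this log; if a post-reboot verification is still intended it now has to be scheduled somewhere else in the pipeline.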