diff --git a/windows/installer/build.ps1 b/windows/installer/build.ps1
index 36ee376..45f83c7 100644
--- a/windows/installer/build.ps1
+++ b/windows/installer/build.ps1
@@ -213,6 +213,11 @@ function Invoke-ServiceWim {
         # Stage Welcome app + flavours while the WIM is still mounted.
         Copy-WelcomePayload
 
+        # Bake the four branding layers into the offline hives (must be inside the mount).
+        Write-Stage 'Stage 3e: bake SilverMetal branding (OEM/lockscreen/desktop/bitlocker)'
+        & (Join-Path $WindowsDir 'branding\Apply-Branding.ps1') -Mode Offline -MountPath $mount
+        if ($LASTEXITCODE -ne 0) { throw 'branding apply failed' }
+
         # Bake offline UAC auto-approve policy so the Welcome wizard (launched via
         # Start-Process -Verb RunAs in FirstLogonCommands) silently elevates during
         # the ephemeral sm-bootstrap session without a UAC prompt.
@@ -247,7 +252,13 @@ function Invoke-InjectUnattend {
 }
 
 # --- 5. Brand --------------------------------------------------------------
-function Invoke-Brand { Write-Stage 'Stage 5: branding'; Write-Warning '   deferred to M4.' }
+# NOTE: branding edits the OFFLINE hives, so it must run while the WIM is still
+# mounted. We therefore call it from inside Invoke-ServiceWim (see Step 2), and
+# this stage just asserts the staged result for the SBOM/log.
+function Invoke-Brand {
+    Write-Stage 'Stage 5: branding (applied during WIM servicing)'
+    Write-Host '   branding layers baked via branding\Apply-Branding.ps1 -Mode Offline'
+}
 
 # --- 6. Repack -------------------------------------------------------------
 function Invoke-Repack {