SilverMetal

SilverLABS/SilverMetal

Fork 0

Commit Graph

Author	SHA1	Message	Date
sysadmin	3a30a0421e	docs(windows): add ISO-builder design + scaffold the windows/ tree Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing frame (IoT = blessed channel for preinstalled custom images; self-apply stays a builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/ oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit- identical on Windows), and M0-M4 milestones. Scaffold windows/ per the planned layout: - installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2), inputs.manifest.json (pinned-input schema), autounattend.xml (local-account OOBE), oem/SetupComplete.cmd (first-boot runner) - hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1 (used by BOTH the ISO first-boot path and the self-apply track). BitLocker module enforces TPM+PIN and blocks TPM-only. - policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an anti-pattern; rename applocker/ -> wdac/ realised. All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid. Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware steps documented, not faked). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-08 15:35:13 +01:00

Author

SHA1

Message

Date

sysadmin

3a30a0421e

docs(windows): add ISO-builder design + scaffold the windows/ tree

Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-08 15:35:13 +01:00

1 Commits