- BitLocker: remove -SkipHardwareTest so BitLocker validates the TPM+PIN unseal via
its hardware test on the next reboot (the wizard's end-of-flow reboot) before
encrypting — fixes the E_FVE_SECURE_BOOT_CHANGED / PCR-11 drop-to-recovery on the
first post-enroll boot. The PIN now works first time instead of needing recovery.
- Done step now DISPLAYS the 48-digit BitLocker recovery key (read from the file the
enrollment saves) with a 'save this' warning — previously it was never surfaced.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

VM e2e: full wizard ran end-to-end and enrolled TPM+PIN, but BitLockerService only
created TPM+PIN with NO recovery protector — a forgotten/mistyped PIN bricks the
drive (hit exactly that on the VM). Add a RecoveryPassword protector and save the
48-digit key to ProgramData AND the unencrypted EFI System Partition (readable even
when the OS volume is locked, e.g. for offline recovery/verification).
PRODUCT TODO (follow-up): escrow the recovery key to SilverSync + display it in the
wizard's Done step so the end-user records it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
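The two commits above describe one enrollment sequence: enable TPM+PIN without -SkipHardwareTest so the unseal is verified before encryption starts, add a RecoveryPassword protector, persist the 48-digit key to ProgramData and to the unencrypted EFI System Partition, and show it in the Done step. The PowerShell below is an added example of that sequence written against the stock BitLocker cmdlets; it is not the project's BitLockerService code. The directory names, the drive letter used for the ESP, and the file name are assumptions.

```powershell
# Added example (not the project's BitLockerService): hardened BitLocker enrollment.
# Assumed values: $ProgramDataDir, $EspDriveLetter, and the 'recovery-key.txt' file name.
param(
    [Parameter(Mandatory)] [SecureString] $Pin,
    [string] $MountPoint     = 'C:',
    [string] $ProgramDataDir = 'C:\ProgramData\ExampleEnroll',  # assumed location
    [string] $EspDriveLetter = 'S:'                             # assumed free letter
)

# 1. TPM+PIN protector. -SkipHardwareTest is deliberately NOT passed: BitLocker runs its
#    hardware test on the next reboot and only begins encrypting once the TPM+PIN unseal
#    has actually succeeded, so a PCR mismatch surfaces before the volume is encrypted.
Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# 2. Always add a RecoveryPassword protector; a mistyped or forgotten PIN is then recoverable.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1
$key = $recovery.RecoveryPassword     # 48 digits in eight groups of six
$id  = $recovery.KeyProtectorId

# 3. Persist the key twice: on the OS volume (ProgramData) and on the EFI System Partition,
#    which stays readable while the OS volume is locked.
$record = "BitLocker recovery key for $MountPoint`nProtector ID: $id`nKey: $key`n"
New-Item -ItemType Directory -Force -Path $ProgramDataDir | Out-Null
Set-Content -Path (Join-Path $ProgramDataDir 'recovery-key.txt') -Value $record -Encoding ASCII

mountvol $EspDriveLetter /S            # mount the ESP at the assumed letter
try {
    $espDir = Join-Path $EspDriveLetter 'EFI\ExampleEnroll'
    New-Item -ItemType Directory -Force -Path $espDir | Out-Null
    Set-Content -Path (Join-Path $espDir 'recovery-key.txt') -Value $record -Encoding ASCII
} finally {
    mountvol $EspDriveLetter /D        # always unmount, even if the write failed
}

# 4. Post-condition: refuse to report success unless BOTH protector types are present.
#    This is the check whose absence let the VM run finish with TPM+PIN only.
$types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
if ('TpmPin' -notin $types -or 'RecoveryPassword' -notin $types) {
    throw "Enrollment incomplete: protectors present = $($types -join ', ')"
}

# 5. Surface the key to the operator, as the wizard's Done step now does.
Write-Host "SAVE THIS 48-digit BitLocker recovery key now: $key"
```

Two points worth keeping in mind when reusing this. The hardware test only runs at the next reboot, so step 4 confirms the protectors exist but not that the unseal worked; the volume's ProtectionStatus should be re-checked after that reboot. And a plaintext copy of the recovery key on the ESP is readable by anyone with physical access to the disk, so that placement trades confidentiality for offline availability; the follow-up escrow to SilverSync mentioned in the commit is the place to move that trade-off back toward confidentiality.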