fix(welcome): BitLocker PIN first-boot + recovery-key display + FlavourStep Next #14

Merged
SilverLABS merged 2 commits from feat/wizard-recipes into main 2026-06-09 21:05:40 +00:00

Three wizard fixes from live e2e (the role app-recipes feature is not in this PR despite the branch name — it's still in design, pending the per-role app lists).

1. BitLocker PIN now works on the first boot. Dropped -SkipHardwareTest from Enable-BitLocker. With it, BitLocker sealed the key immediately against unvalidated PCRs → first post-enroll boot hit E_FVE_SECURE_BOOT_CHANGED / PCR-11 mismatch and dropped to recovery every time. Without it, BitLocker runs its hardware test on the next reboot (the wizard's end-of-flow restart), validating the TPM+PIN unseal against the real boot config before encrypting — so the PIN works first time.

2. The Done step now shows the BitLocker recovery key. Reads the 48-digit key the enrollment already saves (C:\ProgramData\SilverMetal\bitlocker-recovery.txt) and displays it with a "write this down" warning. Previously it was never surfaced to the user — a lockout risk we hit directly on the VM.

3. FlavourStep "Next" enables immediately. Selecting a role updated State.Flavour but didn't notify the wizard host, so Next stayed disabled until a back/forward re-render. Now it raises OnSelected → host re-evaluates (same pattern AccountStep uses).

Verified: welcome solution builds, 29/29 tests pass.

Still tracked as follow-ups (not here): role → app recipes (winget vs curated mirror + per-role lists, pending operator input); escrow the recovery key to SilverSync.

🤖 Generated with Claude Code

SilverLABS added 2 commits 2026-06-09 20:57:54 +00:00
WIP on local branch feat/wizard-recipes (NOT pushed) — holding per operator while
more wizard changes (role app-recipes) are designed.
fix(welcome): BitLocker PIN works first boot (drop -SkipHardwareTest) + show recovery key
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 7m5s
a3623b1fbb
- BitLocker: remove -SkipHardwareTest so BitLocker validates the TPM+PIN unseal via
  its hardware test on the next reboot (the wizard's end-of-flow reboot) before
  encrypting — fixes the E_FVE_SECURE_BOOT_CHANGED / PCR-11 drop-to-recovery on the
  first post-enroll boot. The PIN now works first time instead of needing recovery.
- Done step now DISPLAYS the 48-digit BitLocker recovery key (read from the file the
  enrollment saves) with a 'save this' warning — previously it was never surfaced.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS merged commit 5f0df87405 into main 2026-06-09 21:05:40 +00:00
SilverLABS deleted branch feat/wizard-recipes 2026-06-09 21:05:40 +00:00
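
An added example, not SilverMetal's enrollment or wizard code: the order of operations that fixes 1 and 2 in the description rely on, with a format check on the recovery password before it is saved or displayed. It assumes an elevated session, a TPM, a policy that permits a startup PIN, and that the key file holds only the 48-digit password; `Test-RecoveryPassword` is a hypothetical helper.

```powershell
#Requires -RunAsAdministrator
# Added example, not SilverMetal's enrollment script. Assumes a TPM is present and
# policy allows a startup PIN; the key file is assumed to hold only the password.
$mount   = $env:SystemDrive
$keyFile = 'C:\ProgramData\SilverMetal\bitlocker-recovery.txt'   # path named in the PR

function Test-RecoveryPassword {
    param([string]$Password)
    # Format: 8 groups of 6 digits, each a multiple of 11 with quotient below 65536.
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in $Password -split '-') {
        $n = [int]$group
        if (($n % 11) -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

# 1. Create the recovery password first so a fallback exists before the reboot.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1 -ExpandProperty RecoveryPassword

# 2. Refuse to continue with a key that could not be typed back in at recovery.
if (-not (Test-RecoveryPassword $recovery)) {
    throw 'Recovery password missing or malformed; not enabling BitLocker.'
}
New-Item -ItemType Directory -Path (Split-Path $keyFile) -Force | Out-Null
Set-Content -Path $keyFile -Value $recovery -Encoding ascii

# 3. TPM+PIN protector WITHOUT -SkipHardwareTest: encryption is deferred until the
#    next restart has exercised the unseal against the real boot configuration.
$pin = Read-Host -AsSecureString -Prompt 'BitLocker startup PIN'
Enable-BitLocker -MountPoint $mount -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# 4. What a Done step would show: re-read the file and validate before display.
$shown = (Get-Content -Path $keyFile -Raw).Trim()
if (Test-RecoveryPassword $shown) {
    Write-Host "BitLocker recovery key (write this down): $shown"
} else {
    Write-Warning "Recovery key file at $keyFile is unreadable or malformed."
}
```

After the restart, `(Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus` shows whether encryption actually started.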

Reference: SilverLABS/SilverMetal#14