Found by reading the unencrypted VM disk after run #7:
1. Online branding never ran: Apply-Branding.ps1 had a UTF-8 em-dash in a Write-Warning
STRING; Windows PowerShell 5.1 (SetupComplete) reads .ps1 as ANSI, mangled it, broke
the string terminator -> whole script failed to parse -> lock/login/wallpaper branding
never re-applied. Fix: ASCII-ify the em-dash AND save the branding scripts UTF-8-with-BOM
so PS5.1 always decodes them correctly (verified parses under PS5.1 + PS7).
2. sm-bootstrap never removed: TearDownAsync used schtasks /tr with an inline -EncodedCommand,
which silently fails past the ~261-char /tr limit, so the cleanup task was never created
(confirmed NO_TASK on disk). Fix: Register-ScheduledTask (no length limit).
3. Done step: show a QR code of the BitLocker recovery key (QRCoder) for phone backup, and
lay key+QR side-by-side so the Restart button no longer overflows below the fold.
Verified: welcome solution builds, 29/29 tests; branding Pester 6/6 unit (offline-integration
needs elevation, runs in CI).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
