fix(welcome): eject optical install media before BitLocker enrollment #5

Merged
SilverLABS merged 2 commits from feat/welcome-app into main 2026-06-09 12:26:25 +00:00
Owner

Summary

Follow-up to #4. A second live VM e2e (after #4 merged) found that BitLocker TPM+PIN enrollment fails while the install ISO is still attached:

Add-TpmAndPinProtectorInternal : BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer.

This is exactly the kind of failure the new exit-code checking (already merged in #4) now surfaces — the wizard showed a clear "Configuration failed … (exit 1)" with Retry instead of silently degrading to TPM-only. This PR completes the BitLocker TPM+PIN enforcement by ejecting optical install media before enrollment.

BitLockerService now runs a best-effort optical-media eject (Shell.Application Eject verb on CD/DVD drives) at the start of the enrollment script, before the FVE policy + Enable-BitLocker/Add-BitLockerKeyProtector + TPM-only-protector cleanup + outcome check.

Test Plan

  • dotnet test — 26 green (incl. asserting the eject command is emitted).
  • CI green (this PR).
  • VM e2e: clean install → wizard apply → confirm BitLocker enrolls TPM+PIN (no "bootable media" failure) and the device prompts for the PIN at pre-boot.

Known follow-ups (noted, not in this PR)

  • USB install media: the optical eject covers CD/DVD/ISO installs (and is a no-op for preflashed hardware). USB install media would need separate handling (or user removal).
  • Apply idempotency: with strict exit-checking, a Retry after a partial apply (accounts already created) fails on "user already exists". Make New-LocalUser idempotent so Retry is clean.

🤖 Generated with Claude Code

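The enrollment sequence the summary describes (optical eject, FVE policy, Enable-BitLocker/Add-BitLockerKeyProtector, TPM-only-protector cleanup, outcome check), written out as an added PowerShell example. It is not the SilverMetal BitLockerService script; the function names, the specific FVE policy values, and the English "Eject" verb name are assumptions. It adds one check the PR does not mention: after the best-effort eject it verifies that no CD/DVD drive still reports loaded media, so a still-mounted ISO fails with an explicit message before enrollment rather than with the raw Add-TpmAndPinProtectorInternal error.

```powershell
#Requires -RunAsAdministrator
# Added example, not SilverMetal's own code. Assumed: Windows 10/11 Pro or Enterprise,
# TPM present and ready, English UI (Shell verb display names are localized).
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Dismount-OpticalMedia {
    # Best-effort eject. Shell.Application Namespace(17) is "This PC"; DriveType 5 = CD-ROM.
    # InvokeVerb takes the localized verb name, so 'Eject' is an English-locale assumption.
    $shell = New-Object -ComObject Shell.Application
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 5') {
        try {
            $item = $shell.Namespace(17).ParseName($disk.DeviceID)
            if ($item) { $item.InvokeVerb('Eject') }
        } catch {
            # Never let the eject itself fail the apply; the pre-check below decides.
            Write-Warning "Eject of $($disk.DeviceID) failed: $_"
        }
    }
}

function Test-OpticalMediaLoaded {
    # $true when any CD/DVD drive still reports media after the eject attempt.
    # On hardware without an optical drive this is simply $false (no-op case).
    [bool](Get-CimInstance Win32_CDROMDrive | Where-Object { $_.MediaLoaded })
}

function Set-TpmPinPolicy {
    # Assumed FVE policy: allow advanced startup, require a startup PIN with the TPM.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord   # 2 = require
}

function Enable-TpmPinBitLocker {
    param(
        [Parameter(Mandatory)][SecureString]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )

    Dismount-OpticalMedia
    if (Test-OpticalMediaLoaded) {
        throw 'Bootable optical media is still present; remove it and retry.'
    }

    Set-TpmPinPolicy

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin `
            -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
    } elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
    }

    # Drop any TPM-only protector so the volume cannot unlock without the PIN at pre-boot.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm') {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }

    # Outcome check: succeed only if TpmPin is present and no TPM-only protector remains.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
    if ('TpmPin' -notin $types -or 'Tpm' -in $types) {
        throw "Protector state on $MountPoint is [$($types -join ', ')]; expected TpmPin without Tpm."
    }
}

# Usage (interactive):
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Enable-TpmPinBitLocker -Pin $pin
```

The eject is deliberately swallowed while the media check is not: the PR's point is that strict exit checking should surface a real failure, and "media still loaded" is a real failure the user can act on, whereas a COM error from a missing drive is not. A recovery-password protector and its escrow are omitted here and should be added before relying on this in production.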
SilverLABS added 1 commit 2026-06-09 10:50:15 +00:00
fix(welcome): eject optical install media before BitLocker enroll (it refuses TPM+PIN with bootable media present — found in live e2e)
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 4m35s
25b02d20ff
SilverLABS added 1 commit 2026-06-09 11:15:49 +00:00
fix(welcome): make bootstrap teardown best-effort (LogonCount=1 already disables auto-logon; cleanup must not fail the apply)
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 4m32s
bf21eababe
SilverLABS merged commit a9c26d842d into main 2026-06-09 12:26:25 +00:00
Reference: SilverLABS/SilverMetal#5