3a30a0421e
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.
Scaffold windows/ per the planned layout:
- installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2),
inputs.manifest.json (pinned-input schema), autounattend.xml
(local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
(used by BOTH the ISO first-boot path and the self-apply track).
BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with
READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
anti-pattern; rename applocker/ -> wdac/ realised.
All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
29 lines
1.8 KiB
PowerShell
29 lines
1.8 KiB
PowerShell
#Requires -Version 5.1
|
|
<# SilverMetal Enhanced - Windows | Domain C: Data at rest (crown jewel)
|
|
BitLocker XTS-AES-256 with TPM + PIN. NEVER TPM-only: the faulTPM class
|
|
extracts the VMK from the AMD fTPM; a PIN forces an offline brute-force.
|
|
The PIN is set INTERACTIVELY by the user (cannot be shipped in an image).
|
|
Spec: ../hardening-spec.md (C) | SCAFFOLD (M1): run on the unit.
|
|
#>
|
|
[CmdletBinding()] param([string]$MountPoint = $env:SystemDrive)
|
|
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
|
|
Write-Host '[C] Data at rest (BitLocker TPM+PIN)'
|
|
|
|
# Enforce TPM+PIN at startup and forbid cloud recovery escrow via policy.
|
|
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
|
|
New-Item $fve -Force | Out-Null
|
|
Set-ItemProperty $fve -Name UseAdvancedStartup -Type DWord -Value 1 # require startup auth
|
|
Set-ItemProperty $fve -Name UseTPMPIN -Type DWord -Value 1 # TPM+PIN required
|
|
Set-ItemProperty $fve -Name UseTPM -Type DWord -Value 2 # TPM-only NOT allowed
|
|
Set-ItemProperty $fve -Name EnableNonTPM -Type DWord -Value 0
|
|
Set-ItemProperty $fve -Name MinimumPIN -Type DWord -Value 8 # enhanced PIN length
|
|
Set-ItemProperty $fve -Name OSEncryptionType -Type DWord -Value 1 # full (not used-space-only)
|
|
# No Microsoft-account / AD escrow of recovery key:
|
|
Set-ItemProperty $fve -Name OSManageDRA -Type DWord -Value 0
|
|
|
|
# TODO-M1 (interactive on the unit): prompt the user for a >=8-char enhanced PIN, then:
|
|
# Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $securePin
|
|
# Add a recovery password and store it OFFLINE (SilverKeys), never cloud-escrowed.
|
|
|
|
Write-Host " [C] policy set (TPM+PIN required, TPM-only blocked). PIN enrollment = interactive."
|