3f1ea6aa63
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 6m17s
VM e2e: full wizard ran end-to-end and enrolled TPM+PIN, but BitLockerService only created TPM+PIN with NO recovery protector — a forgotten/mistyped PIN bricks the drive (hit exactly that on the VM). Add a RecoveryPassword protector and save the 48-digit key to ProgramData AND the unencrypted EFI System Partition (readable even when the OS volume is locked, e.g. for offline recovery/verification). PRODUCT TODO (follow-up): escrow the recovery key to SilverSync + display it in the wizard's Done step so the end-user records it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>