SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e6303d48e8ef89fee64c20fdc960f5fa2d27034
SilverMetal/windows/installer/oem/SetupComplete.cmd
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree 
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00

33 lines
1.4 KiB
Batchfile
Raw Blame History

@echo off
REM ===========================================================================
REM SilverMetal Enhanced - Windows : first-boot entry point.
REM Invoked once by autounattend.xml FirstLogonCommands. Runs the shared
REM hardening/ modules in order, logs to disk, then schedules verification.
REM
REM The hardening/ modules are staged into C:\Windows\Setup\Scripts\hardening
REM by build.ps1 (stage 4). They are SHARED with the self-apply track.
REM
REM Design: ../../iso-builder.md Controls: ../../hardening-spec.md
REM SCAFFOLD (M0): module bodies stubbed; safe to run (modules log and no-op
REM until implemented at M1).
REM ===========================================================================
set LOG=C:\Windows\Setup\Scripts\silvermetal-firstboot.log
set HARD=C:\Windows\Setup\Scripts\hardening
echo [%DATE% %TIME%] SilverMetal first-boot start >> "%LOG%"
powershell -NoProfile -ExecutionPolicy Bypass -Command ^
"$ErrorActionPreference='Stop';" ^
"Get-ChildItem '%HARD%\0*.ps1' | Sort-Object Name | ForEach-Object {" ^
" Write-Host \"--> $($_.Name)\";" ^
" & $_.FullName *>> '%LOG%'" ^
"}" >> "%LOG%" 2>&1
REM Register the verification task to run after the first full boot/login.
schtasks /Create /TN "SilverMetal\Verify" /SC ONLOGON /RL HIGHEST /F ^
/TR "powershell -NoProfile -ExecutionPolicy Bypass -File %HARD%\Verify-SilverMetalWindows.ps1" >> "%LOG%" 2>&1
echo [%DATE% %TIME%] SilverMetal first-boot done >> "%LOG%"
exit /b 0
Reference in New Issue View Git Blame Copy Permalink