SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de283495d97d4006e8e20f24231430d289c703
SilverMetal/windows/hardening/02-data-at-rest.ps1
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree 
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00

29 lines
1.8 KiB
PowerShell
Raw Blame History

#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain C: Data at rest (crown jewel)
BitLocker XTS-AES-256 with TPM + PIN. NEVER TPM-only: the faulTPM class
extracts the VMK from the AMD fTPM; a PIN forces an offline brute-force.
The PIN is set INTERACTIVELY by the user (cannot be shipped in an image).
Spec: ../hardening-spec.md (C) | SCAFFOLD (M1): run on the unit.
#>
[CmdletBinding()] param([string]$MountPoint = $env:SystemDrive)
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[C] Data at rest (BitLocker TPM+PIN)'
# Enforce TPM+PIN at startup and forbid cloud recovery escrow via policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item $fve -Force | Out-Null
Set-ItemProperty $fve -Name UseAdvancedStartup -Type DWord -Value 1 # require startup auth
Set-ItemProperty $fve -Name UseTPMPIN -Type DWord -Value 1 # TPM+PIN required
Set-ItemProperty $fve -Name UseTPM -Type DWord -Value 2 # TPM-only NOT allowed
Set-ItemProperty $fve -Name EnableNonTPM -Type DWord -Value 0
Set-ItemProperty $fve -Name MinimumPIN -Type DWord -Value 8 # enhanced PIN length
Set-ItemProperty $fve -Name OSEncryptionType -Type DWord -Value 1 # full (not used-space-only)
# No Microsoft-account / AD escrow of recovery key:
Set-ItemProperty $fve -Name OSManageDRA -Type DWord -Value 0
# TODO-M1 (interactive on the unit): prompt the user for a >=8-char enhanced PIN, then:
# Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $securePin
# Add a recovery password and store it OFFLINE (SilverKeys), never cloud-escrowed.
Write-Host " [C] policy set (TPM+PIN required, TPM-only blocked). PIN enrollment = interactive."
Reference in New Issue View Git Blame Copy Permalink