SilverMetal/windows/installer/README.md
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00

# windows/installer

The custom packed-ISO build pipeline. See [`../iso-builder.md`](../iso-builder.md) for the design.

| File | Role |
|---|---|
| `build.ps1` | Pipeline orchestrator (7 stages). Run on Windows + Windows ADK. |
| `inputs.manifest.json` | Pinned inputs — base ISO SHA-256, driver-pack/Stack/tool versions. The Microsoft ISO is an **input, never committed**. |
| `autounattend/autounattend.xml` | OOBE automation — local account (no MSA), regional, BitLocker-ready disk layout, hands off to first-boot. |
| `oem/SetupComplete.cmd` | First-boot entry point — runs the shared `../hardening/` modules, then schedules `Verify`. |

**Usage (M2+):**
```powershell
.\build.ps1 -SourceIso 'D:\Win11_IoT_Enterprise_LTSC_x64.iso'
```

Current status: **M0 scaffold** — stages 2-7 throw `NotImplemented` until M2/M3.
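
The pinned base-ISO SHA-256 in `inputs.manifest.json` only protects the build if the source ISO is checked against it before anything is extracted. The following is an added example of that check, not the project's `build.ps1`; the function name `Test-PinnedIso` and the manifest field `baseIso.sha256` are assumptions, since the real schema is not shown here, and the stand-in ISO and manifest are constructed in a temp directory.

```powershell
# Added example. Assumed (hypothetical) manifest shape:
#   { "baseIso": { "sha256": "<64 hex chars>" } }
function Test-PinnedIso {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceIso,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $ErrorActionPreference = 'Stop'

    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $pinned   = [string]$manifest.baseIso.sha256

    # Fail closed: a missing, placeholder or truncated pin must never "match".
    if ($pinned -notmatch '^[0-9A-Fa-f]{64}$') {
        throw "No valid SHA-256 pin for the base ISO in $ManifestPath"
    }
    if (-not (Test-Path -LiteralPath $SourceIso -PathType Leaf)) {
        throw "Source ISO not found: $SourceIso"
    }

    $actual = (Get-FileHash -LiteralPath $SourceIso -Algorithm SHA256).Hash
    if (-not [string]::Equals($actual, $pinned, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Base ISO hash mismatch. pinned=$pinned actual=$actual"
    }

    # Return the verified digest so a later stage can record it.
    [pscustomobject]@{
        Path   = (Resolve-Path -LiteralPath $SourceIso).Path
        Sha256 = $actual.ToLowerInvariant()
    }
}

# Constructed demo input: a stand-in "ISO" and a manifest pinning its hash.
$dir = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$iso = Join-Path $dir 'sample.iso'
$man = Join-Path $dir 'inputs.manifest.json'
[IO.File]::WriteAllBytes($iso, [byte[]](1..64))
$pin = (Get-FileHash -LiteralPath $iso -Algorithm SHA256).Hash
@{ baseIso = @{ sha256 = $pin } } | ConvertTo-Json | Set-Content -LiteralPath $man

Test-PinnedIso -SourceIso $iso -ManifestPath $man    # matches the pin
Add-Content -LiteralPath $iso -Value 'x'             # simulate a modified image
try { Test-PinnedIso -SourceIso $iso -ManifestPath $man } catch { "Rejected: $_" }
Remove-Item -LiteralPath $dir -Recurse -Force
```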