Retire v1 per-pctype enforcers; GE-Enforce is the sole dispatcher
Stage 2a (GE-Enforce.ps1, landed 2026-04-22) is now the only ongoing-update
enforcer. The legacy per-pctype tasks (Machine-Enforce, Common-Enforce,
CMM-Enforce, Keyence-Enforce, Acrobat-Enforce) were kept as transition
belt-and-suspenders; with retrofitted PCs handled, the v1 path is dead and
gets removed entirely.
Deleted (13 files):
Standard/{Machine-Enforce,Register-MachineEnforce}.ps1
Standard/machineapps-manifest.template.json
common/{Common-Enforce,Acrobat-Enforce,Register-CommonEnforce,Register-AcrobatEnforce}.ps1
common/common-apps-manifest.template.json
CMM/CMM-Enforce.ps1
Keyence/Keyence-Enforce.ps1
{CMM,Keyence,Standard}/lib/Install-FromManifest.ps1 (orphan dups of common/lib)
Trimmed:
Run-ShopfloorSetup.ps1: dropped the legacy register-* invocations (Common,
Machine) and the transition-period comment. Sole enforcer registration
is now Register-GEEnforce.
09-Setup-Keyence.ps1: keeps imaging-time install (step 1); removes the
enforcer staging (step 2) and scheduled-task registration (step 3).
Library lookup repointed to common/lib/Install-FromManifest.ps1.
09-Setup-CMM.ps1: same treatment - keeps .NET 3.5 enable, install,
PC-DMIS ACL grants, and bootstrap cleanup. Library repointed to common/lib.
cmm-manifest.json + keyence-manifest.json: _comment fields updated to
reflect imaging-time-only role (ongoing enforcement now goes through
the v2 share manifests via GE-Enforce).
Verified clean: no orphan references to *-Enforce.ps1 / Register-*Enforce.ps1
/ machineapps-manifest / common-apps-manifest in any code path that runs.
A few historical mentions remain in unmodified header comments (GE-Enforce.ps1,
Deploy-GEEnforce.ps1, Monitor-IntuneProgress.ps1) describing what the new
dispatcher replaced; left as historical context.
Run-ShopfloorSetup.ps1 also picks up an unrelated 1-line hunk adding
SetShopfloorAutoLogon.bat to the desktop-copy list (already in the working
tree from a prior session). The file itself is not yet tracked; the
desktop-copy step is Test-Path-guarded so this is harmless until the
.bat is committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
@@ -1,134 +0,0 @@
|
||||
# Acrobat-Enforce.ps1 - On-logon Adobe Acrobat Reader DC enforcer.
|
||||
#
|
||||
# Cross-PC-type companion to CMM-Enforce.ps1. Runs under a SYSTEM scheduled
|
||||
# task triggered at user logon on every PC regardless of PC type, mounts the
|
||||
# tsgwp00525 SFLD share (common\acrobat path) using SFLD creds provisioned
|
||||
# by Azure DSC, reads acrobat-manifest.json from the share, and hands off to
|
||||
# Install-FromManifest.ps1 which installs anything whose detection fails.
|
||||
#
|
||||
# Initial Acrobat install happens at imaging time via the preinstall flow
|
||||
# (playbook/preinstall/...). This enforcer is the ongoing-updates side: when
|
||||
# Adobe publishes a new quarterly DC patch, drop the new .msp on the share,
|
||||
# bump DetectionValue in acrobat-manifest.json, and every PC catches up on
|
||||
# its next logon. On a freshly-imaged PC, detection passes immediately and
|
||||
# this script no-ops.
|
||||
#
|
||||
# Graceful degradation mirrors CMM-Enforce:
|
||||
# - SFLD creds missing (Azure DSC has not run yet) -> log + exit 0
|
||||
# - Share unreachable (network, VPN) -> log + exit 0
|
||||
# - Install failure -> log + exit 0
|
||||
#
|
||||
# Never returns non-zero to the task scheduler; failures show up in the log.
|
||||
|
||||
$ErrorActionPreference = 'Continue'
|
||||
|
||||
$installRoot = 'C:\Program Files\GE\Acrobat'
|
||||
$libPath = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
||||
$logDir = 'C:\Logs\Acrobat'
|
||||
$logFile = Join-Path $logDir ('enforce-{0}.log' -f (Get-Date -Format 'yyyyMMdd'))
|
||||
# Use a drive letter that does not clash with CMM-Enforce's S: drive so the
|
||||
# two enforcers can run concurrently at logon without fighting for the mount.
|
||||
$driveLetter = 'T:'
|
||||
|
||||
if (-not (Test-Path $logDir)) {
|
||||
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-EnforceLog {
|
||||
param([string]$Message, [string]$Level = 'INFO')
|
||||
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
||||
Write-Host $line
|
||||
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-EnforceLog "================================================================"
|
||||
Write-EnforceLog "=== Acrobat-Enforce session start (PID $PID, user $env:USERNAME) ==="
|
||||
Write-EnforceLog "================================================================"
|
||||
|
||||
# --- Load site-config for acrobatSharePath ---
|
||||
# Dot-source the same Get-PCProfile.ps1 used at imaging time. It walks
|
||||
# C:\Enrollment\site-config.json into $pcProfile / $siteConfig script vars.
|
||||
$getProfileScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Get-PCProfile.ps1'
|
||||
if (-not (Test-Path $getProfileScript)) {
|
||||
Write-EnforceLog "Get-PCProfile.ps1 not found at $getProfileScript - cannot locate share" "ERROR"
|
||||
exit 0
|
||||
}
|
||||
. $getProfileScript
|
||||
|
||||
# Acrobat share lives under the site-config "common" section, which applies
|
||||
# to every PC type (unlike cmmSharePath which is CMM-only).
|
||||
if (-not $siteConfig -or -not $siteConfig.common -or -not $siteConfig.common.acrobatSharePath) {
|
||||
Write-EnforceLog "No common.acrobatSharePath in site-config - nothing to enforce" "WARN"
|
||||
exit 0
|
||||
}
|
||||
|
||||
$sharePath = $siteConfig.common.acrobatSharePath
|
||||
Write-EnforceLog "Share: $sharePath"
|
||||
|
||||
function Get-SFLDCredential {
|
||||
param([string]$ServerName)
|
||||
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
|
||||
if (-not (Test-Path $basePath)) { return $null }
|
||||
|
||||
foreach ($entry in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
|
||||
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
|
||||
if (-not $props -or -not $props.TargetHost) { continue }
|
||||
if ($props.TargetHost -eq $ServerName -or
|
||||
$props.TargetHost -like "$ServerName.*" -or
|
||||
$ServerName -like "$($props.TargetHost).*") {
|
||||
return @{
|
||||
Username = $props.Username
|
||||
Password = $props.Password
|
||||
TargetHost = $props.TargetHost
|
||||
KeyName = $entry.PSChildName
|
||||
}
|
||||
}
|
||||
}
|
||||
return $null
|
||||
}
|
||||
|
||||
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
|
||||
$cred = Get-SFLDCredential -ServerName $serverName
|
||||
|
||||
if (-not $cred -or -not $cred.Username -or -not $cred.Password) {
|
||||
Write-EnforceLog "No SFLD credential for $serverName yet (Azure DSC has not provisioned it) - will retry at next logon"
|
||||
exit 0
|
||||
}
|
||||
|
||||
Write-EnforceLog "Credential: $($cred.KeyName) (user: $($cred.Username))"
|
||||
|
||||
# --- Mount the share ---
|
||||
net use $driveLetter /delete /y 2>$null | Out-Null
|
||||
|
||||
$netResult = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
Write-EnforceLog "net use failed (exit $LASTEXITCODE): $netResult" "WARN"
|
||||
Write-EnforceLog "Share unreachable - probably off-network. Will retry at next logon."
|
||||
exit 0
|
||||
}
|
||||
Write-EnforceLog "Mounted $sharePath as $driveLetter"
|
||||
|
||||
try {
|
||||
$manifestOnShare = Join-Path $driveLetter 'acrobat-manifest.json'
|
||||
if (-not (Test-Path $manifestOnShare)) {
|
||||
Write-EnforceLog "acrobat-manifest.json not found on share - nothing to enforce" "WARN"
|
||||
return
|
||||
}
|
||||
|
||||
if (-not (Test-Path $libPath)) {
|
||||
Write-EnforceLog "Install-FromManifest.ps1 not found at $libPath" "ERROR"
|
||||
return
|
||||
}
|
||||
|
||||
Write-EnforceLog "Handing off to Install-FromManifest.ps1 (InstallerRoot=$driveLetter)"
|
||||
& $libPath -ManifestPath $manifestOnShare -InstallerRoot $driveLetter -LogFile $logFile
|
||||
$rc = $LASTEXITCODE
|
||||
Write-EnforceLog "Install-FromManifest returned $rc"
|
||||
}
|
||||
finally {
|
||||
net use $driveLetter /delete /y 2>$null | Out-Null
|
||||
Write-EnforceLog "Unmounted $driveLetter"
|
||||
Write-EnforceLog "=== Acrobat-Enforce session end ==="
|
||||
}
|
||||
|
||||
exit 0
|
||||
@@ -1,123 +0,0 @@
|
||||
# Common-Enforce.ps1 - On-logon enforcer for cross-PC-type apps (Acrobat
|
||||
# Reader, WJF Defect Tracker, future common apps).
|
||||
#
|
||||
# Runs under a SYSTEM scheduled task triggered at user logon on every PC
|
||||
# regardless of PC type. Mounts the tsgwp00525 SFLD share (common\apps
|
||||
# path) using SFLD creds provisioned by Azure DSC, reads
|
||||
# common-apps-manifest.json from the share, and hands off to
|
||||
# Install-FromManifest.ps1 which installs anything whose detection fails.
|
||||
#
|
||||
# Update workflow: drop new installer on the share, bump DetectionValue in
|
||||
# common-apps-manifest.json, every PC catches up on next logon.
|
||||
#
|
||||
# Graceful degradation:
|
||||
# - SFLD creds missing (Azure DSC has not run yet) -> log + exit 0
|
||||
# - Share unreachable (network, VPN) -> log + exit 0
|
||||
# - Install failure -> log + exit 0
|
||||
#
|
||||
# Never returns non-zero to the task scheduler; failures show up in the log.
|
||||
|
||||
$ErrorActionPreference = 'Continue'
|
||||
|
||||
$installRoot = 'C:\Program Files\GE\CommonApps'
|
||||
$libPath = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
||||
$logDir = 'C:\Logs\CommonApps'
|
||||
$logFile = Join-Path $logDir ('enforce-{0}.log' -f (Get-Date -Format 'yyyyMMdd'))
|
||||
$driveLetter = 'T:'
|
||||
|
||||
if (-not (Test-Path $logDir)) {
|
||||
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-EnforceLog {
|
||||
param([string]$Message, [string]$Level = 'INFO')
|
||||
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
||||
Write-Host $line
|
||||
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-EnforceLog "================================================================"
|
||||
Write-EnforceLog "=== Common-Enforce session start (PID $PID, user $env:USERNAME) ==="
|
||||
Write-EnforceLog "================================================================"
|
||||
|
||||
$getProfileScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Get-PCProfile.ps1'
|
||||
if (-not (Test-Path $getProfileScript)) {
|
||||
Write-EnforceLog "Get-PCProfile.ps1 not found at $getProfileScript - cannot locate share" "ERROR"
|
||||
exit 0
|
||||
}
|
||||
. $getProfileScript
|
||||
|
||||
if (-not $siteConfig -or -not $siteConfig.common -or -not $siteConfig.common.commonAppsSharePath) {
|
||||
Write-EnforceLog "No common.commonAppsSharePath in site-config - nothing to enforce" "WARN"
|
||||
exit 0
|
||||
}
|
||||
|
||||
$sharePath = $siteConfig.common.commonAppsSharePath
|
||||
Write-EnforceLog "Share: $sharePath"
|
||||
|
||||
function Get-SFLDCredential {
|
||||
param([string]$ServerName)
|
||||
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
|
||||
if (-not (Test-Path $basePath)) { return $null }
|
||||
|
||||
foreach ($entry in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
|
||||
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
|
||||
if (-not $props -or -not $props.TargetHost) { continue }
|
||||
if ($props.TargetHost -eq $ServerName -or
|
||||
$props.TargetHost -like "$ServerName.*" -or
|
||||
$ServerName -like "$($props.TargetHost).*") {
|
||||
return @{
|
||||
Username = $props.Username
|
||||
Password = $props.Password
|
||||
TargetHost = $props.TargetHost
|
||||
KeyName = $entry.PSChildName
|
||||
}
|
||||
}
|
||||
}
|
||||
return $null
|
||||
}
|
||||
|
||||
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
|
||||
$cred = Get-SFLDCredential -ServerName $serverName
|
||||
|
||||
if (-not $cred -or -not $cred.Username -or -not $cred.Password) {
|
||||
Write-EnforceLog "No SFLD credential for $serverName yet (Azure DSC has not provisioned it) - will retry at next logon"
|
||||
exit 0
|
||||
}
|
||||
|
||||
Write-EnforceLog "Credential: $($cred.KeyName) (user: $($cred.Username))"
|
||||
|
||||
net use $driveLetter /delete /y 2>$null | Out-Null
|
||||
|
||||
$netResult = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
Write-EnforceLog "net use failed (exit $LASTEXITCODE): $netResult" "WARN"
|
||||
Write-EnforceLog "Share unreachable - probably off-network. Will retry at next logon."
|
||||
exit 0
|
||||
}
|
||||
Write-EnforceLog "Mounted $sharePath as $driveLetter"
|
||||
|
||||
try {
|
||||
$manifestOnShare = Join-Path $driveLetter 'common-apps-manifest.json'
|
||||
if (-not (Test-Path $manifestOnShare)) {
|
||||
Write-EnforceLog "common-apps-manifest.json not found on share - nothing to enforce" "WARN"
|
||||
return
|
||||
}
|
||||
|
||||
if (-not (Test-Path $libPath)) {
|
||||
Write-EnforceLog "Install-FromManifest.ps1 not found at $libPath" "ERROR"
|
||||
return
|
||||
}
|
||||
|
||||
Write-EnforceLog "Handing off to Install-FromManifest.ps1 (InstallerRoot=$driveLetter)"
|
||||
& $libPath -ManifestPath $manifestOnShare -InstallerRoot $driveLetter -LogFile $logFile
|
||||
$rc = $LASTEXITCODE
|
||||
Write-EnforceLog "Install-FromManifest returned $rc"
|
||||
}
|
||||
finally {
|
||||
net use $driveLetter /delete /y 2>$null | Out-Null
|
||||
Write-EnforceLog "Unmounted $driveLetter"
|
||||
Write-EnforceLog "=== Common-Enforce session end ==="
|
||||
}
|
||||
|
||||
exit 0
|
||||
@@ -1,93 +0,0 @@
|
||||
# Register-AcrobatEnforce.ps1 - One-time setup for the Acrobat Reader
|
||||
# logon-enforce scheduled task. Called by each PC type's shopfloor setup
|
||||
# (Run-ShopfloorSetup.ps1) after the baseline imaging steps, once per
|
||||
# fresh install. Idempotent: re-running just refreshes the staged scripts
|
||||
# and re-registers the task.
|
||||
#
|
||||
# Parallel to CMM\09-Setup-CMM.ps1 steps 3-4 (stage Install-FromManifest +
|
||||
# Acrobat-Enforce, register the "GE Acrobat Enforce" task) but without any
|
||||
# imaging-time install step - initial Acrobat install is already handled by
|
||||
# the preinstall flow.
|
||||
|
||||
$ErrorActionPreference = 'Continue'
|
||||
|
||||
$installRoot = 'C:\Program Files\GE\Acrobat'
|
||||
$runtimeLib = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
||||
$runtimeEnforce = Join-Path $installRoot 'Acrobat-Enforce.ps1'
|
||||
$logDir = 'C:\Logs\Acrobat'
|
||||
$setupLog = Join-Path $logDir 'setup.log'
|
||||
|
||||
# Source on the imaged client (staged there by WinPE startnet.cmd via
|
||||
# shopfloor-setup\common\).
|
||||
$sourceLib = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
|
||||
$sourceEnforce = Join-Path $PSScriptRoot 'Acrobat-Enforce.ps1'
|
||||
|
||||
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path $installRoot)) { New-Item -Path $installRoot -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path (Join-Path $installRoot 'lib'))) {
|
||||
New-Item -Path (Join-Path $installRoot 'lib') -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-SetupLog {
|
||||
param([string]$Message, [string]$Level = 'INFO')
|
||||
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
||||
Write-Host $line
|
||||
Add-Content -Path $setupLog -Value $line -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-AcrobatEnforce start ==="
|
||||
|
||||
# Stage scripts to their runtime location under Program Files so the
|
||||
# scheduled task can run them as SYSTEM.
|
||||
foreach ($pair in @(
|
||||
@{ Src = $sourceLib; Dst = $runtimeLib },
|
||||
@{ Src = $sourceEnforce; Dst = $runtimeEnforce }
|
||||
)) {
|
||||
if (-not (Test-Path $pair.Src)) {
|
||||
Write-SetupLog "Source not found: $($pair.Src) - cannot stage" "ERROR"
|
||||
continue
|
||||
}
|
||||
Copy-Item -Path $pair.Src -Destination $pair.Dst -Force
|
||||
Write-SetupLog "Staged $($pair.Src) -> $($pair.Dst)"
|
||||
}
|
||||
|
||||
# Register scheduled task. Unregister any stale copy first so re-imaging is
|
||||
# idempotent.
|
||||
$taskName = 'GE Acrobat Enforce'
|
||||
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
|
||||
if ($existing) {
|
||||
Write-SetupLog "Removing existing scheduled task '$taskName'"
|
||||
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
|
||||
try {
|
||||
$action = New-ScheduledTaskAction `
|
||||
-Execute 'powershell.exe' `
|
||||
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
|
||||
|
||||
$trigger = New-ScheduledTaskTrigger -AtLogOn
|
||||
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
|
||||
# ExecutionTimeLimit 30 min - Acrobat DC patches are smaller than PC-DMIS
|
||||
# bundles; 30 min is plenty and keeps a stuck install from lingering.
|
||||
$settings = New-ScheduledTaskSettingsSet `
|
||||
-AllowStartIfOnBatteries `
|
||||
-DontStopIfGoingOnBatteries `
|
||||
-StartWhenAvailable `
|
||||
-ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
|
||||
-MultipleInstances IgnoreNew
|
||||
|
||||
Register-ScheduledTask `
|
||||
-TaskName $taskName `
|
||||
-Action $action `
|
||||
-Trigger $trigger `
|
||||
-Principal $principal `
|
||||
-Settings $settings `
|
||||
-Description 'GE Acrobat: enforce Adobe Acrobat Reader DC version against tsgwp00525 SFLD share on user logon' | Out-Null
|
||||
|
||||
Write-SetupLog "Scheduled task registered"
|
||||
} catch {
|
||||
Write-SetupLog "Failed to register scheduled task: $_" "ERROR"
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-AcrobatEnforce end ==="
|
||||
@@ -1,91 +0,0 @@
|
||||
# Register-CommonEnforce.ps1 - Stage Common-Enforce.ps1 + Install-FromManifest
|
||||
# and register the 'GE Common Apps Enforce' logon task. Cross-PC-type: called
|
||||
# from Run-ShopfloorSetup.ps1 for every shopfloor image.
|
||||
#
|
||||
# Replaces the former Acrobat-only enforcer with a single task that handles
|
||||
# all common apps (Acrobat, Defect Tracker, future additions) from one
|
||||
# manifest on the SFLD share.
|
||||
|
||||
$ErrorActionPreference = 'Continue'
|
||||
|
||||
$installRoot = 'C:\Program Files\GE\CommonApps'
|
||||
$runtimeLib = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
||||
$runtimeEnforce = Join-Path $installRoot 'Common-Enforce.ps1'
|
||||
$logDir = 'C:\Logs\CommonApps'
|
||||
$setupLog = Join-Path $logDir 'setup.log'
|
||||
|
||||
$sourceLib = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
|
||||
$sourceEnforce = Join-Path $PSScriptRoot 'Common-Enforce.ps1'
|
||||
|
||||
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path $installRoot)) { New-Item -Path $installRoot -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path (Join-Path $installRoot 'lib'))) {
|
||||
New-Item -Path (Join-Path $installRoot 'lib') -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-SetupLog {
|
||||
param([string]$Message, [string]$Level = 'INFO')
|
||||
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
||||
Write-Host $line
|
||||
Add-Content -Path $setupLog -Value $line -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-CommonEnforce start ==="
|
||||
|
||||
foreach ($pair in @(
|
||||
@{ Src = $sourceLib; Dst = $runtimeLib },
|
||||
@{ Src = $sourceEnforce; Dst = $runtimeEnforce }
|
||||
)) {
|
||||
if (-not (Test-Path $pair.Src)) {
|
||||
Write-SetupLog "Source not found: $($pair.Src) - cannot stage" "ERROR"
|
||||
continue
|
||||
}
|
||||
Copy-Item -Path $pair.Src -Destination $pair.Dst -Force
|
||||
Write-SetupLog "Staged $($pair.Src) -> $($pair.Dst)"
|
||||
}
|
||||
|
||||
# Clean up old Acrobat-only enforcer if present (from prior images).
|
||||
foreach ($oldTask in @('GE Acrobat Enforce')) {
|
||||
$old = Get-ScheduledTask -TaskName $oldTask -ErrorAction SilentlyContinue
|
||||
if ($old) {
|
||||
Write-SetupLog "Removing legacy task '$oldTask'"
|
||||
Unregister-ScheduledTask -TaskName $oldTask -Confirm:$false -ErrorAction SilentlyContinue
|
||||
}
|
||||
}
|
||||
|
||||
$taskName = 'GE Common Apps Enforce'
|
||||
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
|
||||
if ($existing) {
|
||||
Write-SetupLog "Removing existing scheduled task '$taskName'"
|
||||
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
|
||||
try {
|
||||
$action = New-ScheduledTaskAction `
|
||||
-Execute 'powershell.exe' `
|
||||
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
|
||||
|
||||
$trigger = New-ScheduledTaskTrigger -AtLogOn
|
||||
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
|
||||
$settings = New-ScheduledTaskSettingsSet `
|
||||
-AllowStartIfOnBatteries `
|
||||
-DontStopIfGoingOnBatteries `
|
||||
-StartWhenAvailable `
|
||||
-ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
|
||||
-MultipleInstances IgnoreNew
|
||||
|
||||
Register-ScheduledTask `
|
||||
-TaskName $taskName `
|
||||
-Action $action `
|
||||
-Trigger $trigger `
|
||||
-Principal $principal `
|
||||
-Settings $settings `
|
||||
-Description 'GE Common Apps: enforce Acrobat, Defect Tracker, and other cross-type apps against tsgwp00525 SFLD share on user logon' | Out-Null
|
||||
|
||||
Write-SetupLog "Scheduled task registered"
|
||||
} catch {
|
||||
Write-SetupLog "Failed to register scheduled task: $_" "ERROR"
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-CommonEnforce end ==="
|
||||
@@ -1,27 +0,0 @@
|
||||
{
|
||||
"Version": "1.0",
|
||||
"_comment": "Common cross-PC-type app enforcement manifest. TEMPLATE in repo; authoritative copy on SFLD share at \\\\tsgwp00525.wjs.geaerospace.net\\shared\\dt\\shopfloor\\common\\acrobat\\acrobat-manifest.json. Acrobat-Enforce.ps1 reads the share copy on every user logon. Update workflow: drop new installer on share, bump DetectionValue, next logon catches it.",
|
||||
"Applications": [
|
||||
{
|
||||
"_comment": "Two-step install (MSI + MST transform, then MSP patch) done via the vendor-shipped Install-AcroReader.cmd wrapper.",
|
||||
"Name": "Adobe Acrobat Reader DC",
|
||||
"Installer": "Install-AcroReader.cmd",
|
||||
"Type": "CMD",
|
||||
"LogFile": "C:\\Logs\\Acrobat\\install.log",
|
||||
"DetectionMethod": "Registry",
|
||||
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}",
|
||||
"DetectionName": "DisplayVersion",
|
||||
"DetectionValue": "25.001.20531"
|
||||
},
|
||||
{
|
||||
"_comment": "WJF Defect Tracker. Replaces the old ClickOnce deployment. MSI installs to C:\\Program Files (x86)\\WJF_Defect_Tracker\\. Update workflow: drop new MSI on share, bump DetectionValue to new ProductVersion, next logon upgrades.",
|
||||
"Name": "WJF Defect Tracker",
|
||||
"Installer": "WJF_Defect_Tracker.msi",
|
||||
"Type": "MSI",
|
||||
"InstallArgs": "/qn /norestart ALLUSERS=1 REBOOT=ReallySuppress TARGETDIR=\"C:\\Program Files (x86)\\WJF_Defect_Tracker\"",
|
||||
"DetectionMethod": "FileVersion",
|
||||
"DetectionPath": "C:\\Program Files (x86)\\WJF_Defect_Tracker\\Defect_Tracker.exe",
|
||||
"DetectionValue": "1.0.0.102"
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user