ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ShopFloor autologon persistence, S: drive mapping, sync throttle

Browse Source 
AutoLogonCount depletion:
  Run-ShopfloorSetup set AutoLogonCount=4 for SupportUser. Windows
  decrements per-logon; at 0 it clears AutoAdminLogon + DefaultPassword,
  nuking the lockdown-configured ShopFloor autologon. Fix: delete
  AutoLogonCount in Invoke-SetupComplete before the lockdown reboot.
  ShopFloor's Autologon.exe-set config persists indefinitely.

Sync_intune window on ShopFloor:
  The marker-check path used 'exit 0' but the task runs with -NoExit,
  leaving a dangling PowerShell window on every ShopFloor logon. Fix:
  [Environment]::Exit(0) kills the host outright, defeating -NoExit.

S: drive mapping:
  Vendor ConsumeCredentials.ps1 calls New-StoredCredential -Persist
  LocalMachine (needs admin) before net use. ShopFloor is non-admin so
  cred-store fails silently and net use has no auth. Fix: new
  Map-SfldShare.ps1 reads HKLM creds and passes them inline to
  net use /user: -- no Credential Manager needed, works as Limited.
  Register-MapSfldShare updated to stage + reference our script.

Wired NIC re-enable:
  SYSTEM task polls for SFLD creds (Phase 5), re-enables wired NICs,
  self-deletes. Replaces the broken Enable-NetAdapter in Monitor
  (Limited principal can't enable NICs). No-WiFi devices unaffected
  (migrate-to-wifi never disables, re-enable is a no-op).

Sync throttle:
  15 min retrigger when only waiting for lockdown (was 5 min for all
  phases). Avoids interrupting the Intune Remediation script.

Defect Tracker path:
  All references corrected to C:\Program Files (x86)\WJF_Defect_Tracker.

QR code retry:
  Build-QRCodeText retried every poll cycle until DeviceId appears
  (was single-shot that could miss the dsregcmd timing window).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-04-16 12:29:02 -04:00
parent f73f999938
commit 2ab6055125
8 changed files with 187 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
View File

@@ -244,6 +244,51 @@ Write-Host "Auto-logon set to 4 remaining logins."
# These run on every logon regardless of PC type, mounting the SFLD share
# for version-pinned app enforcement. Initial install already handled by
# preinstall flow; enforcers only kick in when detection fails.
# --- Re-enable wired NICs once SFLD creds arrive (Phase 5) ---
# migrate-to-wifi.ps1 disables wired NICs so the PPKG runs over WiFi.
# After Phase 5 (SFLD creds populated), WiFi duty is done and the tech
# needs wired back for production ethernet. Monitor-IntuneProgress runs
# as Limited and can't call Enable-NetAdapter (needs admin). This SYSTEM
# task fires at logon, waits for the SFLD cred marker, re-enables wired
# NICs, and self-deletes. If creds haven't landed yet, the task exits
# quickly and the repetition interval retries every 5 minutes.
$reEnableTask = 'GE Re-enable Wired NICs'
try {
$script = @'
$credsBase = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
if (-not (Test-Path $credsBase)) { exit 0 }
$hasCreds = $false
Get-ChildItem -Path $credsBase -ErrorAction SilentlyContinue | ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
if ($p -and $p.TargetHost -and $p.Username -and $p.Password) { $hasCreds = $true }
}
if (-not $hasCreds) { exit 0 }
Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
Where-Object { $_.InterfaceDescription -notmatch 'Wi-?Fi|Wireless|WLAN|802\.11' } |
Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -ErrorAction SilentlyContinue
'@
$scriptPath = 'C:\Program Files\GE\ReEnableNIC.ps1'
if (-not (Test-Path 'C:\Program Files\GE')) {
New-Item -Path 'C:\Program Files\GE' -ItemType Directory -Force | Out-Null
}
Set-Content -Path $scriptPath -Value $script -Force
$reEnableAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$reEnableTrigger = New-ScheduledTaskTrigger -AtLogOn
$reEnableTrigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
-RepetitionInterval (New-TimeSpan -Minutes 5)).Repetition
$reEnablePrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$reEnableSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
-ExecutionTimeLimit (New-TimeSpan -Minutes 2)
Register-ScheduledTask -TaskName $reEnableTask -Action $reEnableAction -Trigger $reEnableTrigger `
-Principal $reEnablePrincipal -Settings $reEnableSettings -Force -ErrorAction Stop | Out-Null
Write-Host "Registered '$reEnableTask' task (waits for SFLD creds, then re-enables wired NICs)."
} catch {
Write-Warning "Failed to register NIC re-enable task: $_"
}
$commonSetupDir = Join-Path $PSScriptRoot 'common'
$registerCommon = Join-Path $commonSetupDir 'Register-CommonEnforce.ps1'
if (Test-Path -LiteralPath $registerCommon) {