Fix ShopFloor autologon persistence, S: drive mapping, sync throttle
AutoLogonCount depletion: Run-ShopfloorSetup set AutoLogonCount=4 for SupportUser. Windows decrements per-logon; at 0 it clears AutoAdminLogon + DefaultPassword, nuking the lockdown-configured ShopFloor autologon. Fix: delete AutoLogonCount in Invoke-SetupComplete before the lockdown reboot. ShopFloor's Autologon.exe-set config persists indefinitely.

Sync_intune window on ShopFloor: The marker-check path used 'exit 0' but the task runs with -NoExit, leaving a dangling PowerShell window on every ShopFloor logon. Fix: [Environment]::Exit(0) kills the host outright, defeating -NoExit.

S: drive mapping: Vendor ConsumeCredentials.ps1 calls New-StoredCredential -Persist LocalMachine (needs admin) before net use. ShopFloor is non-admin so cred-store fails silently and net use has no auth. Fix: new Map-SfldShare.ps1 reads HKLM creds and passes them inline to net use /user: -- no Credential Manager needed, works as Limited. Register-MapSfldShare updated to stage + reference our script.

Wired NIC re-enable: SYSTEM task polls for SFLD creds (Phase 5), re-enables wired NICs, self-deletes. Replaces the broken Enable-NetAdapter in Monitor (Limited principal can't enable NICs). No-WiFi devices unaffected (migrate-to-wifi never disables, re-enable is a no-op).

Sync throttle: 15 min retrigger when only waiting for lockdown (was 5 min for all phases). Avoids interrupting the Intune Remediation script.

Defect Tracker path: All references corrected to C:\Program Files (x86)\WJF_Defect_Tracker.

QR code retry: Build-QRCodeText retried every poll cycle until DeviceId appears (was single-shot that could miss the dsregcmd timing window).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
68
playbook/shopfloor-setup/Shopfloor/lib/Map-SfldShare.ps1
Normal file
@@ -0,0 +1,68 @@
# Map-SfldShare.ps1 - Map S: drive on user logon using SFLD creds from HKLM.
#
# Runs as the interactive user (BUILTIN\Users, Limited) so the drive
# mapping lands in the logged-in user's session. Reads username/password
# directly from HKLM:\SOFTWARE\GE\SFLD\Credentials\* and passes them
# inline to net use -- no Windows Credential Manager involvement.
#
# Why not the vendor's ConsumeCredentials.ps1: it calls
# New-StoredCredential -Persist LocalMachine which requires admin.
# ShopFloor is a non-admin user, so the cred-store step fails silently
# and the subsequent net use (which relies on those stored creds) has
# no authentication. Direct net use /user: bypasses the issue entirely.
$ErrorActionPreference = 'Continue'
$logDir = 'C:\Logs\SFLD'
if (-not (Test-Path $logDir)) {
try { New-Item -Path $logDir -ItemType Directory -Force | Out-Null } catch { $logDir = $env:TEMP }
}
$logFile = Join-Path $logDir 'map-share.log'
function Write-MapLog {
param([string]$Message)
$line = '[{0}] [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:USERNAME, $Message
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
}
Write-MapLog '=== Map-SfldShare start ==='
$credsBase = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
if (-not (Test-Path $credsBase)) {
Write-MapLog 'No HKLM SFLD credentials yet - exiting'
exit 0
}
foreach ($entry in (Get-ChildItem -Path $credsBase -ErrorAction SilentlyContinue)) {
$p = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
if (-not $p -or -not $p.TargetHost -or -not $p.Username -or -not $p.Password) { continue }
$drive = $null
$share = $null
try { $drive = $p.DriveLetter } catch {}
try { $share = $p.ShareName } catch {}
if ([string]::IsNullOrWhiteSpace($drive) -or [string]::IsNullOrWhiteSpace($share)) { continue }
$drive = $drive.TrimEnd(':') + ':'
$share = $share.TrimStart('\')
$uncPath = "\\$($p.TargetHost)\$share"
# Skip if already mapped to the right target
$existing = & net use $drive 2>&1
if ($LASTEXITCODE -eq 0 -and ($existing -join "`n") -match [regex]::Escape($uncPath)) {
Write-MapLog "$drive already mapped to $uncPath - skipping"
continue
}
& net use $drive /delete /y 2>$null | Out-Null
$out = & net use $drive $uncPath /user:$($p.Username) $($p.Password) /persistent:yes 2>&1
if ($LASTEXITCODE -eq 0) {
Write-MapLog "Mapped $drive -> $uncPath"
} else {
Write-MapLog "FAILED $drive -> $uncPath (exit $LASTEXITCODE): $out"
}
}
Write-MapLog '=== Map-SfldShare end ==='
exit 0
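Review bot: The `net use $drive $uncPath /user:$($p.Username) $($p.Password) /persistent:yes` call near the end of the loop puts the SFLD password on net.exe's command line, where process-creation auditing with command-line capture and EDR telemetry will record it in plaintext. The header comment also does not say that `HKLM:\SOFTWARE\GE\SFLD\Credentials` has to be readable by the Limited user for this script to work, so every account with read access to that key can recover the password. Please document both exposures in the header, confirm the key's ACL is as narrow as the design allows, and keep the share account to the least privilege the S: mapping needs. Separately, in the log setup, `try { New-Item -Path $logDir -ItemType Directory -Force | Out-Null } catch { $logDir = $env:TEMP }` runs under `$ErrorActionPreference = 'Continue'`, so a non-terminating New-Item failure never reaches the catch and the `$env:TEMP` fallback does not fire. Adding `-ErrorAction Stop` to New-Item would make the fallback work, which matters because Write-MapLog suppresses its own write errors and the log is the only diagnostic this script leaves.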