ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Run-ShopfloorSetup: skip GE-Enforce + S: map on Display PCs

Browse Source 
Display kiosk user cannot authenticate to the tsgwp00525 SFLD share,
so any share-dependent enforcement task on Displays would fail every
cycle. Display is now self-contained: kiosk EXE installs at imaging
time via preinstall.json (Install-KioskApp.cmd) and Edge kiosk
policies via 09-Setup-Display.ps1. No ongoing SFLD-share dependency.

Gate both registrations behind a $noEnforceTypes alias group so
either pcType form (Display, gea-shopfloor-display) hits the skip
path. Other PC types still register both tasks unchanged.

Verified on win11 VM: matrix test confirmed Display + gea-shopfloor-
display SKIP both gates while Standard / CMM / gea-shopfloor-
collections still REGISTER.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-08 13:01:34 -04:00
parent 39f9945382
commit 3a5c907cbf
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
View File

@@ -345,8 +345,17 @@ $commonSetupDir = Join-Path $setupDir 'common'
# Single dispatcher for all PC-type ongoing-update enforcement. Reads
# per-pctype manifest.json from the tsgwp00525 share and processes
# common + per-type + per-type-subtype manifests in order.
#
# Display PCs are excluded: their kiosk user cannot reach the SFLD
# share, and everything Display needs (kiosk EXE + Edge policies) is
# baked at imaging time (preinstall.json Install-KioskApp + 09-Setup-
# Display.ps1). No ongoing share-dependent enforcement on Displays.
$noEnforceTypes = @('Display', 'gea-shopfloor-display')
$registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
if (Test-Path -LiteralPath $registerGE) {
if ($noEnforceTypes -contains $pcType) {
Write-Host ""
Write-Host "=== Skipping GE-Enforce registration ($pcType is self-contained) ==="
} elseif (Test-Path -LiteralPath $registerGE) {
Write-Host ""
Write-Host "=== Registering unified GE Shopfloor enforcer ==="
try {
@@ -372,8 +381,13 @@ if (Test-Path -LiteralPath $registerGE) {
# vendor 'SFLD - Consume Credentials' task is principal-restricted and
# does not fire for the ShopFloor end-user, so this parallel task fills
# the gap. Cross-PC-type because every shopfloor account needs S:.
# Display PCs skipped: kiosk user has no SFLD creds, S: map would fail
# every logon. Self-contained Display has no share dependency.
$registerMapShare = Join-Path $setupDir 'Shopfloor\Register-MapSfldShare.ps1'
if (Test-Path -LiteralPath $registerMapShare) {
if ($noEnforceTypes -contains $pcType) {
Write-Host ""
Write-Host "=== Skipping S: drive logon mapper ($pcType is self-contained) ==="
} elseif (Test-Path -LiteralPath $registerMapShare) {
Write-Host ""
Write-Host "=== Registering S: drive logon mapper ==="
try { & $registerMapShare } catch { Write-Warning "Map-SfldShare registration failed: $_" }