From 3a5c907cbf6e828c40cfd06296722f59231d58ec Mon Sep 17 00:00:00 2001
From: cproudlock
Date: Fri, 8 May 2026 13:01:34 -0400
Subject: [PATCH] Run-ShopfloorSetup: skip GE-Enforce + S: map on Display PCs Display kiosk user cannot authenticate to the tsgwp00525 SFLD share, so any share-dependent enforcement task on Displays would fail every cycle. Display is now self-contained: kiosk EXE installs at imaging time via preinstall.json (Install-KioskApp.cmd) and Edge kiosk policies via 09-Setup-Display.ps1. No ongoing SFLD-share dependency. Gate both registrations behind a $noEnforceTypes alias group so either pcType form (Display, gea-shopfloor-display) hits the skip path. Other PC types still register both tasks unchanged. Verified on win11 VM: matrix test confirmed Display + gea-shopfloor- display SKIP both gates while Standard / CMM / gea-shopfloor- collections still REGISTER.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../shopfloor-setup/Run-ShopfloorSetup.ps1 | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
index c9d8986..c87c46e 100644
--- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
+++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
@@ -345,8 +345,17 @@ $commonSetupDir = Join-Path $setupDir 'common'
 # Single dispatcher for all PC-type ongoing-update enforcement. Reads
 # per-pctype manifest.json from the tsgwp00525 share and processes
 # common + per-type + per-type-subtype manifests in order.
+#
+# Display PCs are excluded: their kiosk user cannot reach the SFLD
+# share, and everything Display needs (kiosk EXE + Edge policies) is
+# baked at imaging time (preinstall.json Install-KioskApp + 09-Setup-
+# Display.ps1). No ongoing share-dependent enforcement on Displays.
+$noEnforceTypes = @('Display', 'gea-shopfloor-display')
 $registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
-if (Test-Path -LiteralPath $registerGE) {
+if ($noEnforceTypes -contains $pcType) {
+ Write-Host ""
+ Write-Host "=== Skipping GE-Enforce registration ($pcType is self-contained) ==="
+} elseif (Test-Path -LiteralPath $registerGE) {
 Write-Host ""
 Write-Host "=== Registering unified GE Shopfloor enforcer ==="
 try {
@@ -372,8 +381,13 @@ if (Test-Path -LiteralPath $registerGE) {
 # vendor 'SFLD - Consume Credentials' task is principal-restricted and
 # does not fire for the ShopFloor end-user, so this parallel task fills
 # the gap. Cross-PC-type because every shopfloor account needs S:.
+# Display PCs skipped: kiosk user has no SFLD creds, S: map would fail
+# every logon. Self-contained Display has no share dependency.
 $registerMapShare = Join-Path $setupDir 'Shopfloor\Register-MapSfldShare.ps1'
-if (Test-Path -LiteralPath $registerMapShare) {
+if ($noEnforceTypes -contains $pcType) {
+ Write-Host ""
+ Write-Host "=== Skipping S: drive logon mapper ($pcType is self-contained) ==="
+} elseif (Test-Path -LiteralPath $registerMapShare) {
 Write-Host ""
 Write-Host "=== Registering S: drive logon mapper ==="
 try { & $registerMapShare } catch { Write-Warning "Map-SfldShare registration failed: $_" }
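Review bot: The new `if ($noEnforceTypes -contains $pcType)` branch in the first hunk only skips registration; it does not remove a GE-Enforce task that an earlier run may already have registered, so a Display PC set up before this change would keep the task that the commit message says fails every cycle. Whether this script is ever re-run on an already-imaged Display is not visible in the hunk (the `try {` block also continues past it); if it is, add a cleanup to the skip branch, for example `Unregister-ScheduledTask -TaskName '<GE-Enforce task name>' -Confirm:$false -ErrorAction SilentlyContinue`. The second hunk's S: drive mapper gate has the same gap. The comment should also say how Displays receive kiosk EXE and Edge policy changes after imaging, because this gate removes them from the dispatcher the comment describes as the single one for ongoing-update enforcement.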
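Review bot: `$noEnforceTypes` is defined for the GE-Enforce gate in the first hunk and reused in the second hunk to decide who gets the S: drive mapper, so one list named after enforcement now controls two unrelated registrations. A later edit that exempts another PC type from enforcement would also silently drop its S: mapping. Consider a name that states the actual criterion, e.g. `$selfContainedTypes = @('Display', 'gea-shopfloor-display')`, or a comment at the definition listing both gates. Separately, `-contains` matches whole elements only, so a `$pcType` carrying stray whitespace (it is assigned outside the hunk) would fall through to the `elseif` and register the mapper; `"$pcType".Trim()` in both conditions would close that.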