Add Standard-Machine logon enforcer for UDC/eDNC/NTLARS

Reason: Intune DSC's main-category YAML was pushing these to every main
device, including Timeclocks - DSC has no awareness of our pc-subtype
distinction. After UDC/eDNC/NTLARS are removed from the DSC YAML, ongoing
version drift would no longer be corrected. This enforcer replaces that,
scoped correctly by subtype.

Structure mirrors CMM (CMM-Enforce.ps1) and common (Acrobat-Enforce.ps1):
- Machine-Enforce.ps1: SYSTEM logon task; mounts SFLD share with HKLM-
  backed creds; hands off to Install-FromManifest.
- machineapps-manifest.template.json: repo reference; authoritative copy
  lives on the share at \\tsgwp00525.wjs.geaerospace.net\shared\dt\
  shopfloor\main\machineapps\machineapps-manifest.json.
- Register-MachineEnforce.ps1: idempotent setup; stages scripts to
  C:\Program Files\GE\MachineApps and registers the task.
- lib/Install-FromManifest.ps1: copy of the common/ version (already has
  Type=CMD support).

Sub-type gating belt-and-suspenders:
- Run-ShopfloorSetup.ps1 only calls Register-MachineEnforce when
  $pcType -eq "Standard" -and $pcSubType -eq "Machine".
- Machine-Enforce.ps1 itself re-reads pc-subtype.txt and exits early if
  not "Machine", so a mistakenly deployed copy no-ops.

site-config.json:
- Added "machineappsSharePath" to Standard-Machine pcProfile.

Drive letter U: to stay clear of CMM (S:) and Acrobat (T:) enforcers
that may run concurrently at logon.

Update workflow:
  drop new UDC/eDNC/NTLARS installer on the SFLD share,
  bump DetectionValue in machineapps-manifest.json,
  every Machine PC catches up on next user logon.
cproudlock
2026-04-15 12:16:17 -04:00
parent 8848fca88a
commit 3ef981f19e
6 changed files with 549 additions and 3 deletions


@@ -61,7 +61,13 @@ if (-not $pcType) {
exit 0
}
Write-Host "Shopfloor PC Type: $pcType"
$subtypeFile = Join-Path $enrollDir "pc-subtype.txt"
$pcSubType = ''
if (Test-Path $subtypeFile) {
$pcSubType = (Get-Content $subtypeFile -First 1).Trim()
}
Write-Host "Shopfloor PC Type: $pcType$(if ($pcSubType) { " / $pcSubType" })"
# Scripts to skip in the alphabetical baseline loop. Each is either run
# explicitly in the finalization phase below, or invoked internally by
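Review bot: the new subtype read at `$pcSubType = (Get-Content $subtypeFile -First 1).Trim()` fails when pc-subtype.txt exists but is empty, because `Get-Content -First 1` then returns nothing and `.Trim()` cannot be called on a null value; that emits a "cannot call a method on a null-valued expression" error at every setup run (and terminates the script outright if $ErrorActionPreference is Stop). Cast before trimming, e.g. `$pcSubType = ([string](Get-Content $subtypeFile -First 1)).Trim()`, and consider a Write-Warning when the result is not one of the subtypes the rest of the script checks for ("Machine", "Timeclock"), so a typo in the marker file is visible in the output instead of silently skipping the enforcer.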
@@ -167,8 +173,9 @@ foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat')) {
}
}
# Standard PCs get the UDC/eDNC machine number helper
if ($pcType -eq "Standard") {
# Standard-Machine PCs get the UDC/eDNC machine number helper. Timeclock
# PCs do not use a machine number, so the helper has nothing to do there.
if ($pcType -eq "Standard" -and $pcSubType -ne "Timeclock") {
foreach ($helper in @("Set-MachineNumber.bat", "Set-MachineNumber.ps1")) {
$src = Join-Path $setupDir "Standard\$helper"
if (Test-Path $src) {
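Review bot: the gating here (`$pcSubType -ne "Timeclock"`) is a deny-list, while the enforcer registration added later in this commit uses an allow-list (`$pcSubType -eq "Machine"`), so a Standard PC whose pc-subtype.txt is missing, empty or misspelled gets the machine-number helper but not the machine-apps enforcer. The comment directly above says "Standard-Machine PCs get the UDC/eDNC machine number helper", which matches `-eq "Machine"`; either change the condition to that, or reword the comment to state that unknown subtypes are intentionally treated as machines here.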
@@ -247,6 +254,20 @@ if (Test-Path -LiteralPath $registerAcrobat) {
Write-Host "Register-AcrobatEnforce.ps1 not found (optional) - skipping"
}
# Standard-Machine gets a machine-apps enforcer (UDC, eDNC, NTLARS) that
# replaced the Intune DSC path (DSC has no sub-type awareness and was
# pushing these to Timeclocks). Timeclocks skip this registration.
if ($pcType -eq "Standard" -and $pcSubType -eq "Machine") {
$registerMachine = Join-Path $setupDir "Standard\Register-MachineEnforce.ps1"
if (Test-Path -LiteralPath $registerMachine) {
Write-Host ""
Write-Host "=== Registering Machine-apps enforcer ==="
try { & $registerMachine } catch { Write-Warning "Machine enforce registration failed: $_" }
} else {
Write-Host "Register-MachineEnforce.ps1 not found (optional) - skipping"
}
}
# --- Run enrollment (PPKG install) ---
# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
# an immediate reboot -- everything after this call is unlikely to execute.
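Review bot: for a Standard-Machine PC this enforcer is now the only mechanism correcting UDC/eDNC/NTLARS drift, yet both failure paths in the new block are soft: the missing-script branch prints "Register-MachineEnforce.ps1 not found (optional) - skipping" via Write-Host, and a failing registration is downgraded to Write-Warning before execution proceeds to the enrollment/reboot step right below. Use Write-Warning for the not-found case as well (it is not optional on this subtype), and consider recording the failure in something that survives the reboot, e.g. a marker file next to pc-subtype.txt, so a Machine PC that never got its logon task is distinguishable from one that did. Also, the comment "replaced the Intune DSC path" reads as already done; per the commit message the DSC YAML still has to be edited, so "replaces" plus a pointer to that follow-up would be clearer.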