Add Acrobat Reader logon enforcer (cross-PC-type), provtool.exe arg fix
Acrobat Reader enforcement:
- playbook/shopfloor-setup/common/ is the cross-PC-type staging dir. Mirrors
CMM/ structure (enforce script + its Install-FromManifest copy + manifest
template + register script).
- Acrobat-Enforce.ps1 runs as SYSTEM on every logon, reads
acrobatSharePath from site-config.common, mounts the SFLD share with
the same HKLM-backed credential lookup CMM-Enforce uses, hands the
acrobat-manifest.json from the share to Install-FromManifest.
- Install-FromManifest extended with Type=CMD so it can invoke vendor-
supplied .cmd wrappers (Install-AcroReader.cmd does a two-step MSI+MSP
install that does not fit MSI/EXE types cleanly). cmd.exe /c wraps it
because UseShellExecute=false cannot launch .cmd directly.
- Register-AcrobatEnforce.ps1 stages scripts to C:\Program Files\GE\Acrobat
and registers "GE Acrobat Enforce" scheduled task. Called from
Run-ShopfloorSetup.ps1 right before the enrollment (PPKG) step so it
applies to every PC type, not just CMM.
- acrobat-manifest.template.json is the repo reference; the authoritative
copy lives on the SFLD share at
\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\acrobat\
Bumping Acrobat updates = drop new MSP on share, bump DetectionValue in
manifest; enforcer catches every PC on next logon.
- site-config.json: add "common": { "acrobatSharePath": ... }. Uses a
new top-level block rather than a PC-type-specific one since Acrobat
applies everywhere.
Initial install still happens via the preinstall flow
(Install-AcroReader.cmd during WinPE). The enforcer is the ongoing-
updates side; on a freshly-imaged PC detection passes and it no-ops.
Also in this commit:
- run-enrollment.ps1: provtool.exe argument syntax fix. First test
returned 0x80004005 E_FAIL in 1s because /ppkg: and /log: are not
valid provtool flags; the cmdlet's internal call used positional
path + /quiet + /source. Switched to that syntax.
This commit is contained in:
cproudlock
93
playbook/shopfloor-setup/common/Register-AcrobatEnforce.ps1
Normal file
93
playbook/shopfloor-setup/common/Register-AcrobatEnforce.ps1
Normal file
@@ -0,0 +1,93 @@
|
||||
# Register-AcrobatEnforce.ps1 - One-time setup for the Acrobat Reader
|
||||
# logon-enforce scheduled task. Called by each PC type's shopfloor setup
|
||||
# (Run-ShopfloorSetup.ps1) after the baseline imaging steps, once per
|
||||
# fresh install. Idempotent: re-running just refreshes the staged scripts
|
||||
# and re-registers the task.
|
||||
#
|
||||
# Parallel to CMM\09-Setup-CMM.ps1 steps 3-4 (stage Install-FromManifest +
|
||||
# Acrobat-Enforce, register the "GE Acrobat Enforce" task) but without any
|
||||
# imaging-time install step - initial Acrobat install is already handled by
|
||||
# the preinstall flow.
|
||||
|
||||
$ErrorActionPreference = 'Continue'
|
||||
|
||||
$installRoot = 'C:\Program Files\GE\Acrobat'
|
||||
$runtimeLib = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
||||
$runtimeEnforce = Join-Path $installRoot 'Acrobat-Enforce.ps1'
|
||||
$logDir = 'C:\Logs\Acrobat'
|
||||
$setupLog = Join-Path $logDir 'setup.log'
|
||||
|
||||
# Source on the imaged client (staged there by WinPE startnet.cmd via
|
||||
# shopfloor-setup\common\).
|
||||
$sourceLib = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
|
||||
$sourceEnforce = Join-Path $PSScriptRoot 'Acrobat-Enforce.ps1'
|
||||
|
||||
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path $installRoot)) { New-Item -Path $installRoot -ItemType Directory -Force | Out-Null }
|
||||
if (-not (Test-Path (Join-Path $installRoot 'lib'))) {
|
||||
New-Item -Path (Join-Path $installRoot 'lib') -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-SetupLog {
|
||||
param([string]$Message, [string]$Level = 'INFO')
|
||||
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
||||
Write-Host $line
|
||||
Add-Content -Path $setupLog -Value $line -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-AcrobatEnforce start ==="
|
||||
|
||||
# Stage scripts to their runtime location under Program Files so the
|
||||
# scheduled task can run them as SYSTEM.
|
||||
foreach ($pair in @(
|
||||
@{ Src = $sourceLib; Dst = $runtimeLib },
|
||||
@{ Src = $sourceEnforce; Dst = $runtimeEnforce }
|
||||
)) {
|
||||
if (-not (Test-Path $pair.Src)) {
|
||||
Write-SetupLog "Source not found: $($pair.Src) - cannot stage" "ERROR"
|
||||
continue
|
||||
}
|
||||
Copy-Item -Path $pair.Src -Destination $pair.Dst -Force
|
||||
Write-SetupLog "Staged $($pair.Src) -> $($pair.Dst)"
|
||||
}
|
||||
|
||||
# Register scheduled task. Unregister any stale copy first so re-imaging is
|
||||
# idempotent.
|
||||
$taskName = 'GE Acrobat Enforce'
|
||||
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
|
||||
if ($existing) {
|
||||
Write-SetupLog "Removing existing scheduled task '$taskName'"
|
||||
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
Write-SetupLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
|
||||
try {
|
||||
$action = New-ScheduledTaskAction `
|
||||
-Execute 'powershell.exe' `
|
||||
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
|
||||
|
||||
$trigger = New-ScheduledTaskTrigger -AtLogOn
|
||||
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
|
||||
# ExecutionTimeLimit 30 min - Acrobat DC patches are smaller than PC-DMIS
|
||||
# bundles; 30 min is plenty and keeps a stuck install from lingering.
|
||||
$settings = New-ScheduledTaskSettingsSet `
|
||||
-AllowStartIfOnBatteries `
|
||||
-DontStopIfGoingOnBatteries `
|
||||
-StartWhenAvailable `
|
||||
-ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
|
||||
-MultipleInstances IgnoreNew
|
||||
|
||||
Register-ScheduledTask `
|
||||
-TaskName $taskName `
|
||||
-Action $action `
|
||||
-Trigger $trigger `
|
||||
-Principal $principal `
|
||||
-Settings $settings `
|
||||
-Description 'GE Acrobat: enforce Adobe Acrobat Reader DC version against tsgwp00525 SFLD share on user logon' | Out-Null
|
||||
|
||||
Write-SetupLog "Scheduled task registered"
|
||||
} catch {
|
||||
Write-SetupLog "Failed to register scheduled task: $_" "ERROR"
|
||||
}
|
||||
|
||||
Write-SetupLog "=== Register-AcrobatEnforce end ==="
|
||||
Reference in New Issue
Block a user