Configure-PC + nocollections ACL: align with two-task machine number design

- gea-shopfloor-nocollections/02-MachineNumberACLs.ps1: gut to no-op matching the collections variant. SYSTEM Apply task no longer needs per-user ACLs on the eDNC reg key or UDC ProgramData dir. - Configure-PC.ps1 item 6 (Machine number logon prompt toggle): Stop duplicating Register-ScheduledTask logic inline. Call the shared Register-CheckMachineNumberTask.ps1 registrar so both the Prompt user-task and Apply SYSTEM-task are installed with matching SDDL config. Existence check now treats EITHER the new "Prompt Machine Number" task OR the legacy "Check Machine Number" task as "ON" so old bays still register correctly. Toggle OFF unregisters all three names (Prompt + Apply + legacy) for clean removal.
2026-05-24 18:36:35 -04:00
parent 7298d433eb
commit 97b9e58d23
2 changed files with 66 additions and 124 deletions
--- a/playbook/shopfloor-setup/Shopfloor/Configure-PC.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/Configure-PC.ps1
@@ -285,8 +285,13 @@ if ($null -ne $cfgItems -and $cfgItems.Count -gt 0) {
    )
 }

-# Machine-number logon task is item 6
-$machineNumTaskName = 'Check Machine Number'
+# Machine-number logon tasks (item 6 toggle controls both)
+# 2026-05-24: split into user-context Prompt + SYSTEM-context Apply.
+# 'Check Machine Number' is the legacy single-task name kept for
+# backward-detection on bays imaged before the split.
+$machineNumPromptTask = 'Prompt Machine Number'
+$machineNumApplyTask  = 'Apply Machine Number'
+$machineNumLegacyTask = 'Check Machine Number'

 # ============================================================================
 # Interactive UI
@@ -354,8 +359,12 @@ foreach ($item in $items) {
    Write-Host "    $($item.Num). $on $($item.Label) - $($item.Detail)$avail"
 }

-# Item 6: machine number logon prompt
-$machineNumTaskExists = [bool](Get-ScheduledTask -TaskName $machineNumTaskName -ErrorAction SilentlyContinue)
+# Item 6: machine number logon prompt. "ON" if EITHER the new Prompt task OR
+# the legacy Check Machine Number task is registered.
+$machineNumTaskExists = [bool](
+    (Get-ScheduledTask -TaskName $machineNumPromptTask -ErrorAction SilentlyContinue) -or
+    (Get-ScheduledTask -TaskName $machineNumLegacyTask -ErrorAction SilentlyContinue)
+)
 $mnOn = if ($machineNumTaskExists) { '[ON]' } else { '[  ]' }
 Write-Host "    6. $mnOn Prompt standard user for machine number if 9999"

@@ -419,62 +428,47 @@ if ($selection) {
    # Process item 6: machine number logon task
    if ($selected -contains 6) {
        if ($machineNumTaskExists) {
-            # Toggle OFF
-            try {
-                Unregister-ScheduledTask -TaskName $machineNumTaskName -Confirm:$false -ErrorAction Stop
-                Write-Host "    Machine number logon prompt: REMOVED" -ForegroundColor Yellow
-                $machineNumTaskExists = $false
-            } catch { Write-Warning "    Failed to remove task: $_" }
+            # Toggle OFF - remove Prompt + Apply (new design) AND the legacy
+            # Check Machine Number task name (in case this bay was imaged
+            # before the split and never re-imaged).
+            $removed = @()
+            foreach ($t in @($machineNumPromptTask, $machineNumApplyTask, $machineNumLegacyTask)) {
+                try {
+                    if (Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue) {
+                        Unregister-ScheduledTask -TaskName $t -Confirm:$false -ErrorAction Stop
+                        $removed += $t
+                    }
+                } catch { Write-Warning "    Failed to remove '$t': $_" }
+            }
+            if ($removed) {
+                Write-Host "    Machine number logon prompt: REMOVED ($($removed -join ', '))" -ForegroundColor Yellow
+            }
+            $machineNumTaskExists = $false
        } else {
            # Toggle ON - register logon task
-            # The task needs to run as the logged-in user (for GUI), but
-            # writing to HKLM + ProgramData requires the ACLs we pre-grant
-            # during imaging (see task 7 / ACL pre-grant script).
+            # Defer task registration to the shared registrar so this code
+            # path always matches the imaging-time path. Registrar installs
+            # BOTH the user-context "Prompt Machine Number" task and the
+            # SYSTEM-context "Apply Machine Number" task, sets the SDDL on
+            # Apply so Limited users can schtasks /run it, and cleans up
+            # any legacy "Check Machine Number" task name.
            $scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
-            $checkScript = Join-Path $scriptDir 'Check-MachineNumber.ps1'
-
-            if (-not (Test-Path -LiteralPath $checkScript)) {
-                # Fallback: check enrollment staging dir
-                $checkScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\Check-MachineNumber.ps1'
+            $registrar = Join-Path $scriptDir 'Register-CheckMachineNumberTask.ps1'
+            if (-not (Test-Path -LiteralPath $registrar)) {
+                $registrar = 'C:\Enrollment\shopfloor-setup\Shopfloor\Register-CheckMachineNumberTask.ps1'
            }
-
-            if (Test-Path -LiteralPath $checkScript) {
+            if (Test-Path -LiteralPath $registrar) {
                try {
-                    $action = New-ScheduledTaskAction `
-                        -Execute 'powershell.exe' `
-                        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Normal -File `"$checkScript`""
-
-                    $trigger = New-ScheduledTaskTrigger -AtLogOn
-
-                    # Run as the logged-in user (needs GUI for InputBox), NOT
-                    # SYSTEM (SYSTEM can't show UI to the user's desktop).
-                    $principal = New-ScheduledTaskPrincipal `
-                        -GroupId 'S-1-5-32-545' `
-                        -RunLevel Limited
-
-                    $settings = New-ScheduledTaskSettingsSet `
-                        -AllowStartIfOnBatteries `
-                        -DontStopIfGoingOnBatteries `
-                        -StartWhenAvailable `
-                        -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
-
-                    Register-ScheduledTask `
-                        -TaskName  $machineNumTaskName `
-                        -Action    $action `
-                        -Trigger   $trigger `
-                        -Principal $principal `
-                        -Settings  $settings `
-                        -Force `
-                        -ErrorAction Stop | Out-Null
-
+                    & $registrar
                    Write-Host "    Machine number logon prompt: ENABLED" -ForegroundColor Green
-                    Write-Host "    (will auto-disable after machine number is set)" -ForegroundColor DarkGray
+                    Write-Host "    (Prompt user-task + Apply SYSTEM-task registered;" -ForegroundColor DarkGray
+                    Write-Host "     will auto-disable after machine number is set)" -ForegroundColor DarkGray
                    $machineNumTaskExists = $true
                } catch {
-                    Write-Warning "    Failed to register task: $_"
+                    Write-Warning "    Register-CheckMachineNumberTask failed: $_"
                }
            } else {
-                Write-Warning "    Check-MachineNumber.ps1 not found at $checkScript"
+                Write-Warning "    Register-CheckMachineNumberTask.ps1 not found at $registrar"
            }
        }
    }