Shopfloor: single autologon, clear Start pins, Intune sync tool, update docs

- AutoLogonCount reduced from 2 to 1 in Run-ShopfloorSetup.ps1 - Remove default pinned Start Menu tiles and set blank layout for future users - Add sync_intune.bat: triggers MDM sync and polls for SFLD group policies - Update README.md and SETUP.md with current project state (boot chain, new scripts, samba shares, webapp pages, commit history) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 09:43:00 -04:00
parent 163e58ab0b
commit 9912b044a3
5 changed files with 176 additions and 18 deletions
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ Client PXE boot (UEFI Secure Boot)
  -> User selects boot option:
     ├── Windows PE  -> wimboot -> boot.wim -> startnet.cmd -> Samba share -> Image deployment
     ├── Clonezilla  -> vmlinuz/initrd -> Disk cloning/imaging
-     ├── Blancco     -> vmlinuz/initrd -> NIST 800-88 drive erasure
+     ├── Blancco     -> Native kernel + initramfs -> NIST 800-88 drive erasure
     └── Memtest86+  -> Memory diagnostics
 ```

@@ -34,7 +34,7 @@ Client PXE boot (UEFI Secure Boot)

 - **PXE server IP:** `10.9.100.1/24`
 - **DHCP range:** `10.9.100.10` - `10.9.100.100`
- **Firewall:** UFW deny-by-default, only service ports open
+- **Firewall:** UFW deny-by-default, only service ports open (22, 67, 69, 80, 445, 4433, 9009)

 ## Quick Start

@@ -102,6 +102,8 @@ The Flask webapp (port 9009) provides a browser-based management UI:
 - **startnet.cmd Editor** — Modify the startnet.cmd inside boot.wim without Windows (uses wimtools)
 - **Clonezilla Backups** — Upload, download, and manage disk backup images
 - **Blancco Reports** — View, download, and manage drive erasure reports (auto-collected via Samba)
+- **Image Config** — Per-image configuration editor (drivers, OS packages, hardware models)
+- **Enrollment** — Upload, download, and manage GCCH bulk enrollment packages
 - **Audit Log** — Activity history for all write operations (imports, edits, deletes)

 ### Image Types Supported
@@ -125,9 +127,15 @@ pxe-server/
 │   └── meta-data                 # Cloud-init metadata (required, empty)
 ├── playbook/
 │   ├── pxe_server_setup.yml      # Ansible playbook: all server configuration
-│   └── inventory.ini             # Ansible inventory
+│   ├── inventory.ini             # Ansible inventory
+│   ├── startnet.cmd              # WinPE startup script (injected into boot.wim)
+│   ├── blancco-init.sh           # Custom initramfs for Blancco PXE boot
+│   ├── blancco-preferences.xml   # Blancco auto-report preferences
+│   ├── check-bios.cmd            # Pre-imaging BIOS update checker
+│   ├── FlatUnattendW10-shopfloor.xml  # Shopfloor unattend.xml
+│   └── shopfloor-setup/          # PC type setup scripts (Standard, CMM, Display, etc.)
 ├── webapp/
-│   ├── app.py                    # Flask application (~900 lines)
+│   ├── app.py                    # Flask application (~1600 lines)
 │   ├── requirements.txt          # Python deps (flask, lxml)
 │   ├── static/
 │   │   ├── ge-aerospace-logo.svg # GE Aerospace branding
@@ -143,9 +151,13 @@ pxe-server/
 │       ├── import.html           # USB image import wizard
 │       ├── unattend_editor.html  # XML editor for unattend files
 │       ├── startnet_editor.html  # startnet.cmd WIM editor
+│       ├── image_config.html     # Per-image driver and hardware config
+│       ├── enrollment.html       # GCCH bulk enrollment packages
 │       ├── backups.html          # Clonezilla backup management
 │       ├── reports.html          # Blancco erasure reports
 │       └── audit.html            # Activity audit log
+├── docs/
+│   └── shopfloor-display-imaging-guide.md  # End-user imaging guide
 ├── unattend/
 │   └── FlatUnattendW10.xml       # Windows unattend.xml template
 ├── boot-tools/                   # Extracted boot tool files (gitignored)
@@ -157,8 +169,14 @@ pxe-server/
 ├── download-packages.sh          # Downloads offline .debs + pip wheels
 ├── build-usb.sh                  # Builds the installer USB (2-partition)
 ├── prepare-boot-tools.sh         # Extracts and patches boot tool files
-├── build-proxmox-iso.sh            # Builds self-contained Proxmox installer ISO
+├── build-proxmox-iso.sh          # Builds self-contained Proxmox installer ISO
 ├── test-vm.sh                    # KVM test environment for validation
+├── test-lab.sh                   # Full PXE lab with server + client VMs
+├── startnet-template.cmd         # startnet.cmd template (synced with playbook copy)
+├── Download-Drivers.ps1          # Download hardware drivers from GE CDN (Windows)
+├── Upload-Image.ps1              # Upload MCL cache to PXE server via SMB (Windows)
+├── download-drivers.py           # Download Dell drivers directly from dell.com
+├── sync_hardware_models.py       # Sync hardware model configs across images
 ├── SETUP.md                      # Detailed setup guide
 └── setup-guide-original.txt      # Original manual setup notes (reference)
 ```
@@ -226,16 +244,14 @@ After the server is running, import deployment images via the web interface at `
 | winpeapps       | /srv/samba/winpeapps      | WinPE deployment images        |
 | clonezilla      | /srv/samba/clonezilla     | Clonezilla disk backup images  |
 | blancco-reports | /srv/samba/blancco-reports| Blancco erasure reports (auto) |
+| enrollment      | /srv/samba/enrollment     | GCCH bulk enrollment packages  |
+| image-upload    | /home/pxe/image-upload    | Image upload staging area      |

 All shares use guest access (no authentication) for ease of use on the isolated network.

 ## Blancco Drive Erasure

-Blancco Drive Eraser is configured to automatically save XML erasure reports to the PXE server's Samba share (`blancco-reports`). The `prepare-boot-tools.sh` script patches Blancco's `config.img` to set:
- Network share hostname: `10.9.100.1`
- Share path: `blancco-reports`
- Auto-backup: enabled
- Erasure standard: NIST 800-88 Purge
+Blancco Drive Eraser 7.15.1 boots via a native Ubuntu kernel with a custom initramfs (`blancco-init.sh`) that downloads and mounts the Blancco rootfs over HTTP. XML erasure reports are automatically saved to the PXE server's Samba share (`blancco-reports`). The server supports BMC cloud licensing for Blancco activation over WiFi.

 Reports are viewable and downloadable from the web interface at `http://10.9.100.1:9009/reports`.

@@ -257,3 +273,11 @@ Reports are viewable and downloadable from the web interface at `http://10.9.100
 | ef75839 | Auto-patch Blancco config.img for network report storage           |
 | 92c9b0f | Fix review findings: offline assets, security, audit logging       |
 | 725c8f4 | Change webapp to port 9009, add test VM script                     |
+| f3a384f | Add Proxmox ISO builder, CSRF protection, boot-files integration   |
+| 1a5c4f7 | Eliminate USB requirement for WinPE PXE boot                       |
+| dd2fec5 | Blancco PXE boot via Ubuntu kernel switch_root                     |
+| 86660a0 | Remove UEFI HTTP Boot config from dnsmasq                          |
+| 6d0e6ee | BIOS check fix, parallel downloads, shopfloor hardening            |
+| 7616549 | Shopfloor PC type system, webapp enhancements                      |
+| b7cd097 | Blancco 7.15.1 upgrade: native kernel boot, BMC cloud licensing    |
+| 163e58a | Fix dnsmasq reboot cron: use /etc/cron.d/ instead of crontab       |