Shopfloor: single autologon, clear Start pins, Intune sync tool, update docs

- AutoLogonCount reduced from 2 to 1 in Run-ShopfloorSetup.ps1
- Remove default pinned Start Menu tiles and set blank layout for future users
- Add sync_intune.bat: triggers MDM sync and polls for SFLD group policies
- Update README.md and SETUP.md with current project state (boot chain, new
  scripts, samba shares, webapp pages, commit history)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cproudlock
2026-03-31 09:43:00 -04:00
parent 163e58ab0b
commit 9912b044a3
5 changed files with 176 additions and 18 deletions


@@ -70,16 +70,21 @@ if ($pcType -ne "Shopfloor") {
Write-Host "Shopfloor setup complete for $pcType."
# Copy backup lockdown script to SupportUser desktop
# Copy utility scripts to SupportUser desktop
$lockdownScript = Join-Path $setupDir "backup_lockdown.bat"
if (Test-Path $lockdownScript) {
Copy-Item -Path $lockdownScript -Destination "C:\Users\SupportUser\Desktop\backup_lockdown.bat" -Force
Write-Host "backup_lockdown.bat copied to desktop."
}
$syncScript = Join-Path $setupDir "Shopfloor\sync_intune.bat"
if (Test-Path $syncScript) {
Copy-Item -Path $syncScript -Destination "C:\Users\SupportUser\Desktop\sync_intune.bat" -Force
Write-Host "sync_intune.bat copied to desktop."
}
# Set auto-logon to expire after 2 more logins
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null
Write-Host "Auto-logon set to 2 remaining logins."
# Set auto-logon to expire after 1 more login
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f | Out-Null
Write-Host "Auto-logon set to 1 remaining login."
Write-Host "Rebooting in 10 seconds..."
shutdown /r /t 10
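Review bot: The `reg add` that caps AutoLogonCount at 1 pipes its output to `Out-Null` and its exit status is never inspected, so a failed write leaves whatever autologon configuration was set earlier in the script (not visible in this hunk) in place while `shutdown /r /t 10` still fires. Treat it as a required step: `if ($LASTEXITCODE -ne 0) { throw "Failed to set AutoLogonCount; aborting before reboot" }` right after the `reg add`, or replace it with `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoLogonCount -Value 1 -Type DWord -ErrorAction Stop`. The two `Copy-Item` calls likewise rely on default non-terminating error handling against a hard-coded `C:\Users\SupportUser\Desktop`, so a missing profile only prints an error and the device reboots without the support tooling; `-ErrorAction Stop` inside a try/catch would surface that before the reboot. The `if ($pcType -ne "Shopfloor")` construct named in the hunk header starts outside this hunk, and the rendered hunk appears to omit a few context lines relative to its header counts.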


@@ -1,6 +1,36 @@
# 03-StartMenu.ps1 — Create Start Menu shortcuts for all users (baseline)
# Shortcuts in ProgramData\Microsoft\Windows\Start Menu\Programs\ persist for all accounts.
# --- Remove all default pinned Start Menu tiles ---
# Unpin tiles for the current user
try {
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ForEach-Object {
$_.Verbs() | Where-Object { $_.Name -match 'Unpin from Start|Un.*pin' } | ForEach-Object { $_.DoIt() }
}
Write-Host "Unpinned all default Start Menu tiles for current user."
} catch {
Write-Warning "Could not unpin Start tiles: $_"
}
# Set blank layout for future user profiles
$blankLayout = @"
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6" />
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
"@
$layoutDir = "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell"
if (-not (Test-Path $layoutDir)) { New-Item -Path $layoutDir -ItemType Directory -Force | Out-Null }
$blankLayout | Out-File -FilePath "$layoutDir\LayoutModification.xml" -Encoding UTF8 -Force
Write-Host "Set blank Start Menu layout for future users."
$startMenu = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
$shell = New-Object -ComObject WScript.Shell
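Review bot: The verb filter `$_.Name -match 'Unpin from Start|Un.*pin'` on the tile-unpinning line is wider than intended: the second alternative also matches an `Unpin from taskbar` verb where one is offered, so `DoIt()` can unpin more than Start tiles, while on a non-English UI neither alternative matches and the script still prints `Unpinned all default Start Menu tiles for current user.` Matching the verb with its accelerator stripped is tighter and keeps the mnemonic case: `Where-Object { ($_.Name -replace '&','') -eq 'Unpin from Start' }`, and counting the matches before printing success would make the message honest. The blank `LayoutModification.xml` is written only under `C:\Users\Default`, so it shapes profiles created after this runs and not the account executing the script or any existing user — a one-line comment above `$layoutDir` stating that would save the next reader a test cycle. The file continues past this hunk, so the later use of `$shell` (reassigned here to `WScript.Shell`) is outside view.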


@@ -0,0 +1,80 @@
@echo off
title Intune Policy Sync
:: Self-elevate to administrator
net session >nul 2>&1
if %errorlevel% neq 0 (
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)
echo.
echo ========================================
echo Intune Policy Sync
echo ========================================
echo.
:: Check current state
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 (
echo SFLD policies already applied.
echo.
echo Run sync anyway? (Y/N)
choice /c YN /n
if errorlevel 2 exit /b
)
:: Trigger sync via the MDM enrollment scheduled task
echo Triggering Intune sync...
powershell -ExecutionPolicy Bypass -Command ^
"$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
"$found = $false; "^
"Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
" $id = $_.PSChildName; "^
" $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
" if ($provider -eq 'MS DM Server') { "^
" $found = $true; "^
" Write-Host \"Enrollment ID: $id\"; "^
" $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
" Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
" Where-Object { $_.TaskName -match 'Schedule #3' } | "^
" ForEach-Object { "^
" Start-ScheduledTask -InputObject $_; "^
" Write-Host \"Sync triggered: $($_.TaskName)\"; "^
" }; "^
" } "^
"}; "^
"if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }"
echo.
echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
echo Press Ctrl+C to stop waiting.
echo.
:: Poll every 15 seconds for up to 10 minutes
set /a attempts=0
set /a max=40
:poll
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 (
echo.
echo ========================================
echo SFLD group policies applied!
echo ========================================
echo.
pause
exit /b
)
set /a attempts+=1
if %attempts% geq %max% (
echo.
echo Timed out after 10 minutes. SFLD policies not yet applied.
echo The device category may not be assigned yet in Intune.
echo Assign the category in the portal, then run this again.
echo.
pause
exit /b
)
echo [%attempts%/%max%] Waiting... checking again in 15s
timeout /t 15 /nobreak >nul
goto poll
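Review bot: The exit status of the embedded PowerShell is never checked, so when it reports `ERROR: No Intune enrollment found.` (or `Start-ScheduledTask` throws) the batch still proceeds to poll for ten minutes for a key that cannot appear. Make the failure observable: end the not-found branch with `exit 1` and add `if %errorlevel% neq 0 ( pause & exit /b 1 )` directly after the PowerShell block. The self-elevation line interpolates `%~f0` into a single-quoted PowerShell string, so a path containing `'` would break out of the literal; since `"` cannot occur in a Windows file name, `Start-Process -FilePath \"%~f0\" -Verb RunAs` cannot be broken out of the same way. Existence of the `HKLM\Software\GE\SFLD` key, even empty, is taken as proof that the SFLD policies applied, which a comment above `:poll` should state explicitly as the contract with the Intune configuration.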