Force-Lockdown.bat + S: drive logon mapper for ShopFloor end-user

Force-Lockdown.bat (SupportUser desktop):
  Vendor escape hatch when Intune Lockdown push hasn't applied within
  ~30 minutes. Self-elevates via UAC, prompts for typed YES confirmation
  that an ARTS request is in place, then runs sfld_autologon.ps1.

Register-MapSfldShare.ps1 (every PC type):
  The SFLD vendor's 'SFLD - Consume Credentials' scheduled task is
  principal-restricted (admin-only) so it fires for SupportUser logon
  but not for ShopFloor logon -- ShopFloor lands at the desktop with
  no S: drive and no way to reach \\tsgwp00525\shared. Workaround:
  register a parallel 'GE Shopfloor Map S: Drive' AtLogOn task with
  Principal=BUILTIN\Users + RunLevel=Limited that invokes the vendor's
  C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 in the
  interactive user's session. Vendor script handles cred-store + net use
  end to end; we just give it a wider trigger principal. Cross-PC-type
  because every shopfloor account needs S:.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cproudlock
2026-04-15 18:31:18 -04:00
parent a334a56f1e
commit a4de11814d
3 changed files with 159 additions and 1 deletions


@@ -165,7 +165,7 @@ foreach ($name in $runAfterTypeSpecific) {
Write-Host "Shopfloor setup complete for $pcType."
# --- Copy utility scripts to SupportUser desktop ---
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat')) {
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat', 'Force-Lockdown.bat')) {
$src = Join-Path $setupDir "Shopfloor\$tool"
if (Test-Path $src) {
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force
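Review bot: The Copy-Item in this loop places Force-Lockdown.bat on the SupportUser desktop, a location the logged-on user can write to, and per the commit message that file self-elevates via UAC before running sfld_autologon.ps1. Consider keeping the script in a directory that only administrators can write to and putting just a shortcut on the desktop, so the file that ends up elevated cannot be edited in place. If no else branch follows the lines shown, a Write-Warning when `Test-Path $src` is false would also make a missing Force-Lockdown.bat visible during setup instead of silently skipping the escape hatch.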
@@ -254,6 +254,19 @@ if (Test-Path -LiteralPath $registerAcrobat) {
Write-Host "Register-AcrobatEnforce.ps1 not found (optional) - skipping"
}
# Map S: drive on user logon for every account in BUILTIN\Users. The
# vendor 'SFLD - Consume Credentials' task is principal-restricted and
# does not fire for the ShopFloor end-user, so this parallel task fills
# the gap. Cross-PC-type because every shopfloor account needs S:.
$registerMapShare = Join-Path $PSScriptRoot 'Shopfloor\Register-MapSfldShare.ps1'
if (Test-Path -LiteralPath $registerMapShare) {
Write-Host ""
Write-Host "=== Registering S: drive logon mapper ==="
try { & $registerMapShare } catch { Write-Warning "Map-SfldShare registration failed: $_" }
} else {
Write-Host "Register-MapSfldShare.ps1 not found (optional) - skipping"
}
# Standard-Machine gets a machine-apps enforcer (UDC, eDNC, NTLARS) that
# replaced the Intune DSC path (DSC has no sub-type awareness and was
# pushing these to Timeclocks). Timeclocks skip this registration.
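Review bot: The try/catch around `& $registerMapShare` only catches terminating errors, so a non-terminating failure inside Register-MapSfldShare.ps1 never reaches the catch and setup continues without the warning. Suggest verifying the outcome after the call, for example by checking that Get-ScheduledTask finds the 'GE Shopfloor Map S: Drive' task named in the commit message and warning if it does not. The new comment block should also note that the task runs the vendor's ConsumeCredentials.ps1 for every member of BUILTIN\Users, which makes the write permissions on that script and its folder part of the trust boundary; confirming that only administrators can modify them belongs in the registration step.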