ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Force-Lockdown.bat + S: drive logon mapper for ShopFloor end-user

Browse Source 
Force-Lockdown.bat (SupportUser desktop):
  Vendor escape hatch when Intune Lockdown push hasn't applied within
  ~30 minutes. Self-elevates via UAC, prompts for typed YES confirmation
  that an ARTS request is in place, then runs sfld_autologon.ps1.

Register-MapSfldShare.ps1 (every PC type):
  The SFLD vendor's 'SFLD - Consume Credentials' scheduled task is
  principal-restricted (admin-only) so it fires for SupportUser logon
  but not for ShopFloor logon -- ShopFloor lands at the desktop with
  no S: drive and no way to reach \\tsgwp00525\shared. Workaround:
  register a parallel 'GE Shopfloor Map S: Drive' AtLogOn task with
  Principal=BUILTIN\Users + RunLevel=Limited that invokes the vendor's
  C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 in the
  interactive user's session. Vendor script handles cred-store + net use
  end to end; we just give it a wider trigger principal. Cross-PC-type
  because every shopfloor account needs S:.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-04-15 18:31:18 -04:00
parent a334a56f1e
commit a4de11814d
3 changed files with 159 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat Normal file
View File

@@ -0,0 +1,69 @@
@echo off
REM Force-Lockdown.bat - Manual SFLD lockdown trigger for SupportUser.
REM
REM Vendor-documented escape hatch: if the Intune-pushed Lockdown
REM configuration hasn't actually applied within ~30 minutes after the
REM device was added to the Lockdown group, run sfld_autologon.ps1
REM directly as admin to force it.
REM
REM This wrapper exists so the tech doesn't have to remember the path
REM or open an elevated cmd by hand. It self-elevates to admin via UAC.
REM ---- Self-elevate ---------------------------------------------------
net session >nul 2>&1
if %errorLevel% neq 0 (
echo Requesting admin rights...
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)
setlocal
set "SCRIPT=C:\Program Files\Sysinternals\sfld_autologon.ps1"
echo ============================================================
echo Force SFLD Lockdown
echo ============================================================
echo.
echo *** WARNING ***
echo.
echo Do NOT run this script unless an ARTS request has already
echo been submitted and approved for this device.
echo.
echo Forcing lockdown without an ARTS request bypasses the
echo normal Intune Lockdown-group push and will be flagged
echo in the audit trail.
echo.
echo ============================================================
echo Target: %SCRIPT%
echo.
set /p CONFIRM=Type YES (uppercase) to confirm ARTS request is in place:
if /i not "%CONFIRM%"=="YES" (
echo.
echo Cancelled - no action taken.
echo.
pause
exit /b 2
)
echo.
if not exist "%SCRIPT%" (
echo ERROR: %SCRIPT% not found.
echo Sysinternals Autologon PPKG step may not have completed yet.
echo.
pause
exit /b 1
)
echo Running sfld_autologon.ps1 ...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPT%"
set RC=%errorLevel%
echo.
echo ============================================================
echo Lockdown script exit code: %RC%
echo ============================================================
echo.
pause
endlocal