From c06310f5bdf8f502d1754a3bccf6aee90f924668 Mon Sep 17 00:00:00 2001 From: cproudlock Date: Fri, 10 Apr 2026 13:23:11 -0400 Subject: [PATCH] Replace all Unicode characters with ASCII in playbook scripts Em dashes (U+2014) and arrows (U+2192) break PowerShell 5.1 on Windows when the file has no UTF-8 BOM -- byte 0x94 gets read as a right double quote in Windows-1252, silently closing strings mid-parse. This caused run-enrollment.ps1 to fail on PXE-imaged machines with "string is missing the terminator" at line 113. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../Display/01-Setup-Display.ps1 | 2 +- .../shopfloor-setup/Run-ShopfloorSetup.ps1 | 440 +++++++++--------- .../Shopfloor/04-NetworkAndWinRM.ps1 | 2 +- .../Shopfloor/06-OrganizeDesktop.ps1 | 4 +- .../Shopfloor/lib/Monitor-IntuneProgress.ps1 | 45 +- playbook/shopfloor-setup/run-enrollment.ps1 | 100 ++-- playbook/startnet.cmd | 3 +- 7 files changed, 321 insertions(+), 275 deletions(-) diff --git a/playbook/shopfloor-setup/Display/01-Setup-Display.ps1 b/playbook/shopfloor-setup/Display/01-Setup-Display.ps1 index bcd393d..0d85555 100644 --- a/playbook/shopfloor-setup/Display/01-Setup-Display.ps1 +++ b/playbook/shopfloor-setup/Display/01-Setup-Display.ps1 @@ -1,4 +1,4 @@ -# 01-Setup-Display.ps1 — Display-specific setup (runs after Shopfloor baseline) +# 01-Setup-Display.ps1 -- Display-specific setup (runs after Shopfloor baseline) # Reads display-type.txt to install either LobbyDisplay or Dashboard kiosk app. $enrollDir = "C:\Enrollment" diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 index 67decae..306e47a 100644 --- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 +++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 @@ -1,221 +1,219 @@ -# Run-ShopfloorSetup.ps1 - Dispatcher for shopfloor PC type setup -# Runs Shopfloor baseline scripts first, then type-specific scripts on top. - -param( - # Stage-Dispatcher.ps1 passes -FromDispatcher to bypass the stage-file - # gate below. When called by the unattend's FirstLogonCommands (no flag), - # the gate defers to the dispatcher if a stage file exists. - [switch]$FromDispatcher -) - -# --- Stage-file gate --- -# If run-enrollment.ps1 wrote a stage file, the imaging chain is managed by -# Stage-Dispatcher.ps1 via RunOnce. Exit immediately so the FirstLogonCommands -# chain finishes, the PPKG reboot fires, and the dispatcher takes over on -# the next boot. Without this gate, the unattend's FirstLogonCommands runs -# this script right after run-enrollment in the same session (before the -# PPKG reboot), bypassing the entire staged chain. -if (-not $FromDispatcher) { - $stageFile = 'C:\Enrollment\setup-stage.txt' - if (Test-Path -LiteralPath $stageFile) { - $stage = (Get-Content -LiteralPath $stageFile -First 1 -ErrorAction SilentlyContinue) - Write-Host "Stage file found ($stage) - deferring to Stage-Dispatcher.ps1 on next logon." - exit 0 - } -} - -# --- Transcript logging --- -# Captures everything the dispatcher and all child scripts write to host so -# we can diagnose setup failures after the fact. -Append + -Force so repeat -# invocations (e.g. after a reboot mid-setup) accumulate instead of clobbering. -$logDir = 'C:\Logs\SFLD' -if (-not (Test-Path $logDir)) { - try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP } -} -$transcriptPath = Join-Path $logDir 'shopfloor-setup.log' -try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {} - -Write-Host "" -Write-Host "================================================================" -Write-Host "=== Run-ShopfloorSetup.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ===" -Write-Host " Transcript: $transcriptPath" -Write-Host "================================================================" -Write-Host "" - -# Bump AutoLogonCount HIGH at the start so reboots during setup (e.g. VC++ 2008 -# triggering an immediate ExitWindowsEx) don't exhaust autologin attempts before -# the dispatcher can complete. The end-of-script reset puts it back to 2 once -# everything succeeds. -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 99 /f | Out-Null - -# Cancel any pending reboot so it doesn't interrupt setup -cmd /c "shutdown /a 2>nul" *>$null - -# Prompt user to unplug from PXE switch before re-enabling wired adapters -Write-Host "" -Write-Host "========================================" -ForegroundColor Yellow -Write-Host " UNPLUG the ethernet cable from the" -ForegroundColor Yellow -Write-Host " PXE imaging switch NOW." -ForegroundColor Yellow -Write-Host "========================================" -ForegroundColor Yellow -Write-Host "" -Write-Host "Press any key to continue..." -ForegroundColor Yellow -$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") - -# Re-enable wired adapters -Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -notmatch 'Wi-Fi|Wireless' } | Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue - -$enrollDir = "C:\Enrollment" -$typeFile = Join-Path $enrollDir "pc-type.txt" -$setupDir = Join-Path $enrollDir "shopfloor-setup" - -if (-not (Test-Path $typeFile)) { - Write-Host "No pc-type.txt found - skipping shopfloor setup." - exit 0 -} - -$pcType = (Get-Content $typeFile -First 1).Trim() -if (-not $pcType) { - Write-Host "pc-type.txt is empty - skipping shopfloor setup." - exit 0 -} - -Write-Host "Shopfloor PC Type: $pcType" - -# Scripts to skip in the alphabetical baseline loop. Each is either run -# explicitly in the finalization phase below, or invoked internally by -# another script: -# -# 05 - Office shortcuts. Invoked by 06 as Phase 0. Office isn't installed -# until after the first reboot, so 05 no-ops on the imaging run. -# 06's SYSTEM logon task re-runs it on the second boot. -# 06 - Desktop org. Phase 2 needs eDNC/NTLARS on disk (installed by -# type-specific 01-eDNC.ps1). Run in finalization phase. -# 07 - Taskbar pin layout. Reads 06's output. Run in finalization phase. -# 08 - Edge default browser + startup tabs. Invoked by 06 as Phase 4. -# Reads .url files delivered by DSC (after setup reboots). 06's -# SYSTEM logon task re-runs it to pick them up. -$skipInBaseline = @( - '05-OfficeShortcuts.ps1', - '06-OrganizeDesktop.ps1', - '07-TaskbarLayout.ps1', - '08-EdgeDefaultBrowser.ps1', - 'Check-MachineNumber.ps1', - 'Configure-PC.ps1' -) - -# Scripts run AFTER type-specific scripts complete. 05 and 08 are NOT -# here because 06 calls them internally as sub-phases. -$runAfterTypeSpecific = @( - '06-OrganizeDesktop.ps1', - '07-TaskbarLayout.ps1' -) - -# --- Run Shopfloor baseline scripts first (skipping deferred ones) --- -$baselineDir = Join-Path $setupDir "Shopfloor" -if (Test-Path $baselineDir) { - $scripts = Get-ChildItem -Path $baselineDir -Filter "*.ps1" -File | Sort-Object Name - foreach ($script in $scripts) { - if ($skipInBaseline -contains $script.Name) { - Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)" - continue - } - cmd /c "shutdown /a 2>nul" *>$null - Write-Host "Running baseline: $($script.Name)" - try { - & $script.FullName - } catch { - Write-Warning "Baseline script $($script.Name) failed: $_" - } - } -} - -# --- Run type-specific scripts (if not just baseline Shopfloor) --- -if ($pcType -ne "Shopfloor") { - $typeDir = Join-Path $setupDir $pcType - if (Test-Path $typeDir) { - # Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1). - # Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools, - # not installer scripts, and must not auto-run during setup. - $scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File | - Where-Object { $_.Name -match '^\d' } | - Sort-Object Name - foreach ($script in $scripts) { - cmd /c "shutdown /a 2>nul" *>$null - Write-Host "Running $pcType setup: $($script.Name)" - try { - & $script.FullName - } catch { - Write-Warning "Script $($script.Name) failed: $_" - } - } - } else { - Write-Host "No type-specific scripts found for $pcType." - } -} - -# --- Finalization: run deferred baseline scripts (desktop org, taskbar pins) -# --- -# These needed to wait until all apps (eDNC, NTLARS, UDC, OpenText) were -# installed by the baseline + type-specific phases above. 06 internally -# calls 05 (Office shortcuts) and 08 (Edge config) as sub-phases, so we -# only need to invoke 06 and 07 explicitly here. -foreach ($name in $runAfterTypeSpecific) { - $script = Join-Path $baselineDir $name - if (-not (Test-Path $script)) { - Write-Warning "Deferred script not found: $script" - continue - } - cmd /c "shutdown /a 2>nul" *>$null - Write-Host "Running deferred baseline: $name" - try { - & $script - } catch { - Write-Warning "Deferred script $name failed: $_" - } -} - -Write-Host "Shopfloor setup complete for $pcType." - -# Copy utility scripts to SupportUser desktop -foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat')) { - $src = Join-Path $setupDir "Shopfloor\$tool" - if (Test-Path $src) { - Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force - Write-Host "$tool copied to desktop." - } -} - -# Standard PCs get the UDC/eDNC machine number helper -if ($pcType -eq "Standard") { - foreach ($helper in @("Set-MachineNumber.bat", "Set-MachineNumber.ps1")) { - $src = Join-Path $setupDir "Standard\$helper" - if (Test-Path $src) { - Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$helper" -Force - Write-Host "$helper copied to SupportUser desktop." - } - } -} - -# Set auto-logon to expire after 2 more logins -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null -Write-Host "Auto-logon set to 2 remaining logins." - -Write-Host "" -Write-Host "================================================================" -Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ===" -Write-Host "================================================================" - -# Flush transcript before shutdown so the log file is complete on next boot -try { Stop-Transcript | Out-Null } catch {} - -if ($FromDispatcher) { - # Dispatcher owns the reboot — it cancels ours and reboots on its own - # terms after advancing the stage and re-registering RunOnce. We still - # schedule one as a safety net (dispatcher cancels it immediately). - Write-Host "Returning to Stage-Dispatcher for reboot." - shutdown /r /t 30 -} else { - # Standalone run (manual or legacy FirstLogonCommands) — reboot directly. - Write-Host "Rebooting in 10 seconds..." - shutdown /r /t 10 -} +# Run-ShopfloorSetup.ps1 - Main dispatcher for shopfloor PC type setup. +# +# Flow: +# 1. PreInstall apps (Oracle, VC++, OpenText, UDC) -- from local bundle +# 2. Type-specific scripts (eDNC, ACLs, CMM share apps, etc.) +# 3. Deferred baseline (desktop org, taskbar pins) +# 4. Copy desktop tools (sync_intune, Configure-PC, Set-MachineNumber) +# 5. Run enrollment (PPKG install + wait for completion) +# 6. Register sync_intune as @logon scheduled task +# 7. Reboot -- PPKG file operations complete, sync_intune fires on next logon +# +# Called by the unattend FirstLogonCommands as SupportUser (admin). + +# --- Transcript logging --- +$logDir = 'C:\Logs\SFLD' +if (-not (Test-Path $logDir)) { + try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP } +} +$transcriptPath = Join-Path $logDir 'shopfloor-setup.log' +try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {} + +Write-Host "" +Write-Host "================================================================" +Write-Host "=== Run-ShopfloorSetup.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ===" +Write-Host " Transcript: $transcriptPath" +Write-Host "================================================================" +Write-Host "" + +# Bump AutoLogonCount HIGH at the start so reboots during setup (e.g. VC++ 2008 +# triggering an immediate ExitWindowsEx) don't exhaust autologin attempts before +# the dispatcher can complete. The end-of-script reset puts it back to 2 once +# everything succeeds. +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 99 /f | Out-Null + +# Cancel any pending reboot so it doesn't interrupt setup +cmd /c "shutdown /a 2>nul" *>$null + +# Prompt user to unplug from PXE switch before re-enabling wired adapters +Write-Host "" +Write-Host "========================================" -ForegroundColor Yellow +Write-Host " UNPLUG the ethernet cable from the" -ForegroundColor Yellow +Write-Host " PXE imaging switch NOW." -ForegroundColor Yellow +Write-Host "========================================" -ForegroundColor Yellow +Write-Host "" +Write-Host "Press any key to continue..." -ForegroundColor Yellow +$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") + +# Re-enable wired adapters +Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -notmatch 'Wi-Fi|Wireless' } | Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue + +$enrollDir = "C:\Enrollment" +$typeFile = Join-Path $enrollDir "pc-type.txt" +$setupDir = Join-Path $enrollDir "shopfloor-setup" + +if (-not (Test-Path $typeFile)) { + Write-Host "No pc-type.txt found - skipping shopfloor setup." + exit 0 +} + +$pcType = (Get-Content $typeFile -First 1).Trim() +if (-not $pcType) { + Write-Host "pc-type.txt is empty - skipping shopfloor setup." + exit 0 +} + +Write-Host "Shopfloor PC Type: $pcType" + +# Scripts to skip in the alphabetical baseline loop. Each is either run +# explicitly in the finalization phase below, or invoked internally by +# another script: +# +# 05 - Office shortcuts. Invoked by 06 as Phase 0. Office isn't installed +# until after the PPKG + reboot, so 05 no-ops initially. 06's SYSTEM +# logon task re-runs it on the next boot. +# 06 - Desktop org. Phase 2 needs eDNC/NTLARS on disk (installed by +# type-specific 01-eDNC.ps1). Run in finalization phase. +# 07 - Taskbar pin layout. Reads 06's output. Run in finalization phase. +# 08 - Edge default browser + startup tabs. Invoked by 06 as Phase 4. +# Reads .url files delivered by DSC (after Intune enrollment). 06's +# SYSTEM logon task re-runs it to pick them up. +$skipInBaseline = @( + '05-OfficeShortcuts.ps1', + '06-OrganizeDesktop.ps1', + '07-TaskbarLayout.ps1', + '08-EdgeDefaultBrowser.ps1', + 'Check-MachineNumber.ps1', + 'Configure-PC.ps1' +) + +# Scripts run AFTER type-specific scripts complete. 05 and 08 are NOT +# here because 06 calls them internally as sub-phases. +$runAfterTypeSpecific = @( + '06-OrganizeDesktop.ps1', + '07-TaskbarLayout.ps1' +) + +# --- Run Shopfloor baseline scripts first (skipping deferred ones) --- +$baselineDir = Join-Path $setupDir "Shopfloor" +if (Test-Path $baselineDir) { + $scripts = Get-ChildItem -Path $baselineDir -Filter "*.ps1" -File | Sort-Object Name + foreach ($script in $scripts) { + if ($skipInBaseline -contains $script.Name) { + Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)" + continue + } + cmd /c "shutdown /a 2>nul" *>$null + Write-Host "Running baseline: $($script.Name)" + try { + & $script.FullName + } catch { + Write-Warning "Baseline script $($script.Name) failed: $_" + } + } +} + +# --- Run type-specific scripts (if not just baseline Shopfloor) --- +if ($pcType -ne "Shopfloor") { + $typeDir = Join-Path $setupDir $pcType + if (Test-Path $typeDir) { + # Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1). + # Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools, + # not installer scripts, and must not auto-run during setup. + $scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File | + Where-Object { $_.Name -match '^\d' } | + Sort-Object Name + foreach ($script in $scripts) { + cmd /c "shutdown /a 2>nul" *>$null + Write-Host "Running $pcType setup: $($script.Name)" + try { + & $script.FullName + } catch { + Write-Warning "Script $($script.Name) failed: $_" + } + } + } else { + Write-Host "No type-specific scripts found for $pcType." + } +} + +# --- Finalization: run deferred baseline scripts (desktop org, taskbar pins) +# --- +# These needed to wait until all apps (eDNC, NTLARS, UDC, OpenText) were +# installed by the baseline + type-specific phases above. 06 internally +# calls 05 (Office shortcuts) and 08 (Edge config) as sub-phases, so we +# only need to invoke 06 and 07 explicitly here. +foreach ($name in $runAfterTypeSpecific) { + $script = Join-Path $baselineDir $name + if (-not (Test-Path $script)) { + Write-Warning "Deferred script not found: $script" + continue + } + cmd /c "shutdown /a 2>nul" *>$null + Write-Host "Running deferred baseline: $name" + try { + & $script + } catch { + Write-Warning "Deferred script $name failed: $_" + } +} + +Write-Host "Shopfloor setup complete for $pcType." + +# --- Copy utility scripts to SupportUser desktop --- +foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat')) { + $src = Join-Path $setupDir "Shopfloor\$tool" + if (Test-Path $src) { + Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force + Write-Host "$tool copied to desktop." + } +} + +# Standard PCs get the UDC/eDNC machine number helper +if ($pcType -eq "Standard") { + foreach ($helper in @("Set-MachineNumber.bat", "Set-MachineNumber.ps1")) { + $src = Join-Path $setupDir "Standard\$helper" + if (Test-Path $src) { + Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$helper" -Force + Write-Host "$helper copied to SupportUser desktop." + } + } +} + +# --- Run enrollment (PPKG install) --- +# Enrollment runs AFTER all our apps are installed. The PPKG installs +# Chrome, Office, CyberArk, Tanium, etc. and needs a reboot for file +# operations (Zscaler rename, PPKG cleanup). run-enrollment.ps1 waits +# for all PPKG steps to complete, registers sync_intune as a persistent +# @logon scheduled task, then reboots. +$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1' +if (Test-Path -LiteralPath $enrollScript) { + Write-Host "" + Write-Host "=== Running enrollment (PPKG install) ===" + try { + & $enrollScript + } catch { + Write-Warning "run-enrollment.ps1 failed: $_" + } +} else { + Write-Host "run-enrollment.ps1 not found - skipping enrollment." +} + +# Set auto-logon to expire after 2 more logins +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null +Write-Host "Auto-logon set to 2 remaining logins." + +Write-Host "" +Write-Host "================================================================" +Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ===" +Write-Host "================================================================" + +# Flush transcript before shutdown so the log file is complete on next boot +try { Stop-Transcript | Out-Null } catch {} + +# run-enrollment.ps1 already initiated the reboot. If it didn't run +# (no PPKG), reboot now. +if (-not (Test-Path -LiteralPath $enrollScript)) { + Write-Host "Rebooting in 10 seconds..." + shutdown /r /t 10 +} diff --git a/playbook/shopfloor-setup/Shopfloor/04-NetworkAndWinRM.ps1 b/playbook/shopfloor-setup/Shopfloor/04-NetworkAndWinRM.ps1 index f292857..d2e4126 100644 --- a/playbook/shopfloor-setup/Shopfloor/04-NetworkAndWinRM.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/04-NetworkAndWinRM.ps1 @@ -1,4 +1,4 @@ -# 04-NetworkAndWinRM.ps1 — Set network profiles to Private and enable WinRM (baseline) +# 04-NetworkAndWinRM.ps1 -- Set network profiles to Private and enable WinRM (baseline) # --- Transcript --- $logDir = 'C:\Logs\SFLD' diff --git a/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 b/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 index efd715a..7d9ca9f 100644 --- a/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 @@ -336,7 +336,7 @@ function Add-ShopfloorToolsApps { $src = Find-ExistingLnk $app.SourceName if ($src) { # Skip if the sweep already moved the source into the - # destination folder (src == dest → "cannot overwrite + # destination folder (src == dest -> "cannot overwrite # the item with itself"). if ((Resolve-Path -LiteralPath $src -ErrorAction SilentlyContinue).Path -eq (Join-Path $shopfloorToolsDir $app.SourceName)) { @@ -390,7 +390,7 @@ function Remove-EmptyCategoryFolders { # are delivered by DSC AFTER this initial shopfloor setup, so the first # run at imaging time won't find them (falls back to hardcoded URLs, # Plant Apps gets skipped). By calling 08 from inside 06, every SYSTEM -# scheduled-task logon re-run of 06 also re-runs 08 — so after DSC drops +# scheduled-task logon re-run of 06 also re-runs 08 -- so after DSC drops # the .url files and the next sweep files them into Web Links\, 08 # picks them up and updates the Edge policy. Self-healing. # ============================================================================ diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 index c0ffe24..e1137f8 100644 --- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 @@ -52,12 +52,17 @@ param( [int]$PollSecs = 30, [int]$RetriggerMinutes = 5, - # When set, the monitor exits with a status code instead of prompting - # or rebooting. Used by Stage-Dispatcher.ps1 to keep control of the - # imaging chain. Manual sync_intune.bat usage (no flag) stays interactive. - # exit 0 = post-reboot install complete, all milestones reached - # exit 2 = pre-reboot deployment done, reboot needed - [switch]$Unattended + # -Unattended: exit with status code instead of prompting/rebooting. + # Legacy flag kept for backward compatibility with manual testing. + [switch]$Unattended, + # -AsTask: runs as a persistent @logon scheduled task. On pre-reboot + # complete: reboots directly. On post-reboot complete: unregisters own + # task, launches ConfigureScript, exits. This is the primary mode for + # the imaging chain (registered by run-enrollment.ps1). + [switch]$AsTask, + # Path to Configure-PC.ps1, launched after post-reboot completion in + # -AsTask mode. Passed by the scheduled task's -ArgumentList. + [string]$ConfigureScript = '' ) # ============================================================================ @@ -554,8 +559,22 @@ function Invoke-SetupComplete { Write-Host "" Write-Host "The post-reboot DSC install phase is finished. The device is ready." + if ($AsTask) { + # Task mode: unregister our own scheduled task, launch Configure-PC + Write-Host "Unregistering sync task..." -ForegroundColor Cyan + try { + Unregister-ScheduledTask -TaskName 'Shopfloor Intune Sync' -Confirm:$false -ErrorAction SilentlyContinue + } catch {} + + if ($ConfigureScript -and (Test-Path -LiteralPath $ConfigureScript)) { + Write-Host "Launching Configure-PC..." -ForegroundColor Cyan + try { & $ConfigureScript } catch { Write-Warning "Configure-PC failed: $_" } + } + exit 0 + } + if ($Unattended) { - Write-Host "(Unattended mode - returning to dispatcher)" + Write-Host "(Unattended mode - exiting)" exit 0 } Wait-ForAnyKey @@ -574,11 +593,13 @@ function Invoke-RebootPrompt { Write-Host "Install-UDC, Install-VCRedists, Install-OpenText, and so on." Write-Host "" - if ($Unattended) { - # Dispatcher mode: exit with code 2 so the dispatcher can set - # RunOnce before initiating the reboot itself. - Write-Host "Pre-reboot complete. Returning to dispatcher (exit 2)." -ForegroundColor Yellow - exit 2 + if ($AsTask -or $Unattended) { + # Task/unattended mode: reboot directly, no prompt. + # The task persists across the reboot -- it fires again on next + # logon and picks up the post-reboot monitoring phase. + Write-Host "Pre-reboot complete. Rebooting in 5 seconds..." -ForegroundColor Yellow + shutdown /r /t 5 + exit 0 } # Interactive mode (manual sync_intune.bat): prompt and reboot directly. diff --git a/playbook/shopfloor-setup/run-enrollment.ps1 b/playbook/shopfloor-setup/run-enrollment.ps1 index 7fb77a4..7c6ce49 100755 --- a/playbook/shopfloor-setup/run-enrollment.ps1 +++ b/playbook/shopfloor-setup/run-enrollment.ps1 @@ -1,6 +1,11 @@ # run-enrollment.ps1 -# Installs GCCH enrollment provisioning package via Install-ProvisioningPackage -# Called by FirstLogonCommands as SupportUser (admin) after imaging +# Installs GCCH enrollment provisioning package, waits for all PPKG apps +# to finish installing, registers sync_intune as a persistent @logon task, +# then reboots. +# +# Called by Run-ShopfloorSetup.ps1 AFTER all PreInstall + type-specific +# apps are already installed (not as a FirstLogonCommand -- that was the +# old flow). $ErrorActionPreference = 'Continue' $logFile = "C:\Logs\enrollment.log" @@ -19,8 +24,8 @@ Log "=== GE Aerospace GCCH Enrollment ===" # --- Find the .ppkg --- $ppkgFile = Get-ChildItem "C:\Enrollment\*.ppkg" -ErrorAction SilentlyContinue | Select-Object -First 1 if (-not $ppkgFile) { - Log "ERROR: No .ppkg found in C:\Enrollment\" - exit 1 + Log "No .ppkg found in C:\Enrollment\ - skipping enrollment." + return } Log "Package: $($ppkgFile.Name)" @@ -43,28 +48,25 @@ try { Log "Provisioning package added successfully (fallback)." } catch { Log "ERROR: Fallback also failed: $_" - exit 1 + return } } # --- Wait for PPKG provisioning to finish --- -# Install-ProvisioningPackage is async — it queues the provisioning engine +# Install-ProvisioningPackage is async -- it queues the provisioning engine # and returns immediately. The actual app installs (Chrome, Office, Tanium, -# CyberArk, etc.) run in the background as BPRT steps. Each step writes a -# Log.txt under C:\Logs\BPRT\\. "Remove Staging Locations" is -# the LAST step — when its Log.txt exists, all provisioning is done. -# We poll for that marker before writing the stage file, so the PPKG reboot -# doesn't fire while installs are still in progress. +# CyberArk, etc.) run in the background as BPRT steps. "Remove Staging +# Locations" is the LAST step -- when its Log.txt exists, all provisioning +# is done. $bprtMarker = 'C:\Logs\BPRT\Remove Staging Locations\Log.txt' $maxWait = 900 # 15 minutes (Office install can be slow) $pollInterval = 10 $elapsed = 0 -Log "Waiting for PPKG provisioning to complete (polling for $bprtMarker)..." +Log "Waiting for PPKG provisioning to complete..." while (-not (Test-Path -LiteralPath $bprtMarker) -and $elapsed -lt $maxWait) { Start-Sleep -Seconds $pollInterval $elapsed += $pollInterval - # Show progress every 30 seconds if ($elapsed % 30 -eq 0) { $completedSteps = @(Get-ChildItem 'C:\Logs\BPRT' -Directory -ErrorAction SilentlyContinue | Where-Object { Test-Path (Join-Path $_.FullName 'Log.txt') } | @@ -75,11 +77,8 @@ while (-not (Test-Path -LiteralPath $bprtMarker) -and $elapsed -lt $maxWait) { if (Test-Path -LiteralPath $bprtMarker) { Log "PPKG provisioning complete after $elapsed s." - $allSteps = @(Get-ChildItem 'C:\Logs\BPRT' -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name) - Log " Completed steps: $($allSteps -join ', ')" } else { - Log "WARNING: PPKG provisioning timeout after $maxWait s — some apps may not be installed." - Log " Proceeding anyway. The SYSTEM logon task will retry incomplete items on next boot." + Log "WARNING: PPKG provisioning timeout after $maxWait s." } # --- Set OOBE complete --- @@ -87,27 +86,56 @@ Log "Setting OOBE as complete..." reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE" /v OOBEComplete /t REG_DWORD /d 1 /f | Out-Null reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE" /v SetupDisplayedEula /t REG_DWORD /d 1 /f | Out-Null -# --- Stage the imaging chain for next boot --- -# The PPKG schedules a reboot (PendingFileRenameOperations for Zscaler -# rename, PPKG self-cleanup, etc). Instead of canceling it and cramming -# Run-ShopfloorSetup into this same session, we let the reboot happen -# and register a RunOnce entry that fires Stage-Dispatcher.ps1 on the -# next autologon. The dispatcher reads setup-stage.txt and chains -# through: shopfloor-setup -> sync-intune -> configure-pc. -$stageFile = 'C:\Enrollment\setup-stage.txt' -$dispatcherPath = 'C:\Enrollment\Stage-Dispatcher.ps1' -$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' +# --- Register sync_intune as persistent @logon scheduled task --- +# sync_intune monitors the Intune enrollment lifecycle (5-phase status +# table). It stays registered as a logon task until: +# - Pre-reboot: monitors until Phase 1+2+3 done -> reboots +# - Post-reboot: monitors until DSC install complete -> unregisters +# itself, launches Configure-PC +# +# Runs as BUILTIN\Users (logged-in user) so it can show GUI (QR code, +# status table). Needs the interactive session, NOT SYSTEM. +$taskName = 'Shopfloor Intune Sync' +$monitorScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Monitor-IntuneProgress.ps1' +$configureScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\Configure-PC.ps1' -Log "Writing stage file: shopfloor-setup" -Set-Content -LiteralPath $stageFile -Value 'shopfloor-setup' -Force +if (Test-Path -LiteralPath $monitorScript) { + try { + $action = New-ScheduledTaskAction ` + -Execute 'powershell.exe' ` + -Argument "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$monitorScript`" -AsTask -ConfigureScript `"$configureScript`"" -if (Test-Path -LiteralPath $dispatcherPath) { - Log "Registering RunOnce for Stage-Dispatcher.ps1" - Set-ItemProperty -Path $runOnceKey -Name 'ShopfloorSetup' ` - -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$dispatcherPath`"" ` - -Type String -Force + $trigger = New-ScheduledTaskTrigger -AtLogOn + + $principal = New-ScheduledTaskPrincipal ` + -GroupId 'S-1-5-32-545' ` + -RunLevel Limited + + $settings = New-ScheduledTaskSettingsSet ` + -AllowStartIfOnBatteries ` + -DontStopIfGoingOnBatteries ` + -StartWhenAvailable ` + -ExecutionTimeLimit (New-TimeSpan -Hours 2) + + Register-ScheduledTask ` + -TaskName $taskName ` + -Action $action ` + -Trigger $trigger ` + -Principal $principal ` + -Settings $settings ` + -Force ` + -ErrorAction Stop | Out-Null + + Log "Registered '$taskName' logon task (persists until sync complete)." + } catch { + Log "WARNING: Failed to register sync task: $_" + } } else { - Log "WARNING: Stage-Dispatcher.ps1 not found at $dispatcherPath - RunOnce not set" + Log "WARNING: Monitor-IntuneProgress.ps1 not found at $monitorScript" } -Log "=== Enrollment complete. PPKG reboot will fire and Stage-Dispatcher picks up on next logon. ===" +Log "=== Enrollment complete. Rebooting... ===" + +# Reboot -- PPKG file operations (Zscaler rename, cleanup) happen on next boot. +# sync_intune fires at next logon via the scheduled task. +shutdown /r /t 10 diff --git a/playbook/startnet.cmd b/playbook/startnet.cmd index 32f44b2..adf7796 100644 --- a/playbook/startnet.cmd +++ b/playbook/startnet.cmd @@ -258,8 +258,7 @@ if errorlevel 1 ( echo WARNING: Failed to copy enrollment package. goto copy_pctype ) -copy /Y "Y:\run-enrollment.ps1" "W:\run-enrollment.ps1" -copy /Y "Y:\shopfloor-setup\Stage-Dispatcher.ps1" "W:\Enrollment\Stage-Dispatcher.ps1" +copy /Y "Y:\run-enrollment.ps1" "W:\Enrollment\run-enrollment.ps1" REM --- Create enroll.cmd at drive root as manual fallback --- > W:\enroll.cmd (