ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Browse Source 
Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-14 16:30:32 -04:00
parent c6b249f866
commit ce604adcda
87 changed files with 697 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
playbook/FlatUnattendW10-shopfloor.xml
View File

@@ -166,11 +166,16 @@
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>6</Order>
<CommandLine>msiexec.exe /i "C:\PreInstall\installers\powershell7\PowerShell-7.5.4-win-x64.msi" /qn /norestart ADD_PATH=1 USE_MU=0 ENABLE_MU=0 DISABLE_TELEMETRY=1</CommandLine>
<Description>Install PowerShell 7 BEFORE PPKG so Intune SetupCredentials Win32App finds pwsh.exe (race fix)</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>7</Order>
<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\run-enrollment.ps1"</CommandLine>
<Description>Run GCCH Enrollment</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>7</Order>
<Order>8</Order>
<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\Run-ShopfloorSetup.ps1"</CommandLine>
<Description>Run shopfloor PC type setup</Description>
</SynchronousCommand>

6
playbook/blancco-init.sh
View File

@@ -80,10 +80,10 @@ echo " IFACE=$IFACE, bringing up..."
ip link set "$IFACE" up || ifconfig "$IFACE" up
sleep 2
SERVER=10.9.100.1
ifconfig "$IFACE" 10.9.100.250 netmask 255.255.255.0 up
SERVER=172.16.9.1
ifconfig "$IFACE" 172.16.9.250 netmask 255.255.255.0 up
sleep 1
echo " IP: 10.9.100.250 SERVER: $SERVER"
echo " IP: 172.16.9.250 SERVER: $SERVER"
ip addr
echo "[3/5] Downloading airootfs.sfs (~756 MB)..."

2
playbook/blancco-preferences.xml
View File

@@ -176,7 +176,7 @@
<username encrypted="false">blancco</username>
<password encrypted="false">blancco</password>
<domain/>
<hostname>10.9.100.1</hostname>
<hostname>172.16.9.1</hostname>
<path>blancco-reports</path>
<protocols key="protocol" type="array">
<protocol selected="true">smb</protocol>

6
playbook/migrate-to-wifi.ps1
View File

@@ -3,16 +3,16 @@
# Previously this disabled all wired NICs at first logon to keep PPKG /
# Intune enrollment routing internet traffic via WiFi. The wired NIC was
# preferred by Windows because the PXE dnsmasq was handing out a default
# gateway (dhcp-option=3,10.9.100.1) which Windows installed as a default
# gateway (dhcp-option=3,172.16.9.1) which Windows installed as a default
# route, and the lower interface metric of wired beat WiFi. Internet-bound
# traffic then black-holed at 10.9.100.1 (the PXE server, which doesn't
# traffic then black-holed at 172.16.9.1 (the PXE server, which doesn't
# forward).
#
# That root cause was fixed by removing the dhcp-option=3 and =6 lines
# from /etc/dnsmasq.conf on the PXE server. Without an advertised gateway
# on the PXE side, Windows can't add a default route via wired, so all
# internet traffic uses WiFi by default and the wired NIC stays harmless
# for same-subnet PXE/SMB traffic to 10.9.100.1.
# for same-subnet PXE/SMB traffic to 172.16.9.1.
#
# Side effect of the original behavior was an eDNC race: eDNC autostart
# would fire while the wired NIC was still disabled and hit WSAEINVAL

BIN
playbook/preinstall/installers/powershell7/PowerShell-7.5.4-win-x64.msi Normal file
View File

Binary file not shown.

17
playbook/preinstall/preinstall.json
View File

@@ -2,6 +2,17 @@
"Version": "1.0",
"Site": "West Jefferson",
"Applications": [
{
"_comment": "PowerShell 7.5.4 - installed BEFORE PPKG via FlatUnattendW10-shopfloor.xml FirstLogonCommand Order 6 (race fix: Intune SetupCredentials Win32App install command starts with pwsh.exe; if PS7 not yet installed when that Win32App fires, it errors with FILE_NOT_FOUND 0x80070002 and IME's GRS retry never re-fires under V3Processor). This entry is a backstop - no-op via ProductCode detection if unattend Order 6 already installed it. PreEnrollment flag is informational; runner does not currently filter on it.",
"Name": "PowerShell 7.5.4",
"Installer": "powershell7\\PowerShell-7.5.4-win-x64.msi",
"Type": "MSI",
"InstallArgs": "/qn /norestart ADD_PATH=1 USE_MU=0 ENABLE_MU=0 DISABLE_TELEMETRY=1",
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{E8159677-ACF8-4D64-9D36-5C36B8BBEA39}",
"PreEnrollment": true,
"PCTypes": ["*"]
},
{
"_comment": "Oracle Client 11.2 Administrator - installed first because downstream apps (eDNC/NTLARS/UDC and CMM tooling) link against the Oracle home and fail cold if it's missing. Installer is a .cmd wrapper (Type=EXE is the preinstall runner's shim for non-MSI launchers, same pattern as OpenText Setup-OpenText.cmd). The wrapper expects Oracle_OracleDatabase_11r2_V03.zip (686 MB) staged next to it, unpacks to %TEMP%, runs Oracle Universal Installer silently with ge_client_install.rsp, then cleans up the staging dir. OUI exit 3 is treated as success (warnings-but-ok). Detection via the registered home key; downstream upgrades or version pins are handled by the runtime enforcer's Oracle Client 11.2 manifest entry in common/manifest.json.",
"Name": "Oracle Client 11.2",
@@ -153,7 +164,7 @@
"Type": "EXE",
"InstallArgs": "",
"LogFile": "C:\\Logs\\PreInstall\\Setup-OpenText.log",
"PCTypes": ["Standard", "CMM", "Keyence", "Genspect", "WaxAndTrace", "Lab"]
"PCTypes": ["Standard", "CMM", "Keyence", "Genspect", "WaxAndTrace", "Lab", "Heattreat"]
},
{
"_comment": "UDC_Setup.exe spawns a hidden WPF window (UDC.exe) after install and never exits, so the runner needs KillAfterDetection: true to terminate UDC_Setup.exe + UDC.exe once the registry detection passes. This is an OPT-IN flag - normal installers should NOT set it because killing msiexec mid-install leaves msiserver holding the install mutex and the next msiexec call returns 1618 (Oracle hit this exact bug).",
@@ -164,7 +175,9 @@
"KillAfterDetection": true,
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\UDC",
"PCTypes": ["Standard-Machine"]
"PCTypes": ["gea-shopfloor-collections"],
"PCTypesStrict": true,
"_pcTypesNote": "UDC = the C in 'collections'. nocollections does NOT collect data so MUST NOT install UDC. PCTypesStrict bypasses the alias-expansion matcher so a nocollections PC's myNames (which transitively contains gea-shopfloor-collections via the Standard group) still won't match this entry."
},
{
"_comment": "Display kiosk app (Lobby Display or Dashboard). Install-KioskApp.cmd wrapper reads C:\\Enrollment\\display-type.txt to determine which installer to run. Both GEAerospaceLobbyDisplaySetup.exe and GEAerospaceDashboardSetup.exe must be staged in the display\\ subtree alongside the wrapper. Inno Setup /VERYSILENT is idempotent so no detection needed.",

2
playbook/pxe-server-helpers/pxe-dhcp-hook.sh
View File

@@ -3,7 +3,7 @@
# pxe-dhcp-hook.sh - dnsmasq dhcp-script hook.
#
# Runs every time a PXE client gets/changes/releases a DHCP lease on
# 10.9.100.0/24. Flushes conntrack entries and drops any lingering
# 172.16.9.0/24. Flushes conntrack entries and drops any lingering
# TCP sockets for that client IP. Prevents stale server-side state from
# causing "System error 53 - network path not found" when a WinPE client
# re-images the same machine without a clean SMB session teardown.

8
playbook/pxe-server-helpers/smb-soft-reset.sh
View File

@@ -14,7 +14,7 @@
# Step 2: restart nmbd (NetBIOS daemon - separate from smbd)
# Step 3: restart smbd (full smbd restart, kills all child sessions)
# Step 4: kill any leftover smbd child processes that survived restart
# Step 5: flush conntrack for 10.9.100.0/24 (kernel connection tracking)
# Step 5: flush conntrack for 172.16.9.0/24 (kernel connection tracking)
# Step 6: flush ARP / neighbour cache on br-pxe
# Step 7: drop TCP sockets on port 445 via ss -K
# Step 8: restart dnsmasq (DHCP/TFTP state as a last resort before reboot)
@@ -56,10 +56,10 @@ sleep 1
systemctl start smbd 2>&1
pause "Step 4 done"
echo "=== Step 5/8: flush conntrack entries for 10.9.100.0/24 ==="
echo "=== Step 5/8: flush conntrack entries for 172.16.9.0/24 ==="
if command -v conntrack >/dev/null 2>&1; then
conntrack -D -s 10.9.100.0/24 2>&1 || true
conntrack -D -d 10.9.100.0/24 2>&1 || true
conntrack -D -s 172.16.9.0/24 2>&1 || true
conntrack -D -d 172.16.9.0/24 2>&1 || true
else
echo " conntrack tool not installed - skipping (apt install conntrack)"
fi

22
playbook/pxe_server_setup.yml
View File

@@ -72,7 +72,7 @@
loop: "{{ ansible_interfaces | select('match','^e(th|n)') | list }}"
ignore_errors: yes
- name: "Find interface with 10.9.100.1 already configured"
- name: "Find interface with 172.16.9.1 already configured"
set_fact:
preconfigured_iface: >-
{{ ansible_interfaces
@@ -80,7 +80,7 @@
| map('regex_replace','^(.*)$','ansible_\1')
| map('extract', hostvars[inventory_hostname])
| selectattr('ipv4','defined')
| selectattr('ipv4.address','equalto','10.9.100.1')
| selectattr('ipv4.address','equalto','172.16.9.1')
| map(attribute='device')
| list
| first
@@ -147,11 +147,11 @@
port=0
interface={{ pxe_iface }}
bind-interfaces
dhcp-range=10.9.100.10,10.9.100.100,12h
dhcp-range=172.16.9.10,172.16.9.100,12h
# No default gateway (option 3) and no DNS (option 6) handed out:
# the PXE network is isolated and the PXE server does not forward
# internet traffic. Previously we set both, which made imaged PCs
# add a default route via 10.9.100.1 and prefer it over WiFi (lower
# add a default route via 172.16.9.1 and prefer it over WiFi (lower
# interface metric). PPKG / Intune enrollment then black-holed
# internet-bound traffic. The fix used to be migrate-to-wifi.ps1
# disabling the wired NIC during first-logon, which created an
@@ -163,7 +163,7 @@
# Important: dnsmasq DEFAULTS to sending its own listening address as
# both router and DNS when these options are unset. Commenting them
# out is NOT the same as disabling - imaged PCs (and Blancco PXE
# clients) end up with 10.9.100.1 as gateway. The empty-value form
# clients) end up with 172.16.9.1 as gateway. The empty-value form
# below explicitly suppresses both options.
dhcp-option=3
dhcp-option=6
@@ -227,7 +227,7 @@
content: |
#!ipxe
set server 10.9.100.1
set server 172.16.9.1
:menu
menu GE Aerospace PXE Boot Menu
@@ -505,7 +505,7 @@
- name: "Deploy BIOS check script + manifest to winpeapps/_shared/BIOS/"
# Path matches what startnet.cmd reads at WinPE boot:
# net use B: \\10.9.100.1\winpeapps\_shared
# net use B: \\172.16.9.1\winpeapps\_shared
# if exist B:\BIOS\check-bios.cmd ...
# Earlier deploy targeted enrollment/pre-install/bios/ (different share)
# which startnet.cmd never read, so BIOS_STATUS perma-stuck on
@@ -899,7 +899,7 @@
shell: |
set -e
python3 -c 'import xml.etree.ElementTree as ET; ET.parse("{{ web_root }}/blancco/preferences.xml")'
grep -q '<hostname>10.9.100.1</hostname>' "{{ web_root }}/blancco/preferences.xml"
grep -q '<hostname>172.16.9.1</hostname>' "{{ web_root }}/blancco/preferences.xml"
grep -q '<path>blancco-reports</path>' "{{ web_root }}/blancco/preferences.xml"
changed_when: false
@@ -1089,7 +1089,7 @@
# Single-NIC fresh-deploy default. Boxes that need higher throughput
# (e.g. WJF prod uses a USB-C 5 Gbps NIC) override this with a bridge
# config bonding the USB NIC + onboard NIC into br-pxe. Live override
# currently deployed on 10.9.100.1 (do NOT re-run this task there
# currently deployed on 172.16.9.1 (do NOT re-run this task there
# without first reviewing /etc/netplan/50-cloud-init.yaml.pre-gold-swap):
#
# network:
@@ -1101,7 +1101,7 @@
# bridges:
# br-pxe:
# interfaces: [enp128s31f6, enx34c8d6b11010]
# addresses: [10.9.100.1/24]
# addresses: [172.16.9.1/24]
# parameters:
# stp: false
#
@@ -1120,7 +1120,7 @@
ethernets:
{{ pxe_iface }}:
dhcp4: no
addresses: [10.9.100.1/24]
addresses: [172.16.9.1/24]
notify: "Apply netplan"
handlers:

2
playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
View File

@@ -27,7 +27,7 @@ Write-Host "================================================================"
Write-Host ""
# Imaging-progress reporter. Posts coarse stage updates to the PXE webapp
# at http://10.9.100.1:9009/imaging/status so the operator can watch
# at http://172.16.9.1:9009/imaging/status so the operator can watch
# progress in a browser. Best-effort: failures never block imaging.
$pxeStatusLib = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Send-PxeStatus.ps1'
if (Test-Path $pxeStatusLib) {

36
playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1
View File

@@ -165,8 +165,12 @@ if (Test-Path -LiteralPath $machineNumFile) {
# before UDC_Setup.exe runs means the installer's File.Copy (overwrite:true)
# would overwrite it IF the share were reachable, but since it isn't, our
# pre-staged file survives and UDC launches with correct settings.
# UDC payload (settings backups + webserver settings) lives only in the
# collections per-pc-type dir - UDC is the "C" of "collections". On nocoll
# bays the dir doesn't exist; Test-Path skips silently.
$udcCollDir = Join-Path (Split-Path $PSScriptRoot -Parent) 'gea-shopfloor-collections'
if ($machineNum -and $machineNum -ne '9999') {
$udcBackupDir = 'C:\Enrollment\shopfloor-setup\Standard\udc-backups'
$udcBackupDir = Join-Path $udcCollDir 'udc-backups'
$udcBackup = Join-Path $udcBackupDir "udc_settings_$machineNum.json"
$udcTarget = 'C:\ProgramData\UDC\udc_settings.json'
if (Test-Path -LiteralPath $udcBackup) {
@@ -176,11 +180,11 @@ if ($machineNum -and $machineNum -ne '9999') {
Copy-Item -Path $udcBackup -Destination $udcTarget -Force
Write-PreInstallLog "Pre-staged UDC settings from $udcBackup -> $udcTarget"
} else {
Write-PreInstallLog "No UDC settings backup for machine $machineNum in $udcBackupDir"
Write-PreInstallLog "No UDC settings backup for machine $machineNum at $udcBackup (skipping - normal for nocoll bays)"
}
}
$udcWebSrc = 'C:\Enrollment\shopfloor-setup\Standard\udc_webserver_settings.json'
$udcWebSrc = Join-Path $udcCollDir 'udc_webserver_settings.json'
$udcWebDst = 'C:\ProgramData\UDC\udc_webserver_settings.json'
if (Test-Path -LiteralPath $udcWebSrc) {
if (-not (Test-Path 'C:\ProgramData\UDC')) {
@@ -189,7 +193,7 @@ if (Test-Path -LiteralPath $udcWebSrc) {
Copy-Item -Path $udcWebSrc -Destination $udcWebDst -Force
Write-PreInstallLog "Pre-staged UDC webserver settings from $udcWebSrc -> $udcWebDst"
} else {
Write-PreInstallLog "No UDC webserver settings file at $udcWebSrc" "WARN"
Write-PreInstallLog "No UDC webserver settings file at $udcWebSrc (skipping - normal for nocoll bays)"
}
# --- Suppress Windows Defender Firewall "Allow access" prompts globally for
@@ -326,15 +330,27 @@ foreach ($app in $config.Applications) {
if ($g -icontains $n) { foreach ($x in $g) { [void]$myNames.Add($x) } }
}
}
# PCTypesStrict=true bypasses the alias-expansion matcher and requires
# the actual pcType (or composite pcProfileKey) to literally equal one
# of the allowedTypes entries. Used by UDC because the alias graph
# transitively connects gea-shopfloor-collections <-> nocollections via
# the legacy 'Standard' group, which would otherwise cause UDC to install
# on nocoll bays even with PCTypes=['gea-shopfloor-collections'].
$matchesType = ($allowedTypes -contains '*')
if (-not $matchesType) {
foreach ($t in $allowedTypes) {
if ($myNames.Contains($t)) { $matchesType = $true; break }
foreach ($g in $aliasGroups) {
if ($g -icontains $t) {
foreach ($x in $g) { if ($myNames.Contains($x)) { $matchesType = $true; break } }
if ($app.PCTypesStrict) {
foreach ($t in $allowedTypes) {
if (($pcType -ieq $t) -or ($pcProfileKey -ieq $t)) { $matchesType = $true; break }
}
} else {
foreach ($t in $allowedTypes) {
if ($myNames.Contains($t)) { $matchesType = $true; break }
foreach ($g in $aliasGroups) {
if ($g -icontains $t) {
foreach ($x in $g) { if ($myNames.Contains($x)) { $matchesType = $true; break } }
}
if ($matchesType) { break }
}
if ($matchesType) { break }
}
}
}

2
playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1
View File

@@ -5,7 +5,7 @@
#
# Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
# Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
# shopfloor bay is still cabled to the air-gapped PXE LAN (10.9.100.0/24),
# shopfloor bay is still cabled to the air-gapped PXE LAN (172.16.9.0/24),
# the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
# "not on corp net". A dynamic group / assignment-filter at GE then excludes
# the bay from receiving the SFLD ConfigurationProfile (Function + SasToken

11
playbook/shopfloor-setup/Shopfloor/lib/Get-PCProfile.ps1
View File

@@ -66,6 +66,15 @@ if (Test-Path -LiteralPath $subtypeFile) {
$pcSubtype = (Get-Content -LiteralPath $subtypeFile -First 1 -ErrorAction SilentlyContinue).Trim()
}
# Display sub-type fallback: if pc-subtype.txt is absent (post-rename-reorg
# default) but display-type.txt exists, use it as the subtype. Lets the
# Display-Lobby / Display-Dashboard / gea-shopfloor-display-{lobby,dashboard}
# profile keys resolve correctly for Display PCs.
$displayTypeFile = 'C:\Enrollment\display-type.txt'
if (-not $pcSubtype -and ($pcType -ieq 'gea-shopfloor-display' -or $pcType -ieq 'Display') -and (Test-Path -LiteralPath $displayTypeFile)) {
$pcSubtype = (Get-Content -LiteralPath $displayTypeFile -First 1 -ErrorAction SilentlyContinue).Trim()
}
# Build the profile key: "Standard-Machine", "CMM", "Display-Lobby", etc.
$profileKey = if ($pcSubtype) { "$pcType-$pcSubtype" } else { $pcType }
@@ -82,6 +91,8 @@ $pcProfileAliasGroups = @(
@('WaxAndTrace', 'gea-shopfloor-waxtrace'),
@('Genspect', 'gea-shopfloor-genspect'),
@('Display', 'gea-shopfloor-display'),
@('Display-Lobby', 'gea-shopfloor-display-Lobby', 'gea-shopfloor-display-lobby'),
@('Display-Dashboard', 'gea-shopfloor-display-Dashboard', 'gea-shopfloor-display-dashboard'),
@('Heattreat', 'gea-shopfloor-heattreat')
)

2
playbook/shopfloor-setup/Shopfloor/lib/Send-PxeStatus.ps1
View File

@@ -19,7 +19,7 @@ function Send-PxeStatus {
# Only available post-AAD-join; pass it from Monitor-IntuneProgress
# once captured. The dashboard renders a QR of this value.
[string]$IntuneDeviceId = '',
[string]$PxeServer = '10.9.100.1',
[string]$PxeServer = '172.16.9.1',
[int]$Port = 9009,
[int]$TimeoutSec = 5
)

44
playbook/shopfloor-setup/Shopfloor/lib/Set-OpenTextAutoStart.ps1 Normal file
View File

@@ -0,0 +1,44 @@
# Set-OpenTextAutoStart.ps1 - place WJ Shopfloor.lnk in the All Users
# Startup folder so HostExplorer's "WJ Shopfloor" session launches at
# every login. Idempotent: re-running is a no-op when the .lnk already
# exists at the same path.
#
# Used by per-pc-type 09-Setup scripts for shopfloor types whose only
# business app is OpenText (common, waxtrace, genspect, heattreat).
# collections + nocollections do NOT auto-start OpenText - their techs
# pick which apps via Configure-PC.ps1.
#
# Source .lnk is created by the OpenText preinstall (Setup-OpenText.ps1)
# on the public desktop. If the .lnk is missing, log a warning and exit
# 0 - imaging chain still continues; auto-start can be re-attempted on a
# subsequent login by re-running this script.
$ErrorActionPreference = 'Continue'
$startupDir = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
$publicDesktop = 'C:\Users\Public\Desktop'
$candidates = @(
Join-Path $publicDesktop 'WJ Shopfloor.lnk'
Join-Path (Join-Path $publicDesktop 'Shopfloor Tools') 'WJ Shopfloor.lnk'
)
$src = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $src) {
Write-Warning "WJ Shopfloor.lnk not found on public desktop - OpenText auto-start NOT configured."
Write-Warning " Searched: $($candidates -join ' ; ')"
Write-Warning " Setup-OpenText.ps1 should create it during preinstall - check OpenText install state."
return
}
if (-not (Test-Path -LiteralPath $startupDir)) {
New-Item -Path $startupDir -ItemType Directory -Force | Out-Null
}
$dst = Join-Path $startupDir 'WJ Shopfloor.lnk'
try {
Copy-Item -LiteralPath $src -Destination $dst -Force
Write-Host "OpenText auto-start enabled: $dst (source: $src)"
} catch {
Write-Warning "Failed to copy WJ Shopfloor.lnk to startup: $_"
}

2
playbook/shopfloor-setup/gea-shopfloor-collections/01-eDNC.ps1
View File

@@ -36,7 +36,7 @@ $siteConfig = Get-SiteConfig
$siteName = if ($siteConfig) { $siteConfig.siteName } else { 'West Jefferson' }
$siteNameCompact = if ($siteConfig) { $siteConfig.siteNameCompact } else { 'WestJefferson' }
$edncDir = "C:\Enrollment\shopfloor-setup\Standard\eDNC"
$edncDir = Join-Path $PSScriptRoot 'eDNC'
if (-not (Test-Path $edncDir)) {
Write-Warning "eDNC folder not found at $edncDir - skipping."

6
playbook/shopfloor-setup/gea-shopfloor-collections/03-RestoreEDncConfig.ps1
View File

@@ -54,7 +54,11 @@ if (-not $machineNum -or $machineNum -eq '9999') {
Write-Host "Machine number: $machineNum"
# ---- Locate local backup root (staged from PXE during imaging) ----
$backupRoot = 'C:\Enrollment\shopfloor-setup\Standard\ntlars-backups'
# Lives at C:\Enrollment\shopfloor-setup\_ntlars-backups (one shared dir
# at the root of the staged shopfloor-setup tree, populated by Ansible
# from playbook/shopfloor-setup/_ntlars-backups). Path is relative to
# this script so it follows wherever per-pc-type dir is staged.
$backupRoot = Join-Path $PSScriptRoot '..\_ntlars-backups'
if (-not (Test-Path $backupRoot)) {
Write-Host "ntlars-backups folder not staged at $backupRoot - skipping."
try { Stop-Transcript | Out-Null } catch {}

6
playbook/shopfloor-setup/gea-shopfloor-collections/Set-MachineNumber.bat
View File

@@ -6,7 +6,7 @@ REM 1. %~dp0Set-MachineNumber.ps1
REM - .bat and .ps1 side-by-side (normal desktop-copied case, repo layout)
REM 2. C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1
REM - dispatcher-copied location, if this .bat lives somewhere else
REM 3. C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1
REM 3. C:\Enrollment\shopfloor-setup\gea-shopfloor-collections\Set-MachineNumber.ps1
REM - canonical enrollment staging copy
REM
REM Goto-based dispatch - no nested if blocks, no literal parens in echo lines.
@@ -21,13 +21,13 @@ if exist "%PS1%" goto :run
set "PS1=C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1"
if exist "%PS1%" goto :run
set "PS1=C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1"
set "PS1=C:\Enrollment\shopfloor-setup\gea-shopfloor-collections\Set-MachineNumber.ps1"
if exist "%PS1%" goto :run
echo ERROR: Set-MachineNumber.ps1 not found in any of:
echo %~dp0Set-MachineNumber.ps1
echo C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1
echo C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1
echo C:\Enrollment\shopfloor-setup\gea-shopfloor-collections\Set-MachineNumber.ps1
echo.
pause
exit /b 1

BIN
playbook/shopfloor-setup/gea-shopfloor-collections/eDNC/eDNC_6-4-5.msi Executable file
View File

Binary file not shown.

12
playbook/shopfloor-setup/gea-shopfloor-common/09-Setup-Lab.ps1
View File

@@ -1,12 +0,0 @@
# 09-Setup-Lab.ps1 - Lab-specific setup (runs after Shopfloor baseline)
#
# PLACEHOLDER: add type-specific app installs when details are finalized.
# This script will be called by Run-ShopfloorSetup.ps1 as part of the
# type-specific phase, after all baseline scripts have completed.
#
# For share-based installs, copy the pattern from CMM/09-Setup-CMM.ps1
# (credential lookup + share mount + install from share).
Write-Host "=== Lab Setup ==="
Write-Host " (no type-specific apps configured yet)"
Write-Host "=== Lab Setup Complete ==="

2
playbook/shopfloor-setup/gea-shopfloor-nocollections/01-eDNC.ps1
View File

@@ -36,7 +36,7 @@ $siteConfig = Get-SiteConfig
$siteName = if ($siteConfig) { $siteConfig.siteName } else { 'West Jefferson' }
$siteNameCompact = if ($siteConfig) { $siteConfig.siteNameCompact } else { 'WestJefferson' }
$edncDir = "C:\Enrollment\shopfloor-setup\Standard\eDNC"
$edncDir = Join-Path $PSScriptRoot 'eDNC'
if (-not (Test-Path $edncDir)) {
Write-Warning "eDNC folder not found at $edncDir - skipping."

3
playbook/shopfloor-setup/gea-shopfloor-nocollections/03-RestoreEDncConfig.ps1
View File

@@ -54,7 +54,8 @@ if (-not $machineNum -or $machineNum -eq '9999') {
Write-Host "Machine number: $machineNum"
# ---- Locate local backup root (staged from PXE during imaging) ----
$backupRoot = 'C:\Enrollment\shopfloor-setup\Standard\ntlars-backups'
# Lives at C:\Enrollment\shopfloor-setup\_ntlars-backups (shared root dir).
$backupRoot = Join-Path $PSScriptRoot '..\_ntlars-backups'
if (-not (Test-Path $backupRoot)) {
Write-Host "ntlars-backups folder not staged at $backupRoot - skipping."
try { Stop-Transcript | Out-Null } catch {}

6
playbook/shopfloor-setup/gea-shopfloor-nocollections/Set-MachineNumber.bat
View File

@@ -6,7 +6,7 @@ REM 1. %~dp0Set-MachineNumber.ps1
REM - .bat and .ps1 side-by-side (normal desktop-copied case, repo layout)
REM 2. C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1
REM - dispatcher-copied location, if this .bat lives somewhere else
REM 3. C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1
REM 3. C:\Enrollment\shopfloor-setup\gea-shopfloor-nocollections\Set-MachineNumber.ps1
REM - canonical enrollment staging copy
REM
REM Goto-based dispatch - no nested if blocks, no literal parens in echo lines.
@@ -21,13 +21,13 @@ if exist "%PS1%" goto :run
set "PS1=C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1"
if exist "%PS1%" goto :run
set "PS1=C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1"
set "PS1=C:\Enrollment\shopfloor-setup\gea-shopfloor-nocollections\Set-MachineNumber.ps1"
if exist "%PS1%" goto :run
echo ERROR: Set-MachineNumber.ps1 not found in any of:
echo %~dp0Set-MachineNumber.ps1
echo C:\Users\SupportUser\Desktop\Set-MachineNumber.ps1
echo C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1
echo C:\Enrollment\shopfloor-setup\gea-shopfloor-nocollections\Set-MachineNumber.ps1
echo.
pause
exit /b 1

BIN
playbook/shopfloor-setup/gea-shopfloor-nocollections/eDNC/eDNC_6-4-5.msi Executable file
View File

Binary file not shown.

24
playbook/shopfloor-setup/site-config.json
View File

@@ -98,6 +98,30 @@
]
},
"gea-shopfloor-nocollections": {
"_comment": "Shopfloor PC running eDNC + NTLARS + Defect Tracker but no UDC (no Collections). Same as Standard-Machine minus UDC pin/desktop/startup. Direct profile lookup (line 92 in Get-PCProfile.ps1) finds this BEFORE the alias-group fallback to Standard-Machine, so Standard-Machine's UDC entries do not leak through.",
"machineappsSharePath": "\\\\tsgwp00525.wjs.geaerospace.net\\shared\\dt\\shopfloor\\main\\machineapps",
"ntlarsBackupSharePath": "\\\\tsgwp00525.wjs.geaerospace.net\\shared\\dt\\shopfloor\\main\\ntlars-backups",
"startupItems": [
{ "label": "WJ Shopfloor", "type": "existing", "sourceLnk": "WJ Shopfloor.lnk" },
{ "label": "Plant Apps", "type": "url", "urlKey": "plantApps" },
{ "label": "eDNC", "type": "exe", "target": "C:\\Program Files (x86)\\Dnc\\bin\\DncMain.exe" }
],
"taskbarPins": [
{ "name": "Microsoft Edge", "lnkPath": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
{ "name": "WJ Shopfloor", "lnkPath": "%PUBLIC%\\Desktop\\Shopfloor Tools\\WJ Shopfloor.lnk" },
{ "name": "eDNC", "lnkPath": "%PUBLIC%\\Desktop\\Shopfloor Tools\\eDNC.lnk" },
{ "name": "NTLARS", "lnkPath": "%PUBLIC%\\Desktop\\Shopfloor Tools\\NTLARS.lnk" },
{ "name": "Defect_Tracker", "lnkPath": "%PUBLIC%\\Desktop\\Shopfloor Tools\\Defect_Tracker.lnk" }
],
"desktopApps": [
{ "name": "eDNC", "kind": "exe", "exePath": "C:\\Program Files (x86)\\Dnc\\bin\\DncMain.exe" },
{ "name": "NTLARS", "kind": "exe", "exePath": "C:\\Program Files (x86)\\Dnc\\Common\\NTLARS.exe" },
{ "name": "WJ Shopfloor", "kind": "existing", "sourceName": "WJ Shopfloor.lnk" },
{ "name": "Defect_Tracker", "kind": "exe", "exePath": "C:\\Program Files (x86)\\WJF_Defect_Tracker\\Defect_Tracker.exe" }
]
},
"CMM": {
"_comment": "Hexagon CMM apps (CLM 1.8, goCMM, PC-DMIS 2016, PC-DMIS 2019 R2). At imaging time they install from a WinPE-staged local bootstrap at C:\\CMM-Install (put there by startnet.cmd when pc-type=CMM, source is the PXE server enrollment share). Post-imaging, the unified GE-Enforce dispatcher reads cmm/manifest.json on the tsgwp00525 share below and enforces versions on every user logon (the SFLD creds Azure DSC provisions unlock the mount). cmmSharePath is the ongoing-enforcement source, not the imaging-time source.",
"cmmSharePath": "\\\\tsgwp00525.wjs.geaerospace.net\\shared\\dt\\shopfloor\\cmm\\machineapps",

20
playbook/startnet.cmd
View File

@@ -6,7 +6,7 @@ powercfg /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
REM --- Wait for network (DHCP may take a moment after wpeinit) ---
echo Waiting for network...
:wait_net
ping -n 2 10.9.100.1 >NUL 2>&1
ping -n 2 172.16.9.1 >NUL 2>&1
if errorlevel 1 goto wait_net
echo Network ready.
@@ -17,7 +17,7 @@ REM CALLed scripts inside parens does not propagate BIOS_STATUS back to
REM this script reliably. Use goto-flow instead so the CALL runs at the
REM top scope and BIOS_STATUS persists.
set BIOS_STATUS=No BIOS check (share unavailable)
net use B: \\10.9.100.1\winpeapps_bios /user:pxe-upload pxe /persistent:no 2>NUL
net use B: \\172.16.9.1\winpeapps_bios /user:pxe-upload pxe /persistent:no 2>NUL
if not exist B:\check-bios.cmd goto :bios_check_done
echo.
echo Checking for BIOS updates...
@@ -167,7 +167,7 @@ set NEED_ENROLL=0
if not "%PPKG%"=="" set NEED_ENROLL=1
if not "%PCTYPE%"=="" set NEED_ENROLL=1
if "%NEED_ENROLL%"=="0" goto enroll_staged
net use Y: \\10.9.100.1\enrollment /user:pxe-upload pxe /persistent:no
net use Y: \\172.16.9.1\enrollment /user:pxe-upload pxe /persistent:no
if "%PPKG%"=="" goto enroll_staged
if not exist "Y:\ppkgs\%SOURCE_PPKG%" (
echo WARNING: %SOURCE_PPKG% not found on server. Enrollment will be skipped.
@@ -192,7 +192,7 @@ echo.
echo Starting GEA Standard setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\gea-standard /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\gea-standard /user:pxe-upload pxe /persistent:no
goto end
:gea-engineer
@@ -200,7 +200,7 @@ echo.
echo Starting GEA Engineer setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\gea-engineer /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\gea-engineer /user:pxe-upload pxe /persistent:no
goto end
:gea-shopfloor
@@ -208,7 +208,7 @@ echo.
echo Starting GEA Shopfloor setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\gea-shopfloor /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\gea-shopfloor /user:pxe-upload pxe /persistent:no
goto end
:ge-standard
@@ -216,7 +216,7 @@ echo.
echo Starting GE Standard setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\ge-standard /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\ge-standard /user:pxe-upload pxe /persistent:no
goto end
:ge-engineer
@@ -224,7 +224,7 @@ echo.
echo Starting GE Engineer setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\ge-engineer /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\ge-engineer /user:pxe-upload pxe /persistent:no
goto end
:ge-shopfloor-lockdown
@@ -232,7 +232,7 @@ echo.
echo Starting GE Shopfloor Lockdown setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\ge-shopfloor-lockdown /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\ge-shopfloor-lockdown /user:pxe-upload pxe /persistent:no
goto end
:ge-shopfloor-mce
@@ -240,7 +240,7 @@ echo.
echo Starting GE Shopfloor MCE setup...
start "FlatApp" %SYSTEMDRIVE%\GESetup\FlatSetupLoader.exe
for /l %%i in (1,1,2000000) do rem
net use Z: \\10.9.100.1\winpeapps\ge-shopfloor-mce /user:pxe-upload pxe /persistent:no
net use Z: \\172.16.9.1\winpeapps\ge-shopfloor-mce /user:pxe-upload pxe /persistent:no
goto end
:end

4
playbook/sync-cmm.sh
View File

@@ -3,7 +3,7 @@
#
# Copies the Hexagon installers + cmm-manifest.json from the local workstation
# to /srv/samba/enrollment/cmm-installers on the PXE server. That directory
# becomes visible as \\10.9.100.1\enrollment\cmm-installers so startnet.cmd
# becomes visible as \\172.16.9.1\enrollment\cmm-installers so startnet.cmd
# can xcopy it onto the target disk during WinPE phase.
#
# Run this on the workstation (not on the PXE server) any time:
@@ -24,7 +24,7 @@ set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
PXE_HOST="${PXE_HOST:-10.9.100.1}"
PXE_HOST="${PXE_HOST:-172.16.9.1}"
PXE_USER="${PXE_USER:-pxe}"
PXE_PASS="${PXE_PASS:-pxe}"

2
playbook/sync-preinstall.sh
View File

@@ -19,7 +19,7 @@ set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
PXE_HOST="${PXE_HOST:-10.9.100.1}"
PXE_HOST="${PXE_HOST:-172.16.9.1}"
PXE_USER="${PXE_USER:-pxe}"
PXE_PASS="${PXE_PASS:-pxe}"

2
playbook/winpe-status-push.ps1
View File

@@ -10,7 +10,7 @@
# X:\Windows\Temp\winpe-status-push.log; failures are swallowed.
param(
[string]$PxeServer = '10.9.100.1',
[string]$PxeServer = '172.16.9.1',
[int]$Port = 9009,
[int]$TimeoutSec = 5,
[string]$PCType = $env:PCTYPE