Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-05-14 16:30:32 -04:00
parent c6b249f866
commit ce604adcda
87 changed files with 697 additions and 139 deletions


@@ -165,8 +165,12 @@ if (Test-Path -LiteralPath $machineNumFile) {
# before UDC_Setup.exe runs means the installer's File.Copy (overwrite:true)
# would overwrite it IF the share were reachable, but since it isn't, our
# pre-staged file survives and UDC launches with correct settings.
# UDC payload (settings backups + webserver settings) lives only in the
# collections per-pc-type dir - UDC is the "C" of "collections". On nocoll
# bays the dir doesn't exist; Test-Path skips silently.
$udcCollDir = Join-Path (Split-Path $PSScriptRoot -Parent) 'gea-shopfloor-collections'
if ($machineNum -and $machineNum -ne '9999') {
$udcBackupDir = 'C:\Enrollment\shopfloor-setup\Standard\udc-backups'
$udcBackupDir = Join-Path $udcCollDir 'udc-backups'
$udcBackup = Join-Path $udcBackupDir "udc_settings_$machineNum.json"
$udcTarget = 'C:\ProgramData\UDC\udc_settings.json'
if (Test-Path -LiteralPath $udcBackup) {
@@ -176,11 +180,11 @@ if ($machineNum -and $machineNum -ne '9999') {
Copy-Item -Path $udcBackup -Destination $udcTarget -Force
Write-PreInstallLog "Pre-staged UDC settings from $udcBackup -> $udcTarget"
} else {
Write-PreInstallLog "No UDC settings backup for machine $machineNum in $udcBackupDir"
Write-PreInstallLog "No UDC settings backup for machine $machineNum at $udcBackup (skipping - normal for nocoll bays)"
}
}
$udcWebSrc = 'C:\Enrollment\shopfloor-setup\Standard\udc_webserver_settings.json'
$udcWebSrc = Join-Path $udcCollDir 'udc_webserver_settings.json'
$udcWebDst = 'C:\ProgramData\UDC\udc_webserver_settings.json'
if (Test-Path -LiteralPath $udcWebSrc) {
if (-not (Test-Path 'C:\ProgramData\UDC')) {
@@ -189,7 +193,7 @@ if (Test-Path -LiteralPath $udcWebSrc) {
Copy-Item -Path $udcWebSrc -Destination $udcWebDst -Force
Write-PreInstallLog "Pre-staged UDC webserver settings from $udcWebSrc -> $udcWebDst"
} else {
Write-PreInstallLog "No UDC webserver settings file at $udcWebSrc" "WARN"
Write-PreInstallLog "No UDC webserver settings file at $udcWebSrc (skipping - normal for nocoll bays)"
}
# --- Suppress Windows Defender Firewall "Allow access" prompts globally for
@@ -326,15 +330,27 @@ foreach ($app in $config.Applications) {
if ($g -icontains $n) { foreach ($x in $g) { [void]$myNames.Add($x) } }
}
}
# PCTypesStrict=true bypasses the alias-expansion matcher and requires
# the actual pcType (or composite pcProfileKey) to literally equal one
# of the allowedTypes entries. Used by UDC because the alias graph
# transitively connects gea-shopfloor-collections <-> nocollections via
# the legacy 'Standard' group, which would otherwise cause UDC to install
# on nocoll bays even with PCTypes=['gea-shopfloor-collections'].
$matchesType = ($allowedTypes -contains '*')
if (-not $matchesType) {
foreach ($t in $allowedTypes) {
if ($myNames.Contains($t)) { $matchesType = $true; break }
foreach ($g in $aliasGroups) {
if ($g -icontains $t) {
foreach ($x in $g) { if ($myNames.Contains($x)) { $matchesType = $true; break } }
if ($app.PCTypesStrict) {
foreach ($t in $allowedTypes) {
if (($pcType -ieq $t) -or ($pcProfileKey -ieq $t)) { $matchesType = $true; break }
}
} else {
foreach ($t in $allowedTypes) {
if ($myNames.Contains($t)) { $matchesType = $true; break }
foreach ($g in $aliasGroups) {
if ($g -icontains $t) {
foreach ($x in $g) { if ($myNames.Contains($x)) { $matchesType = $true; break } }
}
if ($matchesType) { break }
}
if ($matchesType) { break }
}
}
}