ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Shopfloor imaging: CMM type, Configure-PC override fix, serial drivers

Browse Source 
- CMM imaging pipeline: WinPE-staged bootstrap + on-logon enforcer
  against tsgwp00525 share, manifest-driven installer runner shared via
  Install-FromManifest.ps1. Installs PC-DMIS 2016/2019 R2, CLM 1.8,
  goCMM; enables .NET 3.5 prereq; registers GE CMM Enforce logon task
  for ongoing version enforcement.
- Shopfloor serial drivers: StarTech PCIe serial + Prolific PL2303
  USB-to-serial via Install-Drivers.cmd wrapper calling pnputil
  /add-driver /subdirs /install. Scoped to Standard PCs.
- OpenText extended to CMM/Keyence/Genspect/WaxAndTrace via
  preinstall.json PCTypes; Defect Tracker added to CMM profile
  desktopApps + taskbarPins.
- Configure-PC startup-item toggle now persists across the logon
  sweep via C:\\ProgramData\\GE\\Shopfloor\\startup-overrides.json;
  06-OrganizeDesktop Phase 3 respects suppressed items.
- Get-ProfileValue helper added to Shopfloor/lib/Get-PCProfile.ps1;
  distinguishes explicit empty array from missing key (fixes Lab
  getting Plant Apps in startup because empty array was falsy).
- 06-OrganizeDesktop gains transcript logging at C:\\Logs\\SFLD\\
  06-OrganizeDesktop.log and now deletes the stale Shopfloor Intune
  Sync task when C:\\Enrollment\\sync-complete.txt is present (task
  was registered with Limited principal and couldn't self-unregister).
- startnet.cmd CMM xcopy block (gated on pc-type=CMM) stages the
  bundle to W:\\CMM-Install during WinPE.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-04-11 12:58:47 -04:00
parent bc123c1066
commit ee7d3bad66
17 changed files with 1069 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

331
playbook/shopfloor-setup/CMM/01-Setup-CMM.ps1
View File

@@ -1,173 +1,198 @@
# 01-Setup-CMM.ps1 - CMM-specific setup (runs after Shopfloor baseline)
# 01-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# Installs Hexagon CMM applications from a network share using credentials
# stored in the SFLD registry by SetupCredentials.ps1 (PPKG phase).
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM), then register a logon-triggered scheduled
# task that runs CMM-Enforce.ps1 for ongoing updates from the share.
#
# Unlike Standard PC apps (which are pre-staged locally via preinstall.json
# or pulled from Azure Blob via DSC), CMM apps live on a file share and
# are installed directly from there. The share credentials come from the
# PPKG's YAML config and are already in the registry by the time this
# script runs.
# Sequence:
# 1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
# is an off-by-default optional feature).
# 2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
# 3. Stage Install-FromManifest.ps1 + CMM-Enforce.ps1 + the manifest to
# C:\Program Files\GE\CMM so the scheduled task has them after imaging.
# 4. Register a SYSTEM scheduled task "GE CMM Enforce" that runs
# CMM-Enforce.ps1 on any user logon.
# 5. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
# The share-side enforcer takes over from here.
#
# The share path and app list are read from site-config.json's CMM profile
# when available, with hardcoded West Jefferson defaults as fallback.
#
# PLACEHOLDER: specific app installers (PC-DMIS, CLM License, etc.) are
# not yet finalized. The framework below handles credential lookup, share
# mounting, and has slots for each install step.
# Log: C:\Logs\CMM\01-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
Write-Host "=== CMM Setup ==="
$ErrorActionPreference = 'Continue'
# --- Load site config + PC profile ---
. "$PSScriptRoot\..\Shopfloor\lib\Get-PCProfile.ps1"
$stagingRoot = 'C:\CMM-Install'
$stagingMani = Join-Path $stagingRoot 'cmm-manifest.json'
$libSource = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
$enforceSource = Join-Path $PSScriptRoot 'CMM-Enforce.ps1'
# --- Configuration ---
# Share path for Hexagon CMM installers. Read from profile config,
# fall back to the known West Jefferson path.
$defaultSharePath = '\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\cmm\hexagon\machineapps'
$runtimeRoot = 'C:\Program Files\GE\CMM'
$runtimeLibDir = Join-Path $runtimeRoot 'lib'
$runtimeLib = Join-Path $runtimeLibDir 'Install-FromManifest.ps1'
$runtimeEnforce = Join-Path $runtimeRoot 'CMM-Enforce.ps1'
$sharePath = $defaultSharePath
if ($pcProfile -and $pcProfile.cmmSharePath) {
$sharePath = $pcProfile.cmmSharePath
} elseif ($siteConfig -and $siteConfig.pcProfiles -and $siteConfig.pcProfiles.CMM -and $siteConfig.pcProfiles.CMM.cmmSharePath) {
$sharePath = $siteConfig.pcProfiles.CMM.cmmSharePath
$logDir = 'C:\Logs\CMM'
$logFile = Join-Path $logDir 'install.log'
$transcriptLog = Join-Path $logDir '01-Setup-CMM.log'
if (-not (Test-Path $logDir)) {
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
Write-Host " Share: $sharePath"
# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level. Lets a tech open C:\Logs\CMM\01-Setup-CMM.log
# and see the entire CMM-type setup run without scrolling through the
# monolithic shopfloor-setup.log.
try { Start-Transcript -Path $transcriptLog -Append -Force | Out-Null } catch {}
# ============================================================================
# Credential lookup - reads from HKLM:\SOFTWARE\GE\SFLD\Credentials\*
# Written by SetupCredentials.ps1 during the PPKG phase. We scan all
# credential entries and find one whose TargetHost matches the share's
# server name.
# ============================================================================
function Get-SFLDCredential {
param([string]$ServerName)
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
if (-not (Test-Path $basePath)) {
Write-Warning "SFLD credential registry not found at $basePath"
return $null
}
$entries = Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue
foreach ($entry in $entries) {
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
if (-not $props) { continue }
$targetHost = $props.TargetHost
if (-not $targetHost) { continue }
# Match by hostname (with or without domain suffix)
if ($targetHost -eq $ServerName -or
$targetHost -like "$ServerName.*" -or
$ServerName -like "$targetHost.*") {
return @{
Username = $props.Username
Password = $props.Password
TargetHost = $targetHost
KeyName = $entry.PSChildName
}
}
}
Write-Warning "No SFLD credential found for server '$ServerName'"
return $null
function Write-CMMLog {
param([string]$Message, [string]$Level = 'INFO')
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "[$stamp] [$Level] $Message"
}
# ============================================================================
# Mount the share
# ============================================================================
# Extract server name from UNC path: \\server\share\... -> server
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"
$cred = Get-SFLDCredential -ServerName $serverName
$driveLetter = 'S:'
if ($cred) {
Write-Host " Credential: $($cred.KeyName) (user: $($cred.Username))"
} else {
Write-Host " No credential found for $serverName - attempting guest/current-user access"
}
# Disconnect any stale mapping
net use $driveLetter /delete /y 2>$null | Out-Null
$mountOk = $false
if ($cred -and $cred.Username -and $cred.Password) {
$result = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host " Mounted $sharePath as $driveLetter"
$mountOk = $true
# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt','pc-subtype.txt','machine-number.txt')) {
$path = "C:\Enrollment\$file"
if (Test-Path -LiteralPath $path) {
$content = (Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue).Trim()
Write-CMMLog " $file = $content"
} else {
Write-Warning " net use failed (exit $LASTEXITCODE): $result"
Write-CMMLog " $file = (not present)"
}
}
if (Test-Path $stagingRoot) {
$bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
foreach ($f in $bootstrapFiles) {
Write-CMMLog " - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
}
} else {
# Try without explicit credentials (rely on CredMan or current user)
$result = & net use $driveLetter $sharePath /persistent:no 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host " Mounted $sharePath as $driveLetter (no explicit creds)"
$mountOk = $true
Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}
# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components. On Win10/
# Win11 it's an optional Windows feature that is OFF by default. Enable-
# WindowsOptionalFeature pulls the payload from Windows Update when the PC
# has internet; sources from the installed Windows image otherwise. Idempotent
# (no-op if already enabled). We swallow failures because if internet and
# media are both unavailable this becomes a known gap rather than an imaging
# blocker - we'd still rather try to install PC-DMIS and surface the real
# failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
$netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
if ($netfx.State -eq 'Enabled') {
Write-CMMLog " .NET 3.5 already enabled"
} else {
Write-Warning " net use failed (exit $LASTEXITCODE): $result"
Write-CMMLog " .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
$result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
Write-CMMLog " Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
}
} catch {
Write-CMMLog " Failed to enable .NET 3.5: $_" "WARN"
Write-CMMLog " Continuing anyway - PC-DMIS installers will surface any hard dependency."
}
# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
if (-not (Test-Path $stagingRoot)) {
Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
}
elseif (-not (Test-Path $stagingMani)) {
Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
}
elseif (-not (Test-Path $libSource)) {
Write-CMMLog "Shared library not found at $libSource" "ERROR"
}
else {
Write-CMMLog "Running Install-FromManifest against $stagingRoot"
& $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile
$rc = $LASTEXITCODE
Write-CMMLog "Install-FromManifest returned $rc"
}
# ============================================================================
# Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
# ============================================================================
# These files survive past the bootstrap cleanup so the logon-triggered
# scheduled task can run them. The manifest is staged as well so the enforcer
# has a fallback in case the share copy is unreachable on first logon.
Write-CMMLog "Staging runtime scripts to $runtimeRoot"
foreach ($dir in @($runtimeRoot, $runtimeLibDir)) {
if (-not (Test-Path $dir)) {
New-Item -Path $dir -ItemType Directory -Force | Out-Null
}
}
Copy-Item -Path $libSource -Destination $runtimeLib -Force
Copy-Item -Path $enforceSource -Destination $runtimeEnforce -Force
# ============================================================================
# Step 4: Register "GE CMM Enforce" scheduled task (logon trigger, SYSTEM)
# ============================================================================
$taskName = 'GE CMM Enforce'
# Drop any stale version first so re-imaging is idempotent.
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($existing) {
Write-CMMLog "Removing existing scheduled task '$taskName'"
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}
Write-CMMLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
try {
$action = New-ScheduledTaskAction `
-Execute 'powershell.exe' `
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet `
-AllowStartIfOnBatteries `
-DontStopIfGoingOnBatteries `
-StartWhenAvailable `
-ExecutionTimeLimit (New-TimeSpan -Hours 2) `
-MultipleInstances IgnoreNew
Register-ScheduledTask `
-TaskName $taskName `
-Action $action `
-Trigger $trigger `
-Principal $principal `
-Settings $settings `
-Description 'GE CMM: enforce Hexagon apps against tsgwp00525 SFLD share on user logon' | Out-Null
Write-CMMLog "Scheduled task registered"
} catch {
Write-CMMLog "Failed to register scheduled task: $_" "ERROR"
}
# ============================================================================
# Step 5: Clean up the bootstrap staging dir
# ============================================================================
# ~2 GB reclaimed. From here on, CMM-Enforce.ps1 runs against the tsgwp00525
# share, which is the canonical source for ongoing updates.
if (Test-Path $stagingRoot) {
Write-CMMLog "Deleting bootstrap staging at $stagingRoot"
try {
Remove-Item -LiteralPath $stagingRoot -Recurse -Force -ErrorAction Stop
Write-CMMLog "Bootstrap cleanup complete"
} catch {
Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
}
}
if (-not $mountOk) {
Write-Warning "Cannot access $sharePath - skipping CMM app installs."
Write-Host "=== CMM Setup Complete (share unavailable) ==="
exit 0
}
# ============================================================================
# Install apps from the share
#
# PLACEHOLDER: uncomment and adjust when app details are finalized.
# Each block follows the pattern:
# 1. Find installer on the share
# 2. Run it with silent args
# 3. Check exit code
# 4. Log result
# ============================================================================
$installRoot = $driveLetter
# --- Example: CLM Tools (license manager, install first) ---
# $clm = Get-ChildItem -Path $installRoot -Filter "CLM_*.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
# if ($clm) {
# Write-Host "Installing CLM Tools: $($clm.Name)..."
# $p = Start-Process -FilePath $clm.FullName -ArgumentList "-q -norestart" -Wait -PassThru
# Write-Host " CLM Tools exit code: $($p.ExitCode)"
# } else {
# Write-Warning "CLM Tools installer not found (expected CLM_*.exe)"
# }
# --- Example: PC-DMIS 2016 ---
# $pcdmis16 = Get-ChildItem -Path $installRoot -Filter "Pcdmis2016*x64.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
# if ($pcdmis16) {
# Write-Host "Installing PC-DMIS 2016: $($pcdmis16.Name)..."
# $p = Start-Process -FilePath $pcdmis16.FullName -ArgumentList "-q INSTALLPDFCONVERTER=0 INSTALLOFFLINEHELP=0 HEIP=0 -norestart" -Wait -PassThru
# Write-Host " PC-DMIS 2016 exit code: $($p.ExitCode)"
# } else {
# Write-Warning "PC-DMIS 2016 installer not found"
# }
# --- Example: PC-DMIS 2019 R2 ---
# $pcdmis19 = Get-ChildItem -Path $installRoot -Filter "Pcdmis2019*x64.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
# if ($pcdmis19) {
# Write-Host "Installing PC-DMIS 2019 R2: $($pcdmis19.Name)..."
# $p = Start-Process -FilePath $pcdmis19.FullName -ArgumentList "-q INSTALLPDFCONVERTER=0 INSTALLOFFLINEHELP=0 HEIP=0 -norestart" -Wait -PassThru
# Write-Host " PC-DMIS 2019 exit code: $($p.ExitCode)"
# } else {
# Write-Warning "PC-DMIS 2019 installer not found"
# }
Write-Host " (no apps configured yet - uncomment install blocks when ready)"
# ============================================================================
# Cleanup
# ============================================================================
Write-Host "Disconnecting $driveLetter..."
net use $driveLetter /delete /y 2>$null | Out-Null
Write-Host "=== CMM Setup Complete ==="
Write-CMMLog "=== CMM Setup Complete ==="
try { Stop-Transcript | Out-Null } catch {}

133
playbook/shopfloor-setup/CMM/CMM-Enforce.ps1 Normal file
View File

@@ -0,0 +1,133 @@
# CMM-Enforce.ps1 - On-logon CMM app enforcer (the mini-DSC side).
#
# Runs under a SYSTEM scheduled task triggered at user logon. Mounts the
# tsgwp00525 SFLD share using creds written to HKLM by Azure DSC, reads
# cmm-manifest.json from the share, and hands off to Install-FromManifest.ps1
# which installs anything whose detection fails.
#
# Why logon trigger: shopfloor operators log in at shift start; the PC may
# have been off or DSC may not have provisioned the SFLD creds until the
# Intune side ran post-PPKG. Logon is a natural catch-up point. Once detection
# passes for every app, each run is ~seconds of no-ops.
#
# Why SYSTEM: installers need machine-wide rights and registry access. The
# task is triggered by logon but runs outside the user's session.
#
# Graceful degradation:
# - SFLD creds missing (Azure DSC hasn't run yet) -> log + exit 0
# - Share unreachable (network, VPN) -> log + exit 0
# - Install failure on any one app -> log + continue with the rest
#
# Never returns non-zero to the task scheduler; failures show up in the log.
$ErrorActionPreference = 'Continue'
$installRoot = 'C:\Program Files\GE\CMM'
$libPath = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
$logDir = 'C:\Logs\CMM'
$logFile = Join-Path $logDir ('enforce-{0}.log' -f (Get-Date -Format 'yyyyMMdd'))
$driveLetter = 'S:'
if (-not (Test-Path $logDir)) {
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
function Write-EnforceLog {
param([string]$Message, [string]$Level = 'INFO')
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
Write-Host $line
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
}
Write-EnforceLog "================================================================"
Write-EnforceLog "=== CMM-Enforce session start (PID $PID, user $env:USERNAME) ==="
Write-EnforceLog "================================================================"
# --- Load site-config + pcProfile (for cmmSharePath) ---
# Dot-source the same Get-PCProfile.ps1 used during imaging. It walks
# C:\Enrollment\site-config.json into $pcProfile/$siteConfig script variables.
$getProfileScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Get-PCProfile.ps1'
if (-not (Test-Path $getProfileScript)) {
Write-EnforceLog "Get-PCProfile.ps1 not found at $getProfileScript - is this a CMM PC?" "ERROR"
exit 0
}
. $getProfileScript
if (-not $pcProfile -or -not $pcProfile.cmmSharePath) {
Write-EnforceLog "No cmmSharePath in profile - nothing to enforce" "WARN"
exit 0
}
$sharePath = $pcProfile.cmmSharePath
Write-EnforceLog "Share: $sharePath"
# --- SFLD credential lookup (written by Azure DSC post-PPKG). Bail gracefully
# if the creds haven't been provisioned yet - next logon will retry. ---
function Get-SFLDCredential {
param([string]$ServerName)
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
if (-not (Test-Path $basePath)) { return $null }
foreach ($entry in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
if (-not $props -or -not $props.TargetHost) { continue }
if ($props.TargetHost -eq $ServerName -or
$props.TargetHost -like "$ServerName.*" -or
$ServerName -like "$($props.TargetHost).*") {
return @{
Username = $props.Username
Password = $props.Password
TargetHost = $props.TargetHost
KeyName = $entry.PSChildName
}
}
}
return $null
}
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
$cred = Get-SFLDCredential -ServerName $serverName
if (-not $cred -or -not $cred.Username -or -not $cred.Password) {
Write-EnforceLog "No SFLD credential for $serverName yet (Azure DSC has not provisioned it) - will retry at next logon"
exit 0
}
Write-EnforceLog "Credential: $($cred.KeyName) (user: $($cred.Username))"
# --- Mount the share ---
net use $driveLetter /delete /y 2>$null | Out-Null
$netResult = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
if ($LASTEXITCODE -ne 0) {
Write-EnforceLog "net use failed (exit $LASTEXITCODE): $netResult" "WARN"
Write-EnforceLog "Share unreachable - probably off-network. Will retry at next logon."
exit 0
}
Write-EnforceLog "Mounted $sharePath as $driveLetter"
try {
$manifestOnShare = Join-Path $driveLetter 'cmm-manifest.json'
if (-not (Test-Path $manifestOnShare)) {
Write-EnforceLog "cmm-manifest.json not found on share - nothing to enforce" "WARN"
return
}
if (-not (Test-Path $libPath)) {
Write-EnforceLog "Install-FromManifest.ps1 not found at $libPath" "ERROR"
return
}
Write-EnforceLog "Handing off to Install-FromManifest.ps1 (InstallerRoot=$driveLetter)"
& $libPath -ManifestPath $manifestOnShare -InstallerRoot $driveLetter -LogFile $logFile
$rc = $LASTEXITCODE
Write-EnforceLog "Install-FromManifest returned $rc"
}
finally {
net use $driveLetter /delete /y 2>$null | Out-Null
Write-EnforceLog "Unmounted $driveLetter"
Write-EnforceLog "=== CMM-Enforce session end ==="
}
# Always return 0 so the scheduled task never shows "last run failed" noise.
exit 0

54
playbook/shopfloor-setup/CMM/cmm-manifest.json Normal file
View File

@@ -0,0 +1,54 @@
{
"Version": "1.0",
"_comment": "CMM machine-app manifest. Consumed by both 01-Setup-CMM.ps1 (at imaging time, reading from C:\\CMM-Install\\) and CMM-Enforce.ps1 (on logon, reading from the tsgwp00525 share). Detection uses the WiX Burn bundle Registration GUIDs pulled from each installer's .wixburn PE section + embedded BurnManifest.xml; bumping DetectionValue (and uploading a matching installer) is how IT ships version updates post-imaging. Install order matters: PC-DMIS 2016 first (it chains an older CLM Tools MSI), then PC-DMIS 2019 R2 (chains CLM 1.7), then standalone CLM 1.8.73 (final CLM Admin upgrade), then goCMM. CLM is left unlicensed - a tech activates via clmadmin.exe post-imaging.",
"Applications": [
{
"_comment": "PC-DMIS 2016 - WiX Burn bundle. INSTALLPDFCONVERTER=0 skips Nitro PDF (saves ~100MB, avoids third-party registration). HEIP=0 disables Hexagon telemetry/error reporting. 2016 does not expose INSTALLOFFLINEHELP (added in 2019). Chained MSIs: CLM Tools + PC-DMIS. Chained EXEs: Win Installer 4.5, VS 2010 x64, VS 2012 x64, .NET 4.6.1, PDF Converter.",
"Name": "PC-DMIS 2016",
"Installer": "Pcdmis2016.0_Release_11.0.1179.0_x64.exe",
"Type": "EXE",
"InstallArgs": "/quiet /norestart /log \"C:\\Logs\\CMM\\Pcdmis2016.log\" INSTALLPDFCONVERTER=0 HEIP=0",
"LogFile": "C:\\Logs\\CMM\\Pcdmis2016.log",
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{b3f85c1a-ba25-43d7-a295-7f2775d83526}",
"DetectionName": "DisplayVersion",
"DetectionValue": "11.0.1179.0"
},
{
"_comment": "PC-DMIS 2019 R2 - WiX Burn bundle. INSTALLOFFLINEHELP=0 skips the ~1-2GB offline help content. INSTALLUNIVERSALUPDATER=0 disables Hexagon's auto-updater (keeps the version frozen until IT bumps it here). INSTALLPDFCONVERTER=0 + HEIP=0 same as 2016. Chained MSIs: CLM Tools 1.7, Protect Viewer, PC-DMIS. Chained EXEs: Win Installer 4.5, VS 2012 x64, VS 2015 x64, .NET 4.6.1, PDF Converter, Universal Updater.",
"Name": "PC-DMIS 2019 R2",
"Installer": "Pcdmis2019_R2_14.2.728.0_x64.exe",
"Type": "EXE",
"InstallArgs": "/quiet /norestart /log \"C:\\Logs\\CMM\\Pcdmis2019.log\" INSTALLPDFCONVERTER=0 INSTALLOFFLINEHELP=0 INSTALLUNIVERSALUPDATER=0 HEIP=0",
"LogFile": "C:\\Logs\\CMM\\Pcdmis2019.log",
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4c816d47-9e18-420a-a7d5-0b38ecdabf50}",
"DetectionName": "DisplayVersion",
"DetectionValue": "14.2.728.0"
},
{
"_comment": "CLM Admin 1.8.73 standalone - upgrades the CLM Tools chained from the PC-DMIS bundles to the latest admin tool. Installs after both PC-DMIS versions so its upgrade path is clean. Chained EXE: VS 2015 x64 redist. No license activation at install time - a tech activates via clmadmin.exe (or the CLM Admin desktop shortcut) post-imaging against licensing.wilcoxassoc.com.",
"Name": "CLM 1.8.73",
"Installer": "CLM_1.8.73.0_x64.exe",
"Type": "EXE",
"InstallArgs": "/quiet /norestart /log \"C:\\Logs\\CMM\\CLM.log\"",
"LogFile": "C:\\Logs\\CMM\\CLM.log",
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{a55fecde-0776-474e-a5b3-d57ea93d6a9f}",
"DetectionName": "DisplayVersion",
"DetectionValue": "1.8.73.0"
},
{
"_comment": "goCMM 1.1.6718 - Hexagon's CMM job launcher utility. Chained EXEs: .NET 4.5.1 (NDP451), VC++ x86 redist. Independent of CLM/PC-DMIS, install order doesn't matter but we install it last.",
"Name": "goCMM",
"Installer": "goCMM_1.1.6718.31289.exe",
"Type": "EXE",
"InstallArgs": "/quiet /norestart /log \"C:\\Logs\\CMM\\goCMM.log\"",
"LogFile": "C:\\Logs\\CMM\\goCMM.log",
"DetectionMethod": "Registry",
"DetectionPath": "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{94f02b85-bbca-422e-9b8b-0c16a769eced}",
"DetectionName": "DisplayVersion",
"DetectionValue": "1.1.6710.18601"
}
]
}

270
playbook/shopfloor-setup/CMM/lib/Install-FromManifest.ps1 Normal file
View File

@@ -0,0 +1,270 @@
# Install-FromManifest.ps1 - Generic JSON-manifest installer for CMM apps.
#
# Duplicated (by design, for now) from Shopfloor\00-PreInstall-MachineApps.ps1
# with the Standard-PC-specific bits stripped out:
# - no PCTypes filter (every CMM manifest entry is CMM-only)
# - no site-name / machine-number placeholder replacement
# - no KillAfterDetection shortcut (Hexagon Burn bundles exit cleanly)
#
# A future pass will unify both runners behind one library; keeping them
# separate now avoids touching the Standard PC imaging path.
#
# Called from:
# - 01-Setup-CMM.ps1 at imaging time with InstallerRoot=C:\CMM-Install
# - CMM-Enforce.ps1 on logon with InstallerRoot=<mounted tsgwp00525 share>
#
# Returns via exit code: 0 if every required app is either already installed
# or installed successfully; non-zero if any install failed.
param(
[Parameter(Mandatory=$true)]
[string]$ManifestPath,
[Parameter(Mandatory=$true)]
[string]$InstallerRoot,
[Parameter(Mandatory=$true)]
[string]$LogFile
)
$ErrorActionPreference = 'Continue'
$logDir = Split-Path -Parent $LogFile
if (-not (Test-Path $logDir)) {
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
function Write-InstallLog {
param(
[Parameter(Mandatory=$true, Position=0)]
[string]$Message,
[Parameter(Position=1)]
[ValidateSet('INFO','WARN','ERROR')]
[string]$Level = 'INFO'
)
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$line = "[$stamp] [$Level] $Message"
Write-Host $line
# Synchronous write-through so each line hits disk immediately, mirroring
# the preinstall runner's approach - protects forensic trail if an installer
# triggers a reboot mid-loop.
try {
$fs = New-Object System.IO.FileStream(
$LogFile,
[System.IO.FileMode]::Append,
[System.IO.FileAccess]::Write,
[System.IO.FileShare]::Read,
4096,
[System.IO.FileOptions]::WriteThrough
)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($line + "`r`n")
$fs.Write($bytes, 0, $bytes.Length)
$fs.Flush()
$fs.Dispose()
} catch {
Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}
}
Write-InstallLog "================================================================"
Write-InstallLog "=== Install-FromManifest session start (PID $PID) ==="
Write-InstallLog "Manifest: $ManifestPath"
Write-InstallLog "InstallerRoot: $InstallerRoot"
Write-InstallLog "================================================================"
if (-not (Test-Path -LiteralPath $ManifestPath)) {
Write-InstallLog "Manifest not found: $ManifestPath" "ERROR"
exit 2
}
if (-not (Test-Path -LiteralPath $InstallerRoot)) {
Write-InstallLog "InstallerRoot not found: $InstallerRoot" "ERROR"
exit 2
}
try {
$config = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
} catch {
Write-InstallLog "Failed to parse manifest: $_" "ERROR"
exit 2
}
if (-not $config.Applications) {
Write-InstallLog "No Applications in manifest - nothing to do"
exit 0
}
Write-InstallLog "Manifest lists $($config.Applications.Count) app(s)"
# Detection helper - mirrors the preinstall runner's logic. Registry path +
# optional value name + optional exact value. The exact-value compare is how
# version-pinned drift detection works: bumping DetectionValue in the manifest
# makes the current install "fail" detection and reinstall.
function Test-AppInstalled {
param($App)
if (-not $App.DetectionMethod) { return $false }
try {
switch ($App.DetectionMethod) {
"Registry" {
if (-not (Test-Path $App.DetectionPath)) { return $false }
if ($App.DetectionName) {
$value = Get-ItemProperty -Path $App.DetectionPath -Name $App.DetectionName -ErrorAction SilentlyContinue
if (-not $value) { return $false }
if ($App.DetectionValue) {
return ($value.$($App.DetectionName) -eq $App.DetectionValue)
}
return $true
}
return $true
}
"File" {
return Test-Path $App.DetectionPath
}
default {
Write-InstallLog " Unknown detection method: $($App.DetectionMethod)" "WARN"
return $false
}
}
} catch {
Write-InstallLog " Detection check threw: $_" "WARN"
return $false
}
}
$installed = 0
$skipped = 0
$failed = 0
foreach ($app in $config.Applications) {
# Cancel any pending reboot scheduled by a previous installer, same as the
# preinstall runner. Some Burn bundles schedule a reboot even with /norestart
# (chained bootstrapper ignores the flag for some internal prereqs).
cmd /c "shutdown /a 2>nul" *>$null
Write-InstallLog "==> $($app.Name)"
if (Test-AppInstalled -App $app) {
Write-InstallLog " Already installed at expected version - skipping"
$skipped++
continue
}
$installerPath = Join-Path $InstallerRoot $app.Installer
if (-not (Test-Path -LiteralPath $installerPath)) {
Write-InstallLog " Installer file not found: $installerPath" "ERROR"
$failed++
continue
}
Write-InstallLog " Installing from $installerPath"
if ($app.InstallArgs) {
Write-InstallLog " InstallArgs: $($app.InstallArgs)"
}
try {
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.UseShellExecute = $false
$psi.CreateNoWindow = $true
$psi.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
if ($app.Type -eq "MSI") {
$safeName = $app.Name -replace '[^a-zA-Z0-9]','_'
$msiLog = Join-Path $logDir "msi-$safeName.log"
if (Test-Path $msiLog) { Remove-Item $msiLog -Force -ErrorAction SilentlyContinue }
$psi.FileName = "msiexec.exe"
$psi.Arguments = "/i `"$installerPath`""
if ($app.InstallArgs) { $psi.Arguments += " " + $app.InstallArgs }
$psi.Arguments += " /L*v `"$msiLog`""
Write-InstallLog " msiexec verbose log: $msiLog"
}
elseif ($app.Type -eq "EXE") {
$psi.FileName = $installerPath
if ($app.InstallArgs) { $psi.Arguments = $app.InstallArgs }
if ($app.LogFile) {
Write-InstallLog " Installer log: $($app.LogFile)"
}
}
else {
Write-InstallLog " Unsupported Type: $($app.Type) - skipping" "ERROR"
$failed++
continue
}
# Use Process.Start directly rather than Start-Process because PS 5.1's
# Start-Process -PassThru disposes the process handle when control returns,
# making ExitCode read as $null. Direct Process.Start gives us a live handle.
$proc = [System.Diagnostics.Process]::Start($psi)
# No per-app timeout here - PC-DMIS bundles can run 20+ minutes on slow
# disks and we don't want to kill them mid-chain. The calling script
# controls overall session timing.
$proc.WaitForExit()
$exitCode = $proc.ExitCode
# Burn and MSI exit codes:
# 0 success
# 1641 success, reboot initiated
# 3010 success, reboot pending
if ($exitCode -eq 0 -or $exitCode -eq 1641 -or $exitCode -eq 3010) {
Write-InstallLog " Exit code $exitCode - SUCCESS"
if ($exitCode -eq 3010) { Write-InstallLog " (Reboot pending for $($app.Name))" }
if ($exitCode -eq 1641) { Write-InstallLog " (Installer initiated a reboot for $($app.Name))" }
$installed++
}
else {
Write-InstallLog " Exit code $exitCode - FAILED" "ERROR"
if ($app.Type -eq "EXE" -and $app.LogFile -and (Test-Path $app.LogFile)) {
Write-InstallLog " --- last 30 lines of $($app.LogFile) ---"
Get-Content $app.LogFile -Tail 30 -ErrorAction SilentlyContinue | ForEach-Object {
Write-InstallLog " $_"
}
Write-InstallLog " --- end installer log tail ---"
}
if ($app.Type -eq "MSI" -and $msiLog -and (Test-Path $msiLog)) {
Write-InstallLog " --- meaningful lines from $msiLog ---"
$patterns = @(
'Note: 1: ',
'return value 3',
'Error \d+\.',
'CustomAction .* returned actual error',
'Failed to ',
'Installation failed',
'1: 2262',
'1: 2203',
'1: 2330'
)
$regex = ($patterns -join '|')
$matches = Select-String -Path $msiLog -Pattern $regex -ErrorAction SilentlyContinue |
Select-Object -First 30
if ($matches) {
foreach ($m in $matches) { Write-InstallLog " $($m.Line.Trim())" }
} else {
Get-Content $msiLog -Tail 25 -ErrorAction SilentlyContinue | ForEach-Object {
Write-InstallLog " $_"
}
}
Write-InstallLog " --- end MSI log scan ---"
}
$failed++
}
} catch {
Write-InstallLog " Install threw: $_" "ERROR"
$failed++
}
}
Write-InstallLog "============================================"
Write-InstallLog "Install-FromManifest complete: $installed installed, $skipped skipped, $failed failed"
Write-InstallLog "============================================"
cmd /c "shutdown /a 2>nul" *>$null
if ($failed -gt 0) { exit 1 }
exit 0