AutoLogonCount depletion:
Run-ShopfloorSetup set AutoLogonCount=4 for SupportUser. Windows
decrements per-logon; at 0 it clears AutoAdminLogon + DefaultPassword,
nuking the lockdown-configured ShopFloor autologon. Fix: delete
AutoLogonCount in Invoke-SetupComplete before the lockdown reboot.
ShopFloor's Autologon.exe-set config persists indefinitely.
Sync_intune window on ShopFloor:
The marker-check path used 'exit 0' but the task runs with -NoExit,
leaving a dangling PowerShell window on every ShopFloor logon. Fix:
[Environment]::Exit(0) kills the host outright, defeating -NoExit.
S: drive mapping:
Vendor ConsumeCredentials.ps1 calls New-StoredCredential -Persist
LocalMachine (needs admin) before net use. ShopFloor is non-admin so
cred-store fails silently and net use has no auth. Fix: new
Map-SfldShare.ps1 reads HKLM creds and passes them inline to
net use /user: -- no Credential Manager needed, works as Limited.
Register-MapSfldShare updated to stage + reference our script.
Wired NIC re-enable:
SYSTEM task polls for SFLD creds (Phase 5), re-enables wired NICs,
self-deletes. Replaces the broken Enable-NetAdapter in Monitor
(Limited principal can't enable NICs). No-WiFi devices unaffected
(migrate-to-wifi never disables, re-enable is a no-op).
Sync throttle:
15 min retrigger when only waiting for lockdown (was 5 min for all
phases). Avoids interrupting the Intune Remediation script.
Defect Tracker path:
All references corrected to C:\Program Files (x86)\WJF_Defect_Tracker.
QR code retry:
Build-QRCodeText retried every poll cycle until DeviceId appears
(was single-shot that could miss the dsregcmd timing window).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces the Acrobat-only enforcer with a generic Common-Enforce that
handles all cross-PC-type apps from one manifest + one scheduled task
on the SFLD share at \\tsgwp00525\shared\dt\shopfloor\common\apps\.
Renames:
Acrobat-Enforce.ps1 -> Common-Enforce.ps1
Register-AcrobatEnforce -> Register-CommonEnforce
acrobat-manifest.json -> common-apps-manifest.json
common.acrobatSharePath -> common.commonAppsSharePath
'GE Acrobat Enforce' task -> 'GE Common Apps Enforce' task
C:\Program Files\GE\Acrobat -> C:\Program Files\GE\CommonApps
Register-CommonEnforce cleans up the legacy 'GE Acrobat Enforce' task
if present from a prior image.
WJF Defect Tracker (replaces ClickOnce):
- Added to preinstall.json (PCTypes=*, fleet-wide imaging-time install)
- MSI staged on PXE at pre-install/installers/
- Added to common-apps-manifest with FileVersion detection on
C:\Program Files\WJF_Defect_Tracker\Defect_Tracker.exe
- site-config + 06-OrganizeDesktop: shortcut changed from ClickOnce
'existing' to exe-path pointing at the MSI-installed binary
- Update workflow: drop new MSI on share, bump DetectionValue
CMM 09-Setup-CMM: added goCMM + DODA to the ACL grant list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
File-existence detection on NTLARS.exe couldn't tell eDNC 6.4.3 from 6.4.4
(both installers leave the same binary in place), so the enforcer skipped
upgrades. FileVersion compares the vendor-stamped FileVersion field on a
named binary against the manifest's DetectionValue with exact-string match.
Added to all three lib copies (common, Standard, CMM). Standard manifest
template flipped to FileVersion against DncMain.exe -- the eDNC main
binary is more reliably version-stamped than the bundled NTLARS sub-tool.
Update workflow now: drop the new vendor MSI on the SFLD share, bump
Installer + DetectionValue in machineapps-manifest.json, next user logon
runs Machine-Enforce which detects mismatch and installs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Needed for eMxInfo.txt (site-specific eDNC config). The file has no
DisplayVersion in the registry and no canonical MSI; we ship it as a
standalone secret on the SFLD share and key drift correction off its
SHA256. When the yearly replacement drops, bump the hash in
machineapps-manifest.json and every Standard-Machine PC catches up on
next logon.
Patched Install-FromManifest in all three copies (CMM, common, Standard)
for consistency. Also adds the eMxInfo.txt entry to the Standard
machineapps-manifest template and an Install-eMxInfo.cmd template that
copies the file into both 32/64-bit eDNC Program Files paths.
Acrobat Reader enforcement:
- playbook/shopfloor-setup/common/ is the cross-PC-type staging dir. Mirrors
CMM/ structure (enforce script + its Install-FromManifest copy + manifest
template + register script).
- Acrobat-Enforce.ps1 runs as SYSTEM on every logon, reads
acrobatSharePath from site-config.common, mounts the SFLD share with
the same HKLM-backed credential lookup CMM-Enforce uses, hands the
acrobat-manifest.json from the share to Install-FromManifest.
- Install-FromManifest extended with Type=CMD so it can invoke vendor-
supplied .cmd wrappers (Install-AcroReader.cmd does a two-step MSI+MSP
install that does not fit MSI/EXE types cleanly). cmd.exe /c wraps it
because UseShellExecute=false cannot launch .cmd directly.
- Register-AcrobatEnforce.ps1 stages scripts to C:\Program Files\GE\Acrobat
and registers "GE Acrobat Enforce" scheduled task. Called from
Run-ShopfloorSetup.ps1 right before the enrollment (PPKG) step so it
applies to every PC type, not just CMM.
- acrobat-manifest.template.json is the repo reference; the authoritative
copy lives on the SFLD share at
\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\acrobat\
Bumping Acrobat updates = drop new MSP on share, bump DetectionValue in
manifest; enforcer catches every PC on next logon.
- site-config.json: add "common": { "acrobatSharePath": ... }. Uses a
new top-level block rather than a PC-type-specific one since Acrobat
applies everywhere.
Initial install still happens via the preinstall flow
(Install-AcroReader.cmd during WinPE). The enforcer is the ongoing-
updates side; on a freshly-imaged PC detection passes and it no-ops.
Also in this commit:
- run-enrollment.ps1: provtool.exe argument syntax fix. First test
returned 0x80004005 E_FAIL in 1s because /ppkg: and /log: are not
valid provtool flags; the cmdlet's internal call used positional
path + /quiet + /source. Switched to that syntax.
