# 09-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM). Ongoing enforcement is handled by GE-Enforce
# (registered separately in Run-ShopfloorSetup.ps1) reading cmm/manifest.json
# from the tsgwp00525 share.
#
# Sequence:
#   1.   Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
#        is an off-by-default optional feature).
#   2.   Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json,
#        filtered to the PC-DMIS version in C:\Enrollment\cmm\version.txt
#        when that file is present.
#   2.5. Grant BUILTIN\Users Modify on PC-DMIS install dirs (Hexagon-documented
#        approach for non-admin runtime).
#   2.6. Launch each installed PC-DMIS once in the elevated imaging context so
#        its first-run initialization completes before lockdown.
#   2.7. Seed the goCMM registry values and grant BUILTIN\Users write on the key.
#   3.   Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers -
#        but only once every manifest entry detects as installed, so a
#        self-resumed re-run still has the installers to finish with.
#
# Library lookup: the imaging-time install uses the common Install-FromManifest
# library at ..\common\lib\Install-FromManifest.ps1 (relative to $PSScriptRoot).
#
# Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
#
# Every step is best-effort: failures are logged as WARN/ERROR and the script
# moves on, so one broken component never blocks the rest of imaging.

$ErrorActionPreference = 'Continue'

# Bootstrap staging laid down by startnet.cmd, and the manifest inside it.
$stagingRoot = 'C:\CMM-Install'
$stagingMani = Join-Path $stagingRoot 'cmm-manifest.json'

# Shared installer library, resolved relative to this script's location.
$libSource = Join-Path $PSScriptRoot '..\common\lib\Install-FromManifest.ps1'

# Log locations: install.log is written by the library, the transcript by us.
$logDir        = 'C:\Logs\CMM'
$logFile       = Join-Path $logDir 'install.log'
$transcriptLog = Join-Path $logDir '09-Setup-CMM.log'

if (-not (Test-Path -LiteralPath $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}

# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level. Lets a tech open C:\Logs\CMM\09-Setup-CMM.log
# and see the entire CMM-type setup run without scrolling through the
# monolithic shopfloor-setup.log.
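try { Start-Transcript -Path $transcriptLog -Append -Force | Out-Null } catch { }

#######################################
# Timestamped console logger for this script (picked up by the transcript).
# Arguments: $Message - text to log
#            $Level   - severity tag; defaults to 'INFO', callers also pass
#                       'WARN' and 'ERROR'
# Outputs:   one "[stamp] [Level] Message" line via Write-Host
#######################################
function Write-CMMLog {
    param(
        [string]$Message,
        [string]$Level = 'INFO'
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Write-Host "[$stamp] [$Level] $Message"
}

Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"

# Status push to PXE webapp - best-effort, never blocks imaging.
$pxeStatusLib = Join-Path $PSScriptRoot '..\Shopfloor\lib\Send-PxeStatus.ps1'
if (Test-Path $pxeStatusLib) {
    try {
        . $pxeStatusLib
        Send-PxeStatus -Stage '09-Setup-CMM: starting' -StageIndex 3 -StageTotal 8
    } catch { }
}

# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt', 'pc-subtype.txt', 'machine-number.txt')) {
    $path = "C:\Enrollment\$file"
    if (Test-Path -LiteralPath $path) {
        # [string] cast: Get-Content yields $null for an empty file and
        # $null.Trim() throws; an empty file now logs as an empty value.
        $content = ([string](Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue)).Trim()
        Write-CMMLog " $file = $content"
    } else {
        Write-CMMLog " $file = (not present)"
    }
}

if (Test-Path $stagingRoot) {
    $bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
    Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
    foreach ($f in $bootstrapFiles) {
        Write-CMMLog " - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
    }
} else {
    Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}

# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components.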
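# On Win10/Win11 it's an optional Windows feature that is OFF by default.
# Enable-WindowsOptionalFeature pulls the payload from Windows Update when the
# PC has internet; sources from the installed Windows image otherwise.
# Idempotent (no-op if already enabled). We swallow failures because if
# internet and media are both unavailable this becomes a known gap rather than
# an imaging blocker - we'd still rather try to install PC-DMIS and surface the
# real failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
    $netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    if ($netfx.State -eq 'Enabled') {
        Write-CMMLog " .NET 3.5 already enabled"
    } else {
        Write-CMMLog " .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
        $result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
        Write-CMMLog " Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
    }
} catch {
    Write-CMMLog " Failed to enable .NET 3.5: $_" "WARN"
    Write-CMMLog " Continuing anyway - PC-DMIS installers will surface any hard dependency."
}

# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
# PC type/subtype from enrollment. Read BEFORE the guard chain so Step 3's
# cleanup gate can honor PCTypes filters even when the install itself is
# skipped (previously these were only set inside the else branch and Step 3
# saw $null). [string] cast: Get-Content yields $null for an empty file and
# $null.Trim() throws.
$pcType    = ''
$pcSubType = ''
if (Test-Path -LiteralPath 'C:\Enrollment\pc-type.txt') {
    $pcType = ([string](Get-Content -LiteralPath 'C:\Enrollment\pc-type.txt' -First 1 -EA 0)).Trim()
}
if (Test-Path -LiteralPath 'C:\Enrollment\pc-subtype.txt') {
    $pcSubType = ([string](Get-Content -LiteralPath 'C:\Enrollment\pc-subtype.txt' -First 1 -EA 0)).Trim()
}

if (-not (Test-Path $stagingRoot)) {
    Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
    Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
} elseif (-not (Test-Path $stagingMani)) {
    Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
} elseif (-not (Test-Path $libSource)) {
    Write-CMMLog "Shared library not found at $libSource" "ERROR"
} else {
    # Read resolved PC-DMIS version from bay-config (written by
    # resolve-cmm-bay-config.ps1 via startnet.cmd). If missing, install all
    # PC-DMIS versions (legacy behavior for bays imaged before the picker).
    $cmmVersion     = ''
    $cmmVersionFile = 'C:\Enrollment\cmm\version.txt'
    if (Test-Path -LiteralPath $cmmVersionFile) {
        $cmmVersion = ([string](Get-Content -LiteralPath $cmmVersionFile -First 1 -EA 0)).Trim()
    }
    Write-CMMLog "Resolved CMM version: $(if ($cmmVersion) { $cmmVersion } else { '(none - installing all)' })"

    # Filter manifest: drop entries whose _CmmVersion doesn't match the
    # resolved version. Entries without _CmmVersion always pass (CLM, goCMM,
    # Protect Viewer, DODA). Write a temp filtered manifest for the lib.
    if ($cmmVersion) {
        try {
            $cfg = Get-Content -LiteralPath $stagingMani -Raw | ConvertFrom-Json
            $filtered = @($cfg.Applications | Where-Object {
                (-not $_._CmmVersion) -or ($_._CmmVersion -ieq $cmmVersion)
            })
            $skipped = @($cfg.Applications | Where-Object {
                $_._CmmVersion -and ($_._CmmVersion -ine $cmmVersion)
            })
            foreach ($s in $skipped) {
                # $s, not $_: $_ is not bound inside a foreach statement, so the
                # previous "$($_._CmmVersion)" always logged an empty version.
                Write-CMMLog " Skipping $($s.Name) (_CmmVersion=$($s._CmmVersion) != $cmmVersion)"
            }
            $cfg.Applications = $filtered
            $filteredMani = Join-Path $stagingRoot 'cmm-manifest-filtered.json'
            $cfg | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $filteredMani -Encoding UTF8
            Write-CMMLog "Filtered manifest: $($filtered.Count) entries (from $($filtered.Count + $skipped.Count))"
            # Step 3's cleanup gate reads $stagingMani too, so it checks the
            # same filtered set that was actually installed.
            $stagingMani = $filteredMani
        } catch {
            Write-CMMLog "Version filter failed: $_ - using unfiltered manifest" 'WARN'
        }
    }

    Write-CMMLog "Running Install-FromManifest against $stagingRoot (PCType=$pcType, PCSubType=$pcSubType)"
    & $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile -PCType $pcType -PCSubType $pcSubType
    # NOTE(review): $LASTEXITCODE is only set by a native exe or by a script
    # that calls `exit N`. If Install-FromManifest.ps1 returns normally this is
    # a stale value (or $null) - confirm against the library before using $rc
    # for anything beyond logging.
    $rc = $LASTEXITCODE
    Write-CMMLog "Install-FromManifest returned $rc"
}

# ============================================================================
# Step 2.5: Grant Users write access to PC-DMIS install directories
# ============================================================================
# PC-DMIS writes settings, probe configs, and measurement data to its own
# install directory at runtime. Without Modify permission for BUILTIN\Users,
# non-admin accounts get a UAC elevation prompt on every launch. Granting
# the ACL here is the Hexagon-documented approach for non-admin deployment.
# Step 2.6 below handles the required first-run-as-admin initialization.
#
# Trade-off to keep in mind: Modify on the whole install dir also covers
# PCDLRN.exe and its DLLs, so the binaries lose the write protection that
# Program Files normally gives them and any interactive user could alter them.
# If Hexagon documents which subfolders actually need write access, narrowing
# the grant to those data paths removes that exposure.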
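$pcdmisDirs = @(
    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
    'C:\Program Files\Hexagon\PC-DMIS 2026.1 64-bit',
    'C:\ProgramData\Hexagon',
    'C:\Program Files (x86)\General Electric\goCMM',
    'C:\Apps\DODA'
)
foreach ($dir in $pcdmisDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $dir
        # Modify for Users, inherited by every subfolder and file under $dir.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        )
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
        Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
    } catch {
        Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
    }
}

# ============================================================================
# Step 2.6: First-run-as-admin for each installed PC-DMIS version
# ============================================================================
# PC-DMIS performs one-time initialization on first launch (COM registration,
# config file creation, internal setup). This must happen with admin rights
# before the PPKG locks the machine down. Launch each installed version,
# wait for it to initialize, then kill it.
$pcdmisExes = @(
    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit\PCDLRN.exe',
    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit\PCDLRN.exe',
    'C:\Program Files\Hexagon\PC-DMIS 2026.1 64-bit\PCDLRN.exe'
)
foreach ($exe in $pcdmisExes) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    # Version label = the install folder name (e.g. "PC-DMIS 2019 R2 64-bit").
    $ver = Split-Path (Split-Path $exe -Parent) -Leaf
    Write-CMMLog "First-run init: launching $ver"
    try {
        $proc = Start-Process -FilePath $exe -PassThru -ErrorAction Stop
        # Fixed wait rather than WaitForExit: the app is expected to stay up,
        # and a launcher that exits early should still get the full window.
        $initTimeout = 45
        Write-CMMLog " PID $($proc.Id) started, waiting ${initTimeout}s for initialization..."
        Start-Sleep -Seconds $initTimeout
        if (-not $proc.HasExited) {
            $proc.Kill()
            $proc.WaitForExit(10000)
            Write-CMMLog " Killed after ${initTimeout}s (first-run init complete)"
        } else {
            Write-CMMLog " Exited on its own (exit $($proc.ExitCode))"
        }
    } catch {
        Write-CMMLog " First-run launch failed: $_" 'WARN'
    }
}

# ============================================================================
# Step 2.7: Seed goCMM registry path values + grant Users write on the key
# ============================================================================
# goCMM (.NET x86 WPF app) stores its config in the registry at
# HKLM\SOFTWARE\WOW6432Node\General Electric\goCMM (32-bit MSI / 32-bit
# process, so install seed and runtime reads both land in the WOW6432Node
# view). A capture from a working CMM4 bay shows the two values that matter:
#   Shared Data Directory = C:\geaofi\                                          (constant)
#   Selected Part Group   = \\tsgwp00525.wjs.geaerospace.net\SHARED\CMM\CMM4\Spool (per-bay UNC)
# i.e. the PER-BAY program path is "Selected Part Group" (a UNC to the
# tsgwp00525 SHARED share), and "Shared Data Directory" is the constant local
# C:\geaofi\. Both live in HKLM, so a non-admin shopfloor user cannot set
# them (nor save a part-group switch) without elevation. So in admin context
# we: seed both values, and grant BUILTIN\Users write on the key so runtime
# switches succeed without UAC. Mirrors Step 2.5 (install-dir ACL grant).
$goCmmKey = 'HKLM:\SOFTWARE\WOW6432Node\General Electric\goCMM'

# Constant local data dir on every bay.
$goCmmDataDir = 'C:\geaofi\'

# Host that S: maps to. Selected Part Group is stored as a UNC to this host's
# SHARED share. Kept in one place so a domain/host change is a one-line edit.
$partGroupShareRoot = '\\tsgwp00525.wjs.geaerospace.net\SHARED'

# Per-bay part group, resolved by resolve-cmm-bay-config.ps1 into
# C:\Enrollment\cmm\partgroup.txt as a friendly S:\... path. Convert the S:
# drive prefix to the UNC share root. Get-Content + Trim keeps internal spaces
# (e.g. CMM8 "Venture CMM8"); the value is passed as a single -Value arg,
# never through a command line, so the space cannot split the path.
$partGroup = ''
$pgFile    = 'C:\Enrollment\cmm\partgroup.txt'
if (Test-Path -LiteralPath $pgFile) {
    # [string] cast: an empty file yields $null from Get-Content.
    $raw = ([string](Get-Content -LiteralPath $pgFile -First 1 -EA 0)).Trim()
    if ($raw) {
        # ^S:\ -> \\host\SHARED\ (case-insensitive). Leave non-S: values as-is.
        $partGroup = $raw -replace '(?i)^S:\\', "$partGroupShareRoot\"
        # A value that did not start with S: is seeded verbatim. Flag it so a
        # typo or an unexpected UNC in partgroup.txt shows up in the log
        # instead of silently becoming the share goCMM connects to.
        if ($partGroup -notlike "$partGroupShareRoot\*") {
            Write-CMMLog "partgroup.txt value '$partGroup' is not under $partGroupShareRoot - seeding as-is" 'WARN'
        }
    }
}

if (-not (Test-Path $goCmmKey)) {
    Write-CMMLog "goCMM key absent ($goCmmKey) - goCMM not installed or install failed; creating key so the seed/ACL still land" 'WARN'
    try {
        New-Item -Path $goCmmKey -Force | Out-Null
    } catch {
        Write-CMMLog "Could not create $goCmmKey : $_" 'WARN'
    }
}

# Shared Data Directory (constant)
try {
    New-ItemProperty -Path $goCmmKey -Name 'Shared Data Directory' -Value $goCmmDataDir -PropertyType String -Force | Out-Null
    Write-CMMLog "Set goCMM 'Shared Data Directory' = $goCmmDataDir"
} catch {
    Write-CMMLog "Failed to set goCMM 'Shared Data Directory': $_" 'WARN'
}

# Selected Part Group (per-bay UNC)
if ($partGroup) {
    try {
        New-ItemProperty -Path $goCmmKey -Name 'Selected Part Group' -Value $partGroup -PropertyType String -Force | Out-Null
        Write-CMMLog "Set goCMM 'Selected Part Group' = $partGroup"
    } catch {
        Write-CMMLog "Failed to set goCMM 'Selected Part Group': $_" 'WARN'
    }
} else {
    Write-CMMLog "No partgroup.txt (bay not in bay-config, or manual CMM ID) - leaving 'Selected Part Group' unset" 'WARN'
}

# Grant BUILTIN\Users ReadKey+WriteKey (WriteKey = SetValue + CreateSubKey).
# Registry ACEs use ContainerInherit only (no leaf objects in the registry).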
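if (Test-Path $goCmmKey) {
    try {
        $racl = Get-Acl -Path $goCmmKey
        # Accepted trade-off: with WriteKey any interactive user can repoint
        # these HKLM values, including the UNC goCMM connects to. That is what
        # makes runtime part-group switches work without UAC; changes to this
        # key are worth auditing for the same reason.
        $rrule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Users', 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow'
        )
        $racl.AddAccessRule($rrule)
        Set-Acl -Path $goCmmKey -AclObject $racl -ErrorAction Stop
        Write-CMMLog "Granted BUILTIN\Users write on $goCmmKey"
    } catch {
        Write-CMMLog "Failed to set ACL on $goCmmKey : $_" 'WARN'
    }
}

# ============================================================================
# Step 3: Conditional cleanup of the bootstrap staging dir
# ============================================================================
# Only delete C:\CMM-Install when EVERY manifest entry detected as installed.
# A vendor installer that forces an unplanned mid-install reboot would
# otherwise leave us with no recovery path on the self-resumed re-run
# (Run-ShopfloorSetup's new RunOnce would fire, but Step 2 would log
# "$stagingRoot does not exist" and bail). Leaving the staging dir in
# place until the manifest fully converges means a re-fire just re-runs
# the partial installs and completes.
#
# $stagingMani is the version-filtered manifest when Step 2 produced one, so
# the gate checks the same set that was installed. When the manifest is
# absent there is nothing to verify and $allDetected stays $true - the
# (incomplete) staging dir is then removed rather than retained.
$allDetected = $true
if (Test-Path $stagingMani) {
    try {
        $cfg = Get-Content $stagingMani -Raw | ConvertFrom-Json
        foreach ($app in $cfg.Applications) {
            if (-not $app.DetectionMethod -or -not $app.DetectionPath) { continue }
            # Honor PCTypes filter when checking detection. $pcType/$pcSubType
            # are set in Step 2; if they are empty, PCTypes-scoped entries
            # never match and are not gated here.
            if ($app.PCTypes -and $app.PCTypes.Count -gt 0) {
                $myNames = @($pcType)
                if ($pcSubType) { $myNames += "$pcType-$pcSubType" }
                $match = $false
                foreach ($t in $app.PCTypes) {
                    if ($myNames -contains $t) { $match = $true; break }
                }
                if (-not $match) { continue }   # not applicable to this PC, skip detection
            }
            if (-not (Test-Path $app.DetectionPath)) {
                $allDetected = $false
                Write-CMMLog "Not installed: $($app.Name)"
                break
            }
            if ($app.DetectionName) {
                # Registry-style detection: the named value must exist and,
                # when DetectionValue is given, match it exactly.
                $val = (Get-ItemProperty -Path $app.DetectionPath -Name $app.DetectionName -EA 0).$($app.DetectionName)
                if (-not $val) {
                    $allDetected = $false
                    Write-CMMLog "Not installed (no value): $($app.Name)"
                    break
                }
                if ($app.DetectionValue -and $val -ne $app.DetectionValue) {
                    $allDetected = $false
                    Write-CMMLog "Wrong version: $($app.Name) got $val expected $($app.DetectionValue)"
                    break
                }
            }
        }
    } catch {
        Write-CMMLog "Could not parse manifest for cleanup-gate check: $_" 'WARN'
        # Unparseable manifest: keep the staging dir rather than guess.
        $allDetected = $false
    }
}

if ($allDetected -and (Test-Path $stagingRoot)) {
    Write-CMMLog "All manifest entries installed. Deleting bootstrap staging at $stagingRoot"
    try {
        Remove-Item -LiteralPath $stagingRoot -Recurse -Force -ErrorAction Stop
        Write-CMMLog "Bootstrap cleanup complete"
    } catch {
        Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
    }
} elseif (Test-Path $stagingRoot) {
    Write-CMMLog "Bootstrap staging retained at $stagingRoot (not all entries installed yet - will retry on next self-resumed run)"
}

# Final status push - best-effort like the one at the top; a webapp hiccup
# must not skip the Stop-Transcript below.
if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
    try { Send-PxeStatus -Stage '09-Setup-CMM: complete' -StageIndex 4 -StageTotal 8 } catch { }
}

Write-CMMLog "=== CMM Setup Complete ==="
try { Stop-Transcript | Out-Null } catch { }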