pxe-server/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
cproudlock f73f999938 Unified Common-Enforce for cross-type apps, add WJF Defect Tracker
Replaces the Acrobat-only enforcer with a generic Common-Enforce that
handles all cross-PC-type apps from one manifest + one scheduled task
on the SFLD share at \\tsgwp00525\shared\dt\shopfloor\common\apps\.

Renames:
  Acrobat-Enforce.ps1        -> Common-Enforce.ps1
  Register-AcrobatEnforce    -> Register-CommonEnforce
  acrobat-manifest.json      -> common-apps-manifest.json
  common.acrobatSharePath    -> common.commonAppsSharePath
  'GE Acrobat Enforce' task  -> 'GE Common Apps Enforce' task
  C:\Program Files\GE\Acrobat -> C:\Program Files\GE\CommonApps

Register-CommonEnforce cleans up the legacy 'GE Acrobat Enforce' task
if present from a prior image.

WJF Defect Tracker (replaces ClickOnce):
  - Added to preinstall.json (PCTypes=*, fleet-wide imaging-time install)
  - MSI staged on PXE at pre-install/installers/
  - Added to common-apps-manifest with FileVersion detection on
    C:\Program Files\WJF_Defect_Tracker\Defect_Tracker.exe
  - site-config + 06-OrganizeDesktop: shortcut changed from ClickOnce
    'existing' to exe-path pointing at the MSI-installed binary
  - Update workflow: drop new MSI on share, bump DetectionValue

CMM 09-Setup-CMM: added goCMM + DODA to the ACL grant list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 11:13:05 -04:00


# 09-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM), then register a logon-triggered scheduled
# task that runs CMM-Enforce.ps1 for ongoing updates from the share.
#
# Sequence:
# 1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
# is an off-by-default optional feature).
# 2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
# 3. Stage Install-FromManifest.ps1 + CMM-Enforce.ps1 + the manifest to
# C:\Program Files\GE\CMM so the scheduled task has them after imaging.
# 4. Register a SYSTEM scheduled task "GE CMM Enforce" that runs
# CMM-Enforce.ps1 on any user logon.
# 5. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
# The share-side enforcer takes over from here.
#
# Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
# Non-terminating errors are reported and the run continues; each step below
# logs its own failures instead of aborting the whole imaging sequence.
$ErrorActionPreference = 'Continue'

# Bootstrap inputs: the local staging directory and the scripts that ship
# next to this file.
$stagingRoot   = 'C:\CMM-Install'
$stagingMani   = Join-Path -Path $stagingRoot -ChildPath 'cmm-manifest.json'
$libSource     = Join-Path -Path $PSScriptRoot -ChildPath 'lib\Install-FromManifest.ps1'
$enforceSource = Join-Path -Path $PSScriptRoot -ChildPath 'CMM-Enforce.ps1'

# Runtime location the scheduled task runs from after imaging.
$runtimeRoot    = 'C:\Program Files\GE\CMM'
$runtimeLibDir  = Join-Path -Path $runtimeRoot -ChildPath 'lib'
$runtimeLib     = Join-Path -Path $runtimeLibDir -ChildPath 'Install-FromManifest.ps1'
$runtimeEnforce = Join-Path -Path $runtimeRoot -ChildPath 'CMM-Enforce.ps1'

# Log locations: install.log is handed to Install-FromManifest, the other
# file receives this script's transcript.
$logDir        = 'C:\Logs\CMM'
$logFile       = Join-Path -Path $logDir -ChildPath 'install.log'
$transcriptLog = Join-Path -Path $logDir -ChildPath '09-Setup-CMM.log'

if (-not (Test-Path $logDir)) {
    $null = New-Item -Path $logDir -ItemType Directory -Force
}

# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level, so a tech can read the CMM-type setup run on
# its own in C:\Logs\CMM\09-Setup-CMM.log.
try {
    $null = Start-Transcript -Path $transcriptLog -Append -Force
} catch {
    # Best effort: a transcript failure must not stop the setup run.
}
function Write-CMMLog {
    <#
    .SYNOPSIS
    Writes one timestamped, level-tagged line to the host.

    .PARAMETER Message
    Text of the log line.

    .PARAMETER Level
    Severity tag placed in square brackets; defaults to 'INFO'.

    .NOTES
    Output goes through Write-Host only; this function does not write to a
    file itself.
    #>
    param([string]$Message, [string]$Level = 'INFO')

    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Write-Host ('[{0}] [{1}] {2}' -f $timestamp, $Level, $Message)
}
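# Session banner: records the process id and the account this run executes
# under, so the log shows which identity performed the install steps.
Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"
# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt','pc-subtype.txt','machine-number.txt')) {
    $path = "C:\Enrollment\$file"
    if (Test-Path -LiteralPath $path) {
        # Get-Content yields $null for an empty or unreadable file. Calling
        # .Trim() directly on that result raised a null-method error and the
        # file was never mentioned in the log, so check before trimming.
        $firstLine = Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue
        if ($null -ne $firstLine) {
            $content = "$firstLine".Trim()
        } else {
            $content = '(empty or unreadable)'
        }
        Write-CMMLog " $file = $content"
    } else {
        Write-CMMLog " $file = (not present)"
    }
}
# List what the bootstrap staging directory holds (top-level files only),
# or record that it is missing.
if (Test-Path $stagingRoot) {
    $bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
    Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
    foreach ($f in $bootstrapFiles) {
        Write-CMMLog " - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
    }
} else {
    Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}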
# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components. On Win10/
# Win11 it's an optional Windows feature that is OFF by default. Enable-
# WindowsOptionalFeature pulls the payload from Windows Update when the PC
# has internet; sources from the installed Windows image otherwise. Idempotent
# (no-op if already enabled). We swallow failures because if internet and
# media are both unavailable this becomes a known gap rather than an imaging
# blocker - we'd still rather try to install PC-DMIS and surface the real
# failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
    # -ErrorAction Stop turns a failed query into an exception so the catch
    # below handles it.
    $netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    if ($netfx.State -ne 'Enabled') {
        Write-CMMLog " .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
        $enableArgs = @{
            Online      = $true
            FeatureName = 'NetFx3'
            All         = $true
            NoRestart   = $true
            ErrorAction = 'Stop'
        }
        $result = Enable-WindowsOptionalFeature @enableArgs
        Write-CMMLog " Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
    } else {
        Write-CMMLog " .NET 3.5 already enabled"
    }
} catch {
    # Deliberately non-fatal: the failure is logged as a warning and the
    # install steps that follow still run.
    Write-CMMLog " Failed to enable .NET 3.5: $_" "WARN"
    Write-CMMLog " Continuing anyway - PC-DMIS installers will surface any hard dependency."
}
# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
# Check the three prerequisites up front, then either run the installer
# library or log the first prerequisite that is missing.
$stagingPresent  = Test-Path $stagingRoot
$manifestPresent = Test-Path $stagingMani
$libraryPresent  = Test-Path $libSource

if ($stagingPresent -and $manifestPresent -and $libraryPresent) {
    Write-CMMLog "Running Install-FromManifest against $stagingRoot"
    # The manifest and installers under $stagingRoot are executed with the
    # rights of this script, so the staging directory is trusted input.
    & $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile
    # NOTE(review): $LASTEXITCODE reflects this call only if the script exits
    # with an explicit code or a native program ran inside it - confirm.
    $rc = $LASTEXITCODE
    Write-CMMLog "Install-FromManifest returned $rc"
}
elseif (-not $stagingPresent) {
    Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
    Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
}
elseif (-not $manifestPresent) {
    Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
}
else {
    Write-CMMLog "Shared library not found at $libSource" "ERROR"
}
# ============================================================================
# Step 2.5: Grant Users write access to PC-DMIS install directories
# ============================================================================
# PC-DMIS writes settings, probe configs, and measurement data to its own
# install directory at runtime. Without Modify permission for BUILTIN\Users,
# non-admin accounts get a UAC elevation prompt on every launch. Granting
# the ACL here is the Hexagon-documented approach for non-admin deployment
# and avoids the need for a first-run-as-admin (which hits a license dialog
# and can't be automated silently).
# Directories that receive an inheritable Modify grant for BUILTIN\Users.
#
# Security trade-off: Modify with ContainerInherit,ObjectInherit lets every
# member of BUILTIN\Users add or replace files, including executables and
# DLLs, anywhere under these trees. Whatever another account later launches
# from them runs with that account's rights.
# NOTE(review): confirm that no service, scheduled task or admin workflow
# executes binaries from these directories, and consider limiting the grant
# to the settings/data subfolders if the vendor guidance allows it.
$pcdmisDirs = @(
    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
    'C:\ProgramData\Hexagon',
    'C:\Program Files (x86)\General Electric\goCMM',
    'C:\Program Files\DODA'
)
foreach ($dir in $pcdmisDirs) {
    if (Test-Path -LiteralPath $dir) {
        try {
            $acl = Get-Acl -LiteralPath $dir
            # Identity, rights, inheritance flags, propagation flags, type.
            $ruleArgs = @(
                'BUILTIN\Users',
                'Modify',
                'ContainerInherit,ObjectInherit',
                'None',
                'Allow'
            )
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
            # AddAccessRule adds to the ACL just read; existing entries stay.
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
            Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
        } catch {
            Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
        }
    } else {
        # Applications that were not installed are skipped, not treated as errors.
        Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
    }
}
# ============================================================================
# Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
# ============================================================================
# These files survive past the bootstrap cleanup so the logon-triggered
# scheduled task can run them. The manifest is staged as well so the enforcer
# has a fallback in case the share copy is unreachable on first logon.
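Write-CMMLog "Staging runtime scripts to $runtimeRoot"
foreach ($dir in @($runtimeRoot, $runtimeLibDir)) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
}

# NOTE(review): the step comments say the manifest is staged here as a
# fallback, but the original code copied only the two scripts, and Step 5
# deletes the only local copy of the manifest. It is now staged under its
# original file name; confirm CMM-Enforce.ps1 reads the fallback from here.
$runtimeMani = Join-Path $runtimeRoot (Split-Path -Path $stagingMani -Leaf)

# Everything copied below is later run (or read) by a task running as SYSTEM,
# so $runtimeRoot must stay writable by administrators only.
$stagePlan = @(
    @{ Source = $libSource;     Destination = $runtimeLib },
    @{ Source = $enforceSource; Destination = $runtimeEnforce },
    @{ Source = $stagingMani;   Destination = $runtimeMani }
)
foreach ($item in $stagePlan) {
    # A missing source used to surface only as an unlogged Copy-Item error.
    if (-not (Test-Path -LiteralPath $item.Source)) {
        Write-CMMLog "Cannot stage $($item.Source) - source not found" "ERROR"
        continue
    }
    try {
        # -ErrorAction Stop so a failed copy reaches the catch and the log.
        Copy-Item -LiteralPath $item.Source -Destination $item.Destination -Force -ErrorAction Stop
        Write-CMMLog "Staged $($item.Destination)"
    } catch {
        Write-CMMLog "Failed to stage $($item.Source) : $_" "ERROR"
    }
}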
# ============================================================================
# Step 4: Register "GE CMM Enforce" scheduled task (logon trigger, SYSTEM)
# ============================================================================
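$taskName = 'GE CMM Enforce'
# Drop any stale version first so re-imaging is idempotent.
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($existing) {
    Write-CMMLog "Removing existing scheduled task '$taskName'"
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}

# The task is registered either way, but a missing script means every logon
# run will fail until the file is staged - make that visible in the log.
if (-not (Test-Path -LiteralPath $runtimeEnforce)) {
    Write-CMMLog "Enforcer script not found at $runtimeEnforce - the task will fail until it is staged" "WARN"
}

Write-CMMLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
try {
    # The task runs as SYSTEM with -ExecutionPolicy Bypass, so the script at
    # $runtimeEnforce and anything it installs run with full local rights.
    # NOTE(review): confirm that write access to the script directory and to
    # the share content the enforcer consumes is limited to administrators.
    #
    # -ErrorAction Stop on every cmdlet: with $ErrorActionPreference set to
    # 'Continue', a non-terminating failure would skip the catch below and
    # the success line would be logged for a task that was never registered.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`"" `
        -ErrorAction Stop
    $trigger = New-ScheduledTaskTrigger -AtLogOn -ErrorAction Stop
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest -ErrorAction Stop

    $settingsArgs = @{
        AllowStartIfOnBatteries    = $true
        DontStopIfGoingOnBatteries = $true
        StartWhenAvailable         = $true
        ExecutionTimeLimit         = (New-TimeSpan -Hours 2)
        MultipleInstances          = 'IgnoreNew'   # a second logon does not start a parallel run
        ErrorAction                = 'Stop'
    }
    $settings = New-ScheduledTaskSettingsSet @settingsArgs

    $registerArgs = @{
        TaskName    = $taskName
        Action      = $action
        Trigger     = $trigger
        Principal   = $principal
        Settings    = $settings
        Description = 'GE CMM: enforce Hexagon apps against tsgwp00525 SFLD share on user logon'
        ErrorAction = 'Stop'
    }
    Register-ScheduledTask @registerArgs | Out-Null
    Write-CMMLog "Scheduled task registered"
} catch {
    Write-CMMLog "Failed to register scheduled task: $_" "ERROR"
}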
# ============================================================================
# Step 5: Clean up the bootstrap staging dir
# ============================================================================
# ~2 GB reclaimed. From here on, CMM-Enforce.ps1 runs against the tsgwp00525
# share, which is the canonical source for ongoing updates.
# Remove the bootstrap staging tree if it is still present. A failed delete
# is logged as a warning and does not stop the script.
if (Test-Path $stagingRoot) {
    Write-CMMLog "Deleting bootstrap staging at $stagingRoot"
    try {
        $removeArgs = @{
            LiteralPath = $stagingRoot
            Recurse     = $true
            Force       = $true
            ErrorAction = 'Stop'
        }
        Remove-Item @removeArgs
        Write-CMMLog "Bootstrap cleanup complete"
    } catch {
        Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
    }
}

Write-CMMLog "=== CMM Setup Complete ==="

# Close the transcript; ignore the error raised when none is running.
try {
    $null = Stop-Transcript
} catch {
}