ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
03ed694671d9d03d024d8895970e96fcdb5d04d5
pxe-server/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
cproudlock eb68793e79 Stage 2a: unified GE-Enforce framework + share-root mirror 
Consolidates per-type enforcers (CMM, Keyence, Machine, Common, Acrobat)
into one dispatcher driven by pc-type.txt + site-config and a share-side
manifest layout. Same share is now the single source of truth for routine
software updates without re-imaging.

Runtime:
  common/GE-Enforce.ps1           SYSTEM scheduled task. Reads
                                   common/manifest.json plus optional
                                   <pcType>/manifest.json and
                                   <pcType-subType>/manifest.json.
                                   Dispatches each entry through the lib.
                                   Writes _outputs/logs/<hostname>/status.json
                                   on the share after each cycle for fleet
                                   monitoring.
  common/Register-GEEnforce.ps1   Task registration. Triggers: AtLogOn +
                                   every 5 min (jittered per-PC from
                                   hostname hash) + daily at 05:45,
                                   13:45, 21:45 EST shift windows.
                                   Unregisters legacy per-type tasks on
                                   install so the two coexist at most for
                                   the duration of a single enforce cycle.
  common/Deploy-GEEnforce.ps1     Retrofit helper for already-imaged PCs
                                   (admin-run; copies runtime + registers
                                   task + optional immediate trigger).

Library (common/lib/Install-FromManifest.ps1):
  - New Type values: PS1, BAT, File, Registry, INF
  - New DetectionMethod values: Always, MarkerFile, ValueMatches, pnputil
  - TargetHostnames filter (exact + -like wildcards, ANDed with PCTypes)
  - Schema version check (logs WARN on manifest newer than lib MAJOR)
  - Auto-writes MarkerFile on successful one-shot PS1/BAT/CMD runs
  - MSI log scan on failure surfaces meaningful install errors
  - Lib version bumped 2.0 -> 2.1 for TargetHostnames

Observability:
  common/monitor-fleet-status.py  Scans _outputs/logs/*/status.json for
                                   stale check-ins, failed scopes, and
                                   version drift. Respects scope (dir-name),
                                   PCTypes, and TargetHostnames filters so
                                   entries excluded from a PC do not
                                   false-flag as drift.

Regression harness:
  common/test/                    Parameterized VM harness + README
                                   covering every action type plus
                                   rollback, bad/missing SFLD creds, and
                                   schema versioning.

Imaging integration:
  Run-ShopfloorSetup.ps1 now stages GE-Enforce.ps1 and lib to
  C:\Program Files\GE\Shopfloor\ and invokes Register-GEEnforce.ps1
  at the end of setup. Legacy Register-CommonEnforce invocation is
  kept for the transition; it and the legacy per-type enforcer files
  are dead code once Register-GEEnforce runs and will be removed in a
  dedicated cleanup pass.

Standard-Machine manifest:
  eDNC entry bumped 6.4.3 -> 6.4.5. DetectionValue pinned to the
  4-part FileVersion 6.4.5.0 verified against a fresh install in the
  Win11 analyzer VM. UDC DetectionValue pinned to 1.0.34 (registry
  stores 3-part for UDC; verified live).

scripts/mirror-from-gold.sh:
  Restructured around share-root rsyncs (one pass per Samba share)
  to close gaps in the prior per-subdir layout: winpeapps/_shared/
  Applications (7.5 GB of Adobe + fonts + Java + Office + OpenText
  + printdrivers + wireless + Zscaler), additional winpeapps image
  types, and enrollment flat-layout root files. Adds
  --skip-clonezilla and --skip-reports.

Verified end-to-end in the Win11 analyzer VM:
  - Every action Type and DetectionMethod round-tripped
  - PCTypes filter (Oracle excluded on Shopfloor, Firefox included
    on Shopfloor and DESKTOP-*, excluded elsewhere)
  - TargetHostnames filter (exact, wildcard, no-match)
  - Upgrade path: XML hash bump + fleet re-copy
  - Rollback path: history-archive restore propagates via enforcer,
    fleet converges back without per-PC intervention
  - Status writeback + monitor script drift detection
  - Graceful degradation on bad creds, missing creds, share
    unreachable (all exit 0, log clearly, retry next cycle)

Not in this commit (follow-ups):
  - Retire legacy per-type *-Enforce.ps1 files and simplify
    09-Setup-*.ps1 scripts (coordinated multi-file cleanup)
  - Stage 2b: InUseCheck close-and-reopen, ApplyMode gating,
    UpdateWindow, .apply-now.txt sentinel, BITS pre-staging,
    1618 mutex retry, PostInstallCheck, Uninstall action
  - Management app (manifest CRUD + deploy + rollback + fleet view)
  - ShopFloor autologon persistence bug (deferred for next imaging
    attempt with live registry evidence)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 11:19:23 -04:00

384 lines
17 KiB
PowerShell
Raw Blame History

# Run-ShopfloorSetup.ps1 - Main dispatcher for shopfloor PC type setup.
#
# Flow:
# 1. PreInstall apps (Oracle, VC++, OpenText, UDC) -- from local bundle
# 2. Type-specific scripts (eDNC, ACLs, CMM share apps, etc.)
# 3. Deferred baseline (desktop org, taskbar pins)
# 4. Copy desktop tools (sync_intune, Configure-PC, Set-MachineNumber)
# 5. Run enrollment (PPKG install + wait for completion)
# 6. Register sync_intune as @logon scheduled task
# 7. Reboot -- PPKG file operations complete, sync_intune fires on next logon
#
# Called by the unattend FirstLogonCommands as SupportUser (admin).
# --- Transcript logging ---
$logDir = 'C:\Logs\SFLD'
if (-not (Test-Path $logDir)) {
try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP }
}
$transcriptPath = Join-Path $logDir 'shopfloor-setup.log'
try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {}
Write-Host ""
Write-Host "================================================================"
Write-Host "=== Run-ShopfloorSetup.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
Write-Host " Transcript: $transcriptPath"
Write-Host "================================================================"
Write-Host ""
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
# nukes the lockdown-configured ShopFloor autologon later in the chain.
# The unattend XML's <AutoLogon><LogonCount> handles SupportUser logons;
# the lockdown's Autologon.exe handles ShopFloor. We stay out of it.
# Cancel any pending reboot so it doesn't interrupt setup
cmd /c "shutdown /a 2>nul" *>$null
# Wired NIC state handling moved to sync_intune (Monitor-IntuneProgress.ps1).
# Previously this script prompted the tech to unplug the PXE cable and
# then re-enabled wired adapters interactively - that blocked the whole
# imaging chain on human keypress. The new flow leaves the wired state
# exactly as Order 5 (migrate-to-wifi.ps1) left it:
# - Tower (no WiFi): wired stays enabled, Run-ShopfloorSetup runs on wired.
# - Laptop (WiFi): wired disabled, Run-ShopfloorSetup runs on WiFi.
# Sync_intune re-enables wired at the start of its monitor loop, by which
# time the tech has had ample wall-clock time to physically unplug PXE
# and re-cable into production without blocking the chain on a keypress.
$enrollDir = "C:\Enrollment"
$typeFile = Join-Path $enrollDir "pc-type.txt"
$setupDir = Join-Path $enrollDir "shopfloor-setup"
if (-not (Test-Path $typeFile)) {
Write-Host "No pc-type.txt found - skipping shopfloor setup."
exit 0
}
$pcType = (Get-Content $typeFile -First 1).Trim()
if (-not $pcType) {
Write-Host "pc-type.txt is empty - skipping shopfloor setup."
exit 0
}
$subtypeFile = Join-Path $enrollDir "pc-subtype.txt"
$pcSubType = ''
if (Test-Path $subtypeFile) {
$pcSubType = (Get-Content $subtypeFile -First 1).Trim()
}
Write-Host "Shopfloor PC Type: $pcType$(if ($pcSubType) { " / $pcSubType" })"
# Scripts to skip in the alphabetical baseline loop. Each is either run
# explicitly in the finalization phase below, or invoked internally by
# another script:
#
# 05 - Office shortcuts. Invoked by 06 as Phase 0. Office isn't installed
# until after the PPKG + reboot, so 05 no-ops initially. 06's SYSTEM
# logon task re-runs it on the next boot.
# 06 - Desktop org. Phase 2 needs eDNC/NTLARS on disk (installed by
# type-specific 01-eDNC.ps1). Run in finalization phase.
# 07 - Taskbar pin layout. Reads 06's output. Run in finalization phase.
# 08 - Edge default browser + startup tabs. Invoked by 06 as Phase 4.
# Reads .url files delivered by DSC (after Intune enrollment). 06's
# SYSTEM logon task re-runs it to pick them up.
$skipInBaseline = @(
'05-OfficeShortcuts.ps1',
'06-OrganizeDesktop.ps1',
'07-TaskbarLayout.ps1',
'08-EdgeDefaultBrowser.ps1',
'Check-MachineNumber.ps1',
'Configure-PC.ps1'
)
# Scripts run AFTER type-specific scripts complete. 05 and 08 are NOT
# here because 06 calls them internally as sub-phases.
$runAfterTypeSpecific = @(
'06-OrganizeDesktop.ps1',
'07-TaskbarLayout.ps1'
)
# --- Run Shopfloor baseline scripts first (skipping deferred ones) ---
$baselineDir = Join-Path $setupDir "Shopfloor"
if (Test-Path $baselineDir) {
$scripts = Get-ChildItem -Path $baselineDir -Filter "*.ps1" -File | Sort-Object Name
foreach ($script in $scripts) {
if ($skipInBaseline -contains $script.Name) {
Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)"
continue
}
cmd /c "shutdown /a 2>nul" *>$null
Write-Host "Running baseline: $($script.Name)"
try {
& $script.FullName
} catch {
Write-Warning "Baseline script $($script.Name) failed: $_"
}
}
}
# --- Run type-specific scripts (if not just baseline Shopfloor) ---
if ($pcType -ne "Shopfloor") {
$typeDir = Join-Path $setupDir $pcType
if (Test-Path $typeDir) {
# Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1).
# Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools,
# not installer scripts, and must not auto-run during setup.
$scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File |
Where-Object { $_.Name -match '^\d' } |
Sort-Object Name
foreach ($script in $scripts) {
cmd /c "shutdown /a 2>nul" *>$null
Write-Host "Running $pcType setup: $($script.Name)"
try {
& $script.FullName
} catch {
Write-Warning "Script $($script.Name) failed: $_"
}
}
} else {
Write-Host "No type-specific scripts found for $pcType."
}
}
# --- Finalization: run deferred baseline scripts (desktop org, taskbar pins)
# ---
# These needed to wait until all apps (eDNC, NTLARS, UDC, OpenText) were
# installed by the baseline + type-specific phases above. 06 internally
# calls 05 (Office shortcuts) and 08 (Edge config) as sub-phases, so we
# only need to invoke 06 and 07 explicitly here.
foreach ($name in $runAfterTypeSpecific) {
$script = Join-Path $baselineDir $name
if (-not (Test-Path $script)) {
Write-Warning "Deferred script not found: $script"
continue
}
cmd /c "shutdown /a 2>nul" *>$null
Write-Host "Running deferred baseline: $name"
try {
& $script
} catch {
Write-Warning "Deferred script $name failed: $_"
}
}
Write-Host "Shopfloor setup complete for $pcType."
# --- Copy utility scripts to SupportUser desktop ---
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat', 'Force-Lockdown.bat')) {
$src = Join-Path $setupDir "Shopfloor\$tool"
if (Test-Path $src) {
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force
Write-Host "$tool copied to desktop."
}
}
# Standard-Machine PCs get the UDC/eDNC machine number helper. Timeclock
# PCs do not use a machine number, so the helper has nothing to do there.
if ($pcType -eq "Standard" -and $pcSubType -ne "Timeclock") {
foreach ($helper in @("Set-MachineNumber.bat", "Set-MachineNumber.ps1")) {
$src = Join-Path $setupDir "Standard\$helper"
if (Test-Path $src) {
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$helper" -Force
Write-Host "$helper copied to SupportUser desktop."
}
}
}
# --- Register sync_intune as persistent @logon scheduled task ---
# Must be registered BEFORE enrollment because Install-ProvisioningPackage
# triggers an immediate reboot that kills run-enrollment.ps1. The task
# registration must survive the PPKG reboot, so we do it here while
# Run-ShopfloorSetup.ps1 is still running.
#
# The task fires at every logon until sync_intune detects completion and
# unregisters itself. It monitors Intune enrollment (Phase 1-5), NOT BPRT
# app installs -- BPRT finishes on its own in the background after the
# PPKG reboot, and is irrelevant to the Intune lifecycle.
$taskName = 'Shopfloor Intune Sync'
$monitorScript = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
$configureScript = Join-Path $setupDir 'Shopfloor\Configure-PC.ps1'
if (Test-Path -LiteralPath $monitorScript) {
try {
$action = New-ScheduledTaskAction `
-Execute 'powershell.exe' `
-Argument "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$monitorScript`" -AsTask -ConfigureScript `"$configureScript`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal `
-GroupId 'S-1-5-32-545' `
-RunLevel Limited
$settings = New-ScheduledTaskSettingsSet `
-AllowStartIfOnBatteries `
-DontStopIfGoingOnBatteries `
-StartWhenAvailable `
-ExecutionTimeLimit (New-TimeSpan -Hours 2)
Register-ScheduledTask `
-TaskName $taskName `
-Action $action `
-Trigger $trigger `
-Principal $principal `
-Settings $settings `
-Force `
-ErrorAction Stop | Out-Null
Write-Host "Registered '$taskName' logon task."
} catch {
Write-Warning "Failed to register sync task: $_"
}
} else {
Write-Warning "Monitor-IntuneProgress.ps1 not found at $monitorScript"
}
# Set auto-logon to expire after 4 more logins (2 needed for sync_intune
# pre-reboot + post-reboot, plus 2 margin for unexpected reboots from
# Windows Update, PPKG file operations, or script crashes).
# (AutoLogonCount intentionally not set -- see comment at top of script)
# --- Register cross-PC-type enforcers (Acrobat, etc.) ---
# These run on every logon regardless of PC type, mounting the SFLD share
# for version-pinned app enforcement. Initial install already handled by
# preinstall flow; enforcers only kick in when detection fails.
# --- Re-enable wired NICs once lockdown completes (Phase 6) ---
# migrate-to-wifi.ps1 disables wired NICs so the PPKG runs over WiFi.
# Keep them disabled through the entire Intune sync + DSC + lockdown
# chain so nothing interrupts the WiFi-based enrollment. Only re-enable
# after lockdown lands (Autologon_Remediation.log confirms ShopFloor
# autologon set). Monitor-IntuneProgress runs as Limited and can't call
# Enable-NetAdapter (needs admin). This SYSTEM task fires at logon,
# polls for lockdown completion, re-enables wired NICs, and self-deletes.
$reEnableTask = 'GE Re-enable Wired NICs'
try {
$script = @'
$imeLogs = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$remLog = Join-Path $imeLogs 'Autologon_Remediation.log'
if (-not (Test-Path $remLog)) { exit 0 }
$content = Get-Content $remLog -Raw -ErrorAction SilentlyContinue
if ($content -notmatch 'Autologon set for ShopFloor') { exit 0 }
Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
Where-Object { $_.InterfaceDescription -notmatch 'Wi-?Fi|Wireless|WLAN|802\.11' } |
Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -ErrorAction SilentlyContinue
'@
$scriptPath = 'C:\Program Files\GE\ReEnableNIC.ps1'
if (-not (Test-Path 'C:\Program Files\GE')) {
New-Item -Path 'C:\Program Files\GE' -ItemType Directory -Force | Out-Null
}
Set-Content -Path $scriptPath -Value $script -Force
$reEnableAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$reEnableTrigger = New-ScheduledTaskTrigger -AtLogOn
$reEnableTrigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
-RepetitionInterval (New-TimeSpan -Minutes 5)).Repetition
$reEnablePrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$reEnableSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
-ExecutionTimeLimit (New-TimeSpan -Minutes 2)
Register-ScheduledTask -TaskName $reEnableTask -Action $reEnableAction -Trigger $reEnableTrigger `
-Principal $reEnablePrincipal -Settings $reEnableSettings -Force -ErrorAction Stop | Out-Null
Write-Host "Registered '$reEnableTask' task (waits for SFLD creds, then re-enables wired NICs)."
} catch {
Write-Warning "Failed to register NIC re-enable task: $_"
}
$commonSetupDir = Join-Path $PSScriptRoot 'common'
# --- Register the unified GE-Enforce scheduled task ---
# Replaces the per-type legacy enforcers (CMM-Enforce, Keyence-Enforce,
# Machine-Enforce, Common-Enforce, Acrobat-Enforce). Register-GEEnforce.ps1
# unregisters any of those legacy tasks before creating the new one, so
# running this after the legacy Register-* invocations below is harmless
# and race-free. Once a future repo cleanup retires the legacy Register-*
# scripts entirely, those invocations below can be removed. Until then we
# accept a brief moment of duplicate registration that Register-GEEnforce
# itself resolves.
$registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
if (Test-Path -LiteralPath $registerGE) {
Write-Host ""
Write-Host "=== Registering unified GE Shopfloor enforcer ==="
try {
$enforcerRuntime = Join-Path $commonSetupDir 'GE-Enforce.ps1'
$libSource = Join-Path $commonSetupDir 'lib\Install-FromManifest.ps1'
# Stage enforcer runtime so the scheduled task can reach it post-imaging.
$runtimeDir = 'C:\Program Files\GE\Shopfloor'
$runtimeLib = Join-Path $runtimeDir 'lib'
foreach ($d in @($runtimeDir, $runtimeLib)) {
if (-not (Test-Path $d)) { New-Item -Path $d -ItemType Directory -Force | Out-Null }
}
Copy-Item -LiteralPath $enforcerRuntime -Destination (Join-Path $runtimeDir 'GE-Enforce.ps1') -Force
Copy-Item -LiteralPath $libSource -Destination (Join-Path $runtimeLib 'Install-FromManifest.ps1') -Force
& $registerGE -EnforcerPath (Join-Path $runtimeDir 'GE-Enforce.ps1')
} catch {
Write-Warning "GE-Enforce registration failed: $_"
}
} else {
Write-Host "Register-GEEnforce.ps1 not found - skipping (legacy per-type enforcers remain active)"
}
# Legacy Common enforcer: kept for the transition period; GE-Enforce
# unregisters the task it creates. Remove this block when the legacy
# Common-Enforce.ps1 is retired from the repo.
$registerCommon = Join-Path $commonSetupDir 'Register-CommonEnforce.ps1'
if (Test-Path -LiteralPath $registerCommon) {
Write-Host ""
Write-Host "=== (legacy) Registering Common Apps enforcer - will be superseded by GE-Enforce ==="
try { & $registerCommon } catch { Write-Warning "Common enforce registration failed: $_" }
}
# Map S: drive on user logon for every account in BUILTIN\Users. The
# vendor 'SFLD - Consume Credentials' task is principal-restricted and
# does not fire for the ShopFloor end-user, so this parallel task fills
# the gap. Cross-PC-type because every shopfloor account needs S:.
$registerMapShare = Join-Path $PSScriptRoot 'Shopfloor\Register-MapSfldShare.ps1'
if (Test-Path -LiteralPath $registerMapShare) {
Write-Host ""
Write-Host "=== Registering S: drive logon mapper ==="
try { & $registerMapShare } catch { Write-Warning "Map-SfldShare registration failed: $_" }
} else {
Write-Host "Register-MapSfldShare.ps1 not found (optional) - skipping"
}
# Standard-Machine gets a machine-apps enforcer (UDC, eDNC, NTLARS) that
# replaced the Intune DSC path (DSC has no sub-type awareness and was
# pushing these to Timeclocks). Timeclocks skip this registration.
if ($pcType -eq "Standard" -and $pcSubType -eq "Machine") {
$registerMachine = Join-Path $setupDir "Standard\Register-MachineEnforce.ps1"
if (Test-Path -LiteralPath $registerMachine) {
Write-Host ""
Write-Host "=== Registering Machine-apps enforcer ==="
try { & $registerMachine } catch { Write-Warning "Machine enforce registration failed: $_" }
} else {
Write-Host "Register-MachineEnforce.ps1 not found (optional) - skipping"
}
}
# --- Run enrollment (PPKG install) ---
# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
# an immediate reboot -- everything after this call is unlikely to execute.
# The sync_intune task is already registered above, so the PPKG reboot
# can kill us and the chain continues on the next boot.
$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1'
if (Test-Path -LiteralPath $enrollScript) {
Write-Host ""
Write-Host "=== Running enrollment (PPKG install) ==="
Write-Host "NOTE: PPKG will trigger an immediate reboot. This is expected."
try { Stop-Transcript | Out-Null } catch {}
& $enrollScript
# If we get here, the PPKG didn't reboot (maybe no PPKG file found).
Write-Host "Enrollment returned without rebooting. Rebooting now..."
shutdown /r /t 10
} else {
Write-Host "run-enrollment.ps1 not found - skipping enrollment."
Write-Host ""
Write-Host "================================================================"
Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
Write-Host "================================================================"
try { Stop-Transcript | Out-Null } catch {}
Write-Host "Rebooting in 10 seconds..."
shutdown /r /t 10
}
Reference in New Issue View Git Blame Copy Permalink