ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0eb52c6a9edbe10abb4e9aec7ffe95db0f4dfc06
pxe-server/docs/shopfloor-machine-imaging-guide.md
cproudlock ce3fbf5a28 sweep: pre-existing drift + matrix UDC entry + ignore 142MB EXE 
Bundles drift left uncommitted from prior sessions and the UDC matrix
verify entry added today.

Drift items (all per session-progress.md, completed in earlier sessions
but never staged):

- playbook/check-bios.cmd (deleted, moved to BIOS/check-bios.cmd)
- playbook/migrate-to-wifi.ps1 (made no-op 2026-04-24 after the dnsmasq
  no-gateway fix removed the wired-NIC race that motivated it)
- playbook/preinstall/oracle/Install-Oracle11r2.cmd (post-OUI .ora copy
  added 2026-04-24)
- playbook/preinstall/oracle/tnsnames.ora (live tnsnames, 469 KB,
  deployed alongside the wrapper 2026-04-24)
- playbook/pxe_server_setup.yml (dnsmasq dhcp-option=3,6 commented,
  Oracle .ora deploy task added 2026-04-24)
- playbook/shopfloor-setup/BIOS/{check-bios.cmd, models.txt} (BIOS
  detection refinements)
- playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat
- playbook/shopfloor-setup/Shopfloor/Monitor-IntuneProgress.ps1
- playbook/shopfloor-setup/Shopfloor/SetShopfloorAutoLogon.bat (new)
- playbook/shopfloor-setup/Shopfloor/09-Install-PrinterInstallerMap.ps1
  (new, places PrinterInstallerMap.exe + Public Desktop shortcut at
  imaging time; manifest entry self-heals on tamper)
- playbook/shopfloor-setup/Shopfloor/lib/Show-IntuneDeviceQR.ps1 (new,
  standalone QR rendering for site that wanted just that piece)
- playbook/shopfloor-setup/gea-shopfloor-collections/{Install-eMxInfo.cmd.template,
  Restore-UDCData.ps1} (these were uncommitted in pre-rename Standard/;
  git mv didn't catch them because they were untracked at the time)
- docs/shopfloor-machine-imaging-guide.md (operator-facing how-to)

Matrix:
- common.test/matrix.json: add UDC verify entry to gea-shopfloor-collections
  row. Surfaces UDC silent-install issue (item H pending) instead of
  letting it pass silently.

.gitignore:
- PrinterInstallerMap.exe (142 MB) excluded. Track via LFS or stage on
  PXE server only - too big for regular git history. Untouched on disk
  so existing local copy still works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 08:49:43 -04:00

11 KiB
Raw Blame History

Shopfloor Machine PC Imaging Guide

Step-by-step for imaging a new (or replacement) shopfloor PC that will sit at a CNC machine and run UDC, eDNC, NTLARS, MTConnect, and the standard shopfloor toolset.

Prerequisites

  • PC connected to the PXE switch (not the production network yet)
  • USB mouse + keyboard connected
  • PXE server is running and reachable (verify by pinging 10.9.100.1 from another PC on the same switch)
  • Target machine number known (e.g., 7605) — you can enter it at PXE time, or use 9999 as a placeholder if the PC will be configured at the bay later
  • ARTS Lockdown request submitted for this PC (or know that you'll submit one mid-imaging)

Step 1: BIOS Configuration

  1. Plug the PC into the KVM.
  2. Power on the PC and begin tapping F12 to bring up the One-Time-Boot menu.
  3. Select BIOS Setup.
  4. Toggle Advanced Setup to ENABLED.
  5. Click Boot Configuration:
    • Verify Enable Secure Boot is ENABLED
    • Verify Enable Microsoft UEFI CA is ENABLED
  6. Click Storage and verify SATA/NVMe Operation is set to AHCI/NVMe.
  7. If this is a Precision Tower: click Security and ENABLE "Start Data Wipe" (wipes existing data on next boot).
  8. Click Apply Changes, then Exit.

Step 2: PXE Boot

  1. Begin tapping F12 again to return to the One-Time-Boot menu.
  2. Verify the network cable is connected to the PXE Server's isolated switch (NOT the production network).
  3. From the One-Time-Boot menu, select ONBOARD NIC (IPV4).
  4. Once the PXE Boot menu appears, select Windows PE (Image Deployment).
  5. WinPE launches with a command prompt that automatically updates the BIOS to the latest version before prompting you to select the image type.

Step 3: Image + Enrollment Selection

  1. WinPE Setup Menu: select 3. GEA Shopfloor.
  2. GCCH Enrollment Profile: select 1. No Office (machine PCs don't need Office).
  3. Shopfloor PC Type: select 6. Standard.
  4. Standard PC Sub-Type: select 1. Machine.
  5. Machine number prompt:
    • If the PC's target bay is known: type the machine number (e.g., 7605) and press Enter.
    • If the bay isn't known yet: just press Enter to use placeholder 9999. You'll set the real number after the PC is physically placed at the bay (see Step 9).

Step 4: Imaging (Automated Phase)

Once GE Image Setup launches:

  1. Click Start.
  2. The process runs unattended through:
    • Disk partition + Windows install
    • PreInstall apps (Oracle Client 11.2, OpenText HostExplorer, VC++ Redists, eDNC if Standard-Machine, UDC, etc.)
    • GE-Enforce framework registration
    • First reboot
  3. Note the Serial Number from the screen — log it in your tracking sheet.
  4. The PC reboots and auto-logs in as SupportUser. The "Shopfloor Intune Sync" PowerShell window opens automatically.

This whole phase takes ~20-40 minutes depending on hardware.

Step 5: Monitor Intune Enrollment

Once the Shopfloor Intune Sync window is open, you'll see a 5-phase status table that refreshes every 30 seconds:

  1. Intune Registration     [WAITING/IN PROGRESS/COMPLETE]
  2. Device Configuration    [WAITING/IN PROGRESS/COMPLETE]
  3. Software Deployment     [WAITING/IN PROGRESS/COMPLETE]
  4. Credential Setup        [WAITING/IN PROGRESS/COMPLETE]
  5. Lockdown                [WAITING/IN PROGRESS/COMPLETE]

Below the table, an Intune Device ID + QR code appears. Scan the QR with your phone to copy the device ID into your ARTS Lockdown request.

What to do at each phase

  • Phase 1 → COMPLETE: a >> Select Device Category in Intune portal hint appears. Action: in Intune, set the Device Category to Shopfloor (or whatever your site uses).
  • Phase 2 → COMPLETE: just keep watching.
  • Phase 3 → IN PROGRESS forever: known issue — the DSC device-config.yaml download is currently failing with a 403. It does NOT block setup-complete — Phases 4 and 5 are independent. Skip ahead.
  • Phase 4 → COMPLETE: SFLD share creds landed in registry. A >> Initiate ARTS Lockdown request hint appears if you haven't already.
  • Phase 5 → COMPLETE: lockdown applied via Intune Remediation. The script auto-fires "Setup Complete" and reboots the PC.

If Phase 5 stays WAITING for >30 minutes after Phase 4 completes, see Step 6.

Step 6: Force Lockdown (only if needed)

If Phase 5 is stuck WAITING for 30+ minutes after Phase 4 completed AND the ARTS Lockdown request is approved:

  1. Open an elevated cmd or PowerShell.
  2. Run: 
    C:\Enrollment\shopfloor-setup\Shopfloor\Force-Lockdown.bat
  3. It self-elevates via UAC, prompts for confirmation: 
    Type YES (uppercase) to confirm ARTS request is in place: YES
  4. The script runs sfld_autologon.ps1, flips Winlogon to ShopFloor autologon, and writes C:\Enrollment\force-lockdown-applied.txt on success.
  5. Within 30 seconds, the Intune Sync window's Phase 5 flips to COMPLETE → "Setup Complete" → reboot.

WARNING: Do NOT run Force-Lockdown without an approved ARTS request. It bypasses the normal Intune Lockdown-group push and will be flagged in the audit trail.

Step 7: Post-Reboot — ShopFloor Autologon Phase

After the lockdown reboot, the PC auto-logs in as ShopFloor (instead of SupportUser).

What happens automatically:

  1. WiFi profile (AESFMA SSID) lands via Intune.
  2. PC connects to AESFMA.
  3. S: drive maps to \\tsgwp00525.wjs.geaerospace.net\shared.
  4. GE Shopfloor Machine Apps Enforce scheduled task fires on logon.
  5. Manifest engine reads \\tsgwp00525\...\common\manifest.json AND \\tsgwp00525\...\standard-machine\manifest.json, evaluates each app entry against current state, runs installer if not detected.
  6. Apps installed/verified: Adobe Acrobat Reader DC, WJF Defect Tracker, 3OF9 barcode font, Edge IE-Mode site list + policy, VNC firewall rule, Oracle Client 11.2, OpenText HostExplorer ShopFloor, UDC, eDNC + NTLARS, eMxInfo.txt, MTConnect Fanuc/OKUMA/Makino/eDNC variants (per machine number).
  7. May take 5-15 minutes on first logon (cold app installs); subsequent logons skip-and-validate in <30 seconds.

You can watch progress in C:\GE Aerospace\machineapps-enforce.log.

Step 8: Move to the Bay

Physically move the PC to its target machine. Plug into the production ethernet (NOT the PXE switch).

If the PC doesn't have an assigned machine number yet, or if you used 9999 placeholder at PXE time, continue to Step 9.

If you entered the real machine number at PXE time, Configure-PC.ps1 already wrote it to UDC, eDNC, the DNC registry, and MTConnect Devices.xml automatically — skip to Step 10.

Step 9: Set Machine Number (only if 9999 placeholder was used)

  1. Log in as SupportUser (admin).
  2. Run from Desktop or Start Menu: 
    Set Machine Number.lnk
    (which calls C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1)
  3. Type the new machine number (digits only) when the GUI prompts.
  4. Click OK. The script:
    • Stops UDC, writes the new number to UDC settings JSON, relaunches UDC
    • Writes the new number to eDNC registry (HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General\MachineNo)
    • Pulls the per-machine eDNC .reg backup from \\tsgwp00525\...\ntlars-backups\<num>.reg (restores eFocas/PPDCS/Hssb config for that machine)
    • Updates MTConnect Devices.xml for any installed agent (Fanuc/Okuma/Makino/eDNC) and restarts the agent service
  5. A summary dialog confirms what was updated.

Step 10: Verify the Machine

Before signing off, confirm the PC is healthy:

# Service health
Get-Service | Where-Object { $_.Name -match '^(MTConnect|Makino|MakinoMTConnect|MTConnect eDNC|MTConnect Adapter|UDC|DNC)' } |
    Format-Table Name, Status, StartType -AutoSize

# Machine number persisted everywhere
"UDC: $((Get-Content 'C:\ProgramData\UDC\udc_settings.json' -Raw | ConvertFrom-Json).GeneralSettings.MachineNumber)"
"eDNC: $((Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General' -Name MachineNo).MachineNo)"

# MTConnect HTTP probe (depends on variant - port 5000 for Fanuc/OKUMA, 5001 for eDNC, 5005 for UDC)
Invoke-WebRequest 'http://localhost:5000/probe' -UseBasicParsing -TimeoutSec 3 | Select StatusCode

# Manifest engine ran cleanly
Get-Content 'C:\GE Aerospace\machineapps-enforce.log' -Tail 20

Expected healthy state:

  • All MTConnect/UDC/DNC services: Running + Auto start type
  • UDC + eDNC machine numbers: match the assigned bay
  • HTTP probe: HTTP 200 with a <MTConnectDevices> XML response
  • Manifest enforce log: ends with evaluation complete: N entries, 0 failures (or similar)

Troubleshooting

Intune Sync window closes by itself

It writes C:\Logs\SFLD\sync_intune_transcript.txt continuously. Open that log to see what it last reported. Re-launch via:

C:\Enrollment\shopfloor-setup\Shopfloor\sync_intune.bat

Phase 3 stuck at IN PROGRESS

Known issue — the DSC blob download is 403'ing right now. Doesn't block setup-complete. If you need DSC's wallpaper / start menu pins / FileSystem actions, escalate to IT to fix the SAS token or storage account firewall on geasfldwestjefferson. Until then, those visual customizations won't appear — operators won't notice if the start menu pins are absent because they're not the primary workflow.

Phase 5 (Lockdown) stays WAITING after 30 minutes

ARTS request is probably still pending. Confirm approval, then run Force-Lockdown.bat (Step 6).

Manifest engine logs show "DllNotFoundException" or "share not reachable"

PC isn't on AESFMA WiFi yet (or WiFi profile hasn't pushed). Wait 5-10 minutes after the post-lockdown reboot. Verify:

(Get-NetConnectionProfile).Name
Test-Path '\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\manifest.json'

If Test-Path returns False, WiFi/auth isn't ready. If True, kick the manifest engine manually:

Start-ScheduledTask -TaskName 'GE Shopfloor Machine Apps Enforce'

MTConnect not running after machine-number set

The wrapper logs land at C:\GE Aerospace\mtc-install-runservice-batconvert.log. Common causes: pre-existing Windows Firewall Block rule (rare), Mark-of-the-Web on copied EXEs (the wrapper's Unblock-File sweep handles this), or the bundle isn't on the SFLD share for this variant. Open the log and grep for ERROR.

Configure-PC machine-number GUI doesn't open

The script needs a desktop session. Won't run via WinRM/SSH/non-interactive. Make sure you're logged in at the console as SupportUser.

Reference

  • PXE server: 10.9.100.1
  • SFLD share: \\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\
  • Manifest engine log: C:\GE Aerospace\machineapps-enforce.log
  • Intune sync transcript: C:\Logs\SFLD\sync_intune_transcript.txt
  • DSC logs: C:\Logs\SFLD\ (DSCDeployment.log, DSCInstall.log, version.txt)
  • Per-app install logs: C:\Logs\SFLD\Install-*.log
  • Force-Lockdown marker: C:\Enrollment\force-lockdown-applied.txt
  • Set-MachineNumber script: C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1
Reference in New Issue View Git Blame Copy Permalink