ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e17a0564f1dda519b7836e2eabbdb93f20997f0
pxe-server/playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat
cproudlock ce3fbf5a28 sweep: pre-existing drift + matrix UDC entry + ignore 142MB EXE 
Bundles drift left uncommitted from prior sessions and the UDC matrix
verify entry added today.

Drift items (all per session-progress.md, completed in earlier sessions
but never staged):

- playbook/check-bios.cmd (deleted, moved to BIOS/check-bios.cmd)
- playbook/migrate-to-wifi.ps1 (made no-op 2026-04-24 after the dnsmasq
  no-gateway fix removed the wired-NIC race that motivated it)
- playbook/preinstall/oracle/Install-Oracle11r2.cmd (post-OUI .ora copy
  added 2026-04-24)
- playbook/preinstall/oracle/tnsnames.ora (live tnsnames, 469 KB,
  deployed alongside the wrapper 2026-04-24)
- playbook/pxe_server_setup.yml (dnsmasq dhcp-option=3,6 commented,
  Oracle .ora deploy task added 2026-04-24)
- playbook/shopfloor-setup/BIOS/{check-bios.cmd, models.txt} (BIOS
  detection refinements)
- playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat
- playbook/shopfloor-setup/Shopfloor/Monitor-IntuneProgress.ps1
- playbook/shopfloor-setup/Shopfloor/SetShopfloorAutoLogon.bat (new)
- playbook/shopfloor-setup/Shopfloor/09-Install-PrinterInstallerMap.ps1
  (new, places PrinterInstallerMap.exe + Public Desktop shortcut at
  imaging time; manifest entry self-heals on tamper)
- playbook/shopfloor-setup/Shopfloor/lib/Show-IntuneDeviceQR.ps1 (new,
  standalone QR rendering for site that wanted just that piece)
- playbook/shopfloor-setup/gea-shopfloor-collections/{Install-eMxInfo.cmd.template,
  Restore-UDCData.ps1} (these were uncommitted in pre-rename Standard/;
  git mv didn't catch them because they were untracked at the time)
- docs/shopfloor-machine-imaging-guide.md (operator-facing how-to)

Matrix:
- common.test/matrix.json: add UDC verify entry to gea-shopfloor-collections
  row. Surfaces UDC silent-install issue (item H pending) instead of
  letting it pass silently.

.gitignore:
- PrinterInstallerMap.exe (142 MB) excluded. Track via LFS or stage on
  PXE server only - too big for regular git history. Untouched on disk
  so existing local copy still works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 08:49:43 -04:00

82 lines
2.6 KiB
Batchfile
Raw Blame History

@echo off
REM Force-Lockdown.bat - Manual SFLD lockdown trigger for SupportUser.
REM
REM Vendor-documented escape hatch: if the Intune-pushed Lockdown
REM configuration hasn't actually applied within ~30 minutes after the
REM device was added to the Lockdown group, run sfld_autologon.ps1
REM directly as admin to force it.
REM
REM This wrapper exists so the tech doesn't have to remember the path
REM or open an elevated cmd by hand. It self-elevates to admin via UAC.
REM ---- Self-elevate ---------------------------------------------------
net session >nul 2>&1
if %errorLevel% neq 0 (
echo Requesting admin rights...
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)
setlocal
set "SCRIPT=C:\Program Files\Sysinternals\sfld_autologon.ps1"
echo ============================================================
echo Force SFLD Lockdown
echo ============================================================
echo.
echo *** WARNING ***
echo.
echo Do NOT run this script unless an ARTS request has already
echo been submitted and approved for this device.
echo.
echo Forcing lockdown without an ARTS request bypasses the
echo normal Intune Lockdown-group push and will be flagged
echo in the audit trail.
echo.
echo ============================================================
echo Target: %SCRIPT%
echo.
set /p CONFIRM=Type YES (uppercase) to confirm ARTS request is in place:
if /i not "%CONFIRM%"=="YES" (
echo.
echo Cancelled - no action taken.
echo.
pause
exit /b 2
)
echo.
if not exist "%SCRIPT%" (
echo ERROR: %SCRIPT% not found.
echo Sysinternals Autologon PPKG step may not have completed yet.
echo.
pause
exit /b 1
)
echo Running sfld_autologon.ps1 ...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPT%"
set RC=%errorLevel%
REM On success, write a marker that Monitor-IntuneProgress.ps1 (Phase 6 /
REM Get-LockdownState) recognizes as authoritative. Manual lockdown via
REM sfld_autologon.ps1 only flips Winlogon; the Intune Remediation log
REM never gets the "Autologon set for ShopFloor" line because Detection
REM now passes and Remediation never re-runs. The marker tells the monitor
REM to treat (Winlogon registry matches + marker present) as Complete.
if "%RC%"=="0" (
if not exist "C:\Enrollment" mkdir "C:\Enrollment"
> "C:\Enrollment\force-lockdown-applied.txt" echo %DATE% %TIME%
echo Marker written: C:\Enrollment\force-lockdown-applied.txt
)
echo.
echo ============================================================
echo Lockdown script exit code: %RC%
echo ============================================================
echo.
pause
endlocal
Reference in New Issue View Git Blame Copy Permalink