ce3fbf5a28
Bundles drift left uncommitted from prior sessions and the UDC matrix
verify entry added today.
Drift items (all per session-progress.md, completed in earlier sessions
but never staged):
- playbook/check-bios.cmd (deleted, moved to BIOS/check-bios.cmd)
- playbook/migrate-to-wifi.ps1 (made no-op 2026-04-24 after the dnsmasq
no-gateway fix removed the wired-NIC race that motivated it)
- playbook/preinstall/oracle/Install-Oracle11r2.cmd (post-OUI .ora copy
added 2026-04-24)
- playbook/preinstall/oracle/tnsnames.ora (live tnsnames, 469 KB,
deployed alongside the wrapper 2026-04-24)
- playbook/pxe_server_setup.yml (dnsmasq dhcp-option=3,6 commented,
Oracle .ora deploy task added 2026-04-24)
- playbook/shopfloor-setup/BIOS/{check-bios.cmd, models.txt} (BIOS
detection refinements)
- playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat
- playbook/shopfloor-setup/Shopfloor/Monitor-IntuneProgress.ps1
- playbook/shopfloor-setup/Shopfloor/SetShopfloorAutoLogon.bat (new)
- playbook/shopfloor-setup/Shopfloor/09-Install-PrinterInstallerMap.ps1
(new, places PrinterInstallerMap.exe + Public Desktop shortcut at
imaging time; manifest entry self-heals on tamper)
- playbook/shopfloor-setup/Shopfloor/lib/Show-IntuneDeviceQR.ps1 (new,
standalone QR rendering for site that wanted just that piece)
- playbook/shopfloor-setup/gea-shopfloor-collections/{Install-eMxInfo.cmd.template,
Restore-UDCData.ps1} (these were uncommitted in pre-rename Standard/;
git mv didn't catch them because they were untracked at the time)
- docs/shopfloor-machine-imaging-guide.md (operator-facing how-to)
Matrix:
- common.test/matrix.json: add UDC verify entry to gea-shopfloor-collections
row. Surfaces UDC silent-install issue (item H pending) instead of
letting it pass silently.
.gitignore:
- PrinterInstallerMap.exe (142 MB) excluded. Track via LFS or stage on
PXE server only - too big for regular git history. Untouched on disk
so existing local copy still works.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Shopfloor enforcer regression tests
Lightweight harness for end-to-end validation of GE-Enforce.ps1 +
Install-FromManifest.ps1 against the v2 staging tree, using the Win11
analyzer VM as a synthetic shopfloor PC.
Files
vm-test-harness.ps1— setup + invocation of GE-Enforce inside the VM. Accepts-PCTypeand-PCSubTypeparameters. CreatesC:\Enrollment\stubs (pc-type.txt, pc-subtype.txt, site-config.json), stages the enforcer runtime from\\192.168.122.1\pxe-images\enforcer-stage\, injects a fake SFLD credential inHKLM:\SOFTWARE\GE\SFLD\Credentials\sambapointing at the host's samba share as if it were tsgwp00525, then runsGE-Enforce.ps1with output captured.
Prereqs
win11libvirt VM running, IP reachable at 192.168.122.210- qemu-guest-agent exec path available (
/tmp/guest-exec.sh) - host samba shares
pxe-images+windows-projectswritable bycampuser - enforcer staged at
/home/camp/pxe-images/enforcer-stage/(viacp <repo>/common/GE-Enforce.ps1 <repo>/common/lib/Install-FromManifest.ps1 /home/camp/pxe-images/enforcer-stage/) - v2 share staging at
/home/camp/pxe-images/tsgwp00525-v2/...
Usage
From the repo root on the host:
# Round 1: Shopfloor scope (exercises common manifest, PCTypes filter for Oracle)
B64=$(iconv -f UTF-8 -t UTF-16LE common/test/vm-test-harness.ps1 | base64 -w0)
/tmp/guest-exec.sh powershell.exe "[\"-NoProfile\",\"-EncodedCommand\",\"$B64\"]"
Or with non-default pcType (wrap in a tiny outer script that sets parameters):
cat > /tmp/round.ps1 <<'EOF'
$PCType = 'Standard'
$PCSubType = 'Machine'
EOF
sed -n '/^param(/,/^)/!p' common/test/vm-test-harness.ps1 >> /tmp/round.ps1
B64=$(iconv -f UTF-8 -t UTF-16LE /tmp/round.ps1 | base64 -w0)
/tmp/guest-exec.sh powershell.exe "[\"-NoProfile\",\"-EncodedCommand\",\"$B64\"]"
What each round validates
| Round | pcType / pcSubType | Exercises |
|---|---|---|
| 1 | Shopfloor / — | common manifest only, PCTypes filter (Oracle skips) |
| 2 | Standard / Machine | common + standard-machine manifests, eDNC upgrade detection, UDC skip, eMxInfo cmd |
| 3 | Keyence / — | common + keyence manifest, VR-6000 MSI detection, pnputil INF detection |
| 4 | Display / — | common + display manifest, kiosk-setup CMD wrapper |
| 5 (composite) | Shopfloor with a corrupted manifest / bad SFLD creds / tampered local XML | graceful-degradation paths + upgrade/rollback via hash mismatch |
See the main repo enforcer design doc (TBD) for scenario details.
Known cleanup after test runs
-
The harness intentionally leaves installed apps in place (Acrobat Reader DC, WJF Defect Tracker, 3OF9 font, Edge site-list XML, Firefox if tested). To reset to a clean baseline, revert the VM to the
clean-baselibvirt snapshot:virsh snapshot-revert win11 clean-base. -
Orphan
msiexec.exeworkers from long-running installs (UDC_Setup, PC-DMIS) can leave the MSI mutex held, blocking the next install with 1619/1618. Between rounds if you hit this:Get-Process -Name msiexec -ErrorAction SilentlyContinue | Stop-Process -ForceNote: a Stage 2b lib improvement is planned to retry once on 1618 after killing stale msiexec processes.