85278e01bf
Run-ShopfloorSetup.ps1 is copied by startnet.cmd to W:\Enrollment\
(root of Enrollment, NOT inside shopfloor-setup/). So $PSScriptRoot is
W:\Enrollment\. The dot-source path was Join-Path $PSScriptRoot
'Shopfloor\lib\Send-PxeStatus.ps1' which resolves to
W:\Enrollment\Shopfloor\lib\Send-PxeStatus.ps1 - that path does not
exist.
The actual file lands at W:\Enrollment\shopfloor-setup\Shopfloor\lib\
Send-PxeStatus.ps1 (xcopied by startnet from the Shopfloor share dir
into the shopfloor-setup\ subdir). Test-Path returned false, dot-source
silently skipped, Send-PxeStatus was never defined, every Report-Stage
call no-op'd, no log file was written, no POSTs reached the dashboard.
Symptom: bay reaches Windows desktop + runs Run-ShopfloorSetup but
never appears on /imaging dashboard. C:\Logs\send-pxe-status.log does
not exist on the bay.
Fix: add the missing 'shopfloor-setup\' segment so the path resolves
to the actual file location.
09-Setup-*.ps1 use a different relative path ('..\Shopfloor\lib\...')
from inside the per-type dir and were unaffected. Monitor-IntuneProgress
sits in Shopfloor\lib already and uses a sibling lookup - also fine.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
505 lines
24 KiB
PowerShell
505 lines
24 KiB
PowerShell
# Run-ShopfloorSetup.ps1 - Main dispatcher for shopfloor PC type setup.
|
|
#
|
|
# Flow:
|
|
# 1. PreInstall apps (Oracle, VC++, OpenText, UDC) -- from local bundle
|
|
# 2. Type-specific scripts (eDNC, ACLs, CMM share apps, etc.)
|
|
# 3. Deferred baseline (desktop org, taskbar pins)
|
|
# 4. Copy desktop tools (sync_intune, Configure-PC, Set-MachineNumber)
|
|
# 5. Run enrollment (PPKG install + wait for completion)
|
|
# 6. Register sync_intune as @logon scheduled task
|
|
# 7. Reboot -- PPKG file operations complete, sync_intune fires on next logon
|
|
#
|
|
# Called by the unattend FirstLogonCommands as SupportUser (admin).
|
|
|
|
# --- Transcript logging ---
|
|
$logDir = 'C:\Logs\SFLD'
|
|
if (-not (Test-Path $logDir)) {
|
|
try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP }
|
|
}
|
|
$transcriptPath = Join-Path $logDir 'shopfloor-setup.log'
|
|
try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {}
|
|
|
|
Write-Host ""
|
|
Write-Host "================================================================"
|
|
Write-Host "=== Run-ShopfloorSetup.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
|
|
Write-Host " Transcript: $transcriptPath"
|
|
Write-Host "================================================================"
|
|
Write-Host ""
|
|
|
|
# Imaging-progress reporter. Posts coarse stage updates to the PXE webapp
|
|
# at http://10.9.100.1:9009/imaging/status so the operator can watch
|
|
# progress in a browser. Best-effort: failures never block imaging.
|
|
$pxeStatusLib = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Send-PxeStatus.ps1'
|
|
if (Test-Path $pxeStatusLib) {
|
|
try { . $pxeStatusLib } catch { Write-Warning "Send-PxeStatus load failed: $_" }
|
|
}
|
|
function Report-Stage {
|
|
param([string]$Stage, [int]$Index, [int]$Total = 8, [string]$Status = 'in_progress', [string]$Error_ = '')
|
|
if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
|
|
Send-PxeStatus -Stage $Stage -StageIndex $Index -StageTotal $Total -Status $Status -Error_ $Error_
|
|
}
|
|
}
|
|
Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
|
|
|
|
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
|
|
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
|
|
# nukes the lockdown-configured ShopFloor autologon later in the chain.
|
|
# The unattend XML's <AutoLogon><LogonCount> handles SupportUser logons;
|
|
# the lockdown's Autologon.exe handles ShopFloor. We stay out of it.
|
|
|
|
# Cancel any pending reboot so it doesn't interrupt setup
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
|
|
# Wired NIC state handling moved to sync_intune (Monitor-IntuneProgress.ps1).
|
|
# Previously this script prompted the tech to unplug the PXE cable and
|
|
# then re-enabled wired adapters interactively - that blocked the whole
|
|
# imaging chain on human keypress. The new flow leaves the wired state
|
|
# exactly as Order 5 (migrate-to-wifi.ps1) left it:
|
|
# - Tower (no WiFi): wired stays enabled, Run-ShopfloorSetup runs on wired.
|
|
# - Laptop (WiFi): wired disabled, Run-ShopfloorSetup runs on WiFi.
|
|
# Sync_intune re-enables wired at the start of its monitor loop, by which
|
|
# time the tech has had ample wall-clock time to physically unplug PXE
|
|
# and re-cable into production without blocking the chain on a keypress.
|
|
|
|
$enrollDir = "C:\Enrollment"
|
|
$typeFile = Join-Path $enrollDir "pc-type.txt"
|
|
$setupDir = Join-Path $enrollDir "shopfloor-setup"
|
|
|
|
if (-not (Test-Path $typeFile)) {
|
|
Write-Host "No pc-type.txt found - skipping shopfloor setup."
|
|
exit 0
|
|
}
|
|
|
|
$pcType = (Get-Content $typeFile -First 1).Trim()
|
|
if (-not $pcType) {
|
|
Write-Host "pc-type.txt is empty - skipping shopfloor setup."
|
|
exit 0
|
|
}
|
|
|
|
$subtypeFile = Join-Path $enrollDir "pc-subtype.txt"
|
|
$pcSubType = ''
|
|
if (Test-Path $subtypeFile) {
|
|
$pcSubType = (Get-Content $subtypeFile -First 1).Trim()
|
|
}
|
|
|
|
Write-Host "Shopfloor PC Type: $pcType$(if ($pcSubType) { " / $pcSubType" })"
|
|
|
|
# Scripts to skip in the alphabetical baseline loop. Each is either run
|
|
# explicitly in the finalization phase below, or invoked internally by
|
|
# another script:
|
|
#
|
|
# 05 - Office shortcuts. Invoked by 06 as Phase 0. Office isn't installed
|
|
# until after the PPKG + reboot, so 05 no-ops initially. 06's SYSTEM
|
|
# logon task re-runs it on the next boot.
|
|
# 06 - Desktop org. Phase 2 needs eDNC/NTLARS on disk (installed by
|
|
# type-specific 01-eDNC.ps1). Run in finalization phase.
|
|
# 07 - Taskbar pin layout. Reads 06's output. Run in finalization phase.
|
|
# 08 - Edge default browser + startup tabs. Invoked by 06 as Phase 4.
|
|
# Reads .url files delivered by DSC (after Intune enrollment). 06's
|
|
# SYSTEM logon task re-runs it to pick them up.
|
|
$skipInBaseline = @(
|
|
'05-OfficeShortcuts.ps1',
|
|
'06-OrganizeDesktop.ps1',
|
|
'07-TaskbarLayout.ps1',
|
|
'08-EdgeDefaultBrowser.ps1',
|
|
'Check-MachineNumber.ps1',
|
|
'Configure-PC.ps1'
|
|
)
|
|
|
|
# Scripts run AFTER type-specific scripts complete. 05 and 08 are NOT
|
|
# here because 06 calls them internally as sub-phases.
|
|
$runAfterTypeSpecific = @(
|
|
'06-OrganizeDesktop.ps1',
|
|
'07-TaskbarLayout.ps1'
|
|
)
|
|
|
|
# --- Run Shopfloor baseline scripts first (skipping deferred ones) ---
|
|
$baselineDir = Join-Path $setupDir "Shopfloor"
|
|
if (Test-Path $baselineDir) {
|
|
$scripts = Get-ChildItem -Path $baselineDir -Filter "*.ps1" -File | Sort-Object Name
|
|
foreach ($script in $scripts) {
|
|
if ($skipInBaseline -contains $script.Name) {
|
|
Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)"
|
|
continue
|
|
}
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running baseline: $($script.Name)"
|
|
try {
|
|
& $script.FullName
|
|
} catch {
|
|
Write-Warning "Baseline script $($script.Name) failed: $_"
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- PCType dir alias resolution (2026-05-04 rename reorg) -------------
|
|
# Fleet PCs may have pc-type.txt = legacy "Standard"/"CMM"/etc OR new
|
|
# gea-shopfloor-* names. Repo dirs have been renamed to new names; this
|
|
# helper resolves either form to the actual on-disk dir under $setupDir.
|
|
$pcTypeDirAliases = @(
|
|
@('Standard', 'gea-shopfloor-collections', 'gea-shopfloor-nocollections'),
|
|
@('Standard-Machine', 'gea-shopfloor-collections', 'gea-shopfloor-nocollections'),
|
|
@('Standard-Timeclock', 'gea-shopfloor-common'),
|
|
@('CMM', 'gea-shopfloor-cmm'),
|
|
@('Keyence', 'gea-shopfloor-keyence'),
|
|
@('Lab', 'gea-shopfloor-common'),
|
|
@('WaxAndTrace', 'gea-shopfloor-waxtrace'),
|
|
@('Genspect', 'gea-shopfloor-genspect'),
|
|
@('Display', 'gea-shopfloor-display'),
|
|
@('Heattreat', 'gea-shopfloor-heattreat')
|
|
)
|
|
function Resolve-PCTypeDir {
|
|
param([string]$BaseDir, [string]$Name)
|
|
$primary = Join-Path $BaseDir $Name
|
|
if (Test-Path $primary) { return $primary }
|
|
foreach ($g in $pcTypeDirAliases) {
|
|
if ($g -icontains $Name) {
|
|
foreach ($alias in $g) {
|
|
if ($alias -ieq $Name) { continue }
|
|
$candidate = Join-Path $BaseDir $alias
|
|
if (Test-Path $candidate) { return $candidate }
|
|
}
|
|
}
|
|
}
|
|
return $null
|
|
}
|
|
|
|
# --- Run type-specific scripts (if not just baseline Shopfloor) ---
|
|
if ($pcType -ne "Shopfloor") {
|
|
$typeDir = Resolve-PCTypeDir -BaseDir $setupDir -Name $pcType
|
|
if ($typeDir -and (Test-Path $typeDir)) {
|
|
# Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1).
|
|
# Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools,
|
|
# not installer scripts, and must not auto-run during setup.
|
|
$scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File |
|
|
Where-Object { $_.Name -match '^\d' } |
|
|
Sort-Object Name
|
|
foreach ($script in $scripts) {
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running $pcType setup: $($script.Name)"
|
|
try {
|
|
& $script.FullName
|
|
} catch {
|
|
Write-Warning "Script $($script.Name) failed: $_"
|
|
}
|
|
}
|
|
} else {
|
|
Write-Host "No type-specific scripts found for $pcType."
|
|
}
|
|
}
|
|
|
|
# --- Finalization: run deferred baseline scripts (desktop org, taskbar pins)
|
|
# ---
|
|
# These needed to wait until all apps (eDNC, NTLARS, UDC, OpenText) were
|
|
# installed by the baseline + type-specific phases above. 06 internally
|
|
# calls 05 (Office shortcuts) and 08 (Edge config) as sub-phases, so we
|
|
# only need to invoke 06 and 07 explicitly here.
|
|
foreach ($name in $runAfterTypeSpecific) {
|
|
$script = Join-Path $baselineDir $name
|
|
if (-not (Test-Path $script)) {
|
|
Write-Warning "Deferred script not found: $script"
|
|
continue
|
|
}
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running deferred baseline: $name"
|
|
try {
|
|
& $script
|
|
} catch {
|
|
Write-Warning "Deferred script $name failed: $_"
|
|
}
|
|
}
|
|
|
|
Write-Host "Shopfloor setup complete for $pcType."
|
|
|
|
# --- Copy utility scripts to SupportUser desktop ---
|
|
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat', 'Force-Lockdown.bat', 'SetShopfloorAutoLogon.bat')) {
|
|
$src = Join-Path $setupDir "Shopfloor\$tool"
|
|
if (Test-Path $src) {
|
|
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force
|
|
Write-Host "$tool copied to desktop."
|
|
}
|
|
}
|
|
|
|
# Machine-number-using PC types (collections + nocollections, plus their
|
|
# legacy Standard-Machine alias) get the Set-MachineNumber helper on the
|
|
# SupportUser desktop. Timeclock / Lab / common variants don't use a
|
|
# machine number, so the helper has nothing to do there.
|
|
$needsMachineNumberHelper = $false
|
|
if ($pcType -ieq 'Standard' -and $pcSubType -ne 'Timeclock') { $needsMachineNumberHelper = $true }
|
|
if ($pcType -ieq 'gea-shopfloor-collections' -or $pcType -ieq 'gea-shopfloor-nocollections') { $needsMachineNumberHelper = $true }
|
|
if ($needsMachineNumberHelper) {
|
|
$helperSrc = Resolve-PCTypeDir -BaseDir $setupDir -Name 'gea-shopfloor-collections'
|
|
if (-not $helperSrc) { $helperSrc = Resolve-PCTypeDir -BaseDir $setupDir -Name 'Standard' }
|
|
foreach ($helper in @('Set-MachineNumber.bat', 'Set-MachineNumber.ps1')) {
|
|
if ($helperSrc) {
|
|
$src = Join-Path $helperSrc $helper
|
|
if (Test-Path $src) {
|
|
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$helper" -Force
|
|
Write-Host "$helper copied to SupportUser desktop."
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- Register sync_intune as persistent @logon scheduled task ---
|
|
# Must be registered BEFORE enrollment because Install-ProvisioningPackage
|
|
# triggers an immediate reboot that kills run-enrollment.ps1. The task
|
|
# registration must survive the PPKG reboot, so we do it here while
|
|
# Run-ShopfloorSetup.ps1 is still running.
|
|
#
|
|
# The task fires at every logon until sync_intune detects completion and
|
|
# unregisters itself. It monitors Intune enrollment (Phase 1-5), NOT BPRT
|
|
# app installs -- BPRT finishes on its own in the background after the
|
|
# PPKG reboot, and is irrelevant to the Intune lifecycle.
|
|
$taskName = 'Shopfloor Intune Sync'
|
|
$monitorScript = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
|
|
$configureScript = Join-Path $setupDir 'Shopfloor\Configure-PC.ps1'
|
|
|
|
if (Test-Path -LiteralPath $monitorScript) {
|
|
try {
|
|
$action = New-ScheduledTaskAction `
|
|
-Execute 'powershell.exe' `
|
|
-Argument "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$monitorScript`" -AsTask -ConfigureScript `"$configureScript`""
|
|
|
|
$trigger = New-ScheduledTaskTrigger -AtLogOn
|
|
|
|
$principal = New-ScheduledTaskPrincipal `
|
|
-GroupId 'S-1-5-32-545' `
|
|
-RunLevel Limited
|
|
|
|
$settings = New-ScheduledTaskSettingsSet `
|
|
-AllowStartIfOnBatteries `
|
|
-DontStopIfGoingOnBatteries `
|
|
-StartWhenAvailable `
|
|
-ExecutionTimeLimit (New-TimeSpan -Hours 2)
|
|
|
|
Register-ScheduledTask `
|
|
-TaskName $taskName `
|
|
-Action $action `
|
|
-Trigger $trigger `
|
|
-Principal $principal `
|
|
-Settings $settings `
|
|
-Force `
|
|
-ErrorAction Stop | Out-Null
|
|
|
|
Write-Host "Registered '$taskName' logon task."
|
|
} catch {
|
|
Write-Warning "Failed to register sync task: $_"
|
|
}
|
|
} else {
|
|
Write-Warning "Monitor-IntuneProgress.ps1 not found at $monitorScript"
|
|
}
|
|
|
|
# Set auto-logon to expire after 4 more logins (2 needed for sync_intune
|
|
# pre-reboot + post-reboot, plus 2 margin for unexpected reboots from
|
|
# Windows Update, PPKG file operations, or script crashes).
|
|
# (AutoLogonCount intentionally not set -- see comment at top of script)
|
|
|
|
# --- Register cross-PC-type enforcers (Acrobat, etc.) ---
|
|
# These run on every logon regardless of PC type, mounting the SFLD share
|
|
# for version-pinned app enforcement. Initial install already handled by
|
|
# preinstall flow; enforcers only kick in when detection fails.
|
|
# --- Re-enable wired NICs once lockdown completes (Phase 6) ---
|
|
# migrate-to-wifi.ps1 disables wired NICs so the PPKG runs over WiFi.
|
|
# Keep them disabled through the entire Intune sync + DSC + lockdown
|
|
# chain so nothing interrupts the WiFi-based enrollment. Only re-enable
|
|
# after lockdown lands (Autologon_Remediation.log confirms ShopFloor
|
|
# autologon set). Monitor-IntuneProgress runs as Limited and can't call
|
|
# Enable-NetAdapter (needs admin). This SYSTEM task fires at logon,
|
|
# polls for lockdown completion, re-enables wired NICs, and self-deletes.
|
|
$reEnableTask = 'GE Re-enable Wired NICs'
|
|
try {
|
|
$script = @'
|
|
$imeLogs = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
|
|
$remLog = Join-Path $imeLogs 'Autologon_Remediation.log'
|
|
if (-not (Test-Path $remLog)) { exit 0 }
|
|
$content = Get-Content $remLog -Raw -ErrorAction SilentlyContinue
|
|
if ($content -notmatch 'Autologon set for ShopFloor') { exit 0 }
|
|
|
|
# Vendor-agnostic wired-NIC re-enable. NetAdapter "Name" varies wildly
|
|
# ("Ethernet", "Ethernet 2", "Network", per-vendor names like "Realtek
|
|
# Gaming GbE", "Intel(R) Ethernet Connection (10) I219-V") so filtering
|
|
# by Name is unreliable. Filter by PhysicalMediaType instead, with a
|
|
# keyword-negative guard for drivers that mis-report PhysicalMediaType.
|
|
# Captures Realtek, Intel, Broadcom, Marvell, Aquantia, etc.
|
|
Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
|
|
Where-Object {
|
|
$_.HardwareInterface -eq $true -and
|
|
$_.PhysicalMediaType -ne 'Native 802.11' -and
|
|
$_.PhysicalMediaType -ne 'Wireless WAN' -and
|
|
$_.PhysicalMediaType -ne 'BlueTooth' -and
|
|
$_.InterfaceDescription -notmatch '(?i)Wi-?Fi|Wireless|WLAN|802\.11|Bluetooth'
|
|
} |
|
|
Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
|
|
Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -ErrorAction SilentlyContinue
|
|
'@
|
|
$scriptPath = 'C:\Program Files\GE\ReEnableNIC.ps1'
|
|
if (-not (Test-Path 'C:\Program Files\GE')) {
|
|
New-Item -Path 'C:\Program Files\GE' -ItemType Directory -Force | Out-Null
|
|
}
|
|
Set-Content -Path $scriptPath -Value $script -Force
|
|
|
|
$reEnableAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
|
|
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
|
|
$reEnableTrigger = New-ScheduledTaskTrigger -AtLogOn
|
|
$reEnableTrigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
|
|
-RepetitionInterval (New-TimeSpan -Minutes 5)).Repetition
|
|
$reEnablePrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
|
|
$reEnableSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
|
|
-ExecutionTimeLimit (New-TimeSpan -Minutes 2)
|
|
Register-ScheduledTask -TaskName $reEnableTask -Action $reEnableAction -Trigger $reEnableTrigger `
|
|
-Principal $reEnablePrincipal -Settings $reEnableSettings -Force -ErrorAction Stop | Out-Null
|
|
Write-Host "Registered '$reEnableTask' task (waits for SFLD creds, then re-enables wired NICs)."
|
|
} catch {
|
|
Write-Warning "Failed to register NIC re-enable task: $_"
|
|
}
|
|
|
|
$commonSetupDir = Join-Path $setupDir 'common'
|
|
|
|
# --- Register the unified GE-Enforce scheduled task ---
|
|
# Single dispatcher for all PC-type ongoing-update enforcement. Reads
|
|
# per-pctype manifest.json from the tsgwp00525 share and processes
|
|
# common + per-type + per-type-subtype manifests in order.
|
|
#
|
|
# Display PCs are excluded: their kiosk user cannot reach the SFLD
|
|
# share, and everything Display needs (kiosk EXE + Edge policies) is
|
|
# baked at imaging time (preinstall.json Install-KioskApp + 09-Setup-
|
|
# Display.ps1). No ongoing share-dependent enforcement on Displays.
|
|
$noEnforceTypes = @('Display', 'gea-shopfloor-display')
|
|
$registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
|
|
if ($noEnforceTypes -contains $pcType) {
|
|
Write-Host ""
|
|
Write-Host "=== Skipping GE-Enforce registration ($pcType is self-contained) ==="
|
|
} elseif (Test-Path -LiteralPath $registerGE) {
|
|
Write-Host ""
|
|
Write-Host "=== Registering unified GE Shopfloor enforcer ==="
|
|
try {
|
|
$enforcerRuntime = Join-Path $commonSetupDir 'GE-Enforce.ps1'
|
|
$libSource = Join-Path $commonSetupDir 'lib\Install-FromManifest.ps1'
|
|
# Stage enforcer runtime so the scheduled task can reach it post-imaging.
|
|
$runtimeDir = 'C:\Program Files\GE\Shopfloor'
|
|
$runtimeLib = Join-Path $runtimeDir 'lib'
|
|
foreach ($d in @($runtimeDir, $runtimeLib)) {
|
|
if (-not (Test-Path $d)) { New-Item -Path $d -ItemType Directory -Force | Out-Null }
|
|
}
|
|
Copy-Item -LiteralPath $enforcerRuntime -Destination (Join-Path $runtimeDir 'GE-Enforce.ps1') -Force
|
|
Copy-Item -LiteralPath $libSource -Destination (Join-Path $runtimeLib 'Install-FromManifest.ps1') -Force
|
|
& $registerGE -EnforcerPath (Join-Path $runtimeDir 'GE-Enforce.ps1')
|
|
} catch {
|
|
Write-Warning "GE-Enforce registration failed: $_"
|
|
}
|
|
} else {
|
|
Write-Warning "Register-GEEnforce.ps1 not found - no ongoing enforcement will run on this PC"
|
|
}
|
|
|
|
# Map S: drive on user logon for every account in BUILTIN\Users. The
|
|
# vendor 'SFLD - Consume Credentials' task is principal-restricted and
|
|
# does not fire for the ShopFloor end-user, so this parallel task fills
|
|
# the gap. Cross-PC-type because every shopfloor account needs S:.
|
|
# Display PCs skipped: kiosk user has no SFLD creds, S: map would fail
|
|
# every logon. Self-contained Display has no share dependency.
|
|
$registerMapShare = Join-Path $setupDir 'Shopfloor\Register-MapSfldShare.ps1'
|
|
if ($noEnforceTypes -contains $pcType) {
|
|
Write-Host ""
|
|
Write-Host "=== Skipping S: drive logon mapper ($pcType is self-contained) ==="
|
|
} elseif (Test-Path -LiteralPath $registerMapShare) {
|
|
Write-Host ""
|
|
Write-Host "=== Registering S: drive logon mapper ==="
|
|
try { & $registerMapShare } catch { Write-Warning "Map-SfldShare registration failed: $_" }
|
|
} else {
|
|
Write-Host "Register-MapSfldShare.ps1 not found (optional) - skipping"
|
|
}
|
|
|
|
# --- Run enrollment (PPKG install) ---
|
|
# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
|
|
# an immediate reboot -- everything after this call is unlikely to execute.
|
|
# The sync_intune task is already registered above, so the PPKG reboot
|
|
# can kill us and the chain continues on the next boot.
|
|
# ---- Network-handoff gate (BEFORE PPKG) ----
|
|
# PXE imaging LAN has no DHCP gateway by design. Laptops with WiFi auto-
|
|
# connect to corp SSID and get a default route via WiFi - PPKG/AAD/Intune
|
|
# work fine. Towers without WiFi have ONLY the wired link to PXE LAN ->
|
|
# no default route -> AAD + Intune endpoints unreachable -> enrollment
|
|
# stalls -> re-image required (recurring failure mode observed
|
|
# 2026-05-05). Block run-enrollment until tech provides a usable internet
|
|
# path. Cheap to verify, prevents wasted imaging cycles.
|
|
$hasWifi = [bool](Get-NetAdapter -ErrorAction SilentlyContinue |
|
|
Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -or $_.MediaType -like '*802.11*' })
|
|
$hasDefaultRoute = [bool](Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
|
|
if (-not $hasWifi -and -not $hasDefaultRoute) {
|
|
Write-Host ""
|
|
Write-Host "================================================================" -ForegroundColor Red
|
|
Write-Host " STOP - NO USABLE INTERNET PATH" -ForegroundColor Red
|
|
Write-Host "================================================================" -ForegroundColor Red
|
|
Write-Host ""
|
|
Write-Host " This PC has no WiFi adapter and no default route." -ForegroundColor Yellow
|
|
Write-Host " Currently on the PXE imaging LAN, which has no gateway." -ForegroundColor Yellow
|
|
Write-Host " PPKG enrollment WILL fail because AAD + Intune endpoints" -ForegroundColor Yellow
|
|
Write-Host " are unreachable from this network." -ForegroundColor Yellow
|
|
Write-Host ""
|
|
Write-Host " FIX: Plug this PC into a corp wall jack now." -ForegroundColor Cyan
|
|
Write-Host ""
|
|
Write-Host " Verify with: ipconfig" -ForegroundColor Cyan
|
|
Write-Host " A non-blank Default Gateway must show on the wired NIC." -ForegroundColor Cyan
|
|
Write-Host ""
|
|
Write-Host " Press R to retry after moving the cable." -ForegroundColor Cyan
|
|
Write-Host " Press X to abort imaging (no enrollment runs)." -ForegroundColor Cyan
|
|
Write-Host ""
|
|
while ($true) {
|
|
try { $key = ([Console]::ReadKey($true).KeyChar.ToString()).ToUpper() }
|
|
catch { $key = (Read-Host 'Press R or X').Trim().ToUpper() }
|
|
if ($key -eq 'X') {
|
|
Write-Host "Aborted by tech. Imaging stopped before PPKG." -ForegroundColor Yellow
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
exit 1
|
|
}
|
|
if ($key -eq 'R') {
|
|
$hasDefaultRoute = [bool](Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
|
|
if ($hasDefaultRoute) {
|
|
Write-Host "Default route detected. Continuing to PPKG enrollment." -ForegroundColor Green
|
|
break
|
|
}
|
|
Write-Host "Still no default route. Verify cable + corp jack." -ForegroundColor Red
|
|
}
|
|
}
|
|
}
|
|
|
|
$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1'
|
|
if (Test-Path -LiteralPath $enrollScript) {
|
|
Write-Host ""
|
|
Report-Stage -Stage 'Run-ShopfloorSetup: PPKG enrollment' -Index 5
|
|
Write-Host "=== Running enrollment (PPKG install) ==="
|
|
Write-Host "NOTE: PPKG schedules a near-immediate reboot. We will cancel"
|
|
Write-Host " it and hand off to Monitor-IntuneProgress -PostPpkg, which"
|
|
Write-Host " runs a 180s settle (giving MDM time to push baseline"
|
|
Write-Host " policy) and then performs a clean reboot."
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
& $enrollScript
|
|
|
|
# PPKG completes -> we're back here with a pending shutdown timer.
|
|
# Hand off to Monitor in -PostPpkg mode. Monitor cancels the shutdown,
|
|
# settles, renders live status, then issues its own reboot. The
|
|
# persistent @logon sync_intune task fires on the next boot to resume
|
|
# tracking through device-category-assignment + lockdown.
|
|
Write-Host ""
|
|
Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6
|
|
Write-Host "=== Handing off to Monitor-IntuneProgress -PostPpkg ==="
|
|
cmd /c "shutdown /a 2>nul" | Out-Null
|
|
$monitor = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
|
|
if (Test-Path -LiteralPath $monitor) {
|
|
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $monitor -PostPpkg
|
|
} else {
|
|
Write-Warning "Monitor-IntuneProgress.ps1 not found at $monitor - falling back to plain reboot"
|
|
shutdown /r /t 10
|
|
}
|
|
} else {
|
|
Write-Host "run-enrollment.ps1 not found - skipping enrollment."
|
|
Write-Host ""
|
|
Write-Host "================================================================"
|
|
Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
|
|
Write-Host "================================================================"
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
Write-Host "Rebooting in 10 seconds..."
|
|
shutdown /r /t 10
|
|
}
|