ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ef981f19e253a9ad065dd571b1017814774ff7e
pxe-server/playbook/shopfloor-setup/Standard/Register-MachineEnforce.ps1
cproudlock 3ef981f19e Add Standard-Machine logon enforcer for UDC/eDNC/NTLARS 
Reason: Intune DSC's main-category YAML was pushing these to every main
device, including Timeclocks - DSC has no awareness of our pc-subtype
distinction. After UDC/eDNC/NTLARS are removed from the DSC YAML, ongoing
version drift would no longer be corrected. This enforcer replaces that,
scoped correctly by subtype.

Structure mirrors CMM (CMM-Enforce.ps1) and common (Acrobat-Enforce.ps1):
- Machine-Enforce.ps1: SYSTEM logon task; mounts SFLD share with HKLM-
  backed creds; hands off to Install-FromManifest.
- machineapps-manifest.template.json: repo reference; authoritative copy
  lives on the share at \\tsgwp00525.wjs.geaerospace.net\shared\dt\
  shopfloor\main\machineapps\machineapps-manifest.json.
- Register-MachineEnforce.ps1: idempotent setup; stages scripts to
  C:\Program Files\GE\MachineApps and registers the task.
- lib/Install-FromManifest.ps1: copy of the common/ version (already has
  Type=CMD support).

Sub-type gating belt-and-suspenders:
- Run-ShopfloorSetup.ps1 only calls Register-MachineEnforce when
  $pcType -eq "Standard" -and $pcSubType -eq "Machine".
- Machine-Enforce.ps1 itself re-reads pc-subtype.txt and exits early if
  not "Machine", so a mistakenly-deployed copy no-ops.

site-config.json:
- Added "machineappsSharePath" to Standard-Machine pcProfile.

Drive letter U: to stay clear of CMM (S:) and Acrobat (T:) enforcers
that may run concurrently at logon.

Update workflow:
  drop new UDC/eDNC/NTLARS installer on the SFLD share,
  bump DetectionValue in machineapps-manifest.json,
  every Machine PC catches up on next user logon.
2026-04-15 12:16:17 -04:00

86 lines
3.5 KiB
PowerShell
Raw Blame History

# Register-MachineEnforce.ps1 - One-time setup for the Standard-Machine
# logon-enforce scheduled task. Called by Run-ShopfloorSetup.ps1 on
# Standard-Machine PCs only (Timeclocks skip). Idempotent: re-running
# refreshes staged scripts and re-registers the task.
#
# Parallel to CMM\09-Setup-CMM.ps1 steps 3-4 (stage Install-FromManifest +
# Machine-Enforce, register the task) with no imaging-time install step -
# initial UDC/eDNC/NTLARS install is already handled by the preinstall
# phase on the PXE server.
$ErrorActionPreference = 'Continue'
$installRoot = 'C:\Program Files\GE\MachineApps'
$runtimeLib = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
$runtimeEnforce = Join-Path $installRoot 'Machine-Enforce.ps1'
$logDir = 'C:\Logs\MachineApps'
$setupLog = Join-Path $logDir 'setup.log'
$sourceLib = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
$sourceEnforce = Join-Path $PSScriptRoot 'Machine-Enforce.ps1'
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $installRoot)) { New-Item -Path $installRoot -ItemType Directory -Force | Out-Null }
if (-not (Test-Path (Join-Path $installRoot 'lib'))) {
New-Item -Path (Join-Path $installRoot 'lib') -ItemType Directory -Force | Out-Null
}
function Write-SetupLog {
param([string]$Message, [string]$Level = 'INFO')
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
Write-Host $line
Add-Content -Path $setupLog -Value $line -ErrorAction SilentlyContinue
}
Write-SetupLog "=== Register-MachineEnforce start ==="
foreach ($pair in @(
@{ Src = $sourceLib; Dst = $runtimeLib },
@{ Src = $sourceEnforce; Dst = $runtimeEnforce }
)) {
if (-not (Test-Path $pair.Src)) {
Write-SetupLog "Source not found: $($pair.Src) - cannot stage" "ERROR"
continue
}
Copy-Item -Path $pair.Src -Destination $pair.Dst -Force
Write-SetupLog "Staged $($pair.Src) -> $($pair.Dst)"
}
$taskName = 'GE Shopfloor Machine Apps Enforce'
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($existing) {
Write-SetupLog "Removing existing scheduled task '$taskName'"
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}
Write-SetupLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
try {
$action = New-ScheduledTaskAction `
-Execute 'powershell.exe' `
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# ExecutionTimeLimit 1 hour; UDC/eDNC/NTLARS combined shouldn't exceed that.
$settings = New-ScheduledTaskSettingsSet `
-AllowStartIfOnBatteries `
-DontStopIfGoingOnBatteries `
-StartWhenAvailable `
-ExecutionTimeLimit (New-TimeSpan -Hours 1) `
-MultipleInstances IgnoreNew
Register-ScheduledTask `
-TaskName $taskName `
-Action $action `
-Trigger $trigger `
-Principal $principal `
-Settings $settings `
-Description 'GE Shopfloor Machine: enforce UDC/eDNC/NTLARS version against tsgwp00525 SFLD share on user logon' | Out-Null
Write-SetupLog "Scheduled task registered"
} catch {
Write-SetupLog "Failed to register scheduled task: $_" "ERROR"
}
Write-SetupLog "=== Register-MachineEnforce end ==="
Reference in New Issue View Git Blame Copy Permalink