ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59dbd64e3781e559c2c520b719b0262b167ea3c2
pxe-server/docs/shopfloor-machine-imaging-guide.md
cproudlock ce3fbf5a28 sweep: pre-existing drift + matrix UDC entry + ignore 142MB EXE 
Bundles drift left uncommitted from prior sessions and the UDC matrix
verify entry added today.

Drift items (all per session-progress.md, completed in earlier sessions
but never staged):

- playbook/check-bios.cmd (deleted, moved to BIOS/check-bios.cmd)
- playbook/migrate-to-wifi.ps1 (made no-op 2026-04-24 after the dnsmasq
  no-gateway fix removed the wired-NIC race that motivated it)
- playbook/preinstall/oracle/Install-Oracle11r2.cmd (post-OUI .ora copy
  added 2026-04-24)
- playbook/preinstall/oracle/tnsnames.ora (live tnsnames, 469 KB,
  deployed alongside the wrapper 2026-04-24)
- playbook/pxe_server_setup.yml (dnsmasq dhcp-option=3,6 commented,
  Oracle .ora deploy task added 2026-04-24)
- playbook/shopfloor-setup/BIOS/{check-bios.cmd, models.txt} (BIOS
  detection refinements)
- playbook/shopfloor-setup/Shopfloor/Force-Lockdown.bat
- playbook/shopfloor-setup/Shopfloor/Monitor-IntuneProgress.ps1
- playbook/shopfloor-setup/Shopfloor/SetShopfloorAutoLogon.bat (new)
- playbook/shopfloor-setup/Shopfloor/09-Install-PrinterInstallerMap.ps1
  (new, places PrinterInstallerMap.exe + Public Desktop shortcut at
  imaging time; manifest entry self-heals on tamper)
- playbook/shopfloor-setup/Shopfloor/lib/Show-IntuneDeviceQR.ps1 (new,
  standalone QR rendering for site that wanted just that piece)
- playbook/shopfloor-setup/gea-shopfloor-collections/{Install-eMxInfo.cmd.template,
  Restore-UDCData.ps1} (these were uncommitted in pre-rename Standard/;
  git mv didn't catch them because they were untracked at the time)
- docs/shopfloor-machine-imaging-guide.md (operator-facing how-to)

Matrix:
- common.test/matrix.json: add UDC verify entry to gea-shopfloor-collections
  row. Surfaces UDC silent-install issue (item H pending) instead of
  letting it pass silently.

.gitignore:
- PrinterInstallerMap.exe (142 MB) excluded. Track via LFS or stage on
  PXE server only - too big for regular git history. Untouched on disk
  so existing local copy still works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 08:49:43 -04:00

240 lines
11 KiB
Markdown
Raw Blame History

# Shopfloor Machine PC Imaging Guide
Step-by-step for imaging a new (or replacement) shopfloor PC that will sit at a CNC machine and run UDC, eDNC, NTLARS, MTConnect, and the standard shopfloor toolset.
## Prerequisites
- PC connected to the **PXE switch** (not the production network yet)
- USB mouse + keyboard connected
- PXE server is running and reachable (verify by pinging `10.9.100.1` from another PC on the same switch)
- **Target machine number** known (e.g., `7605`) — you can enter it at PXE time, or use `9999` as a placeholder if the PC will be configured at the bay later
- **ARTS Lockdown request submitted** for this PC (or know that you'll submit one mid-imaging)
---
## Step 1: BIOS Configuration
1. Plug the PC into the **KVM**.
2. Power on the PC and begin **tapping F12** to bring up the One-Time-Boot menu.
3. Select **BIOS Setup**.
4. Toggle **Advanced Setup** to **ENABLED**.
5. Click **Boot Configuration**:
- Verify **Enable Secure Boot** is **ENABLED**
- Verify **Enable Microsoft UEFI CA** is **ENABLED**
6. Click **Storage** and verify **SATA/NVMe Operation** is set to **AHCI/NVMe**.
7. **If this is a Precision Tower**: click **Security** and **ENABLE "Start Data Wipe"** (wipes existing data on next boot).
8. Click **Apply Changes**, then **Exit**.
---
## Step 2: PXE Boot
1. Begin **tapping F12** again to return to the One-Time-Boot menu.
2. Verify the **network cable is connected to the PXE Server's isolated switch** (NOT the production network).
3. From the One-Time-Boot menu, select **ONBOARD NIC (IPV4)**.
4. Once the PXE Boot menu appears, select **Windows PE (Image Deployment)**.
5. WinPE launches with a command prompt that **automatically updates the BIOS to the latest version** before prompting you to select the image type.
---
## Step 3: Image + Enrollment Selection
1. **WinPE Setup Menu**: select `3. GEA Shopfloor`.
2. **GCCH Enrollment Profile**: select `1. No Office` (machine PCs don't need Office).
3. **Shopfloor PC Type**: select `6. Standard`.
4. **Standard PC Sub-Type**: select `1. Machine`.
5. **Machine number prompt**:
- If the PC's target bay is known: type the machine number (e.g., `7605`) and press Enter.
- If the bay isn't known yet: just press Enter to use placeholder `9999`. You'll set the real number after the PC is physically placed at the bay (see Step 9).
---
## Step 4: Imaging (Automated Phase)
Once GE Image Setup launches:
1. Click **Start**.
2. The process runs unattended through:
- Disk partition + Windows install
- PreInstall apps (Oracle Client 11.2, OpenText HostExplorer, VC++ Redists, eDNC if Standard-Machine, UDC, etc.)
- GE-Enforce framework registration
- First reboot
3. Note the **Serial Number** from the screen — log it in your tracking sheet.
4. The PC reboots and auto-logs in as `SupportUser`. The "Shopfloor Intune Sync" PowerShell window opens automatically.
**This whole phase takes ~20-40 minutes** depending on hardware.
---
## Step 5: Monitor Intune Enrollment
Once the **Shopfloor Intune Sync** window is open, you'll see a 5-phase status table that refreshes every 30 seconds:
```
1. Intune Registration [WAITING/IN PROGRESS/COMPLETE]
2. Device Configuration [WAITING/IN PROGRESS/COMPLETE]
3. Software Deployment [WAITING/IN PROGRESS/COMPLETE]
4. Credential Setup [WAITING/IN PROGRESS/COMPLETE]
5. Lockdown [WAITING/IN PROGRESS/COMPLETE]
```
Below the table, an **Intune Device ID** + QR code appears. Scan the QR with your phone to copy the device ID into your ARTS Lockdown request.
### What to do at each phase
- **Phase 1 → COMPLETE**: a `>> Select Device Category in Intune portal` hint appears. **Action**: in Intune, set the Device Category to `Shopfloor` (or whatever your site uses).
- **Phase 2 → COMPLETE**: just keep watching.
- **Phase 3 → IN PROGRESS forever**: known issue — the DSC `device-config.yaml` download is currently failing with a 403. **It does NOT block setup-complete** — Phases 4 and 5 are independent. Skip ahead.
- **Phase 4 → COMPLETE**: SFLD share creds landed in registry. A `>> Initiate ARTS Lockdown request` hint appears if you haven't already.
- **Phase 5 → COMPLETE**: lockdown applied via Intune Remediation. The script auto-fires "Setup Complete" and reboots the PC.
If Phase 5 stays WAITING for >30 minutes after Phase 4 completes, see Step 6.
---
## Step 6: Force Lockdown (only if needed)
If Phase 5 is stuck WAITING for 30+ minutes after Phase 4 completed AND the ARTS Lockdown request is approved:
1. Open an elevated cmd or PowerShell.
2. Run:
```
C:\Enrollment\shopfloor-setup\Shopfloor\Force-Lockdown.bat
```
3. It self-elevates via UAC, prompts for confirmation:
```
Type YES (uppercase) to confirm ARTS request is in place: YES
```
4. The script runs `sfld_autologon.ps1`, flips Winlogon to ShopFloor autologon, and writes `C:\Enrollment\force-lockdown-applied.txt` on success.
5. Within 30 seconds, the Intune Sync window's Phase 5 flips to COMPLETE → "Setup Complete" → reboot.
**WARNING**: Do NOT run Force-Lockdown without an approved ARTS request. It bypasses the normal Intune Lockdown-group push and will be flagged in the audit trail.
---
## Step 7: Post-Reboot — ShopFloor Autologon Phase
After the lockdown reboot, the PC auto-logs in as `ShopFloor` (instead of SupportUser).
What happens automatically:
1. WiFi profile (`AESFMA` SSID) lands via Intune.
2. PC connects to AESFMA.
3. `S:` drive maps to `\\tsgwp00525.wjs.geaerospace.net\shared`.
4. **GE Shopfloor Machine Apps Enforce** scheduled task fires on logon.
5. Manifest engine reads `\\tsgwp00525\...\common\manifest.json` AND `\\tsgwp00525\...\standard-machine\manifest.json`, evaluates each app entry against current state, runs installer if not detected.
6. Apps installed/verified: Adobe Acrobat Reader DC, WJF Defect Tracker, 3OF9 barcode font, Edge IE-Mode site list + policy, VNC firewall rule, Oracle Client 11.2, OpenText HostExplorer ShopFloor, UDC, eDNC + NTLARS, eMxInfo.txt, MTConnect Fanuc/OKUMA/Makino/eDNC variants (per machine number).
7. May take 5-15 minutes on first logon (cold app installs); subsequent logons skip-and-validate in <30 seconds.
You can watch progress in `C:\GE Aerospace\machineapps-enforce.log`.
---
## Step 8: Move to the Bay
Physically move the PC to its target machine. Plug into the production ethernet (NOT the PXE switch).
If the PC doesn't have an assigned machine number yet, or if you used `9999` placeholder at PXE time, continue to Step 9.
If you entered the real machine number at PXE time, Configure-PC.ps1 already wrote it to UDC, eDNC, the DNC registry, and MTConnect Devices.xml automatically — **skip to Step 10**.
---
## Step 9: Set Machine Number (only if 9999 placeholder was used)
1. Log in as **SupportUser** (admin).
2. Run from Desktop or Start Menu:
```
Set Machine Number.lnk
```
(which calls `C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1`)
3. Type the new machine number (digits only) when the GUI prompts.
4. Click OK. The script:
- Stops UDC, writes the new number to UDC settings JSON, relaunches UDC
- Writes the new number to eDNC registry (`HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General\MachineNo`)
- Pulls the per-machine eDNC `.reg` backup from `\\tsgwp00525\...\ntlars-backups\<num>.reg` (restores eFocas/PPDCS/Hssb config for that machine)
- Updates MTConnect `Devices.xml` for any installed agent (Fanuc/Okuma/Makino/eDNC) and restarts the agent service
5. A summary dialog confirms what was updated.
---
## Step 10: Verify the Machine
Before signing off, confirm the PC is healthy:
```powershell
# Service health
Get-Service | Where-Object { $_.Name -match '^(MTConnect|Makino|MakinoMTConnect|MTConnect eDNC|MTConnect Adapter|UDC|DNC)' } |
Format-Table Name, Status, StartType -AutoSize
# Machine number persisted everywhere
"UDC: $((Get-Content 'C:\ProgramData\UDC\udc_settings.json' -Raw | ConvertFrom-Json).GeneralSettings.MachineNumber)"
"eDNC: $((Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General' -Name MachineNo).MachineNo)"
# MTConnect HTTP probe (depends on variant - port 5000 for Fanuc/OKUMA, 5001 for eDNC, 5005 for UDC)
Invoke-WebRequest 'http://localhost:5000/probe' -UseBasicParsing -TimeoutSec 3 | Select StatusCode
# Manifest engine ran cleanly
Get-Content 'C:\GE Aerospace\machineapps-enforce.log' -Tail 20
```
Expected healthy state:
- All MTConnect/UDC/DNC services: **Running** + **Auto** start type
- UDC + eDNC machine numbers: **match the assigned bay**
- HTTP probe: **HTTP 200** with a `<MTConnectDevices>` XML response
- Manifest enforce log: ends with `evaluation complete: N entries, 0 failures` (or similar)
---
## Troubleshooting
### Intune Sync window closes by itself
It writes `C:\Logs\SFLD\sync_intune_transcript.txt` continuously. Open that log to see what it last reported. Re-launch via:
```
C:\Enrollment\shopfloor-setup\Shopfloor\sync_intune.bat
```
### Phase 3 stuck at IN PROGRESS
Known issue — the DSC blob download is 403'ing right now. Doesn't block setup-complete. If you need DSC's wallpaper / start menu pins / FileSystem actions, escalate to IT to fix the SAS token or storage account firewall on `geasfldwestjefferson`. Until then, those visual customizations won't appear — operators won't notice if the start menu pins are absent because they're not the primary workflow.
### Phase 5 (Lockdown) stays WAITING after 30 minutes
ARTS request is probably still pending. Confirm approval, then run Force-Lockdown.bat (Step 6).
### Manifest engine logs show "DllNotFoundException" or "share not reachable"
PC isn't on AESFMA WiFi yet (or WiFi profile hasn't pushed). Wait 5-10 minutes after the post-lockdown reboot. Verify:
```powershell
(Get-NetConnectionProfile).Name
Test-Path '\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\manifest.json'
```
If `Test-Path` returns False, WiFi/auth isn't ready. If True, kick the manifest engine manually:
```powershell
Start-ScheduledTask -TaskName 'GE Shopfloor Machine Apps Enforce'
```
### MTConnect not running after machine-number set
The wrapper logs land at `C:\GE Aerospace\mtc-install-runservice-batconvert.log`. Common causes: pre-existing Windows Firewall Block rule (rare), Mark-of-the-Web on copied EXEs (the wrapper's Unblock-File sweep handles this), or the bundle isn't on the SFLD share for this variant. Open the log and grep for `ERROR`.
### Configure-PC machine-number GUI doesn't open
The script needs a desktop session. Won't run via WinRM/SSH/non-interactive. Make sure you're logged in at the console as SupportUser.
---
## Reference
- **PXE server**: `10.9.100.1`
- **SFLD share**: `\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\`
- **Manifest engine log**: `C:\GE Aerospace\machineapps-enforce.log`
- **Intune sync transcript**: `C:\Logs\SFLD\sync_intune_transcript.txt`
- **DSC logs**: `C:\Logs\SFLD\` (DSCDeployment.log, DSCInstall.log, version.txt)
- **Per-app install logs**: `C:\Logs\SFLD\Install-*.log`
- **Force-Lockdown marker**: `C:\Enrollment\force-lockdown-applied.txt`
- **Set-MachineNumber script**: `C:\Enrollment\shopfloor-setup\Standard\Set-MachineNumber.ps1`
Reference in New Issue View Git Blame Copy Permalink