ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6e85e19c85ab67b4d2ca9be5c93d15fb54394608
pxe-server/playbook/shopfloor-setup/Shopfloor/03-ShellDefaults.ps1
cproudlock ac23759486 UDC firewall rules + Acrobat Reader as default PDF viewer 
- Pre-create Windows Firewall inbound-allow rules for UDC.exe and
  MTConnect agent.exe before UDC_Setup.exe runs, suppressing the
  interactive "allow through firewall?" dialogs during silent install.

- Set Adobe Acrobat Reader (Acrobat.Document.DC) as the default .pdf
  handler via dism /import-defaultappassociations. Runs in
  03-ShellDefaults.ps1 so the OEMDefaultAssociations.xml is in place
  before ShopFloor's profile is created on first logon. Edge no longer
  claims .pdf on new profiles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 09:18:44 -04:00

128 lines
5.3 KiB
PowerShell
Raw Blame History

# 03-ShellDefaults.ps1 - Shell appearance defaults for all new user profiles.
#
# Applies the following tweaks so shopfloor PCs look/behave closer to the
# Win10 baseline and don't reach out to Bing from the Start menu:
# 1. Taskbar aligned to the left (TaskbarAl=0). Per-user setting, written
# into the Default User hive so every NEW profile inherits it.
# 2. Start menu "Recommended" section hidden (HideRecommendedSection=1).
# 3. Web results + Bing search-box suggestions killed in Start/Search.
# 4. Cortana disabled via policy (no-op on LTSC 2024 since Cortana isn't
# shipped, but set anyway for belt-and-suspenders).
#
# 2-4 are HKLM policy values - W11 LTSC / Enterprise honour them; Home/Pro
# do not. Fine here since the fleet is LTSC 2024.
#
# Existing profiles (SupportUser, pre-existing end-user accounts) are NOT
# modified for TaskbarAl - the Default User hive is a template copied on
# profile creation, not a live cascade. The HKLM policies affect everyone.
$ErrorActionPreference = 'Continue'
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
Write-Host "ERROR: 03-ShellDefaults.ps1 must run as Administrator." -ForegroundColor Red
exit 1
}
# ---- 1. HKLM policy DWORDs (all LTSC-honoured) -------------------------------
# Each entry: KeyPath, ValueName, ValueData. Key is created if missing.
$hklmPolicies = @(
# Hide Start menu "Recommended" section.
@{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
Name = 'HideRecommendedSection'; Value = 1 }
# Kill web results in Start/taskbar search.
@{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
Name = 'DisableWebSearch'; Value = 1 }
@{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
Name = 'ConnectedSearchUseWeb'; Value = 0 }
# Disable Cortana (policy; LTSC doesn't ship Cortana but this is harmless).
@{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
Name = 'AllowCortana'; Value = 0 }
# Kill Bing-powered search-box suggestions (per-keystroke telemetry).
@{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
Name = 'DisableSearchBoxSuggestions'; Value = 1 }
)
foreach ($p in $hklmPolicies) {
try {
if (-not (Test-Path $p.Key)) {
New-Item -Path $p.Key -Force | Out-Null
}
Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Value -Type DWord -Force
Write-Host ("Set {0}\{1} = {2}" -f $p.Key, $p.Name, $p.Value)
} catch {
Write-Warning ("Failed to set {0}\{1}: {2}" -f $p.Key, $p.Name, $_)
}
}
# ---- 2. Set Adobe Acrobat Reader as default PDF viewer ----
# OEMDefaultAssociations.xml is read when a new user profile is created.
# Deploying it before ShopFloor's first logon means the profile lands with
# Acrobat as the PDF handler instead of Edge. Existing profiles (SupportUser)
# are not affected. DISM /import-defaultappassociations writes the XML to
# C:\Windows\System32\OEMDefaultAssociations.xml and sets the policy key.
$assocXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier=".pdf" ProgId="Acrobat.Document.DC" ApplicationName="Adobe Acrobat" />
</DefaultAssociations>
"@
$assocPath = Join-Path $env:TEMP 'DefaultAssociations.xml'
try {
Set-Content -Path $assocPath -Value $assocXml -Encoding UTF8 -Force
$out = & dism.exe /online /import-defaultappassociations:"$assocPath" 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host "Set .pdf default to Acrobat.Document.DC via DISM"
} else {
Write-Warning "DISM import-defaultappassociations returned $LASTEXITCODE"
}
Remove-Item $assocPath -Force -ErrorAction SilentlyContinue
} catch {
Write-Warning "Failed to set default PDF viewer: $_"
}
# ---- 3. Taskbar left-align via Default User hive ----
$defaultHive = 'C:\Users\Default\NTUSER.DAT'
$mountPoint = 'HKU\SFLDDefault'
$regPath = 'Registry::HKEY_USERS\SFLDDefault\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (-not (Test-Path -LiteralPath $defaultHive)) {
Write-Warning "Default User hive not found at $defaultHive - skipping taskbar tweak."
exit 0
}
# Unload a stale mount from a previous run, if any. reg unload returns
# non-zero when nothing is mounted; ignore that.
& reg.exe unload $mountPoint *> $null
$loadOutput = & reg.exe load $mountPoint $defaultHive 2>&1
if ($LASTEXITCODE -ne 0) {
Write-Warning "reg load failed ($LASTEXITCODE): $loadOutput"
exit 1
}
try {
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name 'TaskbarAl' -Value 0 -Type DWord -Force
Write-Host "Set Default User TaskbarAl=0 (left-aligned)"
} catch {
Write-Warning "Failed to set TaskbarAl: $_"
} finally {
# Force GC so PowerShell drops its handles on the hive before unload,
# otherwise reg unload fails with "The process cannot access the file".
[gc]::Collect()
[gc]::WaitForPendingFinalizers()
[gc]::Collect()
& reg.exe unload $mountPoint *> $null
if ($LASTEXITCODE -ne 0) {
Write-Warning "reg unload returned $LASTEXITCODE - Default User hive may still be mounted"
}
}
exit 0
Reference in New Issue View Git Blame Copy Permalink