8848fca88a
Acrobat Reader enforcement:
- playbook/shopfloor-setup/common/ is the cross-PC-type staging dir. Mirrors
CMM/ structure (enforce script + its Install-FromManifest copy + manifest
template + register script).
- Acrobat-Enforce.ps1 runs as SYSTEM on every logon, reads
acrobatSharePath from site-config.common, mounts the SFLD share with
the same HKLM-backed credential lookup CMM-Enforce uses, hands the
acrobat-manifest.json from the share to Install-FromManifest.
- Install-FromManifest extended with Type=CMD so it can invoke vendor-
supplied .cmd wrappers (Install-AcroReader.cmd does a two-step MSI+MSP
install that does not fit MSI/EXE types cleanly). cmd.exe /c wraps it
because UseShellExecute=false cannot launch .cmd directly.
- Register-AcrobatEnforce.ps1 stages scripts to C:\Program Files\GE\Acrobat
and registers "GE Acrobat Enforce" scheduled task. Called from
Run-ShopfloorSetup.ps1 right before the enrollment (PPKG) step so it
applies to every PC type, not just CMM.
- acrobat-manifest.template.json is the repo reference; the authoritative
copy lives on the SFLD share at
\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\acrobat\
Bumping Acrobat updates = drop new MSP on share, bump DetectionValue in
manifest; enforcer catches every PC on next logon.
- site-config.json: add "common": { "acrobatSharePath": ... }. Uses a
new top-level block rather than a PC-type-specific one since Acrobat
applies everywhere.
Initial install still happens via the preinstall flow
(Install-AcroReader.cmd during WinPE). The enforcer is the ongoing-
updates side; on a freshly-imaged PC detection passes and it no-ops.
Also in this commit:
- run-enrollment.ps1: provtool.exe argument syntax fix. First test
returned 0x80004005 E_FAIL in 1s because /ppkg: and /log: are not
valid provtool flags; the cmdlet's internal call used positional
path + /quiet + /source. Switched to that syntax.
135 lines
5.5 KiB
PowerShell
135 lines
5.5 KiB
PowerShell
# Acrobat-Enforce.ps1 - On-logon Adobe Acrobat Reader DC enforcer.
|
|
#
|
|
# Cross-PC-type companion to CMM-Enforce.ps1. Runs under a SYSTEM scheduled
|
|
# task triggered at user logon on every PC regardless of PC type, mounts the
|
|
# tsgwp00525 SFLD share (common\acrobat path) using SFLD creds provisioned
|
|
# by Azure DSC, reads acrobat-manifest.json from the share, and hands off to
|
|
# Install-FromManifest.ps1 which installs anything whose detection fails.
|
|
#
|
|
# Initial Acrobat install happens at imaging time via the preinstall flow
|
|
# (playbook/preinstall/...). This enforcer is the ongoing-updates side: when
|
|
# Adobe publishes a new quarterly DC patch, drop the new .msp on the share,
|
|
# bump DetectionValue in acrobat-manifest.json, and every PC catches up on
|
|
# its next logon. On a freshly-imaged PC, detection passes immediately and
|
|
# this script no-ops.
|
|
#
|
|
# Graceful degradation mirrors CMM-Enforce:
|
|
# - SFLD creds missing (Azure DSC has not run yet) -> log + exit 0
|
|
# - Share unreachable (network, VPN) -> log + exit 0
|
|
# - Install failure -> log + exit 0
|
|
#
|
|
# Never returns non-zero to the task scheduler; failures show up in the log.
|
|
|
|
$ErrorActionPreference = 'Continue'
|
|
|
|
$installRoot = 'C:\Program Files\GE\Acrobat'
|
|
$libPath = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
|
$logDir = 'C:\Logs\Acrobat'
|
|
$logFile = Join-Path $logDir ('enforce-{0}.log' -f (Get-Date -Format 'yyyyMMdd'))
|
|
# Use a drive letter that does not clash with CMM-Enforce's S: drive so the
|
|
# two enforcers can run concurrently at logon without fighting for the mount.
|
|
$driveLetter = 'T:'
|
|
|
|
if (-not (Test-Path $logDir)) {
|
|
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
|
|
}
|
|
|
|
function Write-EnforceLog {
|
|
param([string]$Message, [string]$Level = 'INFO')
|
|
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
|
Write-Host $line
|
|
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
Write-EnforceLog "================================================================"
|
|
Write-EnforceLog "=== Acrobat-Enforce session start (PID $PID, user $env:USERNAME) ==="
|
|
Write-EnforceLog "================================================================"
|
|
|
|
# --- Load site-config for acrobatSharePath ---
|
|
# Dot-source the same Get-PCProfile.ps1 used at imaging time. It walks
|
|
# C:\Enrollment\site-config.json into $pcProfile / $siteConfig script vars.
|
|
$getProfileScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Get-PCProfile.ps1'
|
|
if (-not (Test-Path $getProfileScript)) {
|
|
Write-EnforceLog "Get-PCProfile.ps1 not found at $getProfileScript - cannot locate share" "ERROR"
|
|
exit 0
|
|
}
|
|
. $getProfileScript
|
|
|
|
# Acrobat share lives under the site-config "common" section, which applies
|
|
# to every PC type (unlike cmmSharePath which is CMM-only).
|
|
if (-not $siteConfig -or -not $siteConfig.common -or -not $siteConfig.common.acrobatSharePath) {
|
|
Write-EnforceLog "No common.acrobatSharePath in site-config - nothing to enforce" "WARN"
|
|
exit 0
|
|
}
|
|
|
|
$sharePath = $siteConfig.common.acrobatSharePath
|
|
Write-EnforceLog "Share: $sharePath"
|
|
|
|
function Get-SFLDCredential {
|
|
param([string]$ServerName)
|
|
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
|
|
if (-not (Test-Path $basePath)) { return $null }
|
|
|
|
foreach ($entry in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
|
|
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
|
|
if (-not $props -or -not $props.TargetHost) { continue }
|
|
if ($props.TargetHost -eq $ServerName -or
|
|
$props.TargetHost -like "$ServerName.*" -or
|
|
$ServerName -like "$($props.TargetHost).*") {
|
|
return @{
|
|
Username = $props.Username
|
|
Password = $props.Password
|
|
TargetHost = $props.TargetHost
|
|
KeyName = $entry.PSChildName
|
|
}
|
|
}
|
|
}
|
|
return $null
|
|
}
|
|
|
|
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
|
|
$cred = Get-SFLDCredential -ServerName $serverName
|
|
|
|
if (-not $cred -or -not $cred.Username -or -not $cred.Password) {
|
|
Write-EnforceLog "No SFLD credential for $serverName yet (Azure DSC has not provisioned it) - will retry at next logon"
|
|
exit 0
|
|
}
|
|
|
|
Write-EnforceLog "Credential: $($cred.KeyName) (user: $($cred.Username))"
|
|
|
|
# --- Mount the share ---
|
|
net use $driveLetter /delete /y 2>$null | Out-Null
|
|
|
|
$netResult = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
|
|
if ($LASTEXITCODE -ne 0) {
|
|
Write-EnforceLog "net use failed (exit $LASTEXITCODE): $netResult" "WARN"
|
|
Write-EnforceLog "Share unreachable - probably off-network. Will retry at next logon."
|
|
exit 0
|
|
}
|
|
Write-EnforceLog "Mounted $sharePath as $driveLetter"
|
|
|
|
try {
|
|
$manifestOnShare = Join-Path $driveLetter 'acrobat-manifest.json'
|
|
if (-not (Test-Path $manifestOnShare)) {
|
|
Write-EnforceLog "acrobat-manifest.json not found on share - nothing to enforce" "WARN"
|
|
return
|
|
}
|
|
|
|
if (-not (Test-Path $libPath)) {
|
|
Write-EnforceLog "Install-FromManifest.ps1 not found at $libPath" "ERROR"
|
|
return
|
|
}
|
|
|
|
Write-EnforceLog "Handing off to Install-FromManifest.ps1 (InstallerRoot=$driveLetter)"
|
|
& $libPath -ManifestPath $manifestOnShare -InstallerRoot $driveLetter -LogFile $logFile
|
|
$rc = $LASTEXITCODE
|
|
Write-EnforceLog "Install-FromManifest returned $rc"
|
|
}
|
|
finally {
|
|
net use $driveLetter /delete /y 2>$null | Out-Null
|
|
Write-EnforceLog "Unmounted $driveLetter"
|
|
Write-EnforceLog "=== Acrobat-Enforce session end ==="
|
|
}
|
|
|
|
exit 0
|