ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80e9c32faefb3733ac4004ab19155bd5812d80e4
pxe-server/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
cproudlock 0badfc1983 Retire v1 per-pctype enforcers; GE-Enforce is the sole dispatcher 
Stage 2a (GE-Enforce.ps1, landed 2026-04-22) is now the only ongoing-update
enforcer. The legacy per-pctype tasks (Machine-Enforce, Common-Enforce,
CMM-Enforce, Keyence-Enforce, Acrobat-Enforce) were kept as transition
belt-and-suspenders; with retrofitted PCs handled, the v1 path is dead and
gets removed entirely.

Deleted (13 files):
  Standard/{Machine-Enforce,Register-MachineEnforce}.ps1
  Standard/machineapps-manifest.template.json
  common/{Common-Enforce,Acrobat-Enforce,Register-CommonEnforce,Register-AcrobatEnforce}.ps1
  common/common-apps-manifest.template.json
  CMM/CMM-Enforce.ps1
  Keyence/Keyence-Enforce.ps1
  {CMM,Keyence,Standard}/lib/Install-FromManifest.ps1 (orphan dups of common/lib)

Trimmed:
  Run-ShopfloorSetup.ps1: dropped the legacy register-* invocations (Common,
    Machine) and the transition-period comment. Sole enforcer registration
    is now Register-GEEnforce.
  09-Setup-Keyence.ps1: keeps imaging-time install (step 1); removes the
    enforcer staging (step 2) and scheduled-task registration (step 3).
    Library lookup repointed to common/lib/Install-FromManifest.ps1.
  09-Setup-CMM.ps1: same treatment - keeps .NET 3.5 enable, install,
    PC-DMIS ACL grants, and bootstrap cleanup. Library repointed to common/lib.
  cmm-manifest.json + keyence-manifest.json: _comment fields updated to
    reflect imaging-time-only role (ongoing enforcement now goes through
    the v2 share manifests via GE-Enforce).

Verified clean: no orphan references to *-Enforce.ps1 / Register-*Enforce.ps1
/ machineapps-manifest / common-apps-manifest in any code path that runs.
A few historical mentions remain in unmodified header comments (GE-Enforce.ps1,
Deploy-GEEnforce.ps1, Monitor-IntuneProgress.ps1) describing what the new
dispatcher replaced; left as historical context.

Run-ShopfloorSetup.ps1 also picks up an unrelated 1-line hunk adding
SetShopfloorAutoLogon.bat to the desktop-copy list (already in the working
tree from a prior session). The file itself is not yet tracked; the
desktop-copy step is Test-Path-guarded so this is harmless until the
.bat is committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 09:55:40 -04:00

177 lines
8.0 KiB
PowerShell
Raw Blame History

# 09-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM). Ongoing enforcement is handled by GE-Enforce
# (registered separately in Run-ShopfloorSetup.ps1) reading cmm/manifest.json
# from the tsgwp00525 share.
#
# Sequence:
# 1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
# is an off-by-default optional feature).
# 2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
# 2.5. Grant BUILTIN\Users Modify on PC-DMIS install dirs (Hexagon-documented
# approach for non-admin runtime).
# 3. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
#
# Library lookup: the imaging-time install uses the common Install-FromManifest
# library at ..\common\lib\Install-FromManifest.ps1 (relative to $PSScriptRoot).
#
# Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
$ErrorActionPreference = 'Continue'
$stagingRoot = 'C:\CMM-Install'
$stagingMani = Join-Path $stagingRoot 'cmm-manifest.json'
$libSource = Join-Path $PSScriptRoot '..\common\lib\Install-FromManifest.ps1'
$logDir = 'C:\Logs\CMM'
$logFile = Join-Path $logDir 'install.log'
$transcriptLog = Join-Path $logDir '09-Setup-CMM.log'
if (-not (Test-Path $logDir)) {
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level. Lets a tech open C:\Logs\CMM\09-Setup-CMM.log
# and see the entire CMM-type setup run without scrolling through the
# monolithic shopfloor-setup.log.
try { Start-Transcript -Path $transcriptLog -Append -Force | Out-Null } catch {}
function Write-CMMLog {
param([string]$Message, [string]$Level = 'INFO')
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "[$stamp] [$Level] $Message"
}
Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"
# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt','pc-subtype.txt','machine-number.txt')) {
$path = "C:\Enrollment\$file"
if (Test-Path -LiteralPath $path) {
$content = (Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue).Trim()
Write-CMMLog " $file = $content"
} else {
Write-CMMLog " $file = (not present)"
}
}
if (Test-Path $stagingRoot) {
$bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
foreach ($f in $bootstrapFiles) {
Write-CMMLog " - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
}
} else {
Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}
# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components. On Win10/
# Win11 it's an optional Windows feature that is OFF by default. Enable-
# WindowsOptionalFeature pulls the payload from Windows Update when the PC
# has internet; sources from the installed Windows image otherwise. Idempotent
# (no-op if already enabled). We swallow failures because if internet and
# media are both unavailable this becomes a known gap rather than an imaging
# blocker - we'd still rather try to install PC-DMIS and surface the real
# failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
$netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
if ($netfx.State -eq 'Enabled') {
Write-CMMLog " .NET 3.5 already enabled"
} else {
Write-CMMLog " .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
$result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
Write-CMMLog " Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
}
} catch {
Write-CMMLog " Failed to enable .NET 3.5: $_" "WARN"
Write-CMMLog " Continuing anyway - PC-DMIS installers will surface any hard dependency."
}
# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
if (-not (Test-Path $stagingRoot)) {
Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
}
elseif (-not (Test-Path $stagingMani)) {
Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
}
elseif (-not (Test-Path $libSource)) {
Write-CMMLog "Shared library not found at $libSource" "ERROR"
}
else {
Write-CMMLog "Running Install-FromManifest against $stagingRoot"
& $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile
$rc = $LASTEXITCODE
Write-CMMLog "Install-FromManifest returned $rc"
}
# ============================================================================
# Step 2.5: Grant Users write access to PC-DMIS install directories
# ============================================================================
# PC-DMIS writes settings, probe configs, and measurement data to its own
# install directory at runtime. Without Modify permission for BUILTIN\Users,
# non-admin accounts get a UAC elevation prompt on every launch. Granting
# the ACL here is the Hexagon-documented approach for non-admin deployment
# and avoids the need for a first-run-as-admin (which hits a license dialog
# and can't be automated silently).
$pcdmisDirs = @(
'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
'C:\ProgramData\Hexagon',
'C:\Program Files (x86)\General Electric\goCMM',
'C:\Program Files\DODA'
)
foreach ($dir in $pcdmisDirs) {
if (-not (Test-Path -LiteralPath $dir)) {
Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
continue
}
try {
$acl = Get-Acl -LiteralPath $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'BUILTIN\Users',
'Modify',
'ContainerInherit,ObjectInherit',
'None',
'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
} catch {
Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
}
}
# ============================================================================
# Step 3: Clean up the bootstrap staging dir
# ============================================================================
# ~2 GB reclaimed. From here on, GE-Enforce takes over from the tsgwp00525
# share for ongoing updates.
if (Test-Path $stagingRoot) {
Write-CMMLog "Deleting bootstrap staging at $stagingRoot"
try {
Remove-Item -LiteralPath $stagingRoot -Recurse -Force -ErrorAction Stop
Write-CMMLog "Bootstrap cleanup complete"
} catch {
Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
}
}
Write-CMMLog "=== CMM Setup Complete ==="
try { Stop-Transcript | Out-Null } catch {}
Reference in New Issue View Git Blame Copy Permalink