8848fca88a
Acrobat Reader enforcement:
- playbook/shopfloor-setup/common/ is the cross-PC-type staging dir. Mirrors
CMM/ structure (enforce script + its Install-FromManifest copy + manifest
template + register script).
- Acrobat-Enforce.ps1 runs as SYSTEM on every logon, reads
acrobatSharePath from site-config.common, mounts the SFLD share with
the same HKLM-backed credential lookup CMM-Enforce uses, hands the
acrobat-manifest.json from the share to Install-FromManifest.
- Install-FromManifest extended with Type=CMD so it can invoke vendor-
supplied .cmd wrappers (Install-AcroReader.cmd does a two-step MSI+MSP
install that does not fit MSI/EXE types cleanly). cmd.exe /c wraps it
because UseShellExecute=false cannot launch .cmd directly.
- Register-AcrobatEnforce.ps1 stages scripts to C:\Program Files\GE\Acrobat
and registers "GE Acrobat Enforce" scheduled task. Called from
Run-ShopfloorSetup.ps1 right before the enrollment (PPKG) step so it
applies to every PC type, not just CMM.
- acrobat-manifest.template.json is the repo reference; the authoritative
copy lives on the SFLD share at
\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\common\acrobat\
Bumping Acrobat updates = drop new MSP on share, bump DetectionValue in
manifest; enforcer catches every PC on next logon.
- site-config.json: add "common": { "acrobatSharePath": ... }. Uses a
new top-level block rather than a PC-type-specific one since Acrobat
applies everywhere.
Initial install still happens via the preinstall flow
(Install-AcroReader.cmd during WinPE). The enforcer is the ongoing-
updates side; on a freshly-imaged PC detection passes and it no-ops.
Also in this commit:
- run-enrollment.ps1: provtool.exe argument syntax fix. First test
returned 0x80004005 E_FAIL in 1s because /ppkg: and /log: are not
valid provtool flags; the cmdlet's internal call used positional
path + /quiet + /source. Switched to that syntax.
84 lines
3.9 KiB
PowerShell
Executable File
84 lines
3.9 KiB
PowerShell
Executable File
# run-enrollment.ps1
|
|
# Installs GCCH enrollment provisioning package. That's it.
|
|
#
|
|
# Install-ProvisioningPackage triggers an immediate reboot -- nothing after
|
|
# that call executes. The sync_intune task and all other post-enrollment
|
|
# setup are registered by Run-ShopfloorSetup.ps1 BEFORE calling this script.
|
|
|
|
$ErrorActionPreference = 'Continue'
|
|
$logFile = "C:\Logs\enrollment.log"
|
|
New-Item -ItemType Directory -Path "C:\Logs" -Force -ErrorAction SilentlyContinue | Out-Null
|
|
|
|
function Log {
|
|
param([string]$Message)
|
|
$ts = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
|
|
$line = "$ts $Message"
|
|
Write-Host $line
|
|
Add-Content -Path $logFile -Value $line
|
|
}
|
|
|
|
Log "=== GE Aerospace GCCH Enrollment ==="
|
|
|
|
# --- Find the .ppkg ---
|
|
$ppkgFile = Get-ChildItem "C:\Enrollment\*.ppkg" -ErrorAction SilentlyContinue | Select-Object -First 1
|
|
if (-not $ppkgFile) {
|
|
Log "No .ppkg found in C:\Enrollment\ - skipping enrollment."
|
|
return
|
|
}
|
|
Log "Package: $($ppkgFile.Name)"
|
|
|
|
# --- Set computer name to E<serial> ---
|
|
$serial = (Get-CimInstance Win32_BIOS).SerialNumber
|
|
$newName = "E$serial"
|
|
Log "Setting computer name to $newName"
|
|
Rename-Computer -NewName $newName -Force -ErrorAction SilentlyContinue
|
|
|
|
# --- Install provisioning package ---
|
|
# IMPORTANT: The PPKG must be installed BEFORE OOBEComplete is set. Bulk
|
|
# enrollment PPKGs are designed to run during OOBE; on Windows 11 22H2+ they
|
|
# can hang indefinitely if OOBE is already marked complete.
|
|
#
|
|
# We invoke provtool.exe directly instead of Install-ProvisioningPackage.
|
|
# The PowerShell cmdlet enforces a hardcoded 180-second timeout on the
|
|
# underlying provtool call, which a 7-8 GB GCCH PPKG often exceeds on
|
|
# slower disks. When the cmdlet times out it throws, and the Add-
|
|
# ProvisioningPackage fallback has been observed to invoke provtool with
|
|
# an empty packagePathsToAdd (session registered but never started),
|
|
# leaving the PC un-enrolled. provtool.exe directly has no caller-side
|
|
# timeout; Start-Process -Wait waits on the actual child process.
|
|
#
|
|
# The PPKG triggers an IMMEDIATE reboot once fully applied. Nothing below
|
|
# that point executes on the current boot. BPRT app installs (Chrome,
|
|
# Office, Tanium, etc.) happen on the next boot. The sync_intune
|
|
# scheduled task (registered by Run-ShopfloorSetup.ps1 before calling us)
|
|
# fires at the next logon to monitor Intune enrollment.
|
|
$ppkgLogDir = "C:\Logs\PPKG"
|
|
New-Item -ItemType Directory -Path $ppkgLogDir -Force -ErrorAction SilentlyContinue | Out-Null
|
|
$provtool = Join-Path $env:SystemRoot 'System32\provtool.exe'
|
|
# Arg order matches what the Install-ProvisioningPackage cmdlet invokes
|
|
# internally (observed in ProvEventLog.txt): positional path, then /quiet,
|
|
# then /source. No /log: or /ppkg: prefix - those are not valid provtool
|
|
# flags and caused 0x80004005 E_FAIL in the first test.
|
|
$provArgs = @("`"$($ppkgFile.FullName)`"", "/quiet", "/source", "BPRT")
|
|
Log "Installing provisioning package via provtool.exe (no PowerShell timeout)..."
|
|
Log "Command: $provtool $($provArgs -join ' ')"
|
|
Log "PPKG diagnostic logs -> $ppkgLogDir (provtool writes them automatically)"
|
|
try {
|
|
$p = Start-Process -FilePath $provtool -ArgumentList $provArgs -Wait -PassThru -NoNewWindow -ErrorAction Stop
|
|
Log "provtool.exe exit code: $($p.ExitCode)"
|
|
if ($p.ExitCode -ne 0) {
|
|
$hex = '0x{0:X8}' -f $p.ExitCode
|
|
Log "WARNING: provtool.exe returned non-zero exit code ($hex). Check $ppkgLogDir for diagnostic bundle."
|
|
}
|
|
} catch {
|
|
Log "ERROR: Failed to launch provtool.exe: $_"
|
|
}
|
|
|
|
# --- Set OOBE complete (only reached if PPKG didn't trigger immediate reboot) ---
|
|
Log "Setting OOBE as complete..."
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE" /v OOBEComplete /t REG_DWORD /d 1 /f | Out-Null
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE" /v SetupDisplayedEula /t REG_DWORD /d 1 /f | Out-Null
|
|
|
|
# If we get here, the PPKG didn't reboot immediately. Unlikely but handle it.
|
|
Log "PPKG did not trigger immediate reboot. Returning to caller."
|