b69d68f7b5
Install-ProvisioningPackage triggers an immediate reboot that kills
run-enrollment.ps1 before it can register the sync_intune task or do
any post-install work. BPRT app installs happen on the NEXT boot, not
before the reboot.
Fix: move sync task registration into Run-ShopfloorSetup.ps1, executed
BEFORE calling run-enrollment.ps1. The task is safely registered while
we still have control. Then enrollment installs the PPKG and lets it
reboot. After reboot, BPRT finishes in background, sync task fires at
logon, monitors Intune enrollment (which is independent of BPRT).
Run-ShopfloorSetup.ps1:
- Registers "Shopfloor Intune Sync" @logon task after desktop tool
copies but BEFORE enrollment
- Flushes transcript before calling enrollment (since PPKG reboot
will kill us, ensures log is complete)
- Enrollment is the absolute last call
run-enrollment.ps1:
- Stripped to essentials: find PPKG, rename computer, set OOBE,
Install-ProvisioningPackage
- No BPRT polling (irrelevant - happens after reboot)
- No task registration (already done by caller)
- No shutdown call (PPKG handles it)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
263 lines
11 KiB
PowerShell
263 lines
11 KiB
PowerShell
# Run-ShopfloorSetup.ps1 - Main dispatcher for shopfloor PC type setup.
|
|
#
|
|
# Flow:
|
|
# 1. PreInstall apps (Oracle, VC++, OpenText, UDC) -- from local bundle
|
|
# 2. Type-specific scripts (eDNC, ACLs, CMM share apps, etc.)
|
|
# 3. Deferred baseline (desktop org, taskbar pins)
|
|
# 4. Copy desktop tools (sync_intune, Configure-PC, Set-MachineNumber)
|
|
# 5. Run enrollment (PPKG install + wait for completion)
|
|
# 6. Register sync_intune as @logon scheduled task
|
|
# 7. Reboot -- PPKG file operations complete, sync_intune fires on next logon
|
|
#
|
|
# Called by the unattend FirstLogonCommands as SupportUser (admin).
|
|
|
|
# --- Transcript logging ---
|
|
$logDir = 'C:\Logs\SFLD'
|
|
if (-not (Test-Path $logDir)) {
|
|
try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP }
|
|
}
|
|
$transcriptPath = Join-Path $logDir 'shopfloor-setup.log'
|
|
try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {}
|
|
|
|
Write-Host ""
|
|
Write-Host "================================================================"
|
|
Write-Host "=== Run-ShopfloorSetup.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
|
|
Write-Host " Transcript: $transcriptPath"
|
|
Write-Host "================================================================"
|
|
Write-Host ""
|
|
|
|
# Bump AutoLogonCount HIGH at the start so reboots during setup (e.g. VC++ 2008
|
|
# triggering an immediate ExitWindowsEx) don't exhaust autologin attempts before
|
|
# the dispatcher can complete. The end-of-script reset puts it back to 2 once
|
|
# everything succeeds.
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 99 /f | Out-Null
|
|
|
|
# Cancel any pending reboot so it doesn't interrupt setup
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
|
|
# Prompt user to unplug from PXE switch before re-enabling wired adapters
|
|
Write-Host ""
|
|
Write-Host "========================================" -ForegroundColor Yellow
|
|
Write-Host " UNPLUG the ethernet cable from the" -ForegroundColor Yellow
|
|
Write-Host " PXE imaging switch NOW." -ForegroundColor Yellow
|
|
Write-Host "========================================" -ForegroundColor Yellow
|
|
Write-Host ""
|
|
Write-Host "Press any key to continue..." -ForegroundColor Yellow
|
|
$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
|
|
|
|
# Re-enable wired adapters
|
|
Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -notmatch 'Wi-Fi|Wireless' } | Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
|
|
|
|
$enrollDir = "C:\Enrollment"
|
|
$typeFile = Join-Path $enrollDir "pc-type.txt"
|
|
$setupDir = Join-Path $enrollDir "shopfloor-setup"
|
|
|
|
if (-not (Test-Path $typeFile)) {
|
|
Write-Host "No pc-type.txt found - skipping shopfloor setup."
|
|
exit 0
|
|
}
|
|
|
|
$pcType = (Get-Content $typeFile -First 1).Trim()
|
|
if (-not $pcType) {
|
|
Write-Host "pc-type.txt is empty - skipping shopfloor setup."
|
|
exit 0
|
|
}
|
|
|
|
Write-Host "Shopfloor PC Type: $pcType"
|
|
|
|
# Scripts to skip in the alphabetical baseline loop. Each is either run
|
|
# explicitly in the finalization phase below, or invoked internally by
|
|
# another script:
|
|
#
|
|
# 05 - Office shortcuts. Invoked by 06 as Phase 0. Office isn't installed
|
|
# until after the PPKG + reboot, so 05 no-ops initially. 06's SYSTEM
|
|
# logon task re-runs it on the next boot.
|
|
# 06 - Desktop org. Phase 2 needs eDNC/NTLARS on disk (installed by
|
|
# type-specific 01-eDNC.ps1). Run in finalization phase.
|
|
# 07 - Taskbar pin layout. Reads 06's output. Run in finalization phase.
|
|
# 08 - Edge default browser + startup tabs. Invoked by 06 as Phase 4.
|
|
# Reads .url files delivered by DSC (after Intune enrollment). 06's
|
|
# SYSTEM logon task re-runs it to pick them up.
|
|
$skipInBaseline = @(
|
|
'05-OfficeShortcuts.ps1',
|
|
'06-OrganizeDesktop.ps1',
|
|
'07-TaskbarLayout.ps1',
|
|
'08-EdgeDefaultBrowser.ps1',
|
|
'Check-MachineNumber.ps1',
|
|
'Configure-PC.ps1'
|
|
)
|
|
|
|
# Scripts run AFTER type-specific scripts complete. 05 and 08 are NOT
|
|
# here because 06 calls them internally as sub-phases.
|
|
$runAfterTypeSpecific = @(
|
|
'06-OrganizeDesktop.ps1',
|
|
'07-TaskbarLayout.ps1'
|
|
)
|
|
|
|
# --- Run Shopfloor baseline scripts first (skipping deferred ones) ---
|
|
$baselineDir = Join-Path $setupDir "Shopfloor"
|
|
if (Test-Path $baselineDir) {
|
|
$scripts = Get-ChildItem -Path $baselineDir -Filter "*.ps1" -File | Sort-Object Name
|
|
foreach ($script in $scripts) {
|
|
if ($skipInBaseline -contains $script.Name) {
|
|
Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)"
|
|
continue
|
|
}
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running baseline: $($script.Name)"
|
|
try {
|
|
& $script.FullName
|
|
} catch {
|
|
Write-Warning "Baseline script $($script.Name) failed: $_"
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- Run type-specific scripts (if not just baseline Shopfloor) ---
|
|
if ($pcType -ne "Shopfloor") {
|
|
$typeDir = Join-Path $setupDir $pcType
|
|
if (Test-Path $typeDir) {
|
|
# Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1).
|
|
# Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools,
|
|
# not installer scripts, and must not auto-run during setup.
|
|
$scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File |
|
|
Where-Object { $_.Name -match '^\d' } |
|
|
Sort-Object Name
|
|
foreach ($script in $scripts) {
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running $pcType setup: $($script.Name)"
|
|
try {
|
|
& $script.FullName
|
|
} catch {
|
|
Write-Warning "Script $($script.Name) failed: $_"
|
|
}
|
|
}
|
|
} else {
|
|
Write-Host "No type-specific scripts found for $pcType."
|
|
}
|
|
}
|
|
|
|
# --- Finalization: run deferred baseline scripts (desktop org, taskbar pins)
|
|
# ---
|
|
# These needed to wait until all apps (eDNC, NTLARS, UDC, OpenText) were
|
|
# installed by the baseline + type-specific phases above. 06 internally
|
|
# calls 05 (Office shortcuts) and 08 (Edge config) as sub-phases, so we
|
|
# only need to invoke 06 and 07 explicitly here.
|
|
foreach ($name in $runAfterTypeSpecific) {
|
|
$script = Join-Path $baselineDir $name
|
|
if (-not (Test-Path $script)) {
|
|
Write-Warning "Deferred script not found: $script"
|
|
continue
|
|
}
|
|
cmd /c "shutdown /a 2>nul" *>$null
|
|
Write-Host "Running deferred baseline: $name"
|
|
try {
|
|
& $script
|
|
} catch {
|
|
Write-Warning "Deferred script $name failed: $_"
|
|
}
|
|
}
|
|
|
|
Write-Host "Shopfloor setup complete for $pcType."
|
|
|
|
# --- Copy utility scripts to SupportUser desktop ---
|
|
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat')) {
|
|
$src = Join-Path $setupDir "Shopfloor\$tool"
|
|
if (Test-Path $src) {
|
|
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force
|
|
Write-Host "$tool copied to desktop."
|
|
}
|
|
}
|
|
|
|
# Standard PCs get the UDC/eDNC machine number helper
|
|
if ($pcType -eq "Standard") {
|
|
foreach ($helper in @("Set-MachineNumber.bat", "Set-MachineNumber.ps1")) {
|
|
$src = Join-Path $setupDir "Standard\$helper"
|
|
if (Test-Path $src) {
|
|
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$helper" -Force
|
|
Write-Host "$helper copied to SupportUser desktop."
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- Register sync_intune as persistent @logon scheduled task ---
|
|
# Must be registered BEFORE enrollment because Install-ProvisioningPackage
|
|
# triggers an immediate reboot that kills run-enrollment.ps1. The task
|
|
# registration must survive the PPKG reboot, so we do it here while
|
|
# Run-ShopfloorSetup.ps1 is still running.
|
|
#
|
|
# The task fires at every logon until sync_intune detects completion and
|
|
# unregisters itself. It monitors Intune enrollment (Phase 1-5), NOT BPRT
|
|
# app installs -- BPRT finishes on its own in the background after the
|
|
# PPKG reboot, and is irrelevant to the Intune lifecycle.
|
|
$taskName = 'Shopfloor Intune Sync'
|
|
$monitorScript = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
|
|
$configureScript = Join-Path $setupDir 'Shopfloor\Configure-PC.ps1'
|
|
|
|
if (Test-Path -LiteralPath $monitorScript) {
|
|
try {
|
|
$action = New-ScheduledTaskAction `
|
|
-Execute 'powershell.exe' `
|
|
-Argument "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$monitorScript`" -AsTask -ConfigureScript `"$configureScript`""
|
|
|
|
$trigger = New-ScheduledTaskTrigger -AtLogOn
|
|
|
|
$principal = New-ScheduledTaskPrincipal `
|
|
-GroupId 'S-1-5-32-545' `
|
|
-RunLevel Limited
|
|
|
|
$settings = New-ScheduledTaskSettingsSet `
|
|
-AllowStartIfOnBatteries `
|
|
-DontStopIfGoingOnBatteries `
|
|
-StartWhenAvailable `
|
|
-ExecutionTimeLimit (New-TimeSpan -Hours 2)
|
|
|
|
Register-ScheduledTask `
|
|
-TaskName $taskName `
|
|
-Action $action `
|
|
-Trigger $trigger `
|
|
-Principal $principal `
|
|
-Settings $settings `
|
|
-Force `
|
|
-ErrorAction Stop | Out-Null
|
|
|
|
Write-Host "Registered '$taskName' logon task."
|
|
} catch {
|
|
Write-Warning "Failed to register sync task: $_"
|
|
}
|
|
} else {
|
|
Write-Warning "Monitor-IntuneProgress.ps1 not found at $monitorScript"
|
|
}
|
|
|
|
# Set auto-logon to expire after 4 more logins (2 needed for sync_intune
|
|
# pre-reboot + post-reboot, plus 2 margin for unexpected reboots from
|
|
# Windows Update, PPKG file operations, or script crashes).
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 4 /f | Out-Null
|
|
Write-Host "Auto-logon set to 4 remaining logins."
|
|
|
|
# --- Run enrollment (PPKG install) ---
|
|
# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
|
|
# an immediate reboot -- everything after this call is unlikely to execute.
|
|
# The sync_intune task is already registered above, so the PPKG reboot
|
|
# can kill us and the chain continues on the next boot.
|
|
$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1'
|
|
if (Test-Path -LiteralPath $enrollScript) {
|
|
Write-Host ""
|
|
Write-Host "=== Running enrollment (PPKG install) ==="
|
|
Write-Host "NOTE: PPKG will trigger an immediate reboot. This is expected."
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
& $enrollScript
|
|
# If we get here, the PPKG didn't reboot (maybe no PPKG file found).
|
|
Write-Host "Enrollment returned without rebooting. Rebooting now..."
|
|
shutdown /r /t 10
|
|
} else {
|
|
Write-Host "run-enrollment.ps1 not found - skipping enrollment."
|
|
Write-Host ""
|
|
Write-Host "================================================================"
|
|
Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
|
|
Write-Host "================================================================"
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
Write-Host "Rebooting in 10 seconds..."
|
|
shutdown /r /t 10
|
|
}
|