pxe-server/playbook/shopfloor-setup/gea-shopfloor-cmm/09-Setup-CMM.ps1

# 09-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM). Ongoing enforcement is handled by GE-Enforce
# (registered separately in Run-ShopfloorSetup.ps1) reading cmm/manifest.json
# from the tsgwp00525 share.
#
# Sequence:
#   1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
#      is an off-by-default optional feature).
#   2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
#   2.5. Grant BUILTIN\Users Modify on PC-DMIS install dirs (Hexagon-documented
#        approach for non-admin runtime).
#   3. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
#
# Library lookup: the imaging-time install uses the common Install-FromManifest
# library at ..\common\lib\Install-FromManifest.ps1 (relative to $PSScriptRoot).
#
# Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.

$ErrorActionPreference = 'Continue'

$stagingRoot    = 'C:\CMM-Install'
$stagingMani    = Join-Path $stagingRoot 'cmm-manifest.json'
$libSource      = Join-Path $PSScriptRoot '..\common\lib\Install-FromManifest.ps1'

$logDir        = 'C:\Logs\CMM'
$logFile       = Join-Path $logDir 'install.log'
$transcriptLog = Join-Path $logDir '09-Setup-CMM.log'

if (-not (Test-Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}

# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level. Lets a tech open C:\Logs\CMM\09-Setup-CMM.log
# and see the entire CMM-type setup run without scrolling through the
# monolithic shopfloor-setup.log.
try { Start-Transcript -Path $transcriptLog -Append -Force | Out-Null } catch {}

function Write-CMMLog {
    param([string]$Message, [string]$Level = 'INFO')
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Write-Host "[$stamp] [$Level] $Message"
}

Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"

# Status push to PXE webapp - best-effort, never blocks imaging.
$pxeStatusLib = Join-Path $PSScriptRoot '..\Shopfloor\lib\Send-PxeStatus.ps1'
if (Test-Path $pxeStatusLib) {
    try { . $pxeStatusLib; Send-PxeStatus -Stage '09-Setup-CMM: starting' -StageIndex 3 -StageTotal 8 } catch { }
}

# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt','pc-subtype.txt','machine-number.txt')) {
    $path = "C:\Enrollment\$file"
    if (Test-Path -LiteralPath $path) {
        $content = (Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue).Trim()
        Write-CMMLog "  $file = $content"
    } else {
        Write-CMMLog "  $file = (not present)"
    }
}
if (Test-Path $stagingRoot) {
    $bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
    Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
    foreach ($f in $bootstrapFiles) {
        Write-CMMLog "  - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
    }
} else {
    Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}

# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components. On Win10/
# Win11 it's an optional Windows feature that is OFF by default. Enable-
# WindowsOptionalFeature pulls the payload from Windows Update when the PC
# has internet; sources from the installed Windows image otherwise. Idempotent
# (no-op if already enabled). We swallow failures because if internet and
# media are both unavailable this becomes a known gap rather than an imaging
# blocker - we'd still rather try to install PC-DMIS and surface the real
# failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
    $netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    if ($netfx.State -eq 'Enabled') {
        Write-CMMLog "  .NET 3.5 already enabled"
    } else {
        Write-CMMLog "  .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
        $result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
        Write-CMMLog "  Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
    }
} catch {
    Write-CMMLog "  Failed to enable .NET 3.5: $_" "WARN"
    Write-CMMLog "  Continuing anyway - PC-DMIS installers will surface any hard dependency."
}

# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
if (-not (Test-Path $stagingRoot)) {
    Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
    Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
}
elseif (-not (Test-Path $stagingMani)) {
    Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
}
elseif (-not (Test-Path $libSource)) {
    Write-CMMLog "Shared library not found at $libSource" "ERROR"
}
else {
    $pcType    = ''
    $pcSubType = ''
    if (Test-Path 'C:\Enrollment\pc-type.txt')    { $pcType    = (Get-Content 'C:\Enrollment\pc-type.txt'    -First 1 -EA 0).Trim() }
    if (Test-Path 'C:\Enrollment\pc-subtype.txt') { $pcSubType = (Get-Content 'C:\Enrollment\pc-subtype.txt' -First 1 -EA 0).Trim() }

    # Read resolved PC-DMIS version from bay-config (written by
    # resolve-cmm-bay-config.ps1 via startnet.cmd). If missing, install all
    # PC-DMIS versions (legacy behavior for bays imaged before the picker).
    $cmmVersion = ''
    $cmmVersionFile = 'C:\Enrollment\cmm\version.txt'
    if (Test-Path -LiteralPath $cmmVersionFile) {
        $cmmVersion = (Get-Content -LiteralPath $cmmVersionFile -First 1 -EA 0).Trim()
    }
    Write-CMMLog "Resolved CMM version: $(if ($cmmVersion) { $cmmVersion } else { '(none - installing all)' })"

    # Filter manifest: drop entries whose _CmmVersion doesn't match the
    # resolved version. Entries without _CmmVersion always pass (CLM, goCMM,
    # Protect Viewer, DODA). Write a temp filtered manifest for the lib.
    if ($cmmVersion) {
        try {
            $cfg = Get-Content $stagingMani -Raw | ConvertFrom-Json
            $filtered = @($cfg.Applications | Where-Object {
                if (-not $_._CmmVersion) { return $true }
                return ($_._CmmVersion -ieq $cmmVersion)
            })
            $skipped = @($cfg.Applications | Where-Object {
                $_._CmmVersion -and ($_._CmmVersion -ine $cmmVersion)
            })
            foreach ($s in $skipped) {
                Write-CMMLog "  Skipping $($s.Name) (_CmmVersion=$($_._CmmVersion) != $cmmVersion)"
            }
            $cfg.Applications = $filtered
            $filteredMani = Join-Path $stagingRoot 'cmm-manifest-filtered.json'
            $cfg | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $filteredMani -Encoding UTF8
            Write-CMMLog "Filtered manifest: $($filtered.Count) entries (from $($filtered.Count + $skipped.Count))"
            $stagingMani = $filteredMani
        } catch {
            Write-CMMLog "Version filter failed: $_ - using unfiltered manifest" 'WARN'
        }
    }

    Write-CMMLog "Running Install-FromManifest against $stagingRoot (PCType=$pcType, PCSubType=$pcSubType)"
    & $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile -PCType $pcType -PCSubType $pcSubType
    $rc = $LASTEXITCODE
    Write-CMMLog "Install-FromManifest returned $rc"
}

# ============================================================================
# Step 2.5: Grant Users write access to PC-DMIS install directories
# ============================================================================
# PC-DMIS writes settings, probe configs, and measurement data to its own
# install directory at runtime. Without Modify permission for BUILTIN\Users,
# non-admin accounts get a UAC elevation prompt on every launch. Granting
# the ACL here is the Hexagon-documented approach for non-admin deployment.
# Step 2.6 below handles the required first-run-as-admin initialization.
$pcdmisDirs = @(
    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
    'C:\Program Files\Hexagon\PC-DMIS 2026.1 64-bit',
    'C:\ProgramData\Hexagon',
    'C:\Program Files (x86)\General Electric\goCMM',
    'C:\Program Files\DODA'
)
foreach ($dir in $pcdmisDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $dir
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users',
            'Modify',
            'ContainerInherit,ObjectInherit',
            'None',
            'Allow'
        )
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
        Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
    } catch {
        Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
    }
}

# ============================================================================
# Step 2.6: First-run-as-admin for each installed PC-DMIS version
# ============================================================================
# PC-DMIS performs one-time initialization on first launch (COM registration,
# config file creation, internal setup). This must happen with admin rights
# before the PPKG locks the machine down. Launch each installed version,
# wait for it to initialize, then kill it.
$pcdmisExes = @(
    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit\PCDLRN.exe',
    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit\PCDLRN.exe',
    'C:\Program Files\Hexagon\PC-DMIS 2026.1 64-bit\PCDLRN.exe'
)
foreach ($exe in $pcdmisExes) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $ver = Split-Path (Split-Path $exe -Parent) -Leaf
    Write-CMMLog "First-run init: launching $ver"
    try {
        $proc = Start-Process -FilePath $exe -PassThru -ErrorAction Stop
        $initTimeout = 45
        Write-CMMLog "  PID $($proc.Id) started, waiting ${initTimeout}s for initialization..."
        Start-Sleep -Seconds $initTimeout
        if (-not $proc.HasExited) {
            $proc.Kill()
            $proc.WaitForExit(10000)
            Write-CMMLog "  Killed after ${initTimeout}s (first-run init complete)"
        } else {
            Write-CMMLog "  Exited on its own (exit $($proc.ExitCode))"
        }
    } catch {
        Write-CMMLog "  First-run launch failed: $_" 'WARN'
    }
}

# ============================================================================
# Step 2.7: Seed goCMM Shared Data Directory + grant Users write on the key
# ============================================================================
# goCMM (.NET x86 WPF app) stores its program-source path in the registry at
# HKLM\SOFTWARE\WOW6432Node\General Electric\goCMM, value "Shared Data
# Directory" (the folder it browses for *.prg PC-DMIS measurement routines).
# It is a 32-bit MSI / 32-bit process, so both the install seed and runtime
# reads land in the WOW6432Node view. Because the value lives in HKLM, a
# non-admin shopfloor user cannot set it via goCMM's settings UI - and cannot
# save a "Selected Part Group" switch either (same key). So we do two things
# here in admin context:
#   1. Seed "Shared Data Directory" to the per-bay path resolved by
#      resolve-cmm-bay-config.ps1 (C:\Enrollment\cmm\shareddatadir.txt).
#   2. Grant BUILTIN\Users write on the key so runtime writes (part-group
#      switching, or a deliberate path change) succeed without elevation.
# This mirrors Step 2.5, which grants Users Modify on the install dirs.
$goCmmKey = 'HKLM:\SOFTWARE\WOW6432Node\General Electric\goCMM'

# Path may contain internal spaces (e.g. CMM8 "Venture CMM8"). Get-Content
# + Trim keeps internal spaces; the value is passed as a single -Value arg,
# never through a command line, so the space cannot split the path.
$sharedDataDir = ''
$sddFile = 'C:\Enrollment\cmm\shareddatadir.txt'
if (Test-Path -LiteralPath $sddFile) {
    $sharedDataDir = (Get-Content -LiteralPath $sddFile -First 1 -EA 0).Trim()
}

if (-not (Test-Path $goCmmKey)) {
    Write-CMMLog "goCMM key absent ($goCmmKey) - goCMM not installed or install failed; creating key so the seed/ACL still land" 'WARN'
    try { New-Item -Path $goCmmKey -Force | Out-Null } catch { Write-CMMLog "Could not create $goCmmKey : $_" 'WARN' }
}

if ($sharedDataDir) {
    try {
        New-ItemProperty -Path $goCmmKey -Name 'Shared Data Directory' -Value $sharedDataDir -PropertyType String -Force | Out-Null
        Write-CMMLog "Set goCMM 'Shared Data Directory' = $sharedDataDir"
    } catch {
        Write-CMMLog "Failed to set goCMM 'Shared Data Directory': $_" 'WARN'
    }
} else {
    Write-CMMLog "No shareddatadir.txt (bay not in bay-config, or manual CMM ID) - leaving goCMM path unset" 'WARN'
}

# Grant BUILTIN\Users ReadKey+WriteKey (WriteKey = SetValue + CreateSubKey).
# Registry ACEs use ContainerInherit only (no leaf objects in the registry).
if (Test-Path $goCmmKey) {
    try {
        $racl  = Get-Acl -Path $goCmmKey
        $rrule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Users',
            'ReadKey,WriteKey',
            'ContainerInherit',
            'None',
            'Allow'
        )
        $racl.AddAccessRule($rrule)
        Set-Acl -Path $goCmmKey -AclObject $racl -ErrorAction Stop
        Write-CMMLog "Granted BUILTIN\Users write on $goCmmKey"
    } catch {
        Write-CMMLog "Failed to set ACL on $goCmmKey : $_" 'WARN'
    }
}

# ============================================================================
# Step 3: Conditional cleanup of the bootstrap staging dir
# ============================================================================
# Only delete C:\CMM-Install when EVERY manifest entry detected as installed.
# A vendor installer that forces an unplanned mid-install reboot would
# otherwise leave us with no recovery path on the self-resumed re-run
# (Run-ShopfloorSetup's new RunOnce would fire, but Step 2 would log
# "$stagingRoot does not exist" and bail). Leaving the staging dir in
# place until the manifest fully converges means a re-fire just re-runs
# the partial installs and completes.
$allDetected = $true
if (Test-Path $stagingMani) {
    try {
        $cfg = Get-Content $stagingMani -Raw | ConvertFrom-Json
        foreach ($app in $cfg.Applications) {
            if (-not $app.DetectionMethod -or -not $app.DetectionPath) { continue }
            # Honor PCTypes filter when checking detection.
            if ($app.PCTypes -and $app.PCTypes.Count -gt 0) {
                $myNames = @($pcType)
                if ($pcSubType) { $myNames += "$pcType-$pcSubType" }
                $match = $false
                foreach ($t in $app.PCTypes) { if ($myNames -contains $t) { $match = $true; break } }
                if (-not $match) { continue }  # not applicable to this PC, skip detection
            }
            if (-not (Test-Path $app.DetectionPath)) { $allDetected = $false; Write-CMMLog "Not installed: $($app.Name)"; break }
            if ($app.DetectionName) {
                $val = (Get-ItemProperty -Path $app.DetectionPath -Name $app.DetectionName -EA 0).$($app.DetectionName)
                if (-not $val) { $allDetected = $false; Write-CMMLog "Not installed (no value): $($app.Name)"; break }
                if ($app.DetectionValue -and $val -ne $app.DetectionValue) { $allDetected = $false; Write-CMMLog "Wrong version: $($app.Name) got $val expected $($app.DetectionValue)"; break }
            }
        }
    } catch {
        Write-CMMLog "Could not parse manifest for cleanup-gate check: $_" 'WARN'
        $allDetected = $false
    }
}

if ($allDetected -and (Test-Path $stagingRoot)) {
    Write-CMMLog "All manifest entries installed. Deleting bootstrap staging at $stagingRoot"
    try {
        Remove-Item -LiteralPath $stagingRoot -Recurse -Force -ErrorAction Stop
        Write-CMMLog "Bootstrap cleanup complete"
    } catch {
        Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
    }
} elseif (Test-Path $stagingRoot) {
    Write-CMMLog "Bootstrap staging retained at $stagingRoot (not all entries installed yet - will retry on next self-resumed run)"
}

if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
    Send-PxeStatus -Stage '09-Setup-CMM: complete' -StageIndex 4 -StageTotal 8
}
Write-CMMLog "=== CMM Setup Complete ==="
try { Stop-Transcript | Out-Null } catch {}