Force-Lockdown.bat (SupportUser desktop): Vendor escape hatch when Intune Lockdown push hasn't applied within ~30 minutes. Self-elevates via UAC, prompts for typed YES confirmation that an ARTS request is in place, then runs sfld_autologon.ps1.

Register-MapSfldShare.ps1 (every PC type): The SFLD vendor's 'SFLD - Consume Credentials' scheduled task is principal-restricted (admin-only) so it fires for SupportUser logon but not for ShopFloor logon -- ShopFloor lands at the desktop with no S: drive and no way to reach \\tsgwp00525\shared. Workaround: register a parallel 'GE Shopfloor Map S: Drive' AtLogOn task with Principal=BUILTIN\Users + RunLevel=Limited that invokes the vendor's C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 in the interactive user's session. Vendor script handles cred-store + net use end to end; we just give it a wider trigger principal. Cross-PC-type because every shopfloor account needs S:.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
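The logon-task registration described for Register-MapSfldShare.ps1, as an added example that is not the repository's script: it uses the task name and vendor script path quoted in the commit message, and adds a writability check on that path (an assumption, not something the message mentions) before registering a task that every interactive user will execute. The powershell.exe invocation flags are likewise assumed.

```powershell
# Added example, not the repository's Register-MapSfldShare.ps1.
$TaskName   = 'GE Shopfloor Map S: Drive'
$ScriptPath = 'C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1'

# A task that runs a script at every user's logon must not execute a file
# that standard users can modify: even with a Limited token that is a
# persistence foothold. Refuse to register if Users/Everyone can write.
function Test-UserWritable([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -in @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone') -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -Path $ScriptPath)) { throw "Vendor script not found: $ScriptPath" }
if ((Test-UserWritable $ScriptPath) -or (Test-UserWritable (Split-Path -Parent $ScriptPath))) {
    throw "Refusing to register: $ScriptPath is writable by standard users"
}

# Run the vendor script in the logging-on user's own session (assumed flags).
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
# AtLogOn with no -User fires for any interactive logon: SupportUser and ShopFloor alike.
$trigger = New-ScheduledTaskTrigger -AtLogOn
# Group principal BUILTIN\Users plus RunLevel Limited: the task runs with the
# interactive user's unelevated token, which is the whole point of the workaround.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Read the task back and confirm the principal really is unelevated Users.
$task = Get-ScheduledTask -TaskName $TaskName
'{0}: GroupId={1} RunLevel={2}' -f $task.TaskName, $task.Principal.GroupId, $task.Principal.RunLevel
```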
70 lines
2.0 KiB
Batchfile

```batch
@echo off
REM Force-Lockdown.bat - Manual SFLD lockdown trigger for SupportUser.
REM
REM Vendor-documented escape hatch: if the Intune-pushed Lockdown
REM configuration hasn't actually applied within ~30 minutes after the
REM device was added to the Lockdown group, run sfld_autologon.ps1
REM directly as admin to force it.
REM
REM This wrapper exists so the tech doesn't have to remember the path
REM or open an elevated cmd by hand. It self-elevates to admin via UAC.

REM ---- Self-elevate ---------------------------------------------------
REM "net session" only succeeds with an elevated token, so a non-zero
REM exit code means this instance is not running as admin yet.
net session >nul 2>&1
if %errorLevel% neq 0 (
    echo Requesting admin rights...
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit /b
)

setlocal
set "SCRIPT=C:\Program Files\Sysinternals\sfld_autologon.ps1"

echo ============================================================
echo Force SFLD Lockdown
echo ============================================================
echo.
echo *** WARNING ***
echo.
echo Do NOT run this script unless an ARTS request has already
echo been submitted and approved for this device.
echo.
echo Forcing lockdown without an ARTS request bypasses the
echo normal Intune Lockdown-group push and will be flagged
echo in the audit trail.
echo.
echo ============================================================
echo Target: %SCRIPT%
echo.

REM Clear CONFIRM first: "set /p" leaves the variable untouched when the
REM user just presses Enter, so a stale CONFIRM=YES inherited from the
REM environment must not be able to satisfy the check below.
set "CONFIRM="
set /p CONFIRM=Type YES (uppercase) to confirm ARTS request is in place:
REM Case-sensitive compare, matching the prompt: only an exact "YES" proceeds.
if not "%CONFIRM%"=="YES" (
    echo.
    echo Cancelled - no action taken.
    echo.
    pause
    exit /b 2
)
echo.

if not exist "%SCRIPT%" (
    echo ERROR: %SCRIPT% not found.
    echo Sysinternals Autologon PPKG step may not have completed yet.
    echo.
    pause
    exit /b 1
)

echo Running sfld_autologon.ps1 ...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPT%"
REM -File propagates the script's exit code, so capture it before any
REM further command overwrites errorlevel.
set "RC=%errorLevel%"

echo.
echo ============================================================
echo Lockdown script exit code: %RC%
echo ============================================================
echo.
pause
endlocal
```