SFLD imaging-lifecycle snapshot runbook
========================================

Run all three snapshots on the imaged device (elevated PowerShell). Each
captures registry, files, logs, scheduled-task state, and event logs at a
distinct lifecycle checkpoint so the deltas between them isolate which
phase delivered (or failed to deliver) each component.

Prereq: device is in supportuser auto-logon, just finished PPKG bulk
enrollment, and is enrolled to Intune but no device category assigned yet.

----------------------------------------
0. Map share + stage script (run once, at the start)
----------------------------------------

    net use Z: \\10.9.100.1\image-upload /user:pxe-upload pxe /persistent:no
    Copy-Item Z:\Capture-LockdownState.ps1 C:\Windows\Temp\
    Set-ExecutionPolicy -Scope Process Bypass -Force

----------------------------------------
1. Snapshot BEFORE assigning device category
----------------------------------------

State:
  - PPKG ran, enrolled to Intune
  - Device sitting in SupportUser, no category assigned in portal yet
  - Win32Apps + DSC profiles tied to category have NOT delivered

    C:\Windows\Temp\Capture-LockdownState.ps1 -Stage pre-category

Output: C:\ProgramData\state-pre-category-<stamp>\

----------------------------------------
2. Assign device category in Intune portal
----------------------------------------

  - Intune portal -> Devices -> Windows -> [this device] -> Properties
  - Set Device category to MAIN (or whichever is correct)
  - Wait ~5-10 min for sync (or force sync via Settings -> Accounts ->
    Access work or school -> Info -> Sync)

----------------------------------------
3. Snapshot AFTER category, BEFORE lockdown
----------------------------------------

State:
  - Category lands, dynamic-group membership evaluates
  - SFLD-DSC Win32App (or whatever the category-driven config is) has had
    a chance to download, install, write registry, schedule its task
  - Lockdown has NOT yet flipped Winlogon DefaultUserName from SupportUser
    to ShopFloor (i.e., still in tech / setup mode)

    C:\Windows\Temp\Capture-LockdownState.ps1 -Stage post-category

Output: C:\ProgramData\state-post-category-<stamp>\

----------------------------------------
4. Wait for lockdown to finish landing
----------------------------------------

Watch for the two terminal signals (per Monitor-IntuneProgress.ps1
notes):
  - HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultUserName flips from "SupportUser" to "ShopFloor"
  - AssignedAccess kiosk profile becomes active

----------------------------------------
5. Snapshot AFTER lockdown
----------------------------------------

    C:\Windows\Temp\Capture-LockdownState.ps1 -Stage post-lockdown

Output: C:\ProgramData\state-post-lockdown-<stamp>\

----------------------------------------
6. Copy all three snapshots back to PXE
----------------------------------------

    Get-ChildItem 'C:\ProgramData\state-*' -Directory |
      Where-Object Name -match '^state-(pre-category|post-category|post-lockdown)-' |
      ForEach-Object {
        robocopy $_.FullName "Z:\$($_.Name)" /E /NFL /NDL /NJH /NJS
      }
    net use Z: /delete /y

The three folders land at \\10.9.100.1\image-upload\state-*-<stamp>\.
On the workstation: pull from /home/pxe/image-upload/ on the PXE server
(scp or local mount) and diff against any prior baseline (e.g. the
4/15 v1.3.1 working snapshot at pxe-images/state-post-lockdown-20260415-154705/).

----------------------------------------
What each diff reveals
----------------------------------------

pre-category -> post-category
  - Which Win32Apps Intune assigned via the category
  - Whether SFLD-DSC bootstrap actually ran (DSCDeployment.log,
    HKLM:\SOFTWARE\GE\SFLD\Credentials\baseVersion)
  - Whether sastoken.txt was present in the IMECache (IMECache-Files.csv)
  - Scheduled task SFLD-ApplyDSCConfig - was it created? Did it run?
    What was its last result code? (Tasks-RunHistory.csv)
  - Outbound MDM events: 429 throttles, AAD failures
    (DeviceManagement-Events.csv)

post-category -> post-lockdown
  - Lockdown DSC delta: AssignedAccess kiosk config, AppLocker rules,
    Winlogon flip, autologon change
  - Final registry state for HKLM:\SOFTWARE\GE\SFLD\Credentials\* +
    HKLM:\SOFTWARE\GE\SFLD\DSC (Site, Environment, Function, SasToken)
  - Final PolicyManager state (which Intune profiles fully landed)

----------------------------------------
Key files to look at first when comparing
----------------------------------------

SFLD.reg                  -> creds + DSC values landed?
IMECache-Files.csv        -> sastoken.txt present in Win32App content?
DSCDeployment.log         -> bootstrap version + warnings
Tasks-RunHistory.csv      -> SFLD-ApplyDSCConfig LastRunTime + LastTaskResult
DeviceManagement-Events.csv -> 429s, AAD token failures, sync stalls
GE-WOW6432.reg            -> baseVersion (1.3.1 = working, 2.0.2 = broken)
