diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
index fd4191e..1123c1e 100644
--- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
+++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
@@ -71,20 +71,15 @@ if ($pcType -ne "Shopfloor") {
 Write-Host "Shopfloor setup complete for $pcType."
 
 # Copy utility scripts to SupportUser desktop
-$lockdownScript = Join-Path $setupDir "backup_lockdown.bat"
-if (Test-Path $lockdownScript) {
-    Copy-Item -Path $lockdownScript -Destination "C:\Users\SupportUser\Desktop\backup_lockdown.bat" -Force
-    Write-Host "backup_lockdown.bat copied to desktop."
-}
 $syncScript = Join-Path $setupDir "Shopfloor\sync_intune.bat"
 if (Test-Path $syncScript) {
     Copy-Item -Path $syncScript -Destination "C:\Users\SupportUser\Desktop\sync_intune.bat" -Force
     Write-Host "sync_intune.bat copied to desktop."
 }
 
-# Set auto-logon to expire after 1 more login
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f | Out-Null
-Write-Host "Auto-logon set to 1 remaining login."
+# Set auto-logon to expire after 2 more logins
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null
+Write-Host "Auto-logon set to 2 remaining logins."
 
 Write-Host "Rebooting in 10 seconds..."
 shutdown /r /t 10
diff --git a/playbook/shopfloor-setup/Shopfloor/sync_intune.bat b/playbook/shopfloor-setup/Shopfloor/sync_intune.bat
index 96aec0e..66354d3 100644
--- a/playbook/shopfloor-setup/Shopfloor/sync_intune.bat
+++ b/playbook/shopfloor-setup/Shopfloor/sync_intune.bat
@@ -1,9 +1,10 @@
 @echo off
+setlocal enabledelayedexpansion
 title Intune Policy Sync
 
 :: Self-elevate to administrator
 net session >nul 2>&1
-if %errorlevel% neq 0 (
+if !errorlevel! neq 0 (
     powershell -Command "Start-Process '%~f0' -Verb RunAs"
     exit /b
 )
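Review bot: The `reg add` line's exit status is discarded together with its output by `| Out-Null`, so a failed write to the Winlogon key (for instance when the script is not running elevated) still prints `Auto-logon set to 2 remaining logins.` and proceeds to the reboot; add `if ($LASTEXITCODE -ne 0) { Write-Warning "AutoLogonCount was not set" }` directly after it. Every additional AutoLogonCount is one more unattended interactive logon on a shop-floor machine using the stored auto-logon credentials (not visible here), so the comment should record why 2 is now required instead of 1 — presumably to survive the extra reboot that sync_intune.bat now offers after lockdown, e.g. `# 2 logins: this reboot plus the one sync_intune.bat requests once lockdown completes` — please confirm the reason before wording it. The hunk header shows this block follows `if ($pcType -ne "Shopfloor") {`, whose start is outside the hunk.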
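Review bot: With `setlocal enabledelayedexpansion` now in force for the whole script, the `Start-Process '%~f0' -Verb RunAs` line below it is parsed with delayed expansion too, so a `!` anywhere in the script's own path would be consumed as an expansion marker and the elevated relaunch would target the wrong file. The fixed destination Run-ShopfloorSetup.ps1 copies it to (`C:\Users\SupportUser\Desktop\sync_intune.bat`) keeps this from biting today, but that dependency deserves a comment next to the setlocal: `:: NOTE: delayed expansion is on for the whole script; %~f0 must not contain '!' or the RunAs relaunch breaks`. The `!errorlevel!` swap on the `if` line is harmless but not needed — this `if` is not inside a parenthesized block, so `%errorlevel%` was already read after `net session` had finished.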
@@ -17,7 +18,7 @@ echo.
 :: Show Intune Device ID and QR code
 powershell -ExecutionPolicy Bypass -Command ^
     "$dsreg = dsregcmd /status 2>&1; "^
-    "$line = $dsreg | Select-String 'DeviceId'; "^
+    "$line = $dsreg | Select-String DeviceId; "^
     "if ($line) { "^
     " $deviceId = $line.ToString().Split(':')[1].Trim(); "^
     " Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^
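Review bot: `Select-String DeviceId` is still an unanchored regex substring match over every line of `dsregcmd /status`, so any second line containing that token would turn `$line` into an array, make `$line.ToString()` the joined text, and leave `.Split(':')[1]` on the wrong field; removing the quotes does not change that. Anchor the match and take a single hit: `"$line = $dsreg | Select-String '^\s*DeviceId\s*:' | Select-Object -First 1; "^`. I cannot tell from this diff whether the current dsregcmd output ever repeats the token, so treat this as hardening rather than a reproduced failure. The powershell command these continuation lines belong to closes outside the hunk.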
@@ -38,68 +39,92 @@ powershell -ExecutionPolicy Bypass -Command ^
     "}"
 
 echo.
+echo ========================================
+echo Monitoring lockdown progress...
+echo ========================================
+echo Step 1: SFLD device configuration
+echo Step 2: DSC installation
+echo Step 3: SFLD - Consume Credentials task
+echo ========================================
+echo.
 
-:: Check current state
+:: ---- STEP 1: Wait for SFLD registry key ----
+echo [Step 1/3] Waiting for SFLD device configuration...
+
+:poll_sfld
 reg query "HKLM\Software\GE\SFLD" >nul 2>&1
-if %errorlevel% equ 0 (
-    echo SFLD policies already applied.
-    echo.
-    echo Run sync anyway? (Y/N)
-    choice /c YN /n
-    if errorlevel 2 exit /b
-)
+if !errorlevel! equ 0 goto sfld_done
+call :do_sync
+echo Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_sfld
 
-:: Trigger sync via the MDM enrollment scheduled task
-echo Triggering Intune sync...
+:sfld_done
+echo [DONE] SFLD device configuration received.
+
+:: ---- STEP 2: Wait for DSC install completion ----
+echo.
+echo [Step 2/3] Waiting for DSC installation to complete...
+
+:poll_dsc
+set "dsc_ok=0"
+if exist "C:\LOGS\SFLD\DSCInstall.log" (
+    findstr /C:"Installation completed successfully" "C:\LOGS\SFLD\DSCInstall.log" >nul 2>&1
+    if !errorlevel! equ 0 set "dsc_ok=1"
+)
+if !dsc_ok! equ 1 goto dsc_done
+call :do_sync
+echo Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_dsc
+
+:dsc_done
+echo [DONE] DSC installation completed successfully.
+
+:: ---- STEP 3: Wait for Consume Credentials scheduled task ----
+echo.
+echo [Step 3/3] Waiting for SFLD - Consume Credentials task...
+
+:poll_task
+schtasks /query /tn "SFLD - Consume Credentials" >nul 2>&1
+if !errorlevel! equ 0 goto task_done
+call :do_sync
+echo Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_task
+
+:task_done
+echo [DONE] SFLD - Consume Credentials task found.
+
+:: ---- COMPLETE ----
+echo.
+echo ========================================
+echo Shopfloor Lockdown complete!
+echo ========================================
+echo.
+echo All 3 steps passed:
+echo 1. SFLD device configuration
+echo 2. DSC installation
+echo 3. Consume Credentials task
+echo.
+echo A reboot is required to finalize.
+echo.
+choice /c YN /m "Reboot now"
+if !errorlevel! equ 1 shutdown /r /t 5
+exit /b
+
+:: ---- Subroutine: trigger Intune sync ----
+:do_sync
 powershell -ExecutionPolicy Bypass -Command ^
     "$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
-    "$found = $false; "^
     "Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
-    " $id = $_.PSChildName; "^
     " $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
     " if ($provider -eq 'MS DM Server') { "^
-    " $found = $true; "^
-    " Write-Host \"Enrollment ID: $id\"; "^
+    " $id = $_.PSChildName; "^
     " $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
     " Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
     " Where-Object { $_.TaskName -match 'Schedule #3' } | "^
-    " ForEach-Object { "^
-    " Start-ScheduledTask -InputObject $_; "^
-    " Write-Host \"Sync triggered: $($_.TaskName)\"; "^
-    " }; "^
+    " ForEach-Object { Start-ScheduledTask -InputObject $_ }; "^
     " } "^
-    "}; "^
-    "if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }"
-
-echo.
-echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
-echo Press Ctrl+C to stop waiting.
-echo.
-
-:: Poll every 15 seconds for up to 10 minutes
-set /a attempts=0
-set /a max=40
-:poll
-reg query "HKLM\Software\GE\SFLD" >nul 2>&1
-if %errorlevel% equ 0 (
-    echo.
-    echo ========================================
-    echo SFLD group policies applied!
-    echo ========================================
-    echo.
-    pause
-    exit /b
-)
-set /a attempts+=1
-if %attempts% geq %max% (
-    echo.
-    echo Timed out after 10 minutes. SFLD policies not yet applied.
-    echo The device category may not be assigned yet in Intune.
-    echo Assign the category in the portal, then run this again.
-    echo.
-    pause
-    exit /b
-)
-echo [%attempts%/%max%] Waiting... checking again in 15s
-timeout /t 15 /nobreak >nul
-goto poll
+    "}" >nul 2>&1
+exit /b
diff --git a/playbook/shopfloor-setup/backup_lockdown.bat b/playbook/shopfloor-setup/backup_lockdown.bat
deleted file mode 100644
index 3d1781a..0000000
--- a/playbook/shopfloor-setup/backup_lockdown.bat
+++ /dev/null
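Review bot: The three polling loops (`:poll_sfld`, `:poll_dsc`, `:poll_task`) have no attempt limit, so the 10-minute timeout and the "assign the device category in the portal" guidance of the removed code are gone: a device whose category was never assigned, or that is not MDM-enrolled at all, now loops forever, and because `:do_sync` sends everything to `>nul 2>&1` (including what used to be the `ERROR: No Intune enrollment found.` message) the operator gets no hint why. Each iteration also re-fires the enrollment `Schedule #3` task every 15 s for as long as the wait lasts, where the previous version triggered it once. Restoring a bounded counter per step, shown below for step 1, keeps the script from spinning silently; the same counter/limit applies to the other two loops. Separately, step 2 passes on any file at `C:\LOGS\SFLD\DSCInstall.log` that contains the success string, so the ACL on `C:\LOGS\SFLD` must not let the interactive user write there — I cannot verify that from this diff. The top of the script (elevation and device-ID display) is above this hunk.
```batch
:: Bound each wait so an unassigned category or missing enrollment cannot spin forever
set /a attempts=0
set /a max=40

:poll_sfld
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if !errorlevel! equ 0 goto sfld_done
set /a attempts+=1
if !attempts! geq !max! (
    echo Timed out after 10 minutes waiting for SFLD device configuration.
    echo The device category may not be assigned yet in Intune; assign it, then run this again.
    pause
    exit /b 1
)
call :do_sync
echo [!attempts!/!max!] Checking again in 15s...
timeout /t 15 /nobreak >nul
goto poll_sfld
:: ... unchanged: :sfld_done, STEP 2 and STEP 3 loops (each gets the same counter and limit) ...
```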
@@ -1,54 +0,0 @@
-@echo off
-title Shopfloor Backup Lockdown
-
-:: Self-elevate to administrator
-net session >nul 2>&1
-if %errorlevel% neq 0 (
-    echo Requesting administrator privileges...
-    powershell -Command "Start-Process '%~f0' -Verb RunAs"
-    exit /b
-)
-
-echo.
-echo ========================================
-echo Shopfloor Backup Lockdown
-echo ========================================
-echo.
-
-:: Run SFLD autologon script first
-echo Running SFLD autologon script...
-"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Sysinternals\sfld_autologon.ps1"
-
-echo.
-echo Waiting 10 seconds...
-ping -n 11 127.0.0.1 >nul
-
-:: Discover the EnterpriseMgmt enrollment GUID
-for /f "delims=" %%G in ('powershell -NoProfile -Command "$t = Get-ScheduledTask | Where-Object { $_.TaskPath -match '\\Microsoft\\EnterpriseMgmt\\' -and $_.TaskName -match 'Schedule #1' }; if ($t) { $t.TaskPath -replace '.*EnterpriseMgmt\\([^\\]+)\\.*','$1' | Select-Object -First 1 } else { '' }"') do set GUID=%%G
-
-if not defined GUID (
-    echo ERROR: No EnterpriseMgmt enrollment GUID found.
-    echo The device may not be enrolled in MDM yet.
-    pause
-    exit /b 1
-)
-
-echo Enrollment GUID: %GUID%
-echo.
-
-echo Running EnterpriseMgmt Schedule #1...
-schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #1 created by enrollment client"
-echo Waiting 30 seconds...
-ping -n 31 127.0.0.1 >nul
-
-echo Running EnterpriseMgmt Schedule #2...
-schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #2 created by enrollment client"
-echo Waiting 90 seconds...
-ping -n 91 127.0.0.1 >nul
-
-echo Running EnterpriseMgmt Schedule #3...
-schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #3 created by enrollment client"
-
-echo.
-echo Lockdown complete.
-pause