Intune sync: 3-step lockdown monitor, fix batch detection, remove backup_lockdown

sync_intune.bat now monitors three stages sequentially:
1. SFLD registry key (device configuration received)
2. DSCInstall.log success string (DSC installation complete)
3. SFLD - Consume Credentials scheduled task (lockdown complete)
Triggers Intune sync before each poll. Prompts reboot on completion.

Fixed batch delayed expansion bugs, removed nested if/goto blocks.
Removed backup_lockdown.bat and its desktop copy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Shopfloor/sync_intune.bat

@@ -1,9 +1,10 @@
 @echo off
+setlocal enabledelayedexpansion
 title Intune Policy Sync
 
 :: Self-elevate to administrator
 net session >nul 2>&1
-if %errorlevel% neq 0 (
+if !errorlevel! neq 0 (
     powershell -Command "Start-Process '%~f0' -Verb RunAs"
     exit /b
 )
@@ -17,7 +18,7 @@ echo.
 :: Show Intune Device ID and QR code
 powershell -ExecutionPolicy Bypass -Command ^
     "$dsreg = dsregcmd /status 2>&1; "^
-    "$line = $dsreg | Select-String 'DeviceId'; "^
+    "$line = $dsreg | Select-String DeviceId; "^
     "if ($line) { "^
     "    $deviceId = $line.ToString().Split(':')[1].Trim(); "^
     "    Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^
@@ -38,68 +39,92 @@ powershell -ExecutionPolicy Bypass -Command ^
     "}"
 
 echo.
+echo ========================================
+echo   Monitoring lockdown progress...
+echo ========================================
+echo   Step 1: SFLD device configuration
+echo   Step 2: DSC installation
+echo   Step 3: SFLD - Consume Credentials task
+echo ========================================
+echo.
 
-:: Check current state
+:: ---- STEP 1: Wait for SFLD registry key ----
+echo [Step 1/3] Waiting for SFLD device configuration...
+
+:poll_sfld
 reg query "HKLM\Software\GE\SFLD" >nul 2>&1
-if %errorlevel% equ 0 (
-    echo SFLD policies already applied.
-    echo.
-    echo Run sync anyway? (Y/N)
-    choice /c YN /n
-    if errorlevel 2 exit /b
-)
+if !errorlevel! equ 0 goto sfld_done
+call :do_sync
+echo   Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_sfld
 
-:: Trigger sync via the MDM enrollment scheduled task
-echo Triggering Intune sync...
+:sfld_done
+echo   [DONE] SFLD device configuration received.
+
+:: ---- STEP 2: Wait for DSC install completion ----
+echo.
+echo [Step 2/3] Waiting for DSC installation to complete...
+
+:poll_dsc
+set "dsc_ok=0"
+if exist "C:\LOGS\SFLD\DSCInstall.log" (
+    findstr /C:"Installation completed successfully" "C:\LOGS\SFLD\DSCInstall.log" >nul 2>&1
+    if !errorlevel! equ 0 set "dsc_ok=1"
+)
+if !dsc_ok! equ 1 goto dsc_done
+call :do_sync
+echo   Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_dsc
+
+:dsc_done
+echo   [DONE] DSC installation completed successfully.
+
+:: ---- STEP 3: Wait for Consume Credentials scheduled task ----
+echo.
+echo [Step 3/3] Waiting for SFLD - Consume Credentials task...
+
+:poll_task
+schtasks /query /tn "SFLD - Consume Credentials" >nul 2>&1
+if !errorlevel! equ 0 goto task_done
+call :do_sync
+echo   Checking again in 15s...
+timeout /t 15 /nobreak >nul
+goto poll_task
+
+:task_done
+echo   [DONE] SFLD - Consume Credentials task found.
+
+:: ---- COMPLETE ----
+echo.
+echo ========================================
+echo   Shopfloor Lockdown complete!
+echo ========================================
+echo.
+echo   All 3 steps passed:
+echo     1. SFLD device configuration
+echo     2. DSC installation
+echo     3. Consume Credentials task
+echo.
+echo   A reboot is required to finalize.
+echo.
+choice /c YN /m "Reboot now"
+if !errorlevel! equ 1 shutdown /r /t 5
+exit /b
+
+:: ---- Subroutine: trigger Intune sync ----
+:do_sync
 powershell -ExecutionPolicy Bypass -Command ^
     "$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
-    "$found = $false; "^
     "Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
-    "    $id = $_.PSChildName; "^
     "    $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
     "    if ($provider -eq 'MS DM Server') { "^
-    "        $found = $true; "^
-    "        Write-Host \"Enrollment ID: $id\"; "^
+    "        $id = $_.PSChildName; "^
     "        $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
     "        Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
     "            Where-Object { $_.TaskName -match 'Schedule #3' } | "^
-    "            ForEach-Object { "^
-    "                Start-ScheduledTask -InputObject $_; "^
-    "                Write-Host \"Sync triggered: $($_.TaskName)\"; "^
-    "            }; "^
+    "            ForEach-Object { Start-ScheduledTask -InputObject $_ }; "^
     "    } "^
-    "}; "^
-    "if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }"
-
-echo.
-echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
-echo Press Ctrl+C to stop waiting.
-echo.
-
-:: Poll every 15 seconds for up to 10 minutes
-set /a attempts=0
-set /a max=40
-:poll
-reg query "HKLM\Software\GE\SFLD" >nul 2>&1
-if %errorlevel% equ 0 (
-    echo.
-    echo ========================================
-    echo   SFLD group policies applied!
-    echo ========================================
-    echo.
-    pause
-    exit /b
-)
-set /a attempts+=1
-if %attempts% geq %max% (
-    echo.
-    echo Timed out after 10 minutes. SFLD policies not yet applied.
-    echo The device category may not be assigned yet in Intune.
-    echo Assign the category in the portal, then run this again.
-    echo.
-    pause
-    exit /b
-)
-echo   [%attempts%/%max%] Waiting... checking again in 15s
-timeout /t 15 /nobreak >nul
-goto poll
+    "}" >nul 2>&1
+exit /b