Intune sync: 3-step lockdown monitor, fix batch detection, remove backup_lockdown

sync_intune.bat now monitors three stages sequentially:
1. SFLD registry key (device configuration received)
2. DSCInstall.log success string (DSC installation complete)
3. SFLD - Consume Credentials scheduled task (lockdown complete)
Triggers Intune sync before each poll. Prompts reboot on completion.

Fixed batch delayed expansion bugs, removed nested if/goto blocks.
Removed backup_lockdown.bat and its desktop copy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cproudlock
2026-03-31 10:52:31 -04:00
parent e3f2bbc6a5
commit 05fa74574a
3 changed files with 83 additions and 117 deletions


@@ -71,20 +71,15 @@ if ($pcType -ne "Shopfloor") {
Write-Host "Shopfloor setup complete for $pcType." Write-Host "Shopfloor setup complete for $pcType."
# Copy utility scripts to SupportUser desktop # Copy utility scripts to SupportUser desktop
$lockdownScript = Join-Path $setupDir "backup_lockdown.bat"
if (Test-Path $lockdownScript) {
Copy-Item -Path $lockdownScript -Destination "C:\Users\SupportUser\Desktop\backup_lockdown.bat" -Force
Write-Host "backup_lockdown.bat copied to desktop."
}
$syncScript = Join-Path $setupDir "Shopfloor\sync_intune.bat" $syncScript = Join-Path $setupDir "Shopfloor\sync_intune.bat"
if (Test-Path $syncScript) { if (Test-Path $syncScript) {
Copy-Item -Path $syncScript -Destination "C:\Users\SupportUser\Desktop\sync_intune.bat" -Force Copy-Item -Path $syncScript -Destination "C:\Users\SupportUser\Desktop\sync_intune.bat" -Force
Write-Host "sync_intune.bat copied to desktop." Write-Host "sync_intune.bat copied to desktop."
} }
# Set auto-logon to expire after 1 more login # Set auto-logon to expire after 2 more logins
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f | Out-Null reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null
Write-Host "Auto-logon set to 1 remaining login." Write-Host "Auto-logon set to 2 remaining logins."
Write-Host "Rebooting in 10 seconds..." Write-Host "Rebooting in 10 seconds..."
shutdown /r /t 10 shutdown /r /t 10
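Review bot: The AutoLogonCount change from 1 to 2 on the `reg add` line is not explained anywhere in the hunk, and every extra unattended auto-logon is another boot where the device sits logged in as SupportUser before lockdown completes, so the reason deserves a comment next to the value. Presumably the second login is consumed by the reboot that sync_intune.bat now prompts for, but that is an inference from the commit message rather than from this file. I would replace the existing comment with `# Set auto-logon to expire after 2 more logins: one to run sync_intune.bat, one for the reboot it prompts (confirm)`. The enclosing block (`if ($pcType -ne "Shopfloor") {` per the hunk header) starts outside the hunk.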


@@ -1,9 +1,10 @@
@echo off @echo off
setlocal enabledelayedexpansion
title Intune Policy Sync title Intune Policy Sync
:: Self-elevate to administrator :: Self-elevate to administrator
net session >nul 2>&1 net session >nul 2>&1
if %errorlevel% neq 0 ( if !errorlevel! neq 0 (
powershell -Command "Start-Process '%~f0' -Verb RunAs" powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b exit /b
) )
@@ -17,7 +18,7 @@ echo.
:: Show Intune Device ID and QR code :: Show Intune Device ID and QR code
powershell -ExecutionPolicy Bypass -Command ^ powershell -ExecutionPolicy Bypass -Command ^
"$dsreg = dsregcmd /status 2>&1; "^ "$dsreg = dsregcmd /status 2>&1; "^
"$line = $dsreg | Select-String 'DeviceId'; "^ "$line = $dsreg | Select-String DeviceId; "^
"if ($line) { "^ "if ($line) { "^
" $deviceId = $line.ToString().Split(':')[1].Trim(); "^ " $deviceId = $line.ToString().Split(':')[1].Trim(); "^
" Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^ " Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^
@@ -38,68 +39,92 @@ powershell -ExecutionPolicy Bypass -Command ^
"}" "}"
echo. echo.
echo ========================================
echo Monitoring lockdown progress...
echo ========================================
echo Step 1: SFLD device configuration
echo Step 2: DSC installation
echo Step 3: SFLD - Consume Credentials task
echo ========================================
echo.
:: Check current state :: ---- STEP 1: Wait for SFLD registry key ----
echo [Step 1/3] Waiting for SFLD device configuration...
:poll_sfld
reg query "HKLM\Software\GE\SFLD" >nul 2>&1 reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 ( if !errorlevel! equ 0 goto sfld_done
echo SFLD policies already applied. call :do_sync
echo. echo Checking again in 15s...
echo Run sync anyway? (Y/N) timeout /t 15 /nobreak >nul
choice /c YN /n goto poll_sfld
if errorlevel 2 exit /b
)
:: Trigger sync via the MDM enrollment scheduled task :sfld_done
echo Triggering Intune sync... echo [DONE] SFLD device configuration received.
:: ---- STEP 2: Wait for DSC install completion ----
echo.
echo [Step 2/3] Waiting for DSC installation to complete...
:poll_dsc
set "dsc_ok=0"
if exist "C:\LOGS\SFLD\DSCInstall.log" (
findstr /C:"Installation completed successfully" "C:\LOGS\SFLD\DSCInstall.log" >nul 2>&1
if !errorlevel! equ 0 set "dsc_ok=1"
)
if !dsc_ok! equ 1 goto dsc_done
call :do_sync
echo Checking again in 15s...
timeout /t 15 /nobreak >nul
goto poll_dsc
:dsc_done
echo [DONE] DSC installation completed successfully.
:: ---- STEP 3: Wait for Consume Credentials scheduled task ----
echo.
echo [Step 3/3] Waiting for SFLD - Consume Credentials task...
:poll_task
schtasks /query /tn "SFLD - Consume Credentials" >nul 2>&1
if !errorlevel! equ 0 goto task_done
call :do_sync
echo Checking again in 15s...
timeout /t 15 /nobreak >nul
goto poll_task
:task_done
echo [DONE] SFLD - Consume Credentials task found.
:: ---- COMPLETE ----
echo.
echo ========================================
echo Shopfloor Lockdown complete!
echo ========================================
echo.
echo All 3 steps passed:
echo 1. SFLD device configuration
echo 2. DSC installation
echo 3. Consume Credentials task
echo.
echo A reboot is required to finalize.
echo.
choice /c YN /m "Reboot now"
if !errorlevel! equ 1 shutdown /r /t 5
exit /b
:: ---- Subroutine: trigger Intune sync ----
:do_sync
powershell -ExecutionPolicy Bypass -Command ^ powershell -ExecutionPolicy Bypass -Command ^
"$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^ "$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
"$found = $false; "^
"Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^ "Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
" $id = $_.PSChildName; "^
" $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^ " $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
" if ($provider -eq 'MS DM Server') { "^ " if ($provider -eq 'MS DM Server') { "^
" $found = $true; "^ " $id = $_.PSChildName; "^
" Write-Host \"Enrollment ID: $id\"; "^
" $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^ " $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
" Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^ " Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
" Where-Object { $_.TaskName -match 'Schedule #3' } | "^ " Where-Object { $_.TaskName -match 'Schedule #3' } | "^
" ForEach-Object { "^ " ForEach-Object { Start-ScheduledTask -InputObject $_ }; "^
" Start-ScheduledTask -InputObject $_; "^
" Write-Host \"Sync triggered: $($_.TaskName)\"; "^
" }; "^
" } "^ " } "^
"}; "^ "}" >nul 2>&1
"if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }" exit /b
echo.
echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
echo Press Ctrl+C to stop waiting.
echo.
:: Poll every 15 seconds for up to 10 minutes
set /a attempts=0
set /a max=40
:poll
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 (
echo.
echo ========================================
echo SFLD group policies applied!
echo ========================================
echo.
pause
exit /b
)
set /a attempts+=1
if %attempts% geq %max% (
echo.
echo Timed out after 10 minutes. SFLD policies not yet applied.
echo The device category may not be assigned yet in Intune.
echo Assign the category in the portal, then run this again.
echo.
pause
exit /b
)
echo [%attempts%/%max%] Waiting... checking again in 15s
timeout /t 15 /nobreak >nul
goto poll
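Review bot: The three poll loops (`:poll_sfld`, `:poll_dsc`, `:poll_task`) have no attempt cap, and `:do_sync` now redirects all PowerShell output with `>nul 2>&1` and drops the `$found` check, so a device with no 'MS DM Server' enrollment or an unassigned category spins forever with no diagnostic; the removed code bounded this at 40 attempts and told the operator what to check. Restore a per-step counter and a timed-out exit, and keep the "Ctrl+C to stop" hint from the old version; the same pattern applies to the Step 2 and Step 3 loops. I would also keep a visible error in `:do_sync` when no enrollment is found rather than silencing everything, e.g. drop the `2>&1` and print `Write-Host 'ERROR: No Intune enrollment found.'` to stderr when nothing matched.
```batch
:: Poll every 15 seconds for up to 10 minutes per step (40 attempts)
set /a attempts=0
set /a max=40
:poll_sfld
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if !errorlevel! equ 0 goto sfld_done
set /a attempts+=1
if !attempts! geq !max! goto timed_out
call :do_sync
echo [!attempts!/!max!] Checking again in 15s... (Ctrl+C to stop)
timeout /t 15 /nobreak >nul
goto poll_sfld
:: … unchanged: sfld_done, Step 2 and Step 3 loops (same counter, reset attempts per step), completion prompt …
:timed_out
echo.
echo Timed out after 10 minutes on the current step.
echo Check the device category / enrollment in Intune, then run this again.
pause
exit /b 1
:: … unchanged: do_sync subroutine …
```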


@@ -1,54 +0,0 @@
@echo off
title Shopfloor Backup Lockdown
:: Self-elevate to administrator
net session >nul 2>&1
if %errorlevel% neq 0 (
echo Requesting administrator privileges...
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)
echo.
echo ========================================
echo Shopfloor Backup Lockdown
echo ========================================
echo.
:: Run SFLD autologon script first
echo Running SFLD autologon script...
"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Sysinternals\sfld_autologon.ps1"
echo.
echo Waiting 10 seconds...
ping -n 11 127.0.0.1 >nul
:: Discover the EnterpriseMgmt enrollment GUID
for /f "delims=" %%G in ('powershell -NoProfile -Command "$t = Get-ScheduledTask | Where-Object { $_.TaskPath -match '\\Microsoft\\EnterpriseMgmt\\' -and $_.TaskName -match 'Schedule #1' }; if ($t) { $t.TaskPath -replace '.*EnterpriseMgmt\\([^\\]+)\\.*','$1' | Select-Object -First 1 } else { '' }"') do set GUID=%%G
if not defined GUID (
echo ERROR: No EnterpriseMgmt enrollment GUID found.
echo The device may not be enrolled in MDM yet.
pause
exit /b 1
)
echo Enrollment GUID: %GUID%
echo.
echo Running EnterpriseMgmt Schedule #1...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #1 created by enrollment client"
echo Waiting 30 seconds...
ping -n 31 127.0.0.1 >nul
echo Running EnterpriseMgmt Schedule #2...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #2 created by enrollment client"
echo Waiting 90 seconds...
ping -n 91 127.0.0.1 >nul
echo Running EnterpriseMgmt Schedule #3...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #3 created by enrollment client"
echo.
echo Lockdown complete.
pause