Intune sync: 3-step lockdown monitor, fix batch detection, remove backup_lockdown
sync_intune.bat now monitors three stages sequentially: 1. SFLD registry key (device configuration received) 2. DSCInstall.log success string (DSC installation complete) 3. SFLD - Consume Credentials scheduled task (lockdown complete) Triggers Intune sync before each poll. Prompts reboot on completion. Fixed batch delayed expansion bugs, removed nested if/goto blocks. Removed backup_lockdown.bat and its desktop copy. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -71,20 +71,15 @@ if ($pcType -ne "Shopfloor") {
|
||||
Write-Host "Shopfloor setup complete for $pcType."
|
||||
|
||||
# Copy utility scripts to SupportUser desktop
|
||||
$lockdownScript = Join-Path $setupDir "backup_lockdown.bat"
|
||||
if (Test-Path $lockdownScript) {
|
||||
Copy-Item -Path $lockdownScript -Destination "C:\Users\SupportUser\Desktop\backup_lockdown.bat" -Force
|
||||
Write-Host "backup_lockdown.bat copied to desktop."
|
||||
}
|
||||
$syncScript = Join-Path $setupDir "Shopfloor\sync_intune.bat"
|
||||
if (Test-Path $syncScript) {
|
||||
Copy-Item -Path $syncScript -Destination "C:\Users\SupportUser\Desktop\sync_intune.bat" -Force
|
||||
Write-Host "sync_intune.bat copied to desktop."
|
||||
}
|
||||
|
||||
# Set auto-logon to expire after 1 more login
|
||||
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f | Out-Null
|
||||
Write-Host "Auto-logon set to 1 remaining login."
|
||||
# Set auto-logon to expire after 2 more logins
|
||||
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 2 /f | Out-Null
|
||||
Write-Host "Auto-logon set to 2 remaining logins."
|
||||
|
||||
Write-Host "Rebooting in 10 seconds..."
|
||||
shutdown /r /t 10
|
||||
|
||||
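Review bot: The `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount ... | Out-Null` line discards the command's exit status, so the `Write-Host "Auto-logon set to ..."` that follows reports success even when the registry write failed (for example when the script is not running elevated), and the remaining-logon count would then be whatever it was before. Check the native exit code after the call: `if ($LASTEXITCODE -ne 0) { throw "Failed to set AutoLogonCount" }`. The `Copy-Item` of sync_intune.bat to the hard-coded `C:\Users\SupportUser\Desktop` path likewise does not stop the script on failure; adding `-ErrorAction Stop` makes a missing profile directory a hard error rather than a warning that scrolls past before the 10-second reboot. The hunk header shows the surrounding `if ($pcType -ne "Shopfloor")` block begins before this hunk, so the enclosing control flow is not visible here.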
@@ -1,9 +1,10 @@
|
||||
@echo off
|
||||
setlocal enabledelayedexpansion
|
||||
title Intune Policy Sync
|
||||
|
||||
:: Self-elevate to administrator
|
||||
net session >nul 2>&1
|
||||
if %errorlevel% neq 0 (
|
||||
if !errorlevel! neq 0 (
|
||||
powershell -Command "Start-Process '%~f0' -Verb RunAs"
|
||||
exit /b
|
||||
)
|
||||
@@ -17,7 +18,7 @@ echo.
|
||||
:: Show Intune Device ID and QR code
|
||||
powershell -ExecutionPolicy Bypass -Command ^
|
||||
"$dsreg = dsregcmd /status 2>&1; "^
|
||||
"$line = $dsreg | Select-String 'DeviceId'; "^
|
||||
"$line = $dsreg | Select-String DeviceId; "^
|
||||
"if ($line) { "^
|
||||
" $deviceId = $line.ToString().Split(':')[1].Trim(); "^
|
||||
" Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^
|
||||
@@ -38,68 +39,92 @@ powershell -ExecutionPolicy Bypass -Command ^
|
||||
"}"
|
||||
|
||||
echo.
|
||||
|
||||
:: Check current state
|
||||
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
|
||||
if %errorlevel% equ 0 (
|
||||
echo SFLD policies already applied.
|
||||
echo ========================================
|
||||
echo Monitoring lockdown progress...
|
||||
echo ========================================
|
||||
echo Step 1: SFLD device configuration
|
||||
echo Step 2: DSC installation
|
||||
echo Step 3: SFLD - Consume Credentials task
|
||||
echo ========================================
|
||||
echo.
|
||||
echo Run sync anyway? (Y/N)
|
||||
choice /c YN /n
|
||||
if errorlevel 2 exit /b
|
||||
)
|
||||
|
||||
:: Trigger sync via the MDM enrollment scheduled task
|
||||
echo Triggering Intune sync...
|
||||
:: ---- STEP 1: Wait for SFLD registry key ----
|
||||
echo [Step 1/3] Waiting for SFLD device configuration...
|
||||
|
||||
:poll_sfld
|
||||
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
|
||||
if !errorlevel! equ 0 goto sfld_done
|
||||
call :do_sync
|
||||
echo Checking again in 15s...
|
||||
timeout /t 15 /nobreak >nul
|
||||
goto poll_sfld
|
||||
|
||||
:sfld_done
|
||||
echo [DONE] SFLD device configuration received.
|
||||
|
||||
:: ---- STEP 2: Wait for DSC install completion ----
|
||||
echo.
|
||||
echo [Step 2/3] Waiting for DSC installation to complete...
|
||||
|
||||
:poll_dsc
|
||||
set "dsc_ok=0"
|
||||
if exist "C:\LOGS\SFLD\DSCInstall.log" (
|
||||
findstr /C:"Installation completed successfully" "C:\LOGS\SFLD\DSCInstall.log" >nul 2>&1
|
||||
if !errorlevel! equ 0 set "dsc_ok=1"
|
||||
)
|
||||
if !dsc_ok! equ 1 goto dsc_done
|
||||
call :do_sync
|
||||
echo Checking again in 15s...
|
||||
timeout /t 15 /nobreak >nul
|
||||
goto poll_dsc
|
||||
|
||||
:dsc_done
|
||||
echo [DONE] DSC installation completed successfully.
|
||||
|
||||
:: ---- STEP 3: Wait for Consume Credentials scheduled task ----
|
||||
echo.
|
||||
echo [Step 3/3] Waiting for SFLD - Consume Credentials task...
|
||||
|
||||
:poll_task
|
||||
schtasks /query /tn "SFLD - Consume Credentials" >nul 2>&1
|
||||
if !errorlevel! equ 0 goto task_done
|
||||
call :do_sync
|
||||
echo Checking again in 15s...
|
||||
timeout /t 15 /nobreak >nul
|
||||
goto poll_task
|
||||
|
||||
:task_done
|
||||
echo [DONE] SFLD - Consume Credentials task found.
|
||||
|
||||
:: ---- COMPLETE ----
|
||||
echo.
|
||||
echo ========================================
|
||||
echo Shopfloor Lockdown complete!
|
||||
echo ========================================
|
||||
echo.
|
||||
echo All 3 steps passed:
|
||||
echo 1. SFLD device configuration
|
||||
echo 2. DSC installation
|
||||
echo 3. Consume Credentials task
|
||||
echo.
|
||||
echo A reboot is required to finalize.
|
||||
echo.
|
||||
choice /c YN /m "Reboot now"
|
||||
if !errorlevel! equ 1 shutdown /r /t 5
|
||||
exit /b
|
||||
|
||||
:: ---- Subroutine: trigger Intune sync ----
|
||||
:do_sync
|
||||
powershell -ExecutionPolicy Bypass -Command ^
|
||||
"$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
|
||||
"$found = $false; "^
|
||||
"Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
|
||||
" $id = $_.PSChildName; "^
|
||||
" $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
|
||||
" if ($provider -eq 'MS DM Server') { "^
|
||||
" $found = $true; "^
|
||||
" Write-Host \"Enrollment ID: $id\"; "^
|
||||
" $id = $_.PSChildName; "^
|
||||
" $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
|
||||
" Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
|
||||
" Where-Object { $_.TaskName -match 'Schedule #3' } | "^
|
||||
" ForEach-Object { "^
|
||||
" Start-ScheduledTask -InputObject $_; "^
|
||||
" Write-Host \"Sync triggered: $($_.TaskName)\"; "^
|
||||
" }; "^
|
||||
" ForEach-Object { Start-ScheduledTask -InputObject $_ }; "^
|
||||
" } "^
|
||||
"}; "^
|
||||
"if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }"
|
||||
|
||||
echo.
|
||||
echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
|
||||
echo Press Ctrl+C to stop waiting.
|
||||
echo.
|
||||
|
||||
:: Poll every 15 seconds for up to 10 minutes
|
||||
set /a attempts=0
|
||||
set /a max=40
|
||||
:poll
|
||||
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
|
||||
if %errorlevel% equ 0 (
|
||||
echo.
|
||||
echo ========================================
|
||||
echo SFLD group policies applied!
|
||||
echo ========================================
|
||||
echo.
|
||||
pause
|
||||
"}" >nul 2>&1
|
||||
exit /b
|
||||
)
|
||||
set /a attempts+=1
|
||||
if %attempts% geq %max% (
|
||||
echo.
|
||||
echo Timed out after 10 minutes. SFLD policies not yet applied.
|
||||
echo The device category may not be assigned yet in Intune.
|
||||
echo Assign the category in the portal, then run this again.
|
||||
echo.
|
||||
pause
|
||||
exit /b
|
||||
)
|
||||
echo [%attempts%/%max%] Waiting... checking again in 15s
|
||||
timeout /t 15 /nobreak >nul
|
||||
goto poll
|
||||
|
||||
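Review bot: The three new polling loops (`:poll_sfld`, `:poll_dsc`, `:poll_task`) have no upper bound, and every iteration runs `call :do_sync` before the 15-second `timeout`, so a device whose SFLD policy never arrives (the "device category may not be assigned yet" case the removed text explained) will start the Intune `Schedule #3` scheduled task every 15 seconds indefinitely, whereas the removed `:poll` loop capped this at `max=40` attempts. Reintroduce a per-step counter, e.g. `set /a attempts+=1` followed by `if !attempts! geq !max! goto timed_out`, and keep the operator guidance from the old timeout branch at that label. Step 3 also only proves the task is registered: `schtasks /query /tn "SFLD - Consume Credentials"` returns 0 as soon as the task exists, not when it has run, so the final "All 3 steps passed / Shopfloor Lockdown complete!" banner can appear before credentials are actually consumed; querying with `/fo LIST /v` and checking the `Last Result` field (or an artifact the task writes) would be a stronger completion signal. Whether `:do_sync` is followed by an explicit `exit /b` lies outside this hunk; if it is not, the subroutine returns only because `call` hits end-of-file, which is worth an explicit `exit /b` or a comment stating the intent.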
@@ -1,54 +0,0 @@
|
||||
@echo off
|
||||
title Shopfloor Backup Lockdown
|
||||
|
||||
:: Self-elevate to administrator
|
||||
net session >nul 2>&1
|
||||
if %errorlevel% neq 0 (
|
||||
echo Requesting administrator privileges...
|
||||
powershell -Command "Start-Process '%~f0' -Verb RunAs"
|
||||
exit /b
|
||||
)
|
||||
|
||||
echo.
|
||||
echo ========================================
|
||||
echo Shopfloor Backup Lockdown
|
||||
echo ========================================
|
||||
echo.
|
||||
|
||||
:: Run SFLD autologon script first
|
||||
echo Running SFLD autologon script...
|
||||
"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Sysinternals\sfld_autologon.ps1"
|
||||
|
||||
echo.
|
||||
echo Waiting 10 seconds...
|
||||
ping -n 11 127.0.0.1 >nul
|
||||
|
||||
:: Discover the EnterpriseMgmt enrollment GUID
|
||||
for /f "delims=" %%G in ('powershell -NoProfile -Command "$t = Get-ScheduledTask | Where-Object { $_.TaskPath -match '\\Microsoft\\EnterpriseMgmt\\' -and $_.TaskName -match 'Schedule #1' }; if ($t) { $t.TaskPath -replace '.*EnterpriseMgmt\\([^\\]+)\\.*','$1' | Select-Object -First 1 } else { '' }"') do set GUID=%%G
|
||||
|
||||
if not defined GUID (
|
||||
echo ERROR: No EnterpriseMgmt enrollment GUID found.
|
||||
echo The device may not be enrolled in MDM yet.
|
||||
pause
|
||||
exit /b 1
|
||||
)
|
||||
|
||||
echo Enrollment GUID: %GUID%
|
||||
echo.
|
||||
|
||||
echo Running EnterpriseMgmt Schedule #1...
|
||||
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #1 created by enrollment client"
|
||||
echo Waiting 30 seconds...
|
||||
ping -n 31 127.0.0.1 >nul
|
||||
|
||||
echo Running EnterpriseMgmt Schedule #2...
|
||||
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #2 created by enrollment client"
|
||||
echo Waiting 90 seconds...
|
||||
ping -n 91 127.0.0.1 >nul
|
||||
|
||||
echo Running EnterpriseMgmt Schedule #3...
|
||||
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #3 created by enrollment client"
|
||||
|
||||
echo.
|
||||
echo Lockdown complete.
|
||||
pause
|
||||