diff --git a/playbook/shopfloor-setup/run-enrollment.ps1 b/playbook/shopfloor-setup/run-enrollment.ps1
index 428f488..b1495f8 100755
--- a/playbook/shopfloor-setup/run-enrollment.ps1
+++ b/playbook/shopfloor-setup/run-enrollment.ps1
@@ -60,12 +60,18 @@ $provtool = Join-Path $env:SystemRoot 'System32\provtool.exe'
 # then /source. No /log: or /ppkg: prefix - those are not valid provtool
 # flags and caused 0x80004005 E_FAIL in the first test.
 #
-# /source BPRT keeps us in the bulk-provisioning code path used by the
-# automatic OOBE PPKG runtime. PSCmdlet would give richer ETW/event-log
-# diagnostics, but may change which actions in the PPKG actually execute
-# (not verified against Microsoft docs). Stay on BPRT and enable logging
-# manually below.
-$provArgs = @("`"$($ppkgFile.FullName)`"", "/quiet", "/source", "BPRT")
+# /source PSCmdlet matches what Install-ProvisioningPackage invokes
+# internally and is the correct post-OOBE context. BPRT was tried first
+# and verified to stop after the first RestartRequired command (DotNet35):
+# only 3 of 21 commands ran (PPKG Version Check, Lock Screen, DotNet35),
+# leaving Office/Chrome/Tanium/Activate-Windows etc never executed
+# because BPRT expects the OOBE runtime to own the reboot-and-resume
+# loop, and there is no OOBE runtime here. PSCmdlet registers a
+# RunOnce-style resume handler so the remaining commands continue after
+# the reboot Run-ShopfloorSetup issues. Timeout concerns that previously
+# motivated BPRT don't apply here because we invoke provtool.exe
+# directly, not via the 180s-capped Install-ProvisioningPackage cmdlet.
+$provArgs = @("`"$($ppkgFile.FullName)`"", "/quiet", "/source", "PSCmdlet")
 
 # Enable the Provisioning-Diagnostics-Provider Admin channel so events
 # from the BPRT run land somewhere we can export afterward. This is