Fix ShopFloor autologon persistence, S: drive mapping, sync throttle

AutoLogonCount depletion:
  Run-ShopfloorSetup set AutoLogonCount=4 for SupportUser. Windows
  decrements per-logon; at 0 it clears AutoAdminLogon + DefaultPassword,
  nuking the lockdown-configured ShopFloor autologon. Fix: delete
  AutoLogonCount in Invoke-SetupComplete before the lockdown reboot.
  ShopFloor's Autologon.exe-set config persists indefinitely.

Sync_intune window on ShopFloor:
  The marker-check path used 'exit 0' but the task runs with -NoExit,
  leaving a dangling PowerShell window on every ShopFloor logon. Fix:
  [Environment]::Exit(0) kills the host outright, defeating -NoExit.

S: drive mapping:
  Vendor ConsumeCredentials.ps1 calls New-StoredCredential -Persist
  LocalMachine (needs admin) before net use. ShopFloor is non-admin so
  cred-store fails silently and net use has no auth. Fix: new
  Map-SfldShare.ps1 reads HKLM creds and passes them inline to
  net use /user: -- no Credential Manager needed, works as Limited.
  Register-MapSfldShare updated to stage + reference our script.

Wired NIC re-enable:
  SYSTEM task polls for SFLD creds (Phase 5), re-enables wired NICs,
  self-deletes. Replaces the broken Enable-NetAdapter in Monitor
  (Limited principal can't enable NICs). No-WiFi devices unaffected
  (migrate-to-wifi never disables, re-enable is a no-op).

Sync throttle:
  15 min retrigger when only waiting for lockdown (was 5 min for all
  phases). Avoids interrupting the Intune Remediation script.

Defect Tracker path:
  All references corrected to C:\Program Files (x86)\WJF_Defect_Tracker.

QR code retry:
  Build-QRCodeText retried every poll cycle until DeviceId appears
  (was single-shot that could miss the dsregcmd timing window).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Shopfloor/Register-MapSfldShare.ps1

@@ -1,28 +1,19 @@
-# Register-MapSfldShare.ps1 - Register a parallel logon task that runs
-# the SFLD vendor's ConsumeCredentials.ps1 for ANY user in BUILTIN\Users.
+# Register-MapSfldShare.ps1 - Stage Map-SfldShare.ps1 + register a logon
+# task that maps S: for any user in BUILTIN\Users (SupportUser, ShopFloor,
+# any future end-user accounts).
 #
-# Why: the vendor's own 'SFLD - Consume Credentials' scheduled task is
-# registered with a principal that excludes ShopFloor (admin/specific-
-# user only), so when ShopFloor logs in, ConsumeCredentials never fires
-# for that session and S: drive is never mapped (drive mappings are
-# per-user-session, so SupportUser's mapping doesn't carry over).
-#
-# We don't reimplement the mapping logic - the vendor script at
-# C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 already
-# reads HKLM creds and runs net use when DriveLetter/ShareName are
-# populated. We just register a second task with a wider principal
-# (BUILTIN\Users + Limited) so the vendor script ALSO fires for the
-# end-user logon.
-#
-# Trade-off: the vendor script's New-StoredCredential -Persist LocalMachine
-# step requires admin to write Cred Manager. ShopFloor (Limited) will see
-# that part throw, but the script catches per-cred and the net use step
-# still runs and lands the drive in ShopFloor's session.
+# Why not the vendor's ConsumeCredentials.ps1: it calls
+# New-StoredCredential -Persist LocalMachine (needs admin) before net use.
+# ShopFloor is non-admin, so the cred-store fails and net use has no auth.
+# Our Map-SfldShare.ps1 reads HKLM creds directly and passes them inline
+# to net use /user: -- no Credential Manager needed, works as Limited.
 
 $ErrorActionPreference = 'Continue'
 
-$logDir  = 'C:\Logs\SFLD'
-$logFile = Join-Path $logDir 'register-mapshare.log'
+$installRoot = 'C:\Program Files\GE\SfldShare'
+$mapScript   = Join-Path $installRoot 'Map-SfldShare.ps1'
+$logDir      = 'C:\Logs\SFLD'
+$logFile     = Join-Path $logDir 'register-mapshare.log'
 if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
 
 function Write-RegLog {
@@ -34,12 +25,23 @@ function Write-RegLog {
 
 Write-RegLog '=== Register-MapSfldShare start ==='
 
-$vendorScript = 'C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1'
+# Stage our Map-SfldShare.ps1 to a persistent location
+if (-not (Test-Path $installRoot)) {
+    New-Item -Path $installRoot -ItemType Directory -Force | Out-Null
+}
+$src = Join-Path $PSScriptRoot 'lib\Map-SfldShare.ps1'
+if (Test-Path $src) {
+    Copy-Item -Path $src -Destination $mapScript -Force
+    Write-RegLog "Staged $src -> $mapScript"
+} else {
+    Write-RegLog "Map-SfldShare.ps1 not found at $src - cannot register"
+    exit 1
+}
 
 try {
     $action = New-ScheduledTaskAction `
         -Execute 'powershell.exe' `
-        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$vendorScript`""
+        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$mapScript`""
 
     $trigger = New-ScheduledTaskTrigger -AtLogOn
 
@@ -63,7 +65,7 @@ try {
         -Principal $principal `
         -Settings  $settings `
         -Force `
-        -Description 'Run vendor ConsumeCredentials.ps1 on any user logon (parallel to the principal-restricted SFLD-owned task) so ShopFloor and other end-user accounts get S: mapped' `
+        -Description 'Map SFLD share drives on any user logon using HKLM creds (parallel to the principal-restricted vendor task) so ShopFloor and other end-user accounts get S: mapped' `
         -ErrorAction Stop | Out-Null
 
     Write-RegLog 'Scheduled task registered'