diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
index 470e50d..6d7409e 100644
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -560,11 +560,16 @@ function Invoke-SetupComplete {
 Write-Host "The post-reboot DSC install phase is finished. The device is ready."
 if ($AsTask) {
- # Task mode: unregister our own scheduled task
- Write-Host "Unregistering sync task..." -ForegroundColor Cyan
+ # Write completion marker so future logon-triggered runs exit
+ # immediately. We can't Unregister-ScheduledTask because the task
+ # runs as BUILTIN\Users (Limited) which lacks permission to delete
+ # tasks. The marker file makes the task a harmless no-op.
 try {
- Unregister-ScheduledTask -TaskName 'Shopfloor Intune Sync' -Confirm:$false -ErrorAction SilentlyContinue
- } catch {}
+ Set-Content -LiteralPath $syncCompleteMarker -Value (Get-Date -Format 'o') -Force
+ Write-Host "Sync complete marker written." -ForegroundColor Green
+ } catch {
+ Write-Warning "Failed to write completion marker: $_"
+ }
 # Machine number prompt only (startup items are auto-applied by
 # 06-OrganizeDesktop from the PC profile). Tech can re-open
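Review bot: The new `Set-Content` call only succeeds if `BUILTIN\Users` can write to the marker's directory, and the `catch` reduces a failure to a `Write-Warning` that a logon-triggered task is unlikely to surface to anyone. If the write is denied or the directory is missing, the task keeps running its full flow at every logon with no durable record of why. I would state the requirement in the comment, e.g. `# Requires the marker directory to be writable by BUILTIN\Users; a failed write leaves the task active at every logon.`, and log the failure where an administrator will see it. `$syncCompleteMarker` is assigned at script scope in the second hunk, so this presumably relies on Invoke-SetupComplete being called only after that assignment has run; the function starts and ends outside this hunk.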
@@ -636,6 +641,17 @@ function Invoke-RebootPrompt {
 # Terminal - neither reliably honors programmatic window resize, so we
 # solve it by controlling cursor position instead.
 # ============================================================================
+$syncCompleteMarker = 'C:\Enrollment\sync-complete.txt'
+
+# If running as a scheduled task and sync already completed on a prior run,
+# exit immediately. The task stays registered (BUILTIN\Users can't delete
+# tasks) but does nothing -- fires at logon, sees marker, exits in <1s.
+if ($AsTask -and (Test-Path -LiteralPath $syncCompleteMarker)) {
+ Write-Host "Sync already complete (marker exists). Exiting."
+ try { Stop-Transcript | Out-Null } catch {}
+ exit 0
+}
+
 try {
 $qrText = Build-QRCodeText
 $qrRefreshed = [bool]($qrText -notmatch 'not yet Azure AD joined')
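Review bot: The early-exit check trusts the mere existence of `C:\Enrollment\sync-complete.txt`, a path that by the commit's own reasoning has to be writable by limited users. Any standard account or low-privilege process on the device can therefore create or remove the file, so its presence says nothing reliable about whether the sync actually finished. If the sync state matters for compliance, consider having an elevated step own the final state (for example, disabling or unregistering the task from a context that is allowed to) and treat the marker as a hint only. At minimum the comment should record the trust boundary: `# NOTE: marker is user-writable; its presence is not proof that sync completed.` Because the task now stays registered permanently, the script it launches should live where limited users cannot modify it; that is not visible in this hunk.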