diff --git a/playbook/FlatUnattendW10-shopfloor.xml b/playbook/FlatUnattendW10-shopfloor.xml
index a810fc5..c0c02aa 100644
--- a/playbook/FlatUnattendW10-shopfloor.xml
+++ b/playbook/FlatUnattendW10-shopfloor.xml
@@ -161,26 +161,31 @@
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
 					<Order>5</Order>
+					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\Verify-And-Heal-Staging.ps1"</CommandLine>
+					<Description>Verify every imaging payload arrived and re-pull anything missing from the PXE share (incl the CMM bundle + selected-bay backup) while still on the imaging LAN, BEFORE wait-for-internet switches the bay to the production network. Log at C:\Logs\Fetch\.</Description>
+				</SynchronousCommand>
+				<SynchronousCommand wcm:action="add">
+					<Order>6</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\wait-for-internet.ps1"</CommandLine>
 					<Description>Prompt to connect production network then wait for TCP 443 connectivity</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>6</Order>
+					<Order>7</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\migrate-to-wifi.ps1"</CommandLine>
 					<Description>Migrate from wired to WiFi if WiFi adapter present, else stay on wired</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>7</Order>
+					<Order>8</Order>
 					<CommandLine>msiexec.exe /i "C:\PreInstall\installers\powershell7\PowerShell-7.5.4-win-x64.msi" /qn /norestart ADD_PATH=1 USE_MU=0 ENABLE_MU=0 DISABLE_TELEMETRY=1</CommandLine>
 					<Description>Install PowerShell 7 BEFORE PPKG so Intune SetupCredentials Win32App finds pwsh.exe (race fix)</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>8</Order>
+					<Order>9</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\run-enrollment.ps1"</CommandLine>
 					<Description>Run GCCH Enrollment</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>9</Order>
+					<Order>10</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\Run-ShopfloorSetup.ps1"</CommandLine>
 					<Description>Run shopfloor PC type setup</Description>
 				</SynchronousCommand>
diff --git a/playbook/shopfloor-setup/Fetch-StagingPayload.ps1 b/playbook/shopfloor-setup/Fetch-StagingPayload.ps1
index 8340a96..4bc00d4 100644
--- a/playbook/shopfloor-setup/Fetch-StagingPayload.ps1
+++ b/playbook/shopfloor-setup/Fetch-StagingPayload.ps1
@@ -142,6 +142,11 @@ $SFD = 'C:\Enrollment\shopfloor-setup'
 $PIN = 'C:\PreInstall'
 
 Fetch-Item -Label 'Run-ShopfloorSetup.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Run-ShopfloorSetup.ps1')
+# Verify-And-Heal-Staging runs as its own unattend step (right after this Fetch,
+# before the production-network switch) to re-pull anything that did not arrive -
+# including the heavy CMM payload Fetch does not carry. Pull the small script
+# itself here so it is on disk for that step.
+Fetch-Item -Label 'Verify-And-Heal-Staging.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Verify-And-Heal-Staging.ps1')
 Fetch-Item -Label 'backup_lockdown.bat'    -SrcDir 'shopfloor-setup' -DstDir $SFD -Files @('backup_lockdown.bat')
 Fetch-Item -Label 'Shopfloor baseline'     -SrcDir 'shopfloor-setup\Shopfloor'       -DstDir (Join-Path $SFD 'Shopfloor')       -Recurse
 Fetch-Item -Label 'common'                 -SrcDir 'shopfloor-setup\common'          -DstDir (Join-Path $SFD 'common')          -Recurse