From 4dd300e7ab79455c858e7d6f02f435d778be3232 Mon Sep 17 00:00:00 2001 From: cproudlock Date: Thu, 14 May 2026 16:13:11 -0400 Subject: [PATCH] Stage GE MachineAuth profiles at imaging time (AESFMA auto-join) Hypothesis test for WJ Phase 2 stuck issue. GE Report IP script filters Get-NetIPAddress on StartsWith("10.") - WJ bays don't see ANY 10.x because: - PXE LAN is 10.9.100.x (we'd disable wired anyway to avoid leak) - Internet WiFi at site is 172.16.x (filter rejects) - AESFMA corp WiFi (10.x) requires machine cert that Intune SCEP provisions a few minutes AFTER PPKG enrollment Result: Report IP webhook gets nothing -> GE backend never sees the bay -> bay never enters the dynamic group that SFLD policy is assigned to. Other GE sites work because their corp WiFi/wired is on a real 10.x corp network and the script always finds a 10.x to report. Drop the MA package (8021x.xml + AESFMA.xml + multi-NIC bat) onto each bay early in Run-ShopfloorSetup, run MA4NetworkConfigv2.bat to import both profiles to every physical wired + wireless adapter. AESFMA.xml patched to connectionMode=auto (default V02 was manual) so WLAN service auto-joins as soon as the SCEP cert lands. Bay gets a real 10.x corp address. Report IP webhook fires cleanly. Profile XMLs (8021x.xml, AESFMA.xml, BLUESSO.xml, WiFi-Profile.xml, *.wlanprofile, *.lanprofile) added to .gitignore - they contain GE-internal SSID + trusted-root thumbprint and are staged on the PXE enrollment share at /srv/samba/enrollment/MachineAuth/ instead of git. Co-Authored-By: Claude Opus 4.7 (1M context) --- .gitignore | 10 ++++++ .../shopfloor-setup/Run-ShopfloorSetup.ps1 | 32 +++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/.gitignore b/.gitignore index 36d8abc..eb188d4 100644 --- a/.gitignore +++ b/.gitignore 
@@ -82,6 +82,16 @@ secrets.yml *_secrets credentials.json +# GE-internal WiFi / 802.1X profiles - contain SSID + trusted-root thumbprint. +# Staged on PXE share at /srv/samba/enrollment/MachineAuth/ and copied to +# bays during imaging. Never check these into git. +AESFMA.xml +8021x.xml +BLUESSO.xml +WiFi-Profile.xml +*.wlanprofile +*.lanprofile + # Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 index 461b85b..4b8a604 100644 --- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 +++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 
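Review bot: These patterns only stop future `git add`; they do not untrack or purge anything already in the repository, so if `AESFMA.xml`, `8021x.xml`, `BLUESSO.xml` or `WiFi-Profile.xml` was ever committed it is still in the tree and in history. Worth running `git ls-files -- '*.xml' '*.wlanprofile' '*.lanprofile'` and `git log --all --diff-filter=A -- 'AESFMA.xml' '8021x.xml'` before merging, and if anything turns up, `git rm --cached` plus a history rewrite and rotation of whatever the file carried. The header comment gives the rationale as "SSID + trusted-root thumbprint", neither of which is secret on its own; the PowerShell comment in this same commit says the profile holds an Intune-managed PSK, so the comment here should state the actual sensitive content (e.g. `# ... contain the AESFMA PSK/EAP config and SSID; treat as credentials`) so nobody later relaxes the rule on the thumbprint argument.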
@@ -41,6 +41,38 @@ function Report-Stage { } Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2 +# ---- Pre-stage GE Machine Auth (802.1X / AESFMA WiFi) profiles ---- +# Drops the V02 MA package (8021x.xml + AESFMA.xml + bat) to a known +# location and imports profiles to every physical wired/wireless NIC. +# Profile XML is GE-internal (Intune-managed PSK + RADIUS root CA +# thumbprint) so it lives on the PXE enrollment share, NOT git. +# +# Effect: bay has the AESFMA WiFi profile ready (connectionMode=auto). +# Once Intune SCEP cert provisioning lands (a few minutes after PPKG +# enrollment), the WLAN service auto-joins AESFMA and the bay gets a +# real GE corp 10.x address. GE Report-IP script then sees that 10.x, +# POSTs cleanly to the webhook, dynamic group eligibility flips, SFLD +# ConfigurationProfile delivers, Phase 2 completes naturally. +$maShare = '\\10.9.100.1\enrollment\MachineAuth' +$maLocal = 'C:\Windows\Options\Packages\GEAerospace_MA_4x1_V02' +if (Test-Path -LiteralPath $maShare) { + try { + if (-not (Test-Path $maLocal)) { New-Item -ItemType Directory -Path $maLocal -Force | Out-Null } + Copy-Item -Path (Join-Path $maShare '*') -Destination $maLocal -Recurse -Force -ErrorAction Stop + $maBat = Join-Path $maLocal 'MA4NetworkConfigv2.bat' + if (Test-Path -LiteralPath $maBat) { + Write-Host "Running MA4NetworkConfigv2.bat (imports 8021x + AESFMA profiles)..." + Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$maBat`"" -Wait -NoNewWindow -ErrorAction SilentlyContinue + } else { + Write-Warning "MA bat not at $maBat - profiles NOT imported." + } + } catch { + Write-Warning "MachineAuth stage failed: $_" + } +} else { + Write-Warning "MachineAuth share not reachable at $maShare - skipping profile import." +} + # AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but # Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which # nukes the lockdown-configured ShopFloor autologon later in the chain.
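Review bot: `Copy-Item` from `\\10.9.100.1\enrollment\MachineAuth` followed by `Start-Process cmd.exe /c "$maBat"` runs whatever is currently on the PXE share, presumably in the elevated context the setup script already has, with no integrity check — anyone who can write to `/srv/samba/enrollment/MachineAuth/` or answer as 10.9.100.1 on the PXE LAN gets code execution on every bay imaged from then on. Pin a SHA-256 per package file and refuse to run on mismatch, and replace `-ErrorAction SilentlyContinue` with `-PassThru` so a non-zero exit from the bat is logged rather than silently treated as "profiles imported" (the whole Phase 2 hypothesis depends on that import succeeding). The in-hunk comment says the XML holds an "Intune-managed PSK" while the commit message says only SSID + root thumbprint; if key material really is in there, the staged copy left under `C:\Windows\Options\Packages\GEAerospace_MA_4x1_V02` should be removed once the profiles are imported, since netsh keeps its own protected copy. Run-ShopfloorSetup.ps1 continues outside the hunk on both sides.

```powershell
# … unchanged: $maShare / $maLocal, share reachability check, New-Item, Copy-Item …
        $maBat = Join-Path $maLocal 'MA4NetworkConfigv2.bat'
        # Pinned digests of the package as reviewed and published to the PXE share.
        # A file that has drifted from these is not executed or imported.
        $maExpected = @{
            'MA4NetworkConfigv2.bat' = '<sha256 of reviewed bat>'
            '8021x.xml'              = '<sha256 of reviewed profile>'
            'AESFMA.xml'             = '<sha256 of reviewed profile>'
        }
        foreach ($name in $maExpected.Keys) {
            $path = Join-Path $maLocal $name
            if (-not (Test-Path -LiteralPath $path)) { throw "MA package incomplete: $name missing" }
            $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($actual -ne $maExpected[$name]) { throw "MA package integrity check failed for $name ($actual)" }
        }
        Write-Host "Running MA4NetworkConfigv2.bat (imports 8021x + AESFMA profiles)..."
        $maProc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$maBat`"" -Wait -NoNewWindow -PassThru
        if ($maProc.ExitCode -ne 0) {
            Write-Warning "MA4NetworkConfigv2.bat exited $($maProc.ExitCode) - profiles may NOT be imported."
        }
# … unchanged: catch / else branches (throws above land in the existing catch) …
```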