ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Monitor: fix AESFMA-connected detection + stop retrying once connected

Browse Source 
Two bugs causing "AESFMA cert detected, connecting AESFMA..." to log
over and over even after AESFMA is already up:

1. Regex 'SSID\s*:\s*AESFMA.*?State\s*:\s*connected' required SSID
   line BEFORE State line. Actual netsh wlan show interfaces order
   on Win11 is "Name / State / SSID" - State comes FIRST. The non-
   greedy match never succeeded. Always thought AESFMA wasn't
   connected. Refactor to a Test-AESFMAConnected helper that splits
   output into per-adapter blocks and checks SSID + State independently,
   tolerating either order.

2. Added a fast-path at top of the WiFi-swap block: if AESFMA is
   already connected (no help needed from us), just delete
   INTERNETACCESS if still present and flip the cache flag to stop
   running this block. Previously the block only set the flag after a
   successful connect-then-verify-then-delete cycle; if AESFMA was
   already up at first check, the cycle "succeeded" each tick but
   the flag never flipped, producing the log spam.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-14 20:06:00 -04:00
parent 894305e906
commit 520d4aa791
1 changed files with 52 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
View File

@@ -330,11 +330,32 @@ function Get-Phase1 {
$script:cache.EmTaskExists -and $script:cache.EmTaskExists -and
$policiesBaselineReady) $policiesBaselineReady)
if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) { if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
# Step 1: deterministic check for the AESFMA machine cert. Walk # Helper: split netsh wlan show interfaces output into one block
# every cert in LocalMachine\My and verify its chain ends at the # per adapter (delimited by lines starting with "Name :"), then
# GE RADIUS TrustedRootCA (thumbprint from AESFMA.xml). # check whether any block contains SSID=AESFMA AND State=connected
# Thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F = GE # in either order.
# Aerospace FreeRADIUS root. Cert chained to it = AESFMA-usable. function Test-AESFMAConnected {
$out = netsh wlan show interfaces 2>$null | Out-String
if (-not $out) { return $false }
$blocks = ($out -split '(?ms)(?=^\s*Name\s*:\s*)')
foreach ($b in $blocks) {
if (($b -match 'SSID\s*:\s*AESFMA\b') -and ($b -match 'State\s*:\s*connected\b')) {
return $true
}
}
return $false
}
# Fast path: AESFMA already connected (cert + WLAN service handled
# it without our help, or a prior tick connected). Delete
# INTERNETACCESS if still present, flip cache flag, stop trying.
if (Test-AESFMAConnected) {
Write-Host "AESFMA already connected - cleaning up INTERNETACCESS..."
$null = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
$script:cache.InternetAccessDeleted = $true
} else {
# Slow path: walk LocalMachine\My for any cert chained to the
# GE Aerospace FreeRADIUS root (thumbprint from AESFMA.xml).
$aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F' $aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F'
$hasAesfmaCert = $false $hasAesfmaCert = $false
try { try {
@@ -351,21 +372,14 @@ function Get-Phase1 {
} }
} catch {} } catch {}
if (-not $hasAesfmaCert) { if ($hasAesfmaCert) {
# SCEP hasn't delivered the GE-rooted machine cert yet.
# INTERNETACCESS stays put. Retry next tick.
} else {
# Step 2: cert is here, AESFMA EAP-TLS should succeed. Try
# the connect with INTERNETACCESS still up as fallback.
try { try {
Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..." Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..."
$null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String $null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Start-Sleep -Seconds 8 Start-Sleep -Seconds 8
$wlanState = netsh wlan show interfaces 2>$null | Out-String if (Test-AESFMAConnected) {
if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..." Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String $null = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
Write-Host $delOut
$script:cache.InternetAccessDeleted = $true $script:cache.InternetAccessDeleted = $true
} else { } else {
Write-Host "AESFMA cert present but connect not yet operational - retry next tick." Write-Host "AESFMA cert present but connect not yet operational - retry next tick."
@@ -374,6 +388,8 @@ function Get-Phase1 {
Write-Warning "AESFMA connect/swap attempt failed: $_" Write-Warning "AESFMA connect/swap attempt failed: $_"
} }
} }
# else: cert not delivered yet. INTERNETACCESS stays. Retry next tick.
}
} }
# idx=7 push fires AS SOON AS DeviceId is captured. We want the QR # idx=7 push fires AS SOON AS DeviceId is captured. We want the QR
# to render on the PXE dashboard BEFORE the Intune-driven LAPS-prompt # to render on the PXE dashboard BEFORE the Intune-driven LAPS-prompt