Monitor: fix AESFMA-connected detection + stop retrying once connected

Two bugs causing "AESFMA cert detected, connecting AESFMA..." to log
over and over even after AESFMA is already up:

1. Regex 'SSID\s*:\s*AESFMA.*?State\s*:\s*connected' required SSID
   line BEFORE State line. Actual netsh wlan show interfaces order
   on Win11 is "Name / State / SSID" - State comes FIRST. The non-
   greedy match never succeeded, so the check always concluded AESFMA
   wasn't connected. Refactor to a Test-AESFMAConnected helper that splits
   output into per-adapter blocks and checks SSID + State independently,
   tolerating either order.

2. Added a fast-path at top of the WiFi-swap block: if AESFMA is
   already connected (no help needed from us), just delete
   INTERNETACCESS if still present and flip the cache flag to stop
   running this block. Previously the block only set the flag after a
   successful connect-then-verify-then-delete cycle; if AESFMA was
   already up at first check, the cycle "succeeded" each tick but
   the flag never flipped, producing the log spam.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-05-14 20:06:00 -04:00
parent 894305e906
commit 520d4aa791


@@ -330,49 +330,65 @@ function Get-Phase1 {
$script:cache.EmTaskExists -and $script:cache.EmTaskExists -and
$policiesBaselineReady) $policiesBaselineReady)
if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) { if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
# Step 1: deterministic check for the AESFMA machine cert. Walk # Helper: split netsh wlan show interfaces output into one block
# every cert in LocalMachine\My and verify its chain ends at the # per adapter (delimited by lines starting with "Name :"), then
# GE RADIUS TrustedRootCA (thumbprint from AESFMA.xml). # check whether any block contains SSID=AESFMA AND State=connected
# Thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F = GE # in either order.
# Aerospace FreeRADIUS root. Cert chained to it = AESFMA-usable. function Test-AESFMAConnected {
$aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F' $out = netsh wlan show interfaces 2>$null | Out-String
$hasAesfmaCert = $false if (-not $out) { return $false }
try { $blocks = ($out -split '(?ms)(?=^\s*Name\s*:\s*)')
foreach ($cert in (Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue)) { foreach ($b in $blocks) {
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain if (($b -match 'SSID\s*:\s*AESFMA\b') -and ($b -match 'State\s*:\s*connected\b')) {
$chain.ChainPolicy.RevocationMode = 'NoCheck' return $true
$null = $chain.Build($cert)
foreach ($el in $chain.ChainElements) {
if ($el.Certificate.Thumbprint -eq $aesfmaRootThumb) {
$hasAesfmaCert = $true; break
}
} }
if ($hasAesfmaCert) { break }
} }
} catch {} return $false
}
if (-not $hasAesfmaCert) { # Fast path: AESFMA already connected (cert + WLAN service handled
# SCEP hasn't delivered the GE-rooted machine cert yet. # it without our help, or a prior tick connected). Delete
# INTERNETACCESS stays put. Retry next tick. # INTERNETACCESS if still present, flip cache flag, stop trying.
if (Test-AESFMAConnected) {
Write-Host "AESFMA already connected - cleaning up INTERNETACCESS..."
$null = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
$script:cache.InternetAccessDeleted = $true
} else { } else {
# Step 2: cert is here, AESFMA EAP-TLS should succeed. Try # Slow path: walk LocalMachine\My for any cert chained to the
# the connect with INTERNETACCESS still up as fallback. # GE Aerospace FreeRADIUS root (thumbprint from AESFMA.xml).
$aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F'
$hasAesfmaCert = $false
try { try {
Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..." foreach ($cert in (Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue)) {
$null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
Start-Sleep -Seconds 8 $chain.ChainPolicy.RevocationMode = 'NoCheck'
$wlanState = netsh wlan show interfaces 2>$null | Out-String $null = $chain.Build($cert)
if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') { foreach ($el in $chain.ChainElements) {
Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..." if ($el.Certificate.Thumbprint -eq $aesfmaRootThumb) {
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String $hasAesfmaCert = $true; break
Write-Host $delOut }
$script:cache.InternetAccessDeleted = $true }
} else { if ($hasAesfmaCert) { break }
Write-Host "AESFMA cert present but connect not yet operational - retry next tick." }
} catch {}
if ($hasAesfmaCert) {
try {
Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..."
$null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Start-Sleep -Seconds 8
if (Test-AESFMAConnected) {
Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
$null = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
$script:cache.InternetAccessDeleted = $true
} else {
Write-Host "AESFMA cert present but connect not yet operational - retry next tick."
}
} catch {
Write-Warning "AESFMA connect/swap attempt failed: $_"
} }
} catch {
Write-Warning "AESFMA connect/swap attempt failed: $_"
} }
# else: cert not delivered yet. INTERNETACCESS stays. Retry next tick.
} }
} }
# idx=7 push fires AS SOON AS DeviceId is captured. We want the QR # idx=7 push fires AS SOON AS DeviceId is captured. We want the QR
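Review bot: The SSID test in Test-AESFMAConnected, `$b -match 'SSID\s*:\s*AESFMA\b'`, is a prefix match rather than a whole-value match, so an adapter connected to an SSID such as "AESFMA-Guest" or "AESFMA Setup" would satisfy it and the new fast path would delete the INTERNETACCESS fallback profile and set InternetAccessDeleted permanently; anchor both checks to the line end, `($b -match '(?m)^\s*SSID\s*:\s*AESFMA\s*$') -and ($b -match '(?m)^\s*State\s*:\s*connected\s*$')`. The fast path also discards the delete output (`$null = netsh wlan delete profile ...`) and flips the cache flag unconditionally, so a failed delete is neither logged nor retried; keep the `Write-Host` of the output that the old slow path had, or re-check `netsh wlan show profiles` before setting the flag. Since netsh prints localized field names and states, the literal "State"/"connected" match presumably only holds on English Windows builds, which is worth a one-line comment on the helper if that is the supported baseline. Get-Phase1 begins before this hunk and continues past it.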