From 7c26e10f7ecccd56d0f1683d8d7d6000b3c64d32 Mon Sep 17 00:00:00 2001 From: cproudlock Date: Fri, 10 Apr 2026 09:31:11 -0400 Subject: [PATCH] sync_intune: gate reboot prompt on Phase 1+2+3 pre-reboot completion Don't prompt the user to reboot until the enrollment pipeline has finished its pre-reboot work. Previously Test-RebootState fired as soon as DSCDeployment.log showed "completed", even if Phase 1 (Identity) or Phase 2 (SFLD config) checks were still in progress. Now the reboot prompt requires ALL of these to be green in the snapshot: Phase 1: AzureAdJoined, IntuneEnrolled, EmTaskExists, PoliciesArriving Phase 2: SfldRoot, FunctionOk, SasTokenOk Phase 3: DeployLogExists, DeployComplete This prevents the edge case where DSCDeployment.log completes but the user reboots before Intune policies have fully landed, which could leave the post-reboot DSC install phase without the SAS token or function assignment it needs. Co-Authored-By: Claude Opus 4.6 (1M context)
---
.../Shopfloor/lib/Monitor-IntuneProgress.ps1 | 21 +++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
index 9e8de0c..17eccf5 100644
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -615,10 +615,27 @@ try { Invoke-SetupComplete } - # Reboot check (boot-loop-safe) + # Reboot check (boot-loop-safe). Only prompt once Phase 1 (Identity), + # Phase 2 (SFLD config), and Phase 3's first two items (deploy log + # present + pre-reboot deployment complete) are all green. Don't rush + # the user into rebooting before the enrollment pipeline has finished + # its pre-reboot work. $rebootState = Test-RebootState if ($rebootState -eq 'needed') { - Invoke-RebootPrompt + $preRebootReady = ( + $snap.Phase1.AzureAdJoined -and + $snap.Phase1.IntuneEnrolled -and + $snap.Phase1.EmTaskExists -and + $snap.Phase1.PoliciesArriving -and + $snap.Phase2.SfldRoot -and + $snap.Phase2.FunctionOk -and + $snap.Phase2.SasTokenOk -and + $snap.Phase3.DeployLogExists -and + $snap.Phase3.DeployComplete + ) + if ($preRebootReady) { + Invoke-RebootPrompt + } } # Re-trigger sync periodically
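Review bot: When `Test-RebootState` returns 'needed' but `$preRebootReady` is false, the new branch does nothing and logs nothing, so a device whose snapshot never goes fully green waits with no prompt and no record of which check is blocking it. The same silent outcome occurs if `$snap` is null or lacks one of these properties, because outside strict mode PowerShell evaluates a missing member as false; `$snap` is populated outside this hunk, so its freshness and shape cannot be confirmed here. I would name the nine checks in an ordered table, prompt only when none are pending, and otherwise emit the pending names so a stuck enrollment can be diagnosed. The `-and` chain also relies on truthiness, so if any snapshot field is a non-empty string rather than a boolean it counts as green; the collector is worth confirming. The enclosing `try` block and the polling loop start and end outside the hunk, so log throttling is left to the author.

```powershell
# … unchanged: comment block and Test-RebootState call …
if ($rebootState -eq 'needed') {
    # Name each gate so a blocked prompt can report what it is waiting on.
    $preRebootChecks = [ordered]@{
        'Phase1.AzureAdJoined'    = $snap.Phase1.AzureAdJoined
        'Phase1.IntuneEnrolled'   = $snap.Phase1.IntuneEnrolled
        'Phase1.EmTaskExists'     = $snap.Phase1.EmTaskExists
        'Phase1.PoliciesArriving' = $snap.Phase1.PoliciesArriving
        'Phase2.SfldRoot'         = $snap.Phase2.SfldRoot
        'Phase2.FunctionOk'       = $snap.Phase2.FunctionOk
        'Phase2.SasTokenOk'       = $snap.Phase2.SasTokenOk
        'Phase3.DeployLogExists'  = $snap.Phase3.DeployLogExists
        'Phase3.DeployComplete'   = $snap.Phase3.DeployComplete
    }
    # Same truthiness test as the -and chain; a null $snap leaves every check pending.
    $pending = @($preRebootChecks.Keys | Where-Object { -not $preRebootChecks[$_] })
    if ($pending.Count -eq 0) {
        Invoke-RebootPrompt
    } else {
        Write-Warning ("Reboot needed but pre-reboot checks still pending: " + ($pending -join ', '))
    }
}
```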