sync_intune: gate reboot prompt on Phase 1+2+3 pre-reboot completion
Don't prompt the user to reboot until the enrollment pipeline has finished its pre-reboot work. Previously Test-RebootState fired as soon as DSCDeployment.log showed "completed", even if Phase 1 (Identity) or Phase 2 (SFLD config) checks were still in progress. Now the reboot prompt requires ALL of these to be green in the snapshot: Phase 1: AzureAdJoined, IntuneEnrolled, EmTaskExists, PoliciesArriving Phase 2: SfldRoot, FunctionOk, SasTokenOk Phase 3: DeployLogExists, DeployComplete This prevents the edge case where DSCDeployment.log completes but the user reboots before Intune policies have fully landed, which could leave the post-reboot DSC install phase without the SAS token or function assignment it needs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
@@ -615,10 +615,27 @@ try {
|
||||
Invoke-SetupComplete
|
||||
}
|
||||
|
||||
# Reboot check (boot-loop-safe)
|
||||
# Reboot check (boot-loop-safe). Only prompt once Phase 1 (Identity),
|
||||
# Phase 2 (SFLD config), and Phase 3's first two items (deploy log
|
||||
# present + pre-reboot deployment complete) are all green. Don't rush
|
||||
# the user into rebooting before the enrollment pipeline has finished
|
||||
# its pre-reboot work.
|
||||
$rebootState = Test-RebootState
|
||||
if ($rebootState -eq 'needed') {
|
||||
Invoke-RebootPrompt
|
||||
$preRebootReady = (
|
||||
$snap.Phase1.AzureAdJoined -and
|
||||
$snap.Phase1.IntuneEnrolled -and
|
||||
$snap.Phase1.EmTaskExists -and
|
||||
$snap.Phase1.PoliciesArriving -and
|
||||
$snap.Phase2.SfldRoot -and
|
||||
$snap.Phase2.FunctionOk -and
|
||||
$snap.Phase2.SasTokenOk -and
|
||||
$snap.Phase3.DeployLogExists -and
|
||||
$snap.Phase3.DeployComplete
|
||||
)
|
||||
if ($preRebootReady) {
|
||||
Invoke-RebootPrompt
|
||||
}
|
||||
}
|
||||
|
||||
# Re-trigger sync periodically
|
||||
|
||||
Reference in New Issue
Block a user