Monitor: drop AESFMA-connected from Phase 1 done; webapp: LAPS endpoint

1. Phase 1 done gate was requiring 'AESFMA WLAN connected' in addition to the data-side signals (AAD + Intune + EmTask + baseline). If the bay never reached AESFMA (cert never landed, RADIUS unreachable), Phase 1 stayed IN PROGRESS forever even though Intune registration was actually complete. Reverting to the data-side-only definition. 2. New webapp endpoint POST /imaging/<serial>/laps stores a LAPS password in the session JSON so it survives the 5s dashboard auto-refresh. Empty body clears the field. Daily reset of the server (cron/restart) is the lifetime cap on stored passwords. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 19:53:05 -04:00
parent 1b7e1bfee4
commit 894305e906
2 changed files with 25 additions and 16 deletions
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -860,27 +860,13 @@ function Format-Snapshot {
    # not just "arriving". Stops the category prompt firing pre-first-reboot
    # when only ~4 subkeys are present (we tested this empirically; clicking
    # "assign category" at 4 subkeys = imaging stalls + re-image required).
-    # AESFMA connected = bay has a live corp WLAN association on the
-    # machine-auth profile. That's the natural ground-truth that Phase 1
-    # is operationally done (not just the data-side flags). Check the
-    # WLAN state via netsh wlan show interfaces - look for SSID=AESFMA
-    # with state=connected.
-    $aesfmaConnected = $false
-    try {
-        $wlanOut = netsh wlan show interfaces 2>$null
-        if ($wlanOut -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
-            $aesfmaConnected = $true
-        }
-    } catch {}
    $p1Done = ($Snap.Phase1.AzureAdJoined -and $Snap.Phase1.IntuneEnrolled -and
-               $Snap.Phase1.EmTaskExists -and $Snap.Phase1.PoliciesBaselineReady -and
-               $aesfmaConnected)
+               $Snap.Phase1.EmTaskExists -and $Snap.Phase1.PoliciesBaselineReady)
    $p1Status = Get-PhaseStatus @(
        @{ Ok = $Snap.Phase1.AzureAdJoined;          Failed = $false },
        @{ Ok = $Snap.Phase1.IntuneEnrolled;          Failed = $false },
        @{ Ok = $Snap.Phase1.EmTaskExists;            Failed = $false },
-        @{ Ok = $Snap.Phase1.PoliciesBaselineReady;   Failed = $false },
-        @{ Ok = $aesfmaConnected;                     Failed = $false }
+        @{ Ok = $Snap.Phase1.PoliciesBaselineReady;   Failed = $false }
    )

    # Phase 6 / Lockdown (shared by both flows, rendered last).