ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Monitor: deterministic AESFMA cert check via X509Chain root match

Browse Source 
Walk Cert:\LocalMachine\My, build each cert's chain, look for chain
element with thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F.
That's the AESFMA.xml TrustedRootCA value = the GE Aerospace
FreeRADIUS root that AESFMA EAP-TLS validates against. A client cert
chained to that root is the SCEP-provisioned AESFMA machine cert.

Combined with the verify-before-delete connect attempt, this gives
two gates:
 1. Cert deterministically exists + chains correctly
 2. netsh wlan connect to AESFMA actually reports State=connected

Only after both pass does INTERNETACCESS get deleted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-14 17:48:00 -04:00
parent f013aa2bff
commit 9beee842f1
1 changed files with 41 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
View File

@@ -325,21 +325,49 @@ function Get-Phase1 {
$script:cache.EmTaskExists -and
$policiesBaselineReady)
if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
# Step 1: deterministic check for the AESFMA machine cert. Walk
# every cert in LocalMachine\My and verify its chain ends at the
# GE RADIUS TrustedRootCA (thumbprint from AESFMA.xml).
# Thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F = GE
# Aerospace FreeRADIUS root. Cert chained to it = AESFMA-usable.
$aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F'
$hasAesfmaCert = $false
try {
Write-Host "Phase 1 essentials complete - attempting AESFMA join (verify-before-delete)..."
$null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Start-Sleep -Seconds 8
$wlanState = netsh wlan show interfaces 2>$null | Out-String
if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
Write-Host $delOut
$script:cache.InternetAccessDeleted = $true
} else {
Write-Host "AESFMA connect not yet operational - keeping INTERNETACCESS, will retry next tick."
foreach ($cert in (Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue)) {
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($cert)
foreach ($el in $chain.ChainElements) {
if ($el.Certificate.Thumbprint -eq $aesfmaRootThumb) {
$hasAesfmaCert = $true; break
}
}
if ($hasAesfmaCert) { break }
}
} catch {}
if (-not $hasAesfmaCert) {
# SCEP hasn't delivered the GE-rooted machine cert yet.
# INTERNETACCESS stays put. Retry next tick.
} else {
# Step 2: cert is here, AESFMA EAP-TLS should succeed. Try
# the connect with INTERNETACCESS still up as fallback.
try {
Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..."
$null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Start-Sleep -Seconds 8
$wlanState = netsh wlan show interfaces 2>$null | Out-String
if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
Write-Host $delOut
$script:cache.InternetAccessDeleted = $true
} else {
Write-Host "AESFMA cert present but connect not yet operational - retry next tick."
}
} catch {
Write-Warning "AESFMA connect/swap attempt failed: $_"
}
} catch {
Write-Warning "AESFMA verify-before-delete attempt failed: $_"
}
}
# idx=7 push fires AS SOON AS DeviceId is captured. We want the QR