Monitor: deterministic AESFMA cert check via X509Chain root match

Walk Cert:\LocalMachine\My, build each cert's chain, look for chain element with thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F. That's the AESFMA.xml TrustedRootCA value = the GE Aerospace FreeRADIUS root that AESFMA EAP-TLS validates against. A client cert chained to that root is the SCEP-provisioned AESFMA machine cert. Combined with the verify-before-delete connect attempt, this gives two gates: 1. Cert deterministically exists + chains correctly 2. netsh wlan connect to AESFMA actually reports State=connected Only after both pass does INTERNETACCESS get deleted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 17:48:00 -04:00
parent f013aa2bff
commit 9beee842f1
1 changed files with 41 additions and 13 deletions
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -325,8 +325,35 @@ function Get-Phase1 {
                        $script:cache.EmTaskExists -and
                        $policiesBaselineReady)
    if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
+        # Step 1: deterministic check for the AESFMA machine cert. Walk
+        # every cert in LocalMachine\My and verify its chain ends at the
+        # GE RADIUS TrustedRootCA (thumbprint from AESFMA.xml).
+        # Thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F = GE
+        # Aerospace FreeRADIUS root. Cert chained to it = AESFMA-usable.
+        $aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F'
+        $hasAesfmaCert = $false
        try {
-            Write-Host "Phase 1 essentials complete - attempting AESFMA join (verify-before-delete)..."
+            foreach ($cert in (Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue)) {
+                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
+                $chain.ChainPolicy.RevocationMode = 'NoCheck'
+                $null = $chain.Build($cert)
+                foreach ($el in $chain.ChainElements) {
+                    if ($el.Certificate.Thumbprint -eq $aesfmaRootThumb) {
+                        $hasAesfmaCert = $true; break
+                    }
+                }
+                if ($hasAesfmaCert) { break }
+            }
+        } catch {}
+
+        if (-not $hasAesfmaCert) {
+            # SCEP hasn't delivered the GE-rooted machine cert yet.
+            # INTERNETACCESS stays put. Retry next tick.
+        } else {
+            # Step 2: cert is here, AESFMA EAP-TLS should succeed. Try
+            # the connect with INTERNETACCESS still up as fallback.
+            try {
+                Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..."
                $null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
                Start-Sleep -Seconds 8
                $wlanState = netsh wlan show interfaces 2>$null | Out-String
@@ -336,10 +363,11 @@ function Get-Phase1 {
                    Write-Host $delOut
                    $script:cache.InternetAccessDeleted = $true
                } else {
-                Write-Host "AESFMA connect not yet operational - keeping INTERNETACCESS, will retry next tick."
+                    Write-Host "AESFMA cert present but connect not yet operational - retry next tick."
                }
            } catch {
-            Write-Warning "AESFMA verify-before-delete attempt failed: $_"
+                Write-Warning "AESFMA connect/swap attempt failed: $_"
+            }
        }
    }
    # idx=7 push fires AS SOON AS DeviceId is captured. We want the QR