Retire wired-disable/re-enable dance now that PXE LAN is 172.16.9.0/24
GE Report IP filters Get-NetIPAddress on StartsWith("10."), and PXE LAN
addresses are now 172.16.9.x, which the filter skips naturally. The
disable-then-re-enable workaround was only needed when PXE LAN was
10.9.100.x and bays leaked that IP to the GE webhook. With the renumber
that whole flow is dead weight.
Removed:
- playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1 (file)
- Run-ShopfloorSetup: Disable-WiredNics call after PPKG returns
- Run-ShopfloorSetup: "GE Re-enable Wired NICs" SYSTEM task registration
- Monitor-IntuneProgress: reportIpLog-gated wired re-enable + idx=7 retry
- Monitor-IntuneProgress: reportIpDone gate on Phase 1 done check
Side benefit: stages 2-6 dashboard pushes no longer go dark mid-flow
(used to die between idx=6 and idx=7 when wired was off). Phase 1 row
on the Monitor screen now flips COMPLETE on the natural AAD + Intune
+ EmTask + baseline-policies condition instead of waiting on the
Report IP log file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -299,63 +299,10 @@ if (Test-Path -LiteralPath $monitorScript) {
|
||||
# These run on every logon regardless of PC type, mounting the SFLD share
|
||||
# for version-pinned app enforcement. Initial install already handled by
|
||||
# preinstall flow; enforcers only kick in when detection fails.
|
||||
# --- Re-enable wired NICs once lockdown completes (Phase 6) ---
|
||||
# migrate-to-wifi.ps1 disables wired NICs so the PPKG runs over WiFi.
|
||||
# Keep them disabled through the entire Intune sync + DSC + lockdown
|
||||
# chain so nothing interrupts the WiFi-based enrollment. Only re-enable
|
||||
# after lockdown lands (Autologon_Remediation.log confirms ShopFloor
|
||||
# autologon set). Monitor-IntuneProgress runs as Limited and can't call
|
||||
# Enable-NetAdapter (needs admin). This SYSTEM task fires at logon,
|
||||
# polls for lockdown completion, re-enables wired NICs, and self-deletes.
|
||||
$reEnableTask = 'GE Re-enable Wired NICs'
|
||||
try {
|
||||
$script = @'
|
||||
# Poll for the GE Report-IP Proactive Remediation log file. Its appearance
|
||||
# means the Report IP script has fired with WiFi-only IPs (because we
|
||||
# disabled wired post-PPKG) - which is the exact moment we want to bring
|
||||
# wired back up so Monitor-IntuneProgress can push idx=7 with the
|
||||
# DeviceId / QR code before the Intune-triggered LAPS-prompt reboot lands.
|
||||
# Extension is .LOG (not .txt) observed in field; match any extension.
|
||||
$ip = Get-ChildItem 'C:\Logs\GE_Report_IP_Address*' -ErrorAction SilentlyContinue | Select-Object -First 1
|
||||
if (-not $ip) { exit 0 }
|
||||
|
||||
# Vendor-agnostic wired-NIC re-enable. NetAdapter "Name" varies wildly
|
||||
# ("Ethernet", "Ethernet 2", "Network", per-vendor names like "Realtek
|
||||
# Gaming GbE", "Intel(R) Ethernet Connection (10) I219-V") so filtering
|
||||
# by Name is unreliable. Filter by PhysicalMediaType instead, with a
|
||||
# keyword-negative guard for drivers that mis-report PhysicalMediaType.
|
||||
# Captures Realtek, Intel, Broadcom, Marvell, Aquantia, etc.
|
||||
Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
|
||||
Where-Object {
|
||||
$_.HardwareInterface -eq $true -and
|
||||
$_.PhysicalMediaType -ne 'Native 802.11' -and
|
||||
$_.PhysicalMediaType -ne 'Wireless WAN' -and
|
||||
$_.PhysicalMediaType -ne 'BlueTooth' -and
|
||||
$_.InterfaceDescription -notmatch '(?i)Wi-?Fi|Wireless|WLAN|802\.11|Bluetooth'
|
||||
} |
|
||||
Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
|
||||
Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -ErrorAction SilentlyContinue
|
||||
'@
|
||||
$scriptPath = 'C:\Program Files\GE\ReEnableNIC.ps1'
|
||||
if (-not (Test-Path 'C:\Program Files\GE')) {
|
||||
New-Item -Path 'C:\Program Files\GE' -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
Set-Content -Path $scriptPath -Value $script -Force
|
||||
|
||||
$reEnableAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
|
||||
-Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
|
||||
$reEnableTrigger = New-ScheduledTaskTrigger -AtLogOn
|
||||
$reEnableTrigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
|
||||
-RepetitionInterval (New-TimeSpan -Minutes 5)).Repetition
|
||||
$reEnablePrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
|
||||
$reEnableSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
|
||||
-ExecutionTimeLimit (New-TimeSpan -Minutes 2)
|
||||
Register-ScheduledTask -TaskName $reEnableTask -Action $reEnableAction -Trigger $reEnableTrigger `
|
||||
-Principal $reEnablePrincipal -Settings $reEnableSettings -Force -ErrorAction Stop | Out-Null
|
||||
Write-Host "Registered '$reEnableTask' task (waits for SFLD creds, then re-enables wired NICs)."
|
||||
} catch {
|
||||
Write-Warning "Failed to register NIC re-enable task: $_"
|
||||
}
|
||||
# Wired-disable / re-enable dance retired after PXE LAN renumber to
|
||||
# 172.16.9.0/24. GE Report IP filters Get-NetIPAddress on StartsWith("10.")
|
||||
# so PXE LAN addresses are no longer caught - wired NIC can stay up
|
||||
# through the whole imaging chain without leaking to the GE webhook.
|
||||
|
||||
$commonSetupDir = Join-Path $setupDir 'common'
|
||||
|
||||
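Review bot: The four replacement `#` lines explain the PXE LAN renumber but not that leak prevention now rests on two things outside this file - GE Report IP's StartsWith("10.") filter and the PXE LAN staying outside 10.0.0.0/8 - neither of which the new code checks, so a later renumber back into 10.x or a filter change silently reopens the exposure the removed SYSTEM task guarded against. I would extend the comment with `# Relies on Report IP's StartsWith("10.") filter and on PXE LAN staying outside 10.0.0.0/8 - re-check if either changes.` so the coupling is visible at the point where the guard used to be. Separately, bays provisioned before this change may still carry the 'GE Re-enable Wired NICs' SYSTEM task and 'C:\Program Files\GE\ReEnableNIC.ps1' that the removed block registered; that task only unregistered itself once a Report IP log appeared, so a one-time cleanup of both is probably worth a follow-up (inferred from the removed lines, not from anything visible on the new side). The enclosing `if (Test-Path -LiteralPath $monitorScript)` block starts outside the hunk.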
@@ -479,24 +426,8 @@ if (Test-Path -LiteralPath $enrollScript) {
|
||||
try { Stop-Transcript | Out-Null } catch {}
|
||||
& $enrollScript
|
||||
|
||||
# idx=6 push happens BEFORE wired disable so the dashboard captures
|
||||
# the handoff stage. Disable-WiredNics comes right after - kills wired
|
||||
# before PostPpkg settle's Schedule #3 hammer hits Intune endpoints,
|
||||
# before the PPKG-driven reboot, and before IME starts firing the
|
||||
# Report IP script. Goal: GE's Report IP webhook only ever sees the
|
||||
# corp-WiFi IP, never PXE LAN (10.9.100.x). Monitor-IntuneProgress
|
||||
# re-enables wired once C:\Logs\GE_Report_IP_Address*.txt shows up
|
||||
# (proof of clean Report IP fire) and then pushes idx=7.
|
||||
Write-Host ""
|
||||
Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6
|
||||
|
||||
$disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1'
|
||||
if (Test-Path -LiteralPath $disableWiredScript) {
|
||||
try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" }
|
||||
} else {
|
||||
Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)"
|
||||
}
|
||||
|
||||
Write-Host "=== Handing off to Monitor-IntuneProgress -PostPpkg ==="
|
||||
cmd /c "shutdown /a 2>nul" | Out-Null
|
||||
$monitor = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
|
||||
|
||||
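Review bot: With the Disable-WiredNics step and its rationale comment gone, the `Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6` call is left with no comment saying why the idx=6 push sits immediately before the handoff or that wired is now deliberately left up. A one-liner such as `# idx=6 marks the handoff to Monitor-IntuneProgress -PostPpkg; wired NICs stay up (PXE LAN is 172.16.9.0/24, outside Report IP's 10.* filter).` would keep that intent readable for the next maintainer. Which lines of this hunk are new versus context is not fully recoverable from the rendered page, so treat this as a suggestion on the surviving code rather than a defect in an added line. The enclosing `if (Test-Path -LiteralPath $enrollScript)` block starts before the hunk and appears to continue past it.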