Retire wired-disable/re-enable dance now that PXE LAN is 172.16.9.0/24

GE Report IP filters Get-NetIPAddress on StartsWith("10."), and PXE LAN
addresses are now 172.16.9.x, which the filter skips naturally. The
disable-then-re-enable workaround was only needed when PXE LAN was
10.9.100.x and bays leaked that IP to the GE webhook. With the renumber
that whole flow is dead weight.

Removed:
 - playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1 (file)
 - Run-ShopfloorSetup: Disable-WiredNics call after PPKG returns
 - Run-ShopfloorSetup: "GE Re-enable Wired NICs" SYSTEM task registration
 - Monitor-IntuneProgress: reportIpLog-gated wired re-enable + idx=7 retry
 - Monitor-IntuneProgress: reportIpDone gate on Phase 1 done check

Side benefit: stages 2-6 dashboard pushes no longer go dark mid-flow
(used to die between idx=6 and idx=7 when wired was off). Phase 1 row
on the Monitor screen now flips COMPLETE on the natural AAD + Intune
+ EmTask + baseline-policies condition instead of waiting on the
Report IP log file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-05-14 16:45:54 -04:00
parent ce604adcda
commit a17b3fae6a
3 changed files with 12 additions and 183 deletions


@@ -1,45 +0,0 @@
# Disable-WiredNics.ps1
# Disables every Up wired (MediaType 802.3) NIC and records their names to
# C:\Enrollment\disabled-wired-nics.txt so Monitor-IntuneProgress can
# re-enable them once Report IP has run on WiFi-only.
#
# Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
# Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
# shopfloor bay is still cabled to the air-gapped PXE LAN (172.16.9.0/24),
# the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
# "not on corp net". A dynamic group / assignment-filter at GE then excludes
# the bay from receiving the SFLD ConfigurationProfile (Function + SasToken
# OMA-URI) -> Phase 2 "Device Configuration" never closes.
#
# Killing the wired NIC after stage 2 reports + before AAD-join makes the
# bay's first Report IP fire see corp-WiFi IP only. The bay is tagged
# clean, dynamic group eligibility flips, SFLD policy delivers normally.
# Monitor-IntuneProgress re-enables the NIC once Report IP's log file
# appears at C:\Logs\GE_Report_IP_Address*.txt.
$ErrorActionPreference = 'Continue'
$stateFile = 'C:\Enrollment\disabled-wired-nics.txt'
try {
$wired = Get-NetAdapter -ErrorAction Stop |
Where-Object {
$_.Status -eq 'Up' -and
$_.MediaType -eq '802.3' -and
$_.HardwareInterface -eq $true
}
if (-not $wired) {
Write-Host "Disable-WiredNics: no Up wired NICs found - nothing to disable."
return
}
$names = $wired | ForEach-Object { $_.Name }
$names | Out-File -FilePath $stateFile -Encoding ASCII -Force
Write-Host ("Disable-WiredNics: persisted {0} NIC name(s) -> {1}" -f $names.Count, $stateFile)
foreach ($n in $names) { Write-Host " - $n" }
$wired | Disable-NetAdapter -Confirm:$false -ErrorAction Continue
Write-Host "Disable-WiredNics: NICs disabled. Re-enable triggered by Monitor when GE_Report_IP_Address log appears."
} catch {
Write-Warning "Disable-WiredNics: failed: $_"
}
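Review bot: the header comment of the file being deleted was already inconsistent with itself, naming the PXE LAN as `air-gapped PXE LAN (172.16.9.0/24)` while still describing the leak as `the webhook sees 10.9.100.x`, which supports removing the whole file rather than patching its rationale. What the deletion does not cover is cleanup on bays imaged before this change: nothing in the hunks shown here removes a leftover `C:\Enrollment\disabled-wired-nics.txt` or the "GE Re-enable Wired NICs" SYSTEM task, and the Run-ShopfloorSetup hunk listed in the commit message is not among the diffs rendered on this page, so the call-site and task-registration removal cannot be verified from the visible lines.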


@@ -223,61 +223,12 @@ function Get-Phase1 {
} catch {}
}
# Report IP log presence drives two independent actions that USED to be
# bundled inside the DeviceId-push gate. Splitting them so re-enable
# fires even if DeviceId hasn't been captured yet (e.g. AAD join lag,
# dsregcmd parse miss):
#
# 1. Re-enable wired NICs as soon as the log lands + state file exists.
# 2. Push idx=7 once DeviceId is captured AND the log exists.
$reportIpLog = Get-ChildItem -Path 'C:\Logs\GE_Report_IP_Address*' -ErrorAction SilentlyContinue |
Select-Object -First 1
$nicListFile = 'C:\Enrollment\disabled-wired-nics.txt'
$justReEnabled = $false
if ($reportIpLog -and (Test-Path $nicListFile)) {
try {
$nicNames = Get-Content $nicListFile -ErrorAction Stop
foreach ($n in $nicNames) {
if ([string]::IsNullOrWhiteSpace($n)) { continue }
try { Enable-NetAdapter -Name $n -Confirm:$false -ErrorAction Stop }
catch { Write-Warning "Enable-NetAdapter '$n' failed: $_" }
}
# Wait for DHCP renewal + route table update + reachability to
# PXE server. 1 second wasn't enough in field testing - the
# subsequent idx=7 push fired into the void before the wired
# NIC was carrying traffic.
Start-Sleep -Seconds 5
Remove-Item $nicListFile -Force -ErrorAction SilentlyContinue
$justReEnabled = $true
} catch {
Write-Warning "Re-enable wired NICs failed: $_"
}
}
# Push DeviceId / idx=7 once, when both DeviceId is captured and the
# Report IP log has landed (dashboard QR renders from DeviceId).
# Retry up to 6x with backoff because the imminent LAPS-prompt reboot
# gives us only seconds and the wired NIC may still be settling.
if ($script:cache.DeviceId -and -not $script:cache.DeviceIdReported -and $reportIpLog) {
Ensure-SendPxeStatus
if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
$attempts = if ($justReEnabled) { 6 } else { 1 }
for ($i = 0; $i -lt $attempts; $i++) {
$err = $null
try {
Send-PxeStatus -Stage 'Monitor-IntuneProgress: Intune Device ID captured' `
-StageIndex 7 -StageTotal 8 `
-IntuneDeviceId $script:cache.DeviceId -ErrorAction Stop
$script:cache.DeviceIdReported = $true
break
} catch { $err = $_ }
if ($i -lt $attempts - 1) { Start-Sleep -Seconds 2 }
}
if (-not $script:cache.DeviceIdReported -and $err) {
Write-Warning "idx=7 push failed after $attempts attempts: $err"
}
}
}
# idx=7 push happens later in Get-Phase1 when Intune-registration
# essentials are all green (see WiFi-swap block). The legacy
# wired-NIC re-enable + reportIpLog-gated idx=7 retry was retired
# after the PXE LAN renumber to 172.16.9.0/24 - PXE LAN addresses
# no longer pass GE Report IP's StartsWith("10.") filter, so the
# wired-disable / re-enable dance is unnecessary.
# Lockdown-applied auto-completion. Fleet-wide reality: bays use a LOCAL
# ShopFloor account, so AzureAdPrt stays NO and user-scoped Intune policies
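Review bot: dropping the re-enable loop also drops the only code that read and removed `$nicListFile`, so a bay that ran the old Disable-WiredNics before picking up this Monitor build is left with its wired NIC disabled and no re-enable path; consider keeping a one-shot branch for this transition that, if `C:\Enrollment\disabled-wired-nics.txt` exists, runs `Enable-NetAdapter` for each listed name and deletes the file, and retire it once no in-flight bays remain. Separately, the replacement comment defers the idx=7 push to the WiFi-swap block, which is not in this diff: confirm that block still sets `$script:cache.DeviceIdReported` and keeps a retry, since the constraint in the removed comment (`# Retry up to 6x with backoff because the imminent LAPS-prompt reboot` / `# gives us only seconds`) comes from the reboot timing, not from the wired NIC settling.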
@@ -863,21 +814,13 @@ function Format-Snapshot {
# not just "arriving". Stops the category prompt firing pre-first-reboot
# when only ~4 subkeys are present (we tested this empirically; clicking
# "assign category" at 4 subkeys = imaging stalls + re-image required).
# Report IP log presence is part of Phase 1 completion. Without that log
# we know GE's Proactive-Remediation script hasn't fired on WiFi-only
# yet, which means the SFLD ConfigurationProfile assignment filter still
# sees a leaked 10.9.100.x IP and Phase 2 won't unblock. Don't call
# registration "done" until Report IP has cleared.
$reportIpDone = [bool](Get-ChildItem -Path 'C:\Logs\GE_Report_IP_Address*' -ErrorAction SilentlyContinue | Select-Object -First 1)
$p1Done = ($Snap.Phase1.AzureAdJoined -and $Snap.Phase1.IntuneEnrolled -and
$Snap.Phase1.EmTaskExists -and $Snap.Phase1.PoliciesBaselineReady -and
$reportIpDone)
$Snap.Phase1.EmTaskExists -and $Snap.Phase1.PoliciesBaselineReady)
$p1Status = Get-PhaseStatus @(
@{ Ok = $Snap.Phase1.AzureAdJoined; Failed = $false },
@{ Ok = $Snap.Phase1.IntuneEnrolled; Failed = $false },
@{ Ok = $Snap.Phase1.EmTaskExists; Failed = $false },
@{ Ok = $Snap.Phase1.PoliciesBaselineReady; Failed = $false },
@{ Ok = $reportIpDone; Failed = $false }
@{ Ok = $Snap.Phase1.PoliciesBaselineReady; Failed = $false }
)
# Phase 6 / Lockdown (shared by both flows, rendered last).
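Review bot: the removed comment block explaining why `$reportIpDone` gated Phase 1 is not replaced with a note on why the gate is gone, unlike the Get-Phase1 hunk, which leaves a retirement comment; add a one-line comment above `$p1Done` pointing at the PXE LAN renumber to 172.16.9.0/24 and the Get-Phase1 comment so the gate is not reintroduced by the next reader of this block. The `$p1Done` conjunction and the `Get-PhaseStatus` entry list are both reduced to the same four conditions (AzureAdJoined, IntuneEnrolled, EmTaskExists, PoliciesBaselineReady), so the done flag and the rendered status stay in sync, which is the property worth preserving here.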