From ae037d0f49b654f4882f738492fd4f12317953b9 Mon Sep 17 00:00:00 2001
From: cproudlock
Date: Wed, 13 May 2026 12:29:26 -0400
Subject: [PATCH] Revert "migrate-to-wifi: restore wired-disable behavior"

This reverts commit 2b730969dd853d87c4a38b9dc24a2526866d2deb.
---
playbook/migrate-to-wifi.ps1 | 67 +++++++++++++++---------------------
1 file changed, 27 insertions(+), 40 deletions(-)

diff --git a/playbook/migrate-to-wifi.ps1 b/playbook/migrate-to-wifi.ps1
index be803f0..babf163 100644
--- a/playbook/migrate-to-wifi.ps1
+++ b/playbook/migrate-to-wifi.ps1
@@ -1,43 +1,30 @@
-# migrate-to-wifi.ps1 - Invoked by FlatUnattendW10-shopfloor.xml as Order 5
-# during first logon, right after wait-for-internet.ps1 and right before
-# GCCH enrollment. Moves the machine off wired onto WiFi for the rest of
-# the imaging chain so the PXE ethernet cable can be safely disconnected.
+# migrate-to-wifi.ps1 - No-op as of 2026-04-24.
 #
-# Gated: if there is no physical Wi-Fi adapter on the machine (tower /
-# desktop case), the whole migration is a no-op. Previously this step
-# disabled all wired adapters unconditionally and then waited for WiFi
-# internet that could never arrive on towers, hanging first logon forever.
+# Previously this disabled all wired NICs at first logon to keep PPKG /
+# Intune enrollment routing internet traffic via WiFi. The wired NIC was
+# preferred by Windows because the PXE dnsmasq was handing out a default
+# gateway (dhcp-option=3,10.9.100.1) which Windows installed as a default
+# route, and the lower interface metric of wired beat WiFi. Internet-bound
+# traffic then black-holed at 10.9.100.1 (the PXE server, which doesn't
+# forward).
+#
+# That root cause was fixed by removing the dhcp-option=3 and =6 lines
+# from /etc/dnsmasq.conf on the PXE server. Without an advertised gateway
+# on the PXE side, Windows can't add a default route via wired, so all
+# internet traffic uses WiFi by default and the wired NIC stays harmless
+# for same-subnet PXE/SMB traffic to 10.9.100.1.
+#
+# Side effect of the original behavior was an eDNC race: eDNC autostart
+# would fire while the wired NIC was still disabled and hit WSAEINVAL
+# (Winsock 10022) trying to bind to a non-existent local IP, looping its
+# retry timer until a SYSTEM task re-enabled the NIC after SFLD creds
+# landed (often ~30+ min later). Keeping the NIC up the whole time
+# eliminates that race.
+#
+# Kept as a no-op file (instead of removed) so the unattend XML's Order 5
+# RunSynchronousCommand entry does not need to be re-numbered. If the
+# dhcp-option lines ever come back, this can be reverted to the disable
+# logic by restoring from git.
-$wifi = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
- Where-Object { $_.InterfaceDescription -match 'Wi-?Fi|Wireless|WLAN|802\.11' }
-
-if (-not $wifi) {
- Write-Host 'No WiFi adapter - staying on ethernet.' -ForegroundColor Cyan
- exit 0
-}
-
-Get-NetAdapter -Physical |
- Where-Object { $_.InterfaceDescription -notmatch 'Wi-?Fi|Wireless|WLAN|802\.11' } |
- Disable-NetAdapter -Confirm:$false
-
-$deadline = (Get-Date).AddMinutes(5)
-$ok = $false
-while ((Get-Date) -lt $deadline) {
- try {
- if (Test-NetConnection -ComputerName login.microsoftonline.us -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue) {
- $ok = $true
- break
- }
- } catch {}
- Start-Sleep -Seconds 5
-}
-
-if ($ok) {
- Write-Host 'Internet confirmed over WiFi.' -ForegroundColor Green
-} else {
- Write-Host 'WiFi internet timeout - re-enabling ethernet.' -ForegroundColor Yellow
- Get-NetAdapter -Physical |
- Where-Object { $_.InterfaceDescription -notmatch 'Wi-?Fi|Wireless|WLAN|802\.11' } |
- Enable-NetAdapter -Confirm:$false
-}
+Write-Host 'migrate-to-wifi.ps1: no-op (wired NIC kept enabled).'
 exit 0
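Review bot: The no-op on the new side is only safe while the PXE dnsmasq keeps `dhcp-option=3` and `=6` removed, and nothing in the script checks that. If a gateway is ever advertised on the wired side again, enrollment traffic would black-hole as the header comment describes, with only the `no-op` line in the first-logon output. Before the final `Write-Host`, the script could look for a `0.0.0.0/0` route on a non-WiFi physical adapter and emit a `Write-Warning`, still exiting 0 so the unattend chain is not blocked. The header's "No-op as of 2026-04-24" also predates this revert's 13 May date, so a comment line noting that the no-op was reinstated by this revert would keep the history readable. The sketch below reuses the adapter-description pattern from the removed code and is untested against the imaging environment.

```powershell
# ... unchanged: header comment ...
# Detect the condition the old disable logic worked around:
# a default route installed on a wired NIC.
$wiredIdx = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceDescription -notmatch 'Wi-?Fi|Wireless|WLAN|802\.11' } |
    Select-Object -ExpandProperty ifIndex
$wiredDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Where-Object { $wiredIdx -contains $_.InterfaceIndex }
if ($wiredDefault) {
    Write-Warning 'migrate-to-wifi.ps1: default route present on a wired NIC; check the PXE DHCP options.'
}
Write-Host 'migrate-to-wifi.ps1: no-op (wired NIC kept enabled).'
exit 0
```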