Register sync task BEFORE enrollment (PPKG reboot kills run-enrollment)

Install-ProvisioningPackage triggers an immediate reboot that kills
run-enrollment.ps1 before it can register the sync_intune task or do
any post-install work. BPRT app installs happen on the NEXT boot, not
before the reboot.

Fix: move sync task registration into Run-ShopfloorSetup.ps1, executed
BEFORE calling run-enrollment.ps1. The task is safely registered while
we still have control. Then enrollment installs the PPKG and lets it
reboot. After reboot, BPRT finishes in background, sync task fires at
logon, monitors Intune enrollment (which is independent of BPRT).

Run-ShopfloorSetup.ps1:
  - Registers "Shopfloor Intune Sync" @logon task after desktop tool
    copies but BEFORE enrollment
  - Flushes transcript before calling enrollment (since PPKG reboot
    will kill us, ensures log is complete)
  - Enrollment is the absolute last call

run-enrollment.ps1:
  - Stripped to essentials: find PPKG, rename computer, set OOBE,
    Install-ProvisioningPackage
  - No BPRT polling (irrelevant - happens after reboot)
  - No task registration (already done by caller)
  - No shutdown call (PPKG handles it)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Run-ShopfloorSetup.ps1

@@ -180,23 +180,53 @@ if ($pcType -eq "Standard") {
     }
 }
 
-# --- Run enrollment (PPKG install) ---
-# Enrollment runs AFTER all our apps are installed. The PPKG installs
-# Chrome, Office, CyberArk, Tanium, etc. and needs a reboot for file
-# operations (Zscaler rename, PPKG cleanup). run-enrollment.ps1 waits
-# for all PPKG steps to complete, registers sync_intune as a persistent
-# @logon scheduled task, then reboots.
-$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1'
-if (Test-Path -LiteralPath $enrollScript) {
-    Write-Host ""
-    Write-Host "=== Running enrollment (PPKG install) ==="
+# --- Register sync_intune as persistent @logon scheduled task ---
+# Must be registered BEFORE enrollment because Install-ProvisioningPackage
+# triggers an immediate reboot that kills run-enrollment.ps1. The task
+# registration must survive the PPKG reboot, so we do it here while
+# Run-ShopfloorSetup.ps1 is still running.
+#
+# The task fires at every logon until sync_intune detects completion and
+# unregisters itself. It monitors Intune enrollment (Phase 1-5), NOT BPRT
+# app installs -- BPRT finishes on its own in the background after the
+# PPKG reboot, and is irrelevant to the Intune lifecycle.
+$taskName = 'Shopfloor Intune Sync'
+$monitorScript = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
+$configureScript = Join-Path $setupDir 'Shopfloor\Configure-PC.ps1'
+
+if (Test-Path -LiteralPath $monitorScript) {
     try {
-        & $enrollScript
+        $action = New-ScheduledTaskAction `
+            -Execute 'powershell.exe' `
+            -Argument "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$monitorScript`" -AsTask -ConfigureScript `"$configureScript`""
+
+        $trigger = New-ScheduledTaskTrigger -AtLogOn
+
+        $principal = New-ScheduledTaskPrincipal `
+            -GroupId 'S-1-5-32-545' `
+            -RunLevel Limited
+
+        $settings = New-ScheduledTaskSettingsSet `
+            -AllowStartIfOnBatteries `
+            -DontStopIfGoingOnBatteries `
+            -StartWhenAvailable `
+            -ExecutionTimeLimit (New-TimeSpan -Hours 2)
+
+        Register-ScheduledTask `
+            -TaskName  $taskName `
+            -Action    $action `
+            -Trigger   $trigger `
+            -Principal $principal `
+            -Settings  $settings `
+            -Force `
+            -ErrorAction Stop | Out-Null
+
+        Write-Host "Registered '$taskName' logon task."
     } catch {
-        Write-Warning "run-enrollment.ps1 failed: $_"
+        Write-Warning "Failed to register sync task: $_"
     }
 } else {
-    Write-Host "run-enrollment.ps1 not found - skipping enrollment."
+    Write-Warning "Monitor-IntuneProgress.ps1 not found at $monitorScript"
 }
 
 # Set auto-logon to expire after 4 more logins (2 needed for sync_intune
@@ -205,17 +235,28 @@ if (Test-Path -LiteralPath $enrollScript) {
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 4 /f | Out-Null
 Write-Host "Auto-logon set to 4 remaining logins."
 
-Write-Host ""
-Write-Host "================================================================"
-Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
-Write-Host "================================================================"
-
-# Flush transcript before shutdown so the log file is complete on next boot
-try { Stop-Transcript | Out-Null } catch {}
-
-# run-enrollment.ps1 already initiated the reboot. If it didn't run
-# (no PPKG), reboot now.
-if (-not (Test-Path -LiteralPath $enrollScript)) {
+# --- Run enrollment (PPKG install) ---
+# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
+# an immediate reboot -- everything after this call is unlikely to execute.
+# The sync_intune task is already registered above, so the PPKG reboot
+# can kill us and the chain continues on the next boot.
+$enrollScript = Join-Path $enrollDir 'run-enrollment.ps1'
+if (Test-Path -LiteralPath $enrollScript) {
+    Write-Host ""
+    Write-Host "=== Running enrollment (PPKG install) ==="
+    Write-Host "NOTE: PPKG will trigger an immediate reboot. This is expected."
+    try { Stop-Transcript | Out-Null } catch {}
+    & $enrollScript
+    # If we get here, the PPKG didn't reboot (maybe no PPKG file found).
+    Write-Host "Enrollment returned without rebooting. Rebooting now..."
+    shutdown /r /t 10
+} else {
+    Write-Host "run-enrollment.ps1 not found - skipping enrollment."
+    Write-Host ""
+    Write-Host "================================================================"
+    Write-Host "=== Run-ShopfloorSetup.ps1 complete $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ==="
+    Write-Host "================================================================"
+    try { Stop-Transcript | Out-Null } catch {}
     Write-Host "Rebooting in 10 seconds..."
     shutdown /r /t 10
 }