ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Kill wired NICs post-stage-2 until Report IP log appears

Browse Source 
Recurring Phase 2 "Device Configuration" stuck: GE Intune Proactive
Remediation "Report IP" script enumerates Get-NetIPAddress and POSTs
all IPs to a GE webhook. Bays cabled to air-gapped PXE LAN have
10.9.100.x leak into that report. GE backend tags bays "not on corp
net" -> dynamic-group assignment-filter at GE excludes them from the
SFLD ConfigurationProfile (Function + SasToken OMA-URI) ->
HKLM:\SOFTWARE\GE\SFLD\DSC never populates -> Monitor Phase 2 gate
never closes. Confirmed via mdm-diag-F907T5X3 dump: every Microsoft
policy delivered fine, zero SFLD/GE-namespace OMA-URI present.

Fix flow:
1. Run-ShopfloorSetup line 43: disable every Up wired NIC right after
   stage 2 push. NIC names persisted to
   C:\Enrollment\disabled-wired-nics.txt for later re-enable.
2. Stages 3-6 status pushes fail silently while wired is down (PXE
   server lives on the air-gapped 10.9.100.0/24 LAN, unreachable from
   WiFi). Dashboard goes dark in that window.
3. PPKG installs, immediate reboot, AAD/Intune enroll over WiFi only.
4. IME boots, Report IP script fires with corp-WiFi IP only, writes
   C:\Logs\GE_Report_IP_Address*.txt. Webhook records clean IP. GE
   dynamic group eligibility flips. SFLD policy delivers next sync.
5. Monitor-IntuneProgress detects the log file, re-enables every NIC
   in the persisted list, sleeps 1s for link, then pushes idx=7 with
   DeviceId so the dashboard card flips to QR before the Intune-
   triggered LAPS-prompt reboot lands.

Phase 1 remains "in progress" on the dashboard until Report IP fires
- correct, the bay isn't actually registration-clean until then.

Files:
- Disable-WiredNics.ps1 (new) - persists names + disables
- Run-ShopfloorSetup.ps1 - call after stage 2 Report-Stage
- Monitor-IntuneProgress.ps1 - gate idx=7 push + re-enable

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-13 17:22:41 -04:00
parent b5a067bd48
commit b8328171eb
3 changed files with 102 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
playbook/shopfloor-setup/Run-ShopfloorSetup.ps1
View File

@@ -41,6 +41,23 @@ function Report-Stage {
}
Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
# Kill wired NICs immediately after stage 2 push. Goal: GE Intune Report
# IP webhook only ever sees this bay's corp-WiFi IP, never the PXE LAN
# (10.9.100.x) IP. Otherwise GE backend tags the bay "not on corp net"
# and dynamic-group assignment filters exclude it from the SFLD
# ConfigurationProfile -> Phase 2 stuck forever.
# Monitor-IntuneProgress re-enables wired once
# C:\Logs\GE_Report_IP_Address*.txt appears (proof the webhook fire saw
# the corp IP it needed). Side effect during disabled window:
# Send-PxeStatus pushes from stages 3-6 fail silently (PXE server lives
# on the air-gapped 10.9.100.0/24 LAN). Dashboard catches up at idx=7.
$disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1'
if (Test-Path -LiteralPath $disableWiredScript) {
try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" }
} else {
Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)"
}
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
# nukes the lockdown-configured ShopFloor autologon later in the chain.