Kill wired NICs post-stage-2 until Report IP log appears

Recurring Phase 2 "Device Configuration" stuck: GE Intune Proactive
Remediation "Report IP" script enumerates Get-NetIPAddress and POSTs
all IPs to a GE webhook. Bays cabled to air-gapped PXE LAN have
10.9.100.x leak into that report. GE backend tags bays "not on corp
net" -> dynamic-group assignment-filter at GE excludes them from the
SFLD ConfigurationProfile (Function + SasToken OMA-URI) ->
HKLM:\SOFTWARE\GE\SFLD\DSC never populates -> Monitor Phase 2 gate
never closes. Confirmed via mdm-diag-F907T5X3 dump: every Microsoft
policy delivered fine, zero SFLD/GE-namespace OMA-URI present.

Fix flow:
1. Run-ShopfloorSetup line 43: disable every Up wired NIC right after
   stage 2 push. NIC names persisted to
   C:\Enrollment\disabled-wired-nics.txt for later re-enable.
2. Stages 3-6 status pushes fail silently while wired is down (PXE
   server lives on the air-gapped 10.9.100.0/24 LAN, unreachable from
   WiFi). Dashboard goes dark in that window.
3. PPKG installs, immediate reboot, AAD/Intune enroll over WiFi only.
4. IME boots, Report IP script fires with corp-WiFi IP only, writes
   C:\Logs\GE_Report_IP_Address*.txt. Webhook records clean IP. GE
   dynamic group eligibility flips. SFLD policy delivers next sync.
5. Monitor-IntuneProgress detects the log file, re-enables every NIC
   in the persisted list, sleeps 1s for link, then pushes idx=7 with
   DeviceId so the dashboard card flips to QR before the Intune-
   triggered LAPS-prompt reboot lands.

Phase 1 remains "in progress" on the dashboard until Report IP fires
- correct, the bay isn't actually registration-clean until then.

Files:
- Disable-WiredNics.ps1 (new) - persists names + disables
- Run-ShopfloorSetup.ps1 - call after stage 2 Report-Stage
- Monitor-IntuneProgress.ps1 - gate idx=7 push + re-enable

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1

@@ -0,0 +1,45 @@
+# Disable-WiredNics.ps1
+# Disables every Up wired (MediaType 802.3) NIC and records their names to
+# C:\Enrollment\disabled-wired-nics.txt so Monitor-IntuneProgress can
+# re-enable them once Report IP has run on WiFi-only.
+#
+# Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
+# Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
+# shopfloor bay is still cabled to the air-gapped PXE LAN (10.9.100.0/24),
+# the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
+# "not on corp net". A dynamic group / assignment-filter at GE then excludes
+# the bay from receiving the SFLD ConfigurationProfile (Function + SasToken
+# OMA-URI) -> Phase 2 "Device Configuration" never closes.
+#
+# Killing the wired NIC after stage 2 reports + before AAD-join makes the
+# bay's first Report IP fire see corp-WiFi IP only. The bay is tagged
+# clean, dynamic group eligibility flips, SFLD policy delivers normally.
+# Monitor-IntuneProgress re-enables the NIC once Report IP's log file
+# appears at C:\Logs\GE_Report_IP_Address*.txt.
+
+$ErrorActionPreference = 'Continue'
+$stateFile = 'C:\Enrollment\disabled-wired-nics.txt'
+
+try {
+    $wired = Get-NetAdapter -ErrorAction Stop |
+             Where-Object {
+                 $_.Status -eq 'Up' -and
+                 $_.MediaType -eq '802.3' -and
+                 $_.HardwareInterface -eq $true
+             }
+
+    if (-not $wired) {
+        Write-Host "Disable-WiredNics: no Up wired NICs found - nothing to disable."
+        return
+    }
+
+    $names = $wired | ForEach-Object { $_.Name }
+    $names | Out-File -FilePath $stateFile -Encoding ASCII -Force
+    Write-Host ("Disable-WiredNics: persisted {0} NIC name(s) -> {1}" -f $names.Count, $stateFile)
+    foreach ($n in $names) { Write-Host "  - $n" }
+
+    $wired | Disable-NetAdapter -Confirm:$false -ErrorAction Continue
+    Write-Host "Disable-WiredNics: NICs disabled. Re-enable triggered by Monitor when GE_Report_IP_Address log appears."
+} catch {
+    Write-Warning "Disable-WiredNics: failed: $_"
+}