Monitor: idx=7 push fires on Phase 1 essentials complete

Pair with the INTERNETACCESS -> AESFMA WiFi-swap commit. Once
AAD-joined + IntuneEnrolled + EmTaskExists + baseline policies
all true AND DeviceId is captured, push idx=7 to PXE dashboard
with the DeviceId immediately - don't wait for the Report IP log
(which depends on AESFMA join + script timing).

Side note: the legacy wired-NIC re-enable + reportIpLog-gated
idx=7 push block earlier in Get-Phase1 still exists. Both paths
guard on $script:cache.DeviceIdReported so only one fires, but
that block is dead-ish under the new WiFi-swap flow (no wired
disable -> no NIC state file -> re-enable block no-ops; Report
IP log gate may still fire idx=7 if Phase 1 essentials haven't
all flipped yet but Report IP did). Worth cleaning up next pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1

@@ -358,17 +358,19 @@ function Get-Phase1 {
     } catch {}
 
     # Once Intune registration is fully landed (AAD-joined + Intune-enrolled
-    # + EnterpriseMgmt task present + baseline policies arrived), delete the
-    # INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
-    # reconnects to AESFMA (which Intune SCEP cert provisioning has made
-    # functional by this point). Bay then has a real GE corp 10.x address
-    # and Report IP fires cleanly. Fires once per Monitor lifetime via
-    # cache flag.
-    if (-not $script:cache.InternetAccessDeleted -and
-        $script:cache.AzureAdJoined -and
-        $script:cache.IntuneEnrolled -and
-        $script:cache.EmTaskExists -and
-        $policiesBaselineReady) {
+    # + EnterpriseMgmt task present + baseline policies arrived), three
+    # things must happen together:
+    #   1. Delete INTERNETACCESS WiFi profile (gets bay off 172.16.x)
+    #   2. Connect AESFMA (gets bay onto corp 10.x via EAP-TLS - cert is
+    #      already in LocalMachine\My thanks to Intune SCEP)
+    #   3. Push idx=7 to the PXE dashboard with the captured DeviceId so
+    #      the dashboard card shows the QR for the Intune device id.
+    # All three fire in one shot per Monitor lifetime via cache flags.
+    $phase1Essential = ($script:cache.AzureAdJoined -and
+                        $script:cache.IntuneEnrolled -and
+                        $script:cache.EmTaskExists -and
+                        $policiesBaselineReady)
+    if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
         try {
             Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
             $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
@@ -381,6 +383,19 @@ function Get-Phase1 {
             Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
         }
     }
+    if ($phase1Essential -and $script:cache.DeviceId -and -not $script:cache.DeviceIdReported) {
+        if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
+            try {
+                Send-PxeStatus -Stage 'Monitor-IntuneProgress: Intune registration complete' `
+                               -StageIndex 7 -StageTotal 8 `
+                               -IntuneDeviceId $script:cache.DeviceId -ErrorAction Stop
+                $script:cache.DeviceIdReported = $true
+                Write-Host "Pushed idx=7 with DeviceId $($script:cache.DeviceId)."
+            } catch {
+                Write-Warning "idx=7 Send-PxeStatus failed: $_"
+            }
+        }
+    }
 
     return @{
         AzureAdJoined         = $script:cache.AzureAdJoined