diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
index 246566b..3fee7dc 100644
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -358,17 +358,19 @@ function Get-Phase1 {
 } catch {}
 # Once Intune registration is fully landed (AAD-joined + Intune-enrolled
- # + EnterpriseMgmt task present + baseline policies arrived), delete the
- # INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
- # reconnects to AESFMA (which Intune SCEP cert provisioning has made
- # functional by this point). Bay then has a real GE corp 10.x address
- # and Report IP fires cleanly. Fires once per Monitor lifetime via
- # cache flag.
- if (-not $script:cache.InternetAccessDeleted -and
- $script:cache.AzureAdJoined -and
- $script:cache.IntuneEnrolled -and
- $script:cache.EmTaskExists -and
- $policiesBaselineReady) {
+ # + EnterpriseMgmt task present + baseline policies arrived), three
+ # things must happen together:
+ # 1. Delete INTERNETACCESS WiFi profile (gets bay off 172.16.x)
+ # 2. Connect AESFMA (gets bay onto corp 10.x via EAP-TLS - cert is
+ # already in LocalMachine\My thanks to Intune SCEP)
+ # 3. Push idx=7 to the PXE dashboard with the captured DeviceId so
+ # the dashboard card shows the QR for the Intune device id.
+ # All three fire in one shot per Monitor lifetime via cache flags.
+ $phase1Essential = ($script:cache.AzureAdJoined -and
+ $script:cache.IntuneEnrolled -and
+ $script:cache.EmTaskExists -and
+ $policiesBaselineReady)
+ if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
 try {
 Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
 $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
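Review bot: The swap condition does not check the precondition that step 2 of the new comment relies on, namely that the SCEP-issued certificate is already in LocalMachine\My; `$policiesBaselineReady` only stands in for it. If the certificate has not landed, the `netsh wlan delete profile name="INTERNETACCESS"` call removes the bay's working WiFi profile before AESFMA can authenticate, which may leave the bay with no network. Consider an explicit check in the swap condition, for example `$hasMachineCert = [bool](Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue | Where-Object HasPrivateKey)`, narrowed to the expected issuer. The comment also says all three actions "fire in one shot", but the swap and the idx=7 push are gated by separate flags and the push additionally waits for `$script:cache.DeviceId`, so they can run on different passes and the wording should say so. The rest of the `try` body, and the place where `InternetAccessDeleted` is set, are outside this hunk.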
@@ -381,6 +383,19 @@ function Get-Phase1 {
 Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
 }
 }
+ if ($phase1Essential -and $script:cache.DeviceId -and -not $script:cache.DeviceIdReported) {
+ if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
+ try {
+ Send-PxeStatus -Stage 'Monitor-IntuneProgress: Intune registration complete' `
+ -StageIndex 7 -StageTotal 8 `
+ -IntuneDeviceId $script:cache.DeviceId -ErrorAction Stop
+ $script:cache.DeviceIdReported = $true
+ Write-Host "Pushed idx=7 with DeviceId $($script:cache.DeviceId)."
+ } catch {
+ Write-Warning "idx=7 Send-PxeStatus failed: $_"
+ }
+ }
+ }
 return @{
 AzureAdJoined = $script:cache.AzureAdJoined
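Review bot: `DeviceIdReported` is latched as soon as `Send-PxeStatus` returns without throwing, so the retry only works if that helper turns a failed push into a terminating error. Its definition is not in this hunk, and `-ErrorAction Stop` has that effect only if the helper is an advanced function that does not catch its own web errors. If the helper is best-effort internally, a push attempted right after the WiFi swap above, when the bay may be between networks, would be recorded as delivered and never retried. Have the helper return a success value and set the flag from it, e.g. `if (Send-PxeStatus ...) { $script:cache.DeviceIdReported = $true }`, or confirm that it throws. Because this call now sends the Intune device id off the bay, it is also worth confirming that the helper's transport to the PXE dashboard is authenticated and encrypted, and that the dashboard is still reachable once the bay is on the corp 10.x network.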