Monitor: idx=7 push fires on Phase 1 essentials complete

Pair with the INTERNETACCESS -> AESFMA WiFi-swap commit. Once
AAD-joined + IntuneEnrolled + EmTaskExists + baseline policies
all true AND DeviceId is captured, push idx=7 to PXE dashboard
with the DeviceId immediately - don't wait for the Report IP log
(which depends on AESFMA join + script timing).

Side note: the legacy wired-NIC re-enable + reportIpLog-gated
idx=7 push block earlier in Get-Phase1 still exists. Both paths
guard on $script:cache.DeviceIdReported so only one fires, but
that block is dead-ish under the new WiFi-swap flow (no wired
disable -> no NIC state file -> re-enable block no-ops; Report
IP log gate may still fire idx=7 if Phase 1 essentials haven't
all flipped yet but Report IP did). Worth cleaning up next pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-05-14 16:24:18 -04:00
parent f404cd2892
commit c6b249f866

@@ -358,17 +358,19 @@ function Get-Phase1 {
} catch {}
# Once Intune registration is fully landed (AAD-joined + Intune-enrolled
# + EnterpriseMgmt task present + baseline policies arrived), delete the
# INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
# reconnects to AESFMA (which Intune SCEP cert provisioning has made
# functional by this point). Bay then has a real GE corp 10.x address
# and Report IP fires cleanly. Fires once per Monitor lifetime via
# cache flag.
if (-not $script:cache.InternetAccessDeleted -and
$script:cache.AzureAdJoined -and
# + EnterpriseMgmt task present + baseline policies arrived), three
# things must happen together:
# 1. Delete INTERNETACCESS WiFi profile (gets bay off 172.16.x)
# 2. Connect AESFMA (gets bay onto corp 10.x via EAP-TLS - cert is
# already in LocalMachine\My thanks to Intune SCEP)
# 3. Push idx=7 to the PXE dashboard with the captured DeviceId so
# the dashboard card shows the QR for the Intune device id.
# All three fire in one shot per Monitor lifetime via cache flags.
$phase1Essential = ($script:cache.AzureAdJoined -and
$script:cache.IntuneEnrolled -and
$script:cache.EmTaskExists -and
$policiesBaselineReady) {
$policiesBaselineReady)
if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
try {
Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
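Review bot: The closing line of the rewritten comment, "All three fire in one shot per Monitor lifetime via cache flags", does not match the gating this change introduces. The WiFi swap is guarded by `-not $script:cache.InternetAccessDeleted`, while the idx=7 push has its own `DeviceIdReported` flag and additionally requires `$script:cache.DeviceId`, so the push can land on a later Get-Phase1 call than the swap (or be retried after a failure). Suggest rewording the comment to say that each step fires once, independently, under its own cache flag, and listing the extra DeviceId precondition on step 3 so the next reader does not assume the three are atomic.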
@@ -381,6 +383,19 @@ function Get-Phase1 {
Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
}
}
if ($phase1Essential -and $script:cache.DeviceId -and -not $script:cache.DeviceIdReported) {
if (Get-Command Send-PxeStatus -ErrorAction SilentlyContinue) {
try {
Send-PxeStatus -Stage 'Monitor-IntuneProgress: Intune registration complete' `
-StageIndex 7 -StageTotal 8 `
-IntuneDeviceId $script:cache.DeviceId -ErrorAction Stop
$script:cache.DeviceIdReported = $true
Write-Host "Pushed idx=7 with DeviceId $($script:cache.DeviceId)."
} catch {
Write-Warning "idx=7 Send-PxeStatus failed: $_"
}
}
}
return @{
AzureAdJoined = $script:cache.AzureAdJoined
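Review bot: The idx=7 block is placed after the WiFi-swap block, so on the pass where `$phase1Essential` first turns true the `Send-PxeStatus` call runs right after the INTERNETACCESS profile has been deleted and while the bay is still moving to AESFMA. The catch leaves `DeviceIdReported` unset, so a failed push is retried on the next call, which is reasonable, but it is worth either moving this block ahead of the swap or adding a comment that the retry is the intended behaviour during the network transition. Separately, when `Get-Command Send-PxeStatus -ErrorAction SilentlyContinue` finds nothing, the whole block is skipped with no output, so a missing helper means idx=7 never fires and nothing in the log says why; a one-time `Write-Warning` in an else branch would make that visible.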