diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 index 5ae7a38..34cf9c7 100644 --- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 +++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 @@ -41,23 +41,6 @@ function Report-Stage { } Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2 -# Kill wired NICs immediately after stage 2 push. Goal: GE Intune Report -# IP webhook only ever sees this bay's corp-WiFi IP, never the PXE LAN -# (10.9.100.x) IP. Otherwise GE backend tags the bay "not on corp net" -# and dynamic-group assignment filters exclude it from the SFLD -# ConfigurationProfile -> Phase 2 stuck forever. -# Monitor-IntuneProgress re-enables wired once -# C:\Logs\GE_Report_IP_Address*.txt appears (proof the webhook fire saw -# the corp IP it needed). Side effect during disabled window: -# Send-PxeStatus pushes from stages 3-6 fail silently (PXE server lives -# on the air-gapped 10.9.100.0/24 LAN). Dashboard catches up at idx=7. -$disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1' -if (Test-Path -LiteralPath $disableWiredScript) { - try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" } -} else { - Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)" -} - # AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but # Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which # nukes the lockdown-configured ShopFloor autologon later in the chain. 
@@ -493,13 +476,24 @@ if (Test-Path -LiteralPath $enrollScript) { try { Stop-Transcript | Out-Null } catch {} & $enrollScript - # PPKG completes -> we're back here with a pending shutdown timer. - # Hand off to Monitor in -PostPpkg mode. Monitor cancels the shutdown, - # settles, renders live status, then issues its own reboot. The - # persistent @logon sync_intune task fires on the next boot to resume - # tracking through device-category-assignment + lockdown. + # idx=6 push happens BEFORE wired disable so the dashboard captures + # the handoff stage. Disable-WiredNics comes right after - kills wired + # before PostPpkg settle's Schedule #3 hammer hits Intune endpoints, + # before the PPKG-driven reboot, and before IME starts firing the + # Report IP script. Goal: GE's Report IP webhook only ever sees the + # corp-WiFi IP, never PXE LAN (10.9.100.x). Monitor-IntuneProgress + # re-enables wired once C:\Logs\GE_Report_IP_Address*.txt shows up + # (proof of clean Report IP fire) and then pushes idx=7. Write-Host "" Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6 + + $disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1' + if (Test-Path -LiteralPath $disableWiredScript) { + try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" } + } else { + Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)" + } + Write-Host "=== Handing off to Monitor-IntuneProgress -PostPpkg ===" cmd /c "shutdown /a 2>nul" | Out-Null $monitor = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'
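Review bot: The Disable-WiredNics block added after the idx=6 push fails open: a missing script or an exception from it only produces a `Write-Warning` on the console, and the script then proceeds to `shutdown /a` and the PostPpkg handoff with wired still up — the state the new comment itself calls a Report IP leak risk — with nothing reaching Report-Stage or the dashboard. That fallback also looks likely to be the path taken, because `$disableWiredScript` is built from `$PSScriptRoot` with a `shopfloor-setup\Shopfloor\lib` prefix while `$monitor` a few lines later locates the sibling script in the same lib directory from `$setupDir`; unless the two roots differ at runtime in a way that makes both resolve, one of them is wrong and the "not found" branch runs. I would resolve the disable script from `$setupDir` like Monitor-IntuneProgress, and after the call verify the outcome with `Get-NetAdapter` rather than trusting a script that merely did not throw, pushing a still-up wired adapter through Report-Stage — that push can only reach the PXE-side dashboard while wired is still up, which is exactly the failure case to record. The adapter filter below assumes Wi-Fi reports `PhysicalMediaType` 'Native 802.11'; align it with whatever Disable-WiredNics itself uses to pick wired adapters. The enclosing `if (Test-Path -LiteralPath $enrollScript)` block opens before the hunk and its closing brace lies outside it.
```powershell
    Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6

    # Resolve from $setupDir, the same root Monitor-IntuneProgress is located from below.
    $disableWiredScript = Join-Path $setupDir 'Shopfloor\lib\Disable-WiredNics.ps1'
    # … unchanged: Test-Path / try-catch invocation and the not-found warning …

    # A script that did not throw is not proof the NICs are down. Confirm before the
    # PPKG reboot and the Report IP fire; while wired is still up this push can reach
    # the PXE-side dashboard, so the failure is recorded where it can be seen.
    $wiredUp = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -ne 'Native 802.11' }
    if ($wiredUp) {
        $names = $wiredUp.Name -join ', '
        Write-Warning "Wired adapter(s) still up after Disable-WiredNics: $names (Report IP leak risk)"
        Report-Stage -Stage "Run-ShopfloorSetup: WARNING wired still up ($names)" -Index 6
    }
    # … unchanged: handoff banner, shutdown /a, $monitor = Join-Path … …
```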