diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 index 5926fb3..246566b 100644 --- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 @@ -187,6 +187,7 @@ $script:cache = @{ DeviceId = $null DeviceIdReported = $false LockdownCompletePushed = $false + InternetAccessDeleted = $false } # Load Send-PxeStatus at SCRIPT scope (not inside a function). A dot-source @@ -356,6 +357,31 @@ function Get-Phase1 { $policiesBaselineReady = ($subkeyCount -ge 5) } catch {} + # Once Intune registration is fully landed (AAD-joined + Intune-enrolled + # + EnterpriseMgmt task present + baseline policies arrived), delete the + # INTERNETACCESS WiFi profile so the bay falls off 172.16.x and + # reconnects to AESFMA (which Intune SCEP cert provisioning has made + # functional by this point). Bay then has a real GE corp 10.x address + # and Report IP fires cleanly. Fires once per Monitor lifetime via + # cache flag. + if (-not $script:cache.InternetAccessDeleted -and + $script:cache.AzureAdJoined -and + $script:cache.IntuneEnrolled -and + $script:cache.EmTaskExists -and + $policiesBaselineReady) { + try { + Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..." + $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String + Write-Host $delOut + Start-Sleep -Seconds 2 + $conOut = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String + Write-Host $conOut + $script:cache.InternetAccessDeleted = $true + } catch { + Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_" + } + } + return @{ AzureAdJoined = $script:cache.AzureAdJoined IntuneEnrolled = $script:cache.IntuneEnrolled
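Review bot: In the block added to Get-Phase1, `$script:cache.InternetAccessDeleted = $true` is set whether or not either `netsh` call succeeded, because a native command's non-zero exit code does not normally raise a PowerShell exception and so the `catch` will rarely fire. If the delete succeeds but the AESFMA connect fails, the bay is left with no network and the swap is never retried. The gate also does not check that the AESFMA profile exists; it relies on the assumption in the comment that SCEP provisioning has finished. I would confirm the AESFMA profile is present before deleting INTERNETACCESS, check `$LASTEXITCODE` after each call, and latch the flag only once the connect succeeds (netsh's exit codes should be verified on the target image). Get-Phase1 begins and ends outside the hunk.

```powershell
# … unchanged: if (-not $script:cache.InternetAccessDeleted -and …) gate, try { …
    # Do not drop the provisioning network until the corp profile is present.
    $profiles = netsh wlan show profiles 2>&1 | Out-String
    if ($profiles -match 'AESFMA') {
        # … unchanged: Write-Host banner, netsh wlan delete profile, Write-Host $delOut …
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "netsh delete of INTERNETACCESS returned exit code $LASTEXITCODE"
        }
        # … unchanged: Start-Sleep, netsh wlan connect, Write-Host $conOut …
        if ($LASTEXITCODE -eq 0) {
            # Latch only on a successful connect so a later poll can retry.
            $script:cache.InternetAccessDeleted = $true
        } else {
            Write-Warning "netsh connect to AESFMA returned exit code $LASTEXITCODE"
        }
    }
# … unchanged: } catch { Write-Warning … }
```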